OEWG Chair releases Zero Draft of the Final Report, setting stage for final talks 

The report includes concrete actions and cooperative measures to address ICT threats and captures concrete progress made at the OEWG to promote an open, secure, stable, accessible and peaceful and interoperable ICT environment.
A close-up of a flag

The Chair of the Open-ended Working Group (OEWG) on the security of and in the use of information and communications technologies in 2021–2025 released the Zero Draft of the OEWG Final Report. This initial draft serves as the basis for further negotiations and provides a comprehensive overview of the progress made during the OEWG’s mandate, outlining key proposals, discussions, and potential areas for future work on ICT security within the context of international peace and security. The report is expected to be adopted at the OEWG’s elevent substantive session in July 2025.

States reaffirmed the consensus reached in the OEWG’s first three Annual Progress Reports, the 2021 OEWG report, and earlier GGE reports (2010, 2013, 2015, 2021). These documents form a cumulative and evolving framework for responsible state behaviour in the ICT domain, including 11 voluntary norms and measures for confidence-building, capacity-building, and cooperation. States reiterated that international law, particularly the UN Charter, applies to the ICT environment.

The draft highlights that the OEWG addressed its mandate in a balanced way, advancing common understandings and the implementation of prior commitments. States acknowledged the sustained engagement of stakeholders and the key role of regional and sub-regional organisations in supporting implementation.

Existing and potential threats

States expressed growing concern over intensifying ICT threats amid a challenging geopolitical climate. They noted the development of military ICT capabilities and the increasing use of ICTs in conflicts. Concerns extended to malicious activities targeting critical and civilian infrastructure, undersea cables, orbit communication network, space-based networks, industrial systems, operational technology, 5G, IoT, cloud services, VPNs, and firewalls. Serious concern was expressed regarding malicious ICT activity targeting international and humanitarian organisations. A worrying increase in states’ malicious use of ICT-enabled covert information campaigns to influence another state’s processes, systems and overall stability was also noted. 

Ransomware emerged as a key threat, with States warning of its growing scale, severity, and impact on international security. They called for a comprehensive response—targeting ransomware actors, their tools, and illicit financial flows—and noted the need for a human-centric approach to mitigate harms. States also flagged rising threats from cryptocurrency theft and the growing availability of commercial ICT intrusion tools and vulnerabilities on the dark web.

New and emerging technologies, particularly AI and quantum computing, were considered double-edged, offering security benefits and expanding the attack surface. AI-driven attacks and misuse of large language models (LLMs) were noted as reducing barriers to malicious activity. States stressed the need for secure-by-design approaches, post-quantum cryptography, and strong data protection.

States continued to express concern that a lack of awareness of existing and potential threats and a lack of adequate capacities to detect, defend against and/or respond to malicious ICT activities may make them more vulnerable. States encouraged enhanced awareness, capacity-building, and international cooperation, especially among CERTs and CSIRTs.

The report’s recommendations

  • States to continue exchanging views on existing and potential threats to security in the use of ICTs in the context of international security at the future permanent mechanism.
  • States to continue focused discussions on possible cooperative measures to address these threats, aware that all states’ commitment to the framework for responsible behaviour in the use of ICTs is fundamental to addressing threats.

Norms, rules, and principles 

States affirmed that voluntary, non-binding norms of responsible behaviour help reduce risks to international peace and stability by improving predictability and preventing misperceptions.  Such norms reflect the international community’s expectations and standards regarding states’ use of ICTs and allow the international community to assess states’ activities.

States also encouraged whole-of-government coordination and awareness-raising on these norms, acknowledging the need to consider technical gaps, differing national systems, and regional contexts.

States underlined the importance of norms (c), (d), (f), (g), (h), and (i).

States stressed the need to protect critical infrastructure (CI) and critical information infrastructure (CII) from ICT threats, through measures such as voluntary designation of CI and CII, comprehensive risk assessments, ICT awareness and training, and the development of relevant national regulatory requirements and guidelines. States proposed creating common templates for responding to ICT incidents affecting CI/CII to facilitate effective international cooperation.

Emphasis was placed on strengthening supply chain integrity through establishing policies and programmes to promote the adoption of good practices by suppliers and vendors of ICT equipment and systems, enhancing quality and promoting choice, exchanging best practices and developing globally interoperable standards for supply chain security.

States proposed measures to prevent the illegitimate and malicious use of commercially available ICT intrusion tools by ensuring their development and use align with international law. They stressed the importance of embedding security-by-design in ICT products, prioritising security over rapid market release. States also highlighted the essential role of the private sector in maintaining supply chain integrity and preventing the spread of malicious tools.

States proposed the adoption of the Voluntary Checklist of Practical Actions as a reference document for the voluntary implementation of voluntary, nonbinding norms. The checklist contains voluntary, practical actions for implementing norms. These actions are divided into actions at the national level and actions requiring international cooperation.

Targeted ICT security capacity-building programs are important to address implementation challenges and capacity gaps. Technical differences, diverse national systems, and regional specifics should be considered when using the voluntary checklist.

New norms for ICT use could be developed over time, states affirmed, and new norms can be developed alongside implementing existing ones. States proposed continuing discussions on additional norms at the future permanent mechanism, including compiling and sharing a list of proposed rules and principles to support ongoing study and dialogue.

The report’s recommendations

  • States to continue exchanging views at the future permanent mechanism on rules, norms and principles of responsible State behaviour in the use of ICTs
  • The UN Secretariat to compile a non-exhaustive list of proposals from states on rules, norms and principles of responsible behaviour of states and circulate that list to delegations.
  • States agree to adopt the Voluntary Checklist of Practical Actions for the implementation of voluntary, non-binding norms of responsible state behaviour in the use of ICT

International law

States reaffirmed that the core principles of international law, including sovereignty, sovereign equality, and the peaceful settlement of disputes, as outlined in Articles 2(3), 2(4), and 33(1) of the UN Charter, apply to cyberspace. States reaffirmed that ICT operations may amount to a use of force under Article 2(4) of the UN Charter if their scale and effects are comparable to non-ICT operations rising to the level of a use of force. Even when not rising to that level, ICT activities could still be contrary to other principles of international law, such as state sovereignty and non-intervention. States emphasised that no state should interfere—directly or indirectly—in another state’s internal affairs through the use of ICTs.

States also made additional concrete, action-oriented proposals on international law:

  • States proposed that discussions on international law could continue to benefit from expert briefings, such as from the International Law Commission or academia, as appropriate.
  • States proposed that the application of international law in the use of ICTs could be discussed further at the future permanent mechanism. States suggested that areas of an in-depth study could be: States’ obligations regarding respect for territorial sovereignty; the due diligence obligations of a state in the use of ICTs; the obligations of non-state actors in the use of ICTs under international law; and how CI and CII, as well as data, are protected under international law.
  • States noted the importance of exchanging national positions to build common understandings.
  • States continued to underscore the urgent need to continue capacity-building initiatives on international law. Such initiatives could include: Workshops, conferences and the exchanging of best practices; Online and in-person training courses and modules as well as online resource libraries; Strengthening collaboration with academics, civil society and the private sector to tailor international law capacity-building programmes; Partnering with regional and sub-regional organisations to implement capacity building initiatives that address localised needs.

The report’s recommendations

  • States to continue to engage in focused discussions at the future permanent mechanism on how international law applies in the use of ICTs
  • States to continue to voluntarily share their national views and positions on how international law applies to the use of ICTs.
  • States in a position to do so to continue to support, neutrally and objectively, additional efforts to build capacity in the areas of international law

Confidence-building measures

Countries highlighted the importance of continuing to expand and operationalise the Global Points of Contact (POC) Directory, and supported its seamless transition from the OEWG to the future permanent mechanism on ICT security. 

They also stressed the need to put into practice the ‘Initial List of Voluntary Global Confidence-Building Measures’ from the third Annual Progress Report. These include:

  • Nominating national Points of Contact to the Global POC Directory, and operationalising and utilising the Global POC Directory (CBM 1)
  • Continuing to exchange views and undertaking bilateral, sub-regional, regional, cross-regional and multilateral dialogue and consultations between states (CBM 2)
  • Sharing information, on a voluntary basis, such as national ICT concept papers, national strategies, policies and programmes, legislation and best practices (CBM 3)
  • Encouraging opportunities for the cooperative development and exercise of CBMs (CBM 4)
  • Promoting information exchange on cooperation and partnership between states to strengthen capacity in ICT security and to enable active CBM implementation (CBM 5); 
  • Engaging in regular organisation of seminars, workshops and training programmes on ICT security (CBM 6); 
  • Exchanging information and best practices on protecting CI and CII (CBM 7); 
  • Strengthening public-private sector partnerships and cooperation on ICT security (CBM8).

States encouraged practical implementation steps such as dialogue, information-sharing, and best practices exchange. States reaffirmed the progress made so far and reaffirmed the need for continued discussions on the development and implementation of CBMs in the future mechanism.

States also welcomed the ‘Template for Communication – Example provided by the Secretariat pursuant to A/79/214’, annexed to the Final Report as Annex B.

Page, Text, File
Page, Text
Advertisement, Poster, Page, Text, Business Card, Paper
Page, Text

The report’s recommendations

  • States to continue exchanging views at the future permanent mechanism on the development and implementation of CBMs
  • States to continue the further development and operationalisation of the Global POC Directory at the future permanent mechanism
  • The UN Office of Disarmament Affairs, in its capacity as manager of the Global POC Directory, is requested to convene regular simulation exercises , to allow representatives from states to simulate the practical aspects of participating in a POC directory,
  • States agree to adopt the ‘Template for Communication – Example provided by the Secretariat pursuant to A/79/214’
  • States are encouraged, on a voluntary basis, to continue to share national views on technical ICT terms and terminologies to enhance transparency and understanding between states.

Capacity building

States reiterated their commitment to the ICT security capacity-building principles outlined in the 2021 OEWG report, stressing the need to further embed these principles into practical capacity-building programmes. They emphasised gender-responsive approaches, advocating for the integration of gender perspectives into national ICT policies and the development of tools to identify related gaps.

Recognising that capacity-building must be tailored to individual national contexts, states supported aligning efforts with a recipient country’s self-assessed ICT security status. 

Long-term sustainability was highlighted, with calls to invest in human resources, institutions, and infrastructure. Standardised training and curriculum development were proposed to ensure consistent technical capacity across states. Mentorship programmes were also suggested to provide ongoing support, especially in enhancing CERTs and CSIRTs’ expertise in areas such as forensic analysis and incident response.

States welcomed the UN Secretariat’s proposal for a Global ICT Security Cooperation and Capacity-Building Portal (GSCCP). States proposed that GSCCP could initially serve as: (a) the official website of the future permanent mechanism; (b) a central location for providing practical information on ICT security events to foster the active participation of States; and (c) a platform to facilitate the sharing of information relating to best practices and capacity-building. The Global POC Directory could also be integrated into the GSCCP. 

Additional proposals included a needs-based capacity-building catalogue and a UN CyberResilience Academy within UNIDIR to offer solution-focused support, particularly for less-resourced States.

The report’s recommendations

  • States to continue focused discussions on capacity-building efforts at the future permanent mechanism
  •  States to convene regular High-level Global Roundtables on ICT security capacity-building under the auspices of the future permanent mechanism to allow for strategic as well as action-oriented discussions on ICT capacity-building
  • States agree to establish a dedicated Global Information and Communication Technologies Security Cooperation and Capacity Building Portal.
  • States agree to establish a sponsorship programme administered by the UN Secretariat, funded exclusively by voluntary contributions to support the participation of developing countries in the meetings of the future permanent mechanism.
  • States agree to continue discussions at the future permanent mechanism on the development and operationalisation of a UN voluntary fund to support the capacity-building of states on the security of and in the use of ICTs.
  •  States in a position to do so are encouraged to continue to support capacity-building programmes, including in collaboration, where appropriate, with regional and subregional organisations and other interested parties and stakeholders.

Regular institutional dialogue

States continued to deliberate on the establishment of a regular institutional dialogue and reaffirmed their commitment to ensuring a smooth transition from the OEWG to the future permanent mechanism. They agreed that the new mechanism would support the ongoing implementation and further development of existing initiatives launched under the OEWG 2021–2025 and earlier processes. This includes, among others, the Global POC Directory and the Global Roundtable on ICT security capacity-building.

The report’s recommendations

  • States agree to establish the future permanent mechanism in accordance with (a) the elements as agreed in Annex C of the third APR and as endorsed in General Assembly Resolution 79/237.
AD 4nXfu 4l0 1fX0uIw Hl RSFkIq8sLCftrDQCH7gD2nPVZz6USitqDlBGZsPpJI NwFRvo guansGXNDhetaism51lIrc3bTJQHeEIfglKYpLcRmuuXLE gwxsIIejra5jfTOw M?key=LaEpXnSmI0Bp8IGF3zezQQ
  • States agree that the future permanent mechanism will be established according to the additional elements outlined in Annex III of the Final Report, which addresses thematic groups and stakeholder engagement. 

Additional elements regarding the dedicated thematic groups

The work of dedicated thematic groups (DTGs) will aim to build on and complement the discussions in the substantive plenary sessions by providing the opportunity for more detailed and action-oriented discussions.

Each DTG meeting may feature expert briefings, in-depth thematic discussions on a rotating agenda, and consideration of concrete measures to advance collective objectives.

At its organisational session in March 2026, the permanent mechanism would establish three DTGs. 

  • The first will focus on action-oriented measures to enhance state resilience and ICT security, protecting critical infrastructure, and promoting cooperative action to address threats in the ICT environment. 
  • The second group would continue the discussions on how international law applies to the use of ICTs in the context of international security. 
  • The third group would address capacity-building in the use of ICTs, with an emphasis on accelerating practical support and convening the Global Roundtable on ICT security capacity-building on a regular basis. 

Each DTG will be led by two co-facilitators, appointed by the Chair of the permanent mechanism in consultation with states, with a two-year term. The groups may meet jointly to foster holistic discussions across thematic areas. Co-facilitators will provide regular updates to the plenary sessions. Dedicated thematic groups could also agree by consensus to submit action-oriented draft recommendations, if any, to the permanent mechanism at its substantive plenary sessions.

DTGs will convene for at least one day per year, scheduled sequentially immediately prior to or immediately following substantive plenary sessions as plenary sessions to ensure coherence. Meetings will be held in a hybrid format to promote inclusivity, with in-person participation encouraged and proceedings broadcast via UN WebTV. These meetings will be considered informal. Additional sessions may also be held during intersessional periods if necessary.

The DTGs will operate until the first Review Conference, which will determine their continuation and scope for the following four-year cycle. The permanent mechanism may also establish additional ad-hoc DTGs for focused, time-bound discussions on specific topics, provided there is consensus among states.

Additional elements regarding stakeholders’ participation

The permanent mechanism will engage non-governmental stakeholders—such as businesses, NGOs, and academia—in a structured, ongoing, and meaningful way.

Accredited stakeholders will be able to attend key sessions, submit written inputs, and deliver oral statements during dedicated stakeholder sessions. They may also speak after member states, time permitting and at the Chair’s discretion. Participation is consultative only—stakeholders would engage in a technical and objective manner. Negotiation and decision-making are exclusive prerogatives of member states.

NGOs with ECOSOC consultative status may express their interest in participating in the mechanism’s plenary sessions and review conferences by informing the Secretariat. Other relevant and competent stakeholders (beyond those with ECOSOC status) can also apply for accreditation. Accreditation will be granted on a non-objection basis and remain valid for each five-year cycle, with applications accepted annually.

If a member state objects to accrediting a stakeholder, it must inform the Chair and may voluntarily share the general reason for the objection. The Chair will then consult informally with all member states for up to three months to try to resolve the concern and facilitate accreditation. After the consultations, if the Chair believes consensus has been reached, the Chair may propose confirming the accreditation. If consensus is not yet possible, the Chair will continue informal consultations.

The Chair will also hold informal or virtual meetings with stakeholders during intersessional periods. Finally, this stakeholder engagement model is unique to the permanent mechanism and does not set a precedent for other UN processes.