OEWG’s tenth substantive session: Entering the eleventh hour

The discussions at this session revealed a range of national perspectives on cybersecurity threats. Malicious use of AI, critical infrastructure attacks and ransomware remained central concerns.

Collective solutions for cyber threats

The consensus remained clear throughout the discussions: cyber threats are a shared challenge requiring collective solutions. 

Nigeria underscored the importance of a comprehensive international framework to harmonise responses to cyber threats. Collaboration between state Computer Emergency Response Teams (CERTs), strategic planning, and continuous monitoring of emerging threats were highlighted as essential components. Albania reinforced the value of cooperative approaches in incident management, warning that cyberattacks could escalate tensions if misattributed. Albania also advocated for robust diplomatic dialogue through strengthened communication channels among CERTs and intelligence-sharing agreements. Uruguay and Argentina underscored the need for knowledge transfer and shared expertise in identifying and responding to cyber threats. Malaysia and South Africa further emphasised that fostering collaboration among technical experts, academia, and government officials would enhance cybersecurity preparedness. Bosnia and Herzegovina emphasised resilience-building through strategic communication and public awareness. 

Capacity building remained a priority for developing nations. Mauritius and Malawi stressed the urgent need for technical assistance, funding, and training to strengthen cybersecurity frameworks in regions facing resource constraints. Indonesia echoed this sentiment, advocating for increased knowledge sharing and technical cooperation to collectively address evolving threats. Nigeria advocated for capacity building in developing nations to reduce technological dependency and improve cybersecurity defences. Ghana called for greater investment in cybersecurity research and innovation to bolster national defences. 

Australia pointed to cyber sanctions as a means to deter malicious actors and impose tangible consequences on cyber criminals. Switzerland, focusing on the increasing threat of ransomware, stressed the need for states to uphold international law, reinforce resilience, and enhance international cooperation.

A particular concern was the spread of misinformation and disinformation, which Nigeria suggested should be countered through the circulation of accurate information without infringing on freedom of expression.

Final Report: How to best reflect discussions on threats

Several delegations emphasised key issues for inclusion in the OEWG final report. The EU, Croatia, New Zealand, and South Korea supported continued references to ransomware. 

China’s concerns for the final report include the risks of politicizing cybersecurity and ICT, which threaten global cooperation and digital integrity. It also highlights the rising cyber tensions conflict, particularly with offensive strategies and attacks on critical infrastructure. China stresses the importance of addressing false claims about cyber incidents, which harm trust between nations. It calls for secure ICT supply chains and the prevention of backdoors in products. 

China advocated for a comprehensive, evidence-based approach to data security in the AI era, focusing on data localisation and cross-border transfer issues. Malaysia supported China on the importance of addressing data security which should be included in the final report. 

El Salvador urged that the annual reports reflect the importance of safe and transparent data management throughout the whole life cycle with practices that protect privacy, particularly relevant for generative AI models, which Malaysia supported. 

El Salvador also believes that it’s essential that the report includes a reference to the development of cryptographic standards that are resistant in the quantum era, which Czechia echoed.

The future permanent mechanism: How to tackle discussions on threats

As discussions moved toward the future of global cybersecurity governance, the EU proposed a dedicated thematic group under the Program of Action (PoA) to systematically assess threats, enhance security, and coordinate capacity-building efforts. The USA and Portugal reinforced the urgency of this initiative, calling for a flexible yet permanent platform to address cyber threats, particularly ransomware.

Several countries stressed the importance of sector-specific security measures. Malaysia highlighted the need to tailor protections for different industries, while Mexico advocated for harmonised cybersecurity standards and multistakeholder cooperation across the digital supply chain. Mauritius and Malawi reaffirmed the importance of upholding international cyber norms, with Malawi emphasising continued dialogue within the UN Open-Ended Working Group (OEWG).

Australia and Canada pushed for linking emerging threats to responsible state behaviour under international law, with Canada calling for thematic groups to enable deeper discussions beyond general plenary meetings. Switzerland and Germany agreed, underscoring the need to first establish a shared understanding of threats before implementing coordinated responses. France called for shifting from merely identifying threats to actively developing solutions, proposing that expert briefings guide working group discussions.

AI security also emerged as a key concern. Malaysia stressed the role of AI developers in cybersecurity, while Argentina highlighted the private sector’s responsibility in addressing AI-related threats. Italy pointed to the recent Joint High-Level Risk Analysis on AI, which provides recommendations for securing AI systems and supply chains.

Need for new norms vs. implementation of existing ones

The divide persists between states that prioritise implementing the agreed norms (e.g. Japan, Switzerland, Australia, Canada, South Korea, Kazakhstan) and those advocating for new, legally binding rules (e.g. Russia, Pakistan, Cuba). The former group argued that introducing new norms without fully implementing current ones could dilute efforts, while the latter believes that voluntary norms lack accountability, particularly in crises. Italy specifically called for full implementation of existing cyber norms before introducing new ones. 

Among the new norms proposed, Kazakhstan proposed a ‘norm-on-zero trust’ approach, emphasising continuous verification and access controls, although it acknowledged the need to prioritise implementing agreed norms. El Salvador repeated its proposal to update norm E regarding privacy and personal data. China highlighted that existing norms do not cover data security, while Vietnam called for new norms to address emerging technologies and the digital divide.

Some states didn’t propose new norms but sought fresh perspectives on existing ones. The UK suggested categorising the 11 norms into three themes: Cooperation (Norms A, D, H), Resilience (Norms G, J), and Stability (Norms B, C, E, F, I, K). France and the UK also reiterated the need for Norm I to address the non-proliferation of malicious tools. Portugal emphasised the importance of a common understanding of due diligence. Italy prioritised supply chain security, advocating for measures like ICT supply chain security assessments, Software Bills of Materials (SBOMs), national security evaluation centres, and cybersecurity certification schemes.

Some countries (e.g. Malaysia and Brazil) proposed a balanced approach, supporting both the implementation and development of norms. The EU and the USA stressed that negotiations on binding agreements could be resource-intensive and counterproductive. Iran counter-argued that a uniform approach to norm implementation is impractical due to each nation’s unique circumstances. Nicaragua and Pakistan contended that non-binding norms fail to address emerging threats effectively, while China pointed out that the 2015 UN GGE report allows for developing additional norms over time.

Capacity-building as a critical component for cyber norms implementation

Many states, particularly Singapore, Indonesia, Pakistan, and Mauritius, emphasised that implementing cyber norms requires bridging the technical gap between developed and developing nations. Iran and Cuba noted that resource constraints hinder developing countries. Kenya and South Africa advocated for integrating long-term capacity-building into the future UN cyber mechanism to improve norm implementation. Kenya highlighted the challenges posed by varying technical expertise among states. For example, Norm C, which prohibits allowing territory for wrongful acts, requires specific tools and skills not all countries possess.

Singapore argued that each norm has policy, operational, technical, legal, and diplomatic aspects, and developing the capacity to implement these norms is essential for identifying gaps and determining the need for new norms. In this context, the ASEAN-Singapore Cybersecurity Centre of Excellence will launch a series of capacity-building workshops called ‘Cyber Norms in Action.’ 

Voluntary checklists: Cyber norms implementation 

The voluntary checklist is broadly supported as a tool for operationalising agreed cyber norms. Countries (e.g. Colombia, Japan, and Malaysia) view it as a ‘living document’ that should evolve with the evolving landscape of cyber threats. Kazakhstan suggested incorporating best practices for incident response and public-private collaboration.

Despite this support, some countries remain sceptical. Cuba and Iran cautioned against using the checklist as a de facto assessment tool for evaluating states’ cybersecurity performance. China insisted that the checklist remains within the UN information security framework to maintain neutrality. Iran proposed delaying negotiations on the checklist until a broader consensus is reached under a permanent UN cyber mechanism.

An important aspect of the checklist is its potential to promote inclusive cybersecurity governance. The UK, Brazil, and the Netherlands stressed the need to integrate a gender perspective, ensuring that the implementation of cyber norms considers the disproportionate impact on women and vulnerable communities. 

The discussions on international law have shown little progress in drawing closer between the positions. The states have made suggestions on how to capture the progress of the OEWG 2021-2025 in its Final Report and shared opinions on the structure and content of discussions on international law within the future permanent mechanism.

The persistent rift: The need for a new legally binding framework

In the substantive positions of the states on international law, the rift remains between the states that do not see a need for a new legally binding framework and those that do. 

The majority of states (Sweden, the EU, the Republic of Korea, the UK and others) do not see the need for a new legally binding framework and emphasise the need to discuss the application of existing international law in cyberspace. In rushing to discuss new legally binding obligations, the UK sees the risk of undermining the application of core, foundational rules of international law, including the UN Charter.

Cuba, China, Russia, Pakistan, and the Islamic Republic of Iran reiterated their positions, stating that the new legally binding mechanism is necessary to prevent interstate conflicts in cyberspace and to contribute to strengthening cooperation in this area. China has supported the Russian Draft Convention on International Information Security as a good basis for discussions. At the same time, Pakistan and Iran stated that there are gaps in international law that need to be addressed by binding rules.

Despite the Chairs’ call to states to find flexibility in their statements in December 2024 and time pressure, the statements on both sides are repeats of the positions voiced in the past substantive sessions. 

These differences directly translate to the language that the states were proposing to be included in the 2021-2025 OEWG Final Report, as well as positions on how to structure the Future Permanent Mechanism. 

Final Report: How to best reflect progress

States have discussed the proposals on how to best reflect the progress in the 2021-2025 OEWG on international law in its Final Report, as it will serve as a summary of the efforts, positions, and basis for the negotiations within the future permanent mechanism. 

The states predominantly concluded that the OEWG was a successful process and contributed to a greater understanding of international law in cyberspace. Specifically, states (Austria, Sweden, Brazil, Senegal, Canada, Thailand, Czechia, EU, Vanuatu, Switzerland, Australia, Germany and others) saw progress in a number of published national and regional positions on the applicability of international law in cyberspace in the course of the 2021-2025 OEWG. 

There were also specific wording suggestions for inclusion in the Final Report. The Joint Statement on International Law (Australia, Chile, Colombia, the Dominican Republic, El Salvador, Estonia, Fiji, Kiribati, Moldova, the Netherlands, Papua New Guinea, Thailand, Uruguay and Viet Nam) gained support from Czechia, Canada, Switzerland, United Kingdom, Republic of Moldova, Ireland, and others. The re-published paper, now with more co-sponsors, offers a convergence language for the Final Report that includes peaceful settlement of disputes, respect for international human rights obligations, the principle of state responsibility, and application of international humanitarian law to ICT activities during armed conflicts.

Another wave of proposals was focused on including a clear reference to the applicability of international humanitarian law and the fundamental legal principles of humanity, neutrality, necessity, proportionality, and distinction in the Final Report, supported by Sweden, the USA, the Republic of Korea, Malawi, Senegal, the EU, Tonga on behalf of the Pacific Island Forum, Australia, Germany, Republic of Moldova, Ireland, Ghana, Austria, and others. Just like in the 9th OEWG substantive session in December 2024, the Resolution on protection for the civilian population against the humanitarian consequences of the misuse of digital technologies in armed conflict within the framework of the 34th International Red Cross and Red Crescent Conference resonated with the states. 

Brazil has referred explicitly to the Operative Paragraph 4 of that Resolution (‘states recalled that in situations of armed conflict, international humanitarian law rules and principles serve to protect civilian populations and other protected persons and objects, including against the risks arising from ICT activities’) to be included in the Final Report. Canada, France, Netherlands, Czechia, and others supported this proposal. 

Switzerland, which sees the inclusion of the applicability of international humanitarian law as a priority, has also proposed a specific wording for the Final Report that builds on the 34th ICRC resolution and includes medical and humanitarian facilities.

States also called for stronger wording on the applicability of human rights law (Australia, Albania, Malawi, Mexico, Mozambique, Moldova, North Macedonia, Senegal, Switzerland, Thailand, and Germany) in the Final Report.

Cuba and Iran believe the Final Report should include references on setting up a legally binding instrument, and definitions of terms and technical mechanisms.

The future permanent mechanism: How to tackle international law

States further discussed ways that the discussions on international law would be incorporated and framed within the Future Permanent Mechanism. 

States reflected on Annex C of the Chair’s Discussion Paper on Draft Elements on Stakeholder Modalities and Dedicated Thematic Groups of the Future Permanent Mechanism, which proposed a dedicated thematic group on rules, norms and principles of responsible state behaviour and on international law. Mexico, Colombia, Indonesia, and Algeria endorsed the thematic group dedicated both to norms and international law, as they see these as complementary and contributing to safety and security.

Others, such as Sweden, the EU, Czechia, Brazil, and the USA, did not support the Chairs’ proposal to create one thematic group for norms and international law due to the voluntary nature of norms and binding nature of international law and combining these discussions posing a risk conflating distinct legal and policy concepts, that could hinder progress in both areas. 

Canada proposed integrating international law into each of the first three thematic working groups set out in the Chairs’ discussion paper (building resilience, enhancing cooperation in the management of ICT-related incidents, including through CBMs, and preventing conflict and increasing stability in the ICT sphere) to build common understandings on how international law applies to practical policy challenges. Thematic group meetings could include expert briefings on technical and legal topics and scenario-based discussions.

The states have deepened discussions on the Program of Action proposed by France, which seeks to incorporate discussions on international law in a cross-cutting manner in three action-oriented thematic groups: on building resilience, cooperation in the management of ICT-related incidents, and prevention of conflict and increasing stability in cyberspace. This approach was supported by Sweden, Portugal, Czechia, the UK, the EU, Albania, Australia, Germany, Ireland and others. The PoA also foresees the inclusion of non-state experts in cybersecurity, to which the EU and North Macedonia specifically expressed their support. 

In addition to the two proposals above, several states have voiced additional proposals.  

Switzerland generally supported the thematic and cross-cutting working groups as proposed by France but voiced concern that it might not be sufficient for in-depth discussions on international law. Switzerland considers it better if the discussion on the implementation of norms would occur in the cross-cutting working groups. In contrast, the discussion on the application of international law would benefit from a specific forum. 

The USA believes that the states are ready to integrate discussion into practical, thematic working groups oriented toward addressing specific, real-world concerns to international peace and stability and focusing on practical tools. 

Senegal recalled the equal importance and relevance of the five pillars of the OEWG mandate and would be willing to discuss adding a pillar on the application of international law. 

Iran, China and Russia see as a priority within the future permanent mechanism to initiate a substantive discussion on developing legally binding obligations in the ICT field and have a dedicated thematic group on international law. These states do not support the participation of non-state experts in the discussions. 

Ireland does not consider a thematic group on international law necessary or desirable. Their concern would be that such a group could be stifled by being overly outcome-focused and that it would duplicate efforts and divert resources and attention from more dynamic engagement on legal issues within the other thematic groups. Conversely, Egypt sees the need for a dedicated platform on international law in the future permanent mechanism and is sure that the modalities, mandate, structure, and types of discussions can be agreed on by consensus. Egypt sees the discussion as reshaping the content of international law and underscores the need to have a place within the UN to have a multilateral conversation with the participation of stakeholders.

The role of capacity building in fostering a better understanding of states on how international law applies to cyberspace and contributes to promoting peace, security, and stability in cyberspace was underscored by Tonga on behalf of the Pacific Island Forum, Viet Nam, Kenya, Ghana, Canada, Thailand, UK, France, Colombia, and many others.

A more subdued CBMs discussion at this session seems to suggest that states now anticipate the future permanent mechanism to serve as the forum for detailed CBMs discussions. Kazakhstan suggested that addressing subtopics, such as standardised incident response procedures, would be more effective within thematic groups engaged in detailed discussions rather than plenary sessions. Some states voiced a cross-cutting approach to discussing CBMs more efficiently in the permanent mechanism, such as Germany proposing to address CBM 3, 5 and 6 under the single umbrella of the resilience of critical infrastructures.

While the previous session had already seen a decline in the discussion of additional CBMs, only Iran circulated a working paper proposing a new CBM to ensure unhindered access to a secure ICT market for all, aiming to foster global trust and confidence. No other state engaged with this proposal; Germany merely remarked that it might be more appropriately framed as a norm, given its reference to expectations or obligations.

The deliberations on standardised templates further exemplify the subdued nature of this session’s CBM discussions. South Africa, with Brazil‘s support, reiterated its proposal for a template encompassing a brief description of the assistance required, details of the cyber incident, acknowledgement of receipt by the requested state, and indicative response timeframes. Thailand emphasised the necessity for a flexible template, while Korea underscored that it should serve as a communication reference without imposing constraints on interactions. Finally, Kazakhstan reiterated its proposal to have specific templates for different scenarios, such as incident escalation, threat intelligence sharing and cyber capacity-building requests. The Secretariat is anticipated to produce such a standardised template by April 2025. In related matters, Mauritius proposed the development of secure communication platforms for exchanging information on cyber incidents.

This contrasts with the dynamic CBM landscape at the regional level, where numerous states shared their CBM implementations (the United Kingdom, Albania, Korea, Canada, Ethiopia, North Macedonia, Kenya, and the OSCE) often linked to regional initiatives and best practices (Tonga, Bosnia and Herzegovina, Thailand, Ghana, Brazil, Dominican Republic, Philippines). This further illustrates states’ eagerness to advance the operationalisation of CBMs.

The POC: Finally ripe for the picking?

As of the 10th session, 116 states have joined the Points of Contact (POC) Directory—an increase of five since December—registering nearly 300 diplomatic and technical POCs. The Secretariat shared conclusions from the December ping test and provided a detailed overview of the upcoming scenario-based exercise scheduled for March 10–11 and March 17–18, 2025. The Russian Federation actively encouraged remaining member states to participate in the POC Directory, promoting its guidelines on designating UN technical POCs and supporting a UNIDIR seminar aimed at achieving universal participation in the directory.

While most states remained silent regarding the ping test outcomes and their experiences with the POC Directory, three nations expressed dissatisfaction. Russia reiterated concerns about the inactivity of certain POCs and the insufficient authority of some technical POCs, which hampers their ability to respond to Russian notifications—echoing points raised during the 9th session’s CBM discussions. Germany and France jointly addressed issues with a specific state’s use of the POC Directory, noting that their technical POCs received notifications about malicious cyber activities linked to IP addresses in their respective countries. They recommended redirecting these requests to appropriate national authorities; however, identical requests continued to be sent to their technical POCs. This behaviour, they argued, contradicts the principle that the POC Directory should complement existing CERT-to-CERT channels designed for such requests. 

Without directly referencing these situations, China observed that, given the voluntary nature of the POC Directory, member states are free to determine the functions of their POCs, as well as the types and channels of messages they handle. This scenario highlights a broader lack of clear, consensual understanding regarding the POC Directory’s intended use. Mauritius emphasised the need to define clear thresholds for reportable incidents, while Cuba stressed the importance of detailing circumstances under which information exchange should occur. On a side note, the EU proposed that the private sector could participate in the POC directory.

Towards a more integrated approach: CBMs and capacity-building

Most states reaffirmed that capacity-building is a prerequisite to CBM implementation (Kazakhstan, Tonga, Russia, Thailand, Malawi, Laos, Ghana). Cuba and India voiced their interest in gathering the POC Directory in the global portal for capacity-building as a central access point and a core knowledge hub for resources. Pakistan argued that the POC Directory goes beyond crisis management but is a foundation for broader collaboration, including capacity-building. 

Just like CBMs, the capacity-building agenda item is resolutely oriented towards pragmatic discussions and the 10th session proved again to be a privileged forum for member states to share their national and regional practices and initiatives (the EU, Columbia, Singapore, Bosnia and Herzegovina, Poland, Korea, Thailand, Canada, Israel, Albania, Japan, Morocco, Oman, Ukraine, Russia).

Among these experiences, an important number of states specifically highlighted the benefits of various fellowships (Kuwait, Iran), among which the Women in International Security and Cyberspace Fellowship (Mauritius, Ghana, Albania, Kazakhstan, Democratic Republic of Congo, Samoa, Paraguay, El Salvador) and the UN-Singapore Fellowship (Mauritius, Ghana, Albania, Nigeria, Democratic Republic of Congo). In that vein, Nigeria and Kuwait proposed to hold new fellowship programs under the auspices of the UN, similar to other UN fellowships related to international security matters.

Cyber-capacity building on a budget

One main discussing item was the Secretariat’s paper about the Voluntary Fund. An important number of states expressed their support for the fund (El Salvador, Columbia, South Africa, Rwanda, Morocco, Zimbabwe, Brazil, Kiribati, Cote d’Ivoire, Ecuador, Fiji and the Democratic Republic of Congo) and consensus largely emerged on the need to not duplicate existing funding initiatives and reflect on its link with the World Bank Multi-Donor Trust Fund (Germany, European Union, Kuwait, Australia). France specifically questioned whether the UN was a fit structure to support such capacity-building activities, and argued that it could be better positioned to play a role in linking existing initiatives. 

Western countries shared their capacity-building initiatives and specifically addressed the issue of costs. The Netherlands voiced the need to consider the cost efficiency of this initiative, and Canada asked for a more detailed budget, given that the costs presented are higher than those for similar activities that Canada usually finances. Australia reminded the audience that a new trust fund does not mean new money and that it could not support the proposal under its current formulation.

A large share of countries nevertheless positioned themselves in favour of open contributions from interested stakeholders other than member states, such as the private sector, NGOs, academia or philanthropic foundations (Argentina, Paraguay, Malawi, Mauritius, Nigeria, Mexico). Yet, Russia voiced its wariness concerning NGOs and companies sponsoring the fund as they may attempt to exert pressure.

Cuba and Iran warned against the constraining aspect of the fund. Iran specified that the principles guiding capacity-building mentioned in paragraph 10 did not enjoy consensus among member states and warned against attempts to condition capacity-building activities on the adoption of norms.

A portal, sure – but what for?

A second pivotal discussion item was the Secretariat’s paper about the development of a dedicated portal for cooperation and capacity-building based on a proposal made by India and member states’ views. Again, positions were consensual on the idea of a portal (Columbia, United Kingdom, Morocco, Oman, Zimbabwe, Ecuador, Nigeria, El Salvador, South Africa, Rwanda). Consensus also emerged around the fact that it should not duplicate the already existing portals and initiatives, such as UNIDIR Cyber Policy Portal and the Global Forum on Cyber Expertise (GFCE) Cybil Knowledge Portal (Fiji, Mexico, Tonga, Latvia, Mauritius, Germany, France, Samoa, Indonesia, Switzerland, Brazil, Mexico, Argentina, the Netherlands). 

Some delegations tackled the issue in a very pragmatic way. Korea questioned whether simply including direct links to existing portals was appropriate (supported by the UK) and proposed to have a technical review of the integration of the portal, including the POC directory into a new portal to establish an integrated platform (backed by Malaysia). Latvia reflected on potential existing administrative limitations and UN procurement rules about linkages with other websites, based on a previous IGF experience. 

The Secretariat wrapped up this discussion by specifying that the sections pertaining to the technical and administrative requirements were coordinated with ICT office in charge of UN-hosted platforms and websites and encouraged Member States to take a closer look at these sections. Still pertaining to pragmatic questions, Mauritius and India proposed that the portal be multilingual.

The level of publicity of the portal was also discussed. Korea and Kazakhstan proposed that the portal remain fully accessible to the public. Other states introduced nuance in the publicity. The Netherlands asked for the POC directory to remain accessible to member states only, whereas Cote d’Ivoire proposed that only modules 1 and 5 (respectively, the repository of documents and resources and the platform for exchange of information, including the potential participation of non-governmental entities) could be made public. India further suggested 3 levels of access: member states, stakeholders and the general public.

A major point of contention remains the exact content of this portal. Some states reaffirmed an incremental approach to the content of the portal (Kazakhstan, the EU, Australia), starting with basic functionalities, without necessarily specifying what those basic functionalities should be. China and Russia specifically warned against the use of the portal to facilitate information sharing regarding response to threats and incidents.

Indonesia suggested a specific section for stakeholders to share their own best practices, research papers etc., whereas Russia asked for NGO contributions to be published only for state information. On a side note, Cote d’Ivoire proposed to have a publication of an indicative quarterly or annual calendar along with the monthly publication of capacity-building initiatives and events.

The future permanent mechanism: How to tackle capacity building

States also tackled the structuration of capacity-building discussions within the future permanent mechanism. Iran, Argentina, Brazil and Paraguay supported the proposal to have a dedicated working group on capacity-building, as circulated in the chair’s discussion paper. A vast majority of states have defended a cross-cutting approach to capacity-building, with this agenda item being discussed across thematic groups (Tonga, Vanuatu, Canada, Kazakhstan, Kiribati, Ireland, Ukraine, Fiji). 

Some delegates proposed mixed approaches, such as the EU and Australia’s similar view that thematic groups can help identify gaps and specific challenges pertaining to capacity-building, and that these reflections can fuel a horizontal capacity-building discussion in plenary. Indonesia suggested that the thematic groups were the place to focus on technical recommendations rather than duplicating high-level policy discussions. In that vein, Indonesia also suggested establishing terms of reference to frame these discussions.

Finally, states expressed their support for the organisation of high-level panels such as the Global Roundtable on ICT Capacity Building held in May 2024 (the UK, Morocco, Zimbabwe, Kazakhstan, Ukraine, Germany). Thailand recommended that such high-panels be held on a biannual basis, and Australia suggested considering them as a ‘capacity-building exposition’. Canada argued that it should be held at other levels than the ministerial-level to distinguish it from plenary work. It further proposed that it could be a venue for beneficiaries to meet organisations deploying capacity-building activities. The chair recalled the initial scepticism around this initiative but recommends that in the Final Report a decision should be made about the next Global Roundtable.

The agenda item on the regular institutional dialogue captured the most attention of the 10th substantive session — more than 60 delegations in total spoke on this issue. This is not surprising: the current OEWG’s mandate ends in July, and the Chair still does not have a sense of general consensus on what the future permanent mechanism will be. The statements of the countries showed that few states are ready to make concessions and be flexible in discussing the modalities of multistakeholder participation in the future permanent mechanism as well as its architecture.

As the delegations began to repeat their positions from last year, a sharp intervention from the Chair warned them that there is very little time left until the OEWG’s mandate ends, and if states do not want to disrupt the process that has been going on for more than 20 years, then they must make an effort and think about where they can be flexible in their positions.

The Chair also cautioned against equating the future permanent mechanism with either the OEWG or the PoA, noting that some participants remain attached to these frameworks. Instead, the future permanent mechanism should be seen as a synthesis of various proposals, including elements from both the OEWG and the PoA. The Chair pointed out the high risk of not having a consensus on the future permanent mechanism in the end and ‘the risk is even higher than ever before in this 5-year process’. 

The long-running issue of multistakeholder modalities 

The problem of stakeholder participation remained to be the hottest one. A lot of European and South American states, as well as Canada, put together a joint proposal to make the accreditation a more transparent process with disclosure of the basis for objections, and mechanisms to provide participation to more stakeholders as possible. The main principle is ‘to have a voice, not a vote’. Their argument was that stakeholders can serve as experts, especially in thematic groups whose work requires a deeper dive into the issues on the table. Some states advocated for giving the floor to stakeholders during plenaries too.

On the contrary, Russia and other like-minded states were insisting on keeping the already agreed OEWG modalities. The non-objection rule must be in place, but this group of states see the option to disclose the reasons for objection as a violation of the sovereign right of a state. They are also opposed to letting the Chair discuss the accreditation of a particular stakeholder with other states to overcome a veto by voting or any other procedure. Additionally, they don’t like the idea that stakeholders who had received objections be designated as provisional participants.

Another point was to seek already existing modalities for participation, and states recalled the Ad-hoc committee on Cybercrime, but Iran said it was not suitable since it was a temporary body with a specific mandate and limited working period.

The many proposals for thematic groups

The topic that brought the most variations to the discussion was the number and scope of dedicated thematic groups. Some of the proposals were:

• to keep the ‘OEWG pillars’ structure and have the same groups, but that raised concerns about whether it will duplicate the plenaries. 
• to merge some groups and introduce new ones (Chair’s proposal)
• to have three thematic cross-cutting thematic groups on resilience, cooperation, and stability (France)
• to have three groups on threat prevention and response, application of IL and existing and future norms and capacity building (the African group of states).

The majority of states voiced the option to have a special group on capacity building or provide for practical discussions in capacity building across other groups that will be created. 

Also, there was a discussion on whether to create a dedicated group on international law or combine international law with norms. This idea was criticised by the USA, Russia, Israel, and Germany since it merges two distinct areas of binding and voluntary regulation. Switzerland suggested discussing international law as a cross-cutting issue though all groups similar to capacity building. 

Additionally there were thoughts on creating a dedicated group on prevention of conflicts and a dedicated group on critical infrastructure, but they didn’t meet a lot of supporters.

As for the French proposal, which was upheld by the EU member states, the ‘cross-cutting policy-issue-focused working groups’ would go deeper on each OEWG pillar in a balanced way and then would feed it back into the plenary, which is structured the same way as the current OEWG.

The Chair intervened in the middle of the discussion asking the delegates to stop thinking in a binary way: to have either pillars approach or cross-cutting for the thematic groups and contemplate how to combine them all together. 

Some states, as well as the Chair, reminded that the thematic groups do not have to be cemented right now, and there is an option to have shifting agendas, as well as the creation of ad-hoc ones, and rearrangement of the groups after the first review conference of the future permanent mechanism.

Overall, the general impression is that states are inclined to have three groups rather than five to meet the concerns of smaller delegations. 

The format of thematic groups: hybrid or in-person

Delegations also expressed concerns about whether the format will be hybrid or in-person only. Both options have advantages, but some states are worried about limited resources for delegations to attend group meetings and plenaries in New York. In contrast, others question whether the hybrid format will be suitable for formal meetings and provide for closer bilateral and group engagements.