If your work entails data, investigations, platform governance or cross-border cooperation, the UN has cast a long shadow that will soon be relevant to you. In December 2024, the UN General Assembly adopted the UN Convention against Cybercrime (UNCC), following five years of deliberation. The convention opens for signature in Hanoi on 25 October 2025, and will enter into force for the first thirty ratifying states, 90 days after the 40th ratification.
One way to think of the UNCC is as a “plumbing” treaty: it harmonises core cybercrime offences, establishes investigative powers for seeking electronic evidence, and, most importantly, creates a “fast track”, treaty-based cooperation process for obtaining electronic data across jurisdictions. That plumbing is powerful whichever way it flows; whether it flows favourably or floods our rights is the debate.
WHAT THE CONVENTION IS (AND ISN’T)
The UNCC is not a content-removal tool, and it does not replace the Council of Europe’s Budapest Convention wholesale. It is a global treaty trying to reconcile very different legal systems. Its stated purposes are to: prevent and combat cybercrime; strengthen international cooperation; and provide technical assistance and capacity-building (especially to developing countries).
THE LAYOUT IS IN THREE TIERS
1. Criminalisation (Chapter II). Parties are required to criminalise “cyber-dependent” offences: illegal access (hacking), illegal interception, data/system interference, and misuse of devices. The chapter also covers computer-related fraud and computer-related theft, a taxonomy of sexual-exploitation offences (e.g., child sexual abuse material), and the non-consensual dissemination of intimate images.
2. Procedural powers (Chapter IV). Parties are required to provide for the preservation of electronic evidence (and prioritise preservation of traffic data, content data, and subscriber data). They need production orders, the ability to search and seize data, and, arguably the most sensitive power, real-time collection of traffic and content data (also subject to domestic conditions and safeguards).
3. International cooperation (Chapter V). Beyond the expected obligations of refined mutual legal assistance (MLA), the treaty provides for requests for the preservation of electronic data, operational assistance relating to stored data and to real-time traffic and content data interceptions, and the designation of a 24/7 communication point to process urgent cross-border requests.
TWO DESIGN CHOICES HAVE POTENTIALLY LARGE IMPLICATIONS:
Electronic evidence for “any offence.” While the offence list is limited, the procedural chapter applies to electronic evidence collection for “any criminal offence” and not just “cybercrime,” and several cooperation duties extend to “serious offences” as defined by domestic maximum penalties (usually 4+ years). That is a pretty big funnel for surveillance and data-sharing.
Future protocols. After the treaty enters into force, each State Party may negotiate an additional protocol. If there is no consensus, a vote of two-thirds of the States Parties present can still be taken to adopt it, assuming at least 60 States Parties support tabling it. This keeps the door open to expand the treaty’s criminalisation chapter.
THE RIGHTS AND SAFEGUARDS PUZZLE
The Convention contains human-rights language (including a general clause and a dedicated conditions and safeguards article). It requires proportionality and respect for international human-rights obligations; the document references the data-protection principles outlined in the Council of Europe Convention 108.
Critics argue the devil is in the “optional.” Many safeguards (e.g., judicial review, grounds thresholds, effective remedies, provisions for research, journalism, etc.) are left to domestic law. Human-rights defenders argue that, in practice, mandatory surveillance powers coupled with optional safeguards lead to systemic instability, especially where cross-jurisdictional cooperation spans legal systems with limited accountability and oversight.
Civil-society analyses also flagged several pressure points:
• Open-ended evidence-sharing. Tools designed for cyber-dependent crimes enable law enforcement and judicial authorities to gather and share e-evidence for any serious offence as defined locally.
• Dual criminality flex. The treaty allows (but does not require) parties to refuse to act on requests concerning acts that are not a crime at home, and it allows for refusals because of the risk of persecution, but the thresholds for each are high, and implementation is left entirely to the national level.
• Reservations risk. Some states signalled in the negotiating phase that they might consider reserving against any human-rights clauses, which would quickly raise arguments under the ILC Guide on Reservations about compatibility with the treaty’s object and purpose.
To be fair, proponents of the treaty reply that demanding stricter uniform safeguards would have doomed consensus; that proportionality plus domestic safeguards are enough; and that the treaty at least gives states without MLATs an avenue to help with real harms, like CSAM, ransomware, and mass fraud.
RELATIONSHIP TO THE BUDAPEST CONVENTION
For twenty years, the Budapest Convention has been the main treaty on cybercrime and has an active practitioner community. Many states will be parties to both treaties and will choose the most effective channel on a case-by-case basis. The Budapest Convention’s narrower focus on cyber-dependent offences and specific procedural toolbox influenced a lot of the fundamentals of the UNCC, but the UNCC is global and broader in its cooperation scope.
Negotiating the treaty was also politically charged, with Russia historically opposing the Budapest Convention and advocating for a UN process. The UN document is a compromise: a broad architecture for cooperation, a limited number of offences (for now), and many safeguards left to national law.
HOW THE CROSS-BORDER PLUMBING WORKS (AND WHY IT MATTERS)
Preservation first, access second. First, a requesting state can request a counterpart to preserve certain data (stop it from being deleted) while preparing a formal MLA request for access. The treaty dictates the necessary content of preservation requests and the 90-day integrity period (extendable under domestic law).
Production and search/seizure. States must have the ability to compel service providers or other custodians to produce stored data (subscriber, traffic, content). Where applicable, authorities may conduct a search and seizure of that data.
Real-time powers (hot zone). Collection of traffic data in real time and assistance with intercepting content are potential flash points. The treaty states that the parties shall “endeavour” to assist in traffic data collection and may assist in content interception, consistent with domestic law and relevant treaties. The nuances here will drive the final rights outcomes.
24/7 contacts. Like Budapest, the UNCC creates 24/7 contacts for urgent cooperation. Expect these desks to become important triage nodes for ransomware, dark-web harm, and fast-moving fraud.
TIMELINES AND STATUS
• Adopted: UNGA, 24–25 December 2024 (A/RES/79/243, text attached).
• Signature: 25–26 October 2025 (Hanoi, Viet Nam), followed by UN Headquarters, New York, from then until 31 December 2026.
• Entry into force: 90 days after the 40th ratification/acceptance/approval/accession instrument is deposited.
For practitioners, the 2025–2027 period is when states will sign, enact, and implement laws and operationalise cooperation mechanisms. Expect capacity-building projects and model-law toolkits to be piloted.
IMPORTANT COMPLIANCE AND LITIGATION ISSUES TO CONSIDER
1. National law safeguards. Do the statutes implementing the treaty provide for judicial approval, necessity (not just proportionality), notice and remedies if possible, and targeting restrictions for real-time disclosures? How constrained are bulk or general requests?
2. Provider obligations. What data retention or technical assistance obligations do these requests create for providers? Will states require encryption backdoors to comply with a foreign request, and what checks are in place?
3. Dual criminality and refusals. How does the state exercise its refusal grounds, especially if the request relates to political crimes, speech crimes, and security research?
4. Future protocols. Will a protocol attempt to add “content” crimes (e.g., extremism, “misinformation”)? Look at the procedure (60 sponsors; a two-thirds vote?) and the potential for democracies to block human-rights protections in add-ons.
5. Budapest interaction. For countries that are party to both treaties, forum shopping and conflicts of law could arise, particularly where Budapest best practice has more rigorous, judicially tested safeguards.
REGIONAL PERSPECTIVES (ONE EXAMPLE: INDIA)
India backed the United Nations process and has long been unwilling to join Budapest on account of its non-participation in the drafting of Budapest. The UNCC offers India a global cooperation chassis without that political baggage. Expect India to engage in capacity-building and South-South cooperation, and to update its domestic electronic-evidence toolkit in parallel. At the same time, India and its partners are going to have to calibrate the grounds for refusing requests carefully, to avoid legitimising cross-border requests that have a chilling effect on speech or target dissent.
BOTTOM LINE
The UNCC is a landmark for multilateral criminal cooperation in the digital age. It will create rigid, but fast, channels to chase criminals across borders; it is a significant step forward for investigators and victims who have been asking for years. But the architecture of mandatory powers with flexible safeguards means the implementation phase will be crucial. The treaty could be a net positive if states enact strong, rights-respecting domestic protections and apply strict scrutiny to collaborators’ cross-border requests. Otherwise, states could weaponise these same channels for transnational repression.
Regardless, the story is not over yet. Keep an eye on Hanoi in October 2025, the first 40 ratifications, and the protocols docket. The law of cybercrime and the freedom of the open internet will be shaped here next.
REFERENCES
UN documents and official sources
UNODC, United Nations Convention against Cybercrime – Full Text (web version, information only) https://www.unodc.org/unodc/en/cybercrime/convention/text/convention-full-text.html accessed 5 September 2025.
UNODC, United Nations Convention against Cybercrime – Convention Home (Status) https://www.unodc.org/unodc/cybercrime/convention/home.html accessed 5 September 2025.
UN General Assembly, Resolution 79/243, United Nations Convention against Cybercrime (31 December 2024) A/RES/79/243 (annexing the Convention text).
United Nations in India, ‘UN General Assembly adopts landmark convention on cybercrime’ (Press Release, 25 December 2024) https://india.un.org/en/286669-un-general-assembly-adopts-landmark-convention-cybercrime accessed 5 September 2025.
Civil-society and expert commentary
Electronic Frontier Foundation (Katitza Rodriguez), ‘The UN General Assembly and the Fight Against the Cybercrime Treaty’ (26 September 2024) https://www.eff.org/deeplinks/2024/08/un-general-assembly-and-fight-against-cybercrime-treaty accessed 5 September 2025.
Human Rights Watch, ‘New UN Cybercrime Treaty Primed for Abuse’ (30 December 2024) https://www.hrw.org/news/2024/12/30/new-un-cybercrime-treaty-primed-abuse accessed 5 September 2025.
Karine Bannelier and Eugenia Lostri, ‘Is Anyone Happy With the UN Cybercrime Convention?’ Lawfare (2 December 2024) https://www.lawfaremedia.org/article/is-anyone-happy-with-the-un-cybercrime-convention accessed 5 September 2025.
Comparative context (Budapest Convention)
Council of Europe, ‘About the Convention – Cybercrime (Budapest Convention)’ https://www.coe.int/en/web/cybercrime/the-budapest-convention accessed 5 September 2025.
Council of Europe, ‘Budapest Convention and related standards’ https://www.coe.int/en/web/cybercrime/the-budapest-convention-old accessed 5 September 2025.


