On 25 October 2025, sixty-five countries signed the United Nations Convention against Cybercrime in Hanoi, marking the first universal treaty to combat offences such as ransomware, online child abuse, and the non-consensual sharing of intimate images. The treaty, adopted by the UN General Assembly in December 2024 and now open for signature until December 2026, will enter into force after 40 ratifications. While UN Secretary-General António Guterres hailed the agreement as a historic step toward a safer digital world, civil society organizations warn that its broad definitions could enable state surveillance and threaten journalists and activists. The European Union has authorized its institutions and member states to sign but must still navigate internal ratification procedures and ensure the treaty aligns with existing EU laws and human-rights standards.
Milestone treaty signed in Hanoi
The Convention against Cybercrime – also known as the UN Cybercrime Convention – was adopted by the UN General Assembly in December 2024 after five years of negotiation. It opened for signature on 25 October 2025 in Hanoi, where sixty-five countries signed the treaty. The agreement establishes the first global framework for investigating and prosecuting cyber-dependent and cyber-enabled crimes, including phishing, ransomware, online financial fraud, and the non-consensual dissemination of intimate images. It also requires signatories to share electronic evidence across borders and creates a 24/7 cooperation network, with entry into force triggered 90 days after the fortieth ratification.
At the signing ceremony, UN Secretary-General António Guterres hailed the treaty as a “powerful, legally binding instrument” to strengthen collective defenses, warning that “every day, sophisticated scams defraud families, steal livelihoods and drain billions of dollars from our economies.” He called the Convention a victory for victims of online abuse and urged countries to ratify swiftly, stressing that technology’s benefits come with new vulnerabilities.
EU ratification process and harmonization
The treaty allows regional organizations like the European Union to sign and ratify once at least one member state has ratified. On 13 October 2025, the Council of the EU authorized the European Commission and member states to sign the Convention. However, EU participation is not automatic: the Council still must adopt decisions to sign and conclude the treaty, and the European Parliament must give its consent. Each member state will launch its own procedures for signature and ratification in accordance with national law. Only after these steps can the EU formally become a party.
While the Convention aims to harmonize criminalization of cybercrime, the EU already has robust legislation. For example, offences such as online child sexual abuse, grooming, and non-consensual dissemination of intimate images are criminalized under EU directives, though not all jurisdictions worldwide have equivalent laws. The Convention therefore complements existing EU law but does not erase national differences; implementation may still vary among states.
Debate over safeguards and definitions
The treaty contains human rights and data-protection safeguards: signatories can refuse cooperation if requests are used to commit human-rights abuses or contradict domestic laws. It also stipulates that human rights must be respected during investigations. UNODC, which led the negotiations, says the agreement promotes legitimate security research and protects privacy.
Civil society groups and tech companies argue that these safeguards are insufficient. A coalition led by ARTICLE 19 warns that the draft convention remains over-broad, requiring states to criminalize cyber-enabled offences and referencing other international conventions without clarity. They caution that vague definitions could criminalize legitimate online expression, deepen gender inequality, and fail to protect security researchers, whistleblowers, and journalists. Global Voices notes that authoritarian regimes have promoted ambiguous definitions of cybercrime, which could encompass criticism and human-rights advocacy, and that the treaty lacks clear safeguards to protect exiled defenders and journalists. Critics also highlight that the treaty makes dual criminality optional, potentially allowing states to prosecute conduct abroad that is not illegal at home.
In an interview with Reuters, the Cybersecurity Tech Accord – which includes Meta and Microsoft – labelled the agreement a “surveillance treaty,” warning that it could facilitate state data sharing and criminalize ethical hackers. They urge governments to ensure definitions are narrow and safeguards enforceable.
Balancing cooperation and rights
Supporters argue that the Convention is a necessary response to a surge in cybercrime costs and a lack of global coordination. It criminalizes emerging offences like non-consensual intimate-image sharing and provides tools for cross-border collaboration, areas where gaps currently exist. Proponents also emphasize that the treaty builds on the Council of Europe’s Budapest Convention and integrates privacy safeguards.
Yet critics maintain that the broad scope could normalize surveillance and suppress dissent unless robust amendments are introduced. They call for stronger references to international human-rights law, explicit protections for journalists and researchers, and clear limits on information sharing. As debates continue, EU lawmakers will scrutinize the treaty to ensure alignment with the EU’s General Data Protection Regulation and Charter of Fundamental Rights.
Looking ahead
The Convention is open for
Leave a Reply