In crimes such as robberies or kidnappings, both the criminals and victims must directly interact in person, so it is obvious that they must both be in the same country for the crime to be committed. Local and/or federal authorities address such crimes. But cybercrimes involving data theft and ransomware, for example, can be (and often are) committed by criminals based in other countries. How can local authorities address such crimes? The lack of a formal structure for cooperatively investigating these crimes is an important gap that the United Nations Treaty on Cybercrime is intended to address, at a time when global cyberattacks and related costs are increasing.
Adopted by the entire UN General Assembly in December 2024 after five years of negotiation, the treaty, formally known as the United Nations Convention Against Cybercrime, establishes the first universal framework for investigating and prosecuting offenses committed online — from ransomware attacks and financial fraud to the nonconsensual sharing of intimate images.
The multilateral treaty is the first of its kind. It opened for signature by individual member countries in October 2025 and will enter into force 90 days after the 40th country deposits its instrument of ratification, acceptance, approval, or accession. The United States has not signed the treaty as of this writing; the U.S. Senate would ultimately have to vote on a resolution of ratification. The treaty has some controversial aspects, particularly concerning data seizure and online privacy, that some countries might alter or reject (more on that below). In any case, companies are expected to have to deal with this treaty if they do business in countries that ratify it, just as they have had to deal with the European Union’s General Data Protection Regulation (GDPR) since it went into effect in 2018.
Based on several straw polls that we conducted at cybersecurity conferences in recent months, almost no one (and we polled cybersecurity professionals) has heard of the UN’s cybercrime treaty, despite its expected global impact. It is important for business and IT leaders to understand the treaty’s potential benefits and limitations — and new responsibilities that it imposes on all businesses. Organizations that prepare will be better positioned.
What Does the UN Treaty on Cybercrime Cover?
The treaty addresses two different but important issues: What is a cybercrime? And who is responsible for doing what, especially when it comes to law enforcement and companies?
What is a cybercrime?
Laws around the world differ in many ways. Given that cybercrimes are relatively new and happen in different countries in different ways, there has been no standard definition for what a cybercrime actually is. One goal of the treaty is to establish a baseline of agreed-upon cybercrimes.
A few examples:
- Article 7: Illegal access. Criminalizes unauthorized access to information and communications technology systems.
- Article 11: Misuse of devices. Prohibits the production, sale, or possession of devices designed primarily for committing cybercrimes.
- Article 14: Offenses related to online child sexual abuse or child sexual exploitation material. Criminalizes various online activities or materials related to child sexual abuse.
What are the new responsibilities for law enforcement?
Having a common understanding of what a cybercrime is can be helpful as educational material for everyone, but that doesn’t directly lead to action. The second goal of the treaty is to define responsibilities and develop means of collaboration to address the cybercrimes.
There are required forms of collaboration for law enforcement agencies. Two examples:
- Article 40: General principles and procedures relating to mutual legal assistance. Establishes a framework for international cooperation in cybercrime investigations.
- Article 41: 24/7 network. Establishes an around-the-clock network of contact points available for immediate assistance.
The articles designate new activities and responsibilities to law enforcement agencies in every country.
How Might the Treaty Impact You?
Probably the most important and significant aspect of the treaty is the responsibilities that victims and other players have in aiding in an investigation. For example:
- Article 25: Expedited preservation of stored electronic data. Allows authorities to order the preservation of specific electronic data.
- Article 28: Search and seizure of stored electronic data. Empowers authorities to search and seize electronic data.
- Article 31: Freezing, seizure, and confiscation of the proceeds of crime. Enables the confiscation of proceeds derived from cybercrimes.
This is where the treaty becomes controversial: Digging deeper into articles 25 and 28, the treaty empowers authorities to search or otherwise access and seize any “electronic data” in a computer system or digital storage medium. This could impact systems beyond those directly involved in a cybercrime, since it allows authorities to extend their search to other connected or remotely accessible systems if they believe that the relevant data is accessible from the targeted system. Furthermore, authorities can make and retain copies of data and may render it inaccessible in the targeted system.
Article 28(4) of the treaty requires countries to have laws that can compel any person with knowledge of the system’s functioning (such as employees of the targeted company or the technology companies that might have been deployed to aid in recovery from the cybercrime) to provide the information that will enable access and surveillance by cybercrime investigators. This could include forcing the disclosure of encryption keys or security vulnerabilities.
The scope of these powers is also broad, applying not only to the specific cybercrimes defined in the treaty but also to a wide range of “serious crimes” (generally, those punishable by four years of imprisonment or more) where evidence is in electronic form, including purely domestic offenses. In this regard, certain aspects of the treaty will ultimately need to be settled by the courts, especially controversial aspects that apply to the definition of “serious crimes”; for example, there is the possibility that LGBTQ+ people could be targeted in the 64 UN member states in which homosexuality is illegal.
Pushback and Concerns About the Treaty
International governance frameworks face inherent challenges in regulating a wide range of digital activities. A central difficulty lies in distinguishing harmful conduct from legitimate behavior, given that online interactions rarely fit neatly into fixed legal categories. As a result, enforcement mechanisms in the UN treaty that were designed to address genuine threats may unintentionally constrain lawful activities that resemble prohibited ones. For example, cybersecurity researchers conducting ethical testing to locate vulnerabilities may trigger “illegal access” provisions. Whistleblowing platforms and online advocacy initiatives that disclose discovered vulnerabilities (with the intention that they be fixed) could face restrictions under broadly framed enforcement powers.
This tension is most evident in the treaty’s handling of child sexual abuse material (CSAM), which represents one of its primary regulatory priorities. While there is universal agreement on the need to combat CSAM and protect children, implementing safeguards remains complex. Automated detection technologies often struggle to distinguish abusive material from legitimate educational, research, or prevention-oriented content. Content moderators and platforms operating in good faith may also face heightened scrutiny despite their protective role. Notably, existing legal frameworks — such as the Children’s Online Privacy Protection Act in the U.S., the U.K.’s Sexual Offences Act, and EU Directive 2011/93/EU on combating sexual abuse of children — have required continuous refinement to balance child protection with lawful online activity.
Beyond these operational challenges, the treaty has also raised broader concerns related to privacy and civil liberties. Critics argue that expansive investigative and cross-border enforcement powers, if coupled with vague definitions and limited safeguards, could disproportionately affect journalists, human rights defenders, nongovernmental organizations, and other civic organizations. Analyses by the Global Campus of Human Rights warn that such mechanisms may enable excessive surveillance, censorship, or data sharing, particularly in jurisdictions with weak oversight. Therefore, stronger privacy and due-process protections will be crucial to ensuring that the treaty upholds the rights and freedoms that it seeks to protect.
How to Plan Ahead
To a certain extent, leaders can think of the current status of the UN Treaty on Cybercrime as resembling that of the GDPR law when it was introduced about a decade ago. The exact details of how the treaty will impact businesses and society are not yet fully known, but in our view, several important consequences seem highly likely.
1. Law enforcement authorities will have new global tools to address the increasingly global spread of cybercrime. That will ideally help all of us in our fight against cybercrime. These powers will be exercised by national authorities, such as the FBI in the U.S. and the EU’s European Cybercrime Centre, with 24/7 networks enabling immediate international cooperation. Even companies operating in a single country could face coordinated cross-border investigations. Planning now can prevent costly disruptions when such investigative actions occur.
2. Individual companies will have additional new responsibilities, especially regarding data retention and sharing. Since changing such corporate policies and procedures is rarely quick and easy, it is best to start addressing these new responsibilities sooner rather than later. As many companies, even those outside the EU, learned from GDPR, ignoring such regulations can be very costly. GDPR’s extraterritorial scope applies to any business, regardless of location, that processes personal data of people within the EU by offering goods or services to them or monitoring their behavior. This means that non-EU companies must comply with the regulation to avoid fines and protect their EU-based customers’ data. (The law also influenced many other countries to adopt similar privacy laws.) Tech giants, including Meta, Amazon, and Google, have faced significant GDPR fines, while even smaller businesses faced fines for unsolicited marketing calls or emails.
3. The treaty’s extraterritorial reach will create complex jurisdictional challenges for multinational corporations. Similar to how GDPR applies to any company processing EU citizens’ data regardless of the company’s location, the UN cybercrime treaty will likely extend enforcement capabilities across borders. For instance, a U.S.-based cloud provider might face simultaneous legal requests from authorities in multiple jurisdictions, each with different procedural requirements and timelines. We saw this jurisdictional complexity emerge with the CLOUD (Clarifying Lawful Overseas Use of Data) Act of 2018, where Microsoft found itself caught between U.S. demands for data stored in Ireland, and EU data protection requirements.
4. Technical infrastructure investments will be necessary to ensure compliance. Companies should evaluate their logging capabilities, data access controls, and ability to quickly isolate and preserve digital evidence. Much like GDPR required organizations to implement appropriate technical measures, the UN treaty will demand similar capabilities but will focus on evidence preservation rather than data protection. When the EU NIS2 (Network and Information Security) Directive came into force in 2023, organizations that had already implemented robust security monitoring faced significantly lower compliance costs than those starting from scratch.
5. Corporate governance structures may need reorganization. Consider establishing a cross-functional task force with representatives from legal, IT, security, and compliance teams. This approach echoes how GDPR drove the creation of privacy teams and data protection officers in many organizations. When the California Consumer Privacy Act went into effect in 2020, multinational companies that had already established GDPR-compliant governance frameworks found that they could use their existing compliance structures to address CCPA requirements. Additionally, clear lines of responsibility and communication channels will be essential for rapid response to international requests. Many of these actions would be beneficial to companies even if the treaty did not exist. Compliance with the treaty would provide a near-term data governance benefit as well as a longer-term benefit for the organization.
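Point 4 above calls for the ability to quickly isolate and preserve digital evidence, and Article 25 describes preservation orders for specific electronic data. The script below is an added illustration of what the technical side of such a preservation step can look like; it is not from the article or from any treaty text. It builds a tamper-evident inventory of the files under a directory (SHA-256 digest, size, and modification time per file, plus a hash over the whole manifest), then re-verifies the hold and reports files that were modified, removed, or added after preservation. The case identifier, custodian name, and sample file contents are constructed placeholders.

```python
"""Evidence-preservation manifest for a legal hold (added illustrative example,
not from the article). Records each file's SHA-256, size and mtime in a JSON
manifest, hashes the manifest itself, and can later detect any drift between
the preserved set and what is on disk."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(obj: dict) -> bytes:
    # Deterministic serialization so the manifest hash is reproducible on re-verification.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, case_id: str, custodian: str) -> dict:
    """Inventory every regular file under root and seal the inventory with its own hash."""
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries.append({
                "path": p.relative_to(root).as_posix(),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {
        "case_id": case_id,          # placeholder value supplied by the caller
        "custodian": custodian,      # who performed the preservation (chain of custody)
        "preserved_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    manifest["manifest_sha256"] = hashlib.sha256(_canonical(manifest)).hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list[str]:
    """Return a list of discrepancies; an empty list means the hold is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if hashlib.sha256(_canonical(body)).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest hash mismatch")
    recorded = {e["path"]: e for e in manifest["files"]}
    for rel, entry in recorded.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"modified: {rel}")
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(present - recorded.keys()):
        problems.append(f"added: {rel}")
    return problems


def demo() -> tuple[int, list[str], list[str]]:
    """Constructed scenario: preserve two files, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample evidence; the address and ticket id are placeholders.
        (root / "mail.log").write_text("2025-10-01 login from 203.0.113.7\n")
        (root / "notes.txt").write_text("incident ticket INC-PLACEHOLDER\n")
        manifest = build_manifest(root, "CASE-PLACEHOLDER", "example custodian")
        before = verify_manifest(root, manifest)
        # Simulate post-preservation drift: one file altered, one file added.
        (root / "mail.log").write_text("tampered\n")
        (root / "extra.bin").write_bytes(b"\x00")
        after = verify_manifest(root, manifest)
        return len(manifest["files"]), before, after


if __name__ == "__main__":
    count, before, after = demo()
    print(f"preserved {count} files; before: {before}; after: {after}")
```

In practice the manifest would be written alongside the preserved copy and its hash recorded in the case file, so that anyone handed the data later (including the authority that issued the preservation order) can independently confirm that nothing changed after the hold was placed.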
The ideal time for companies to deal with the changes outlined in the treaty is not during a cybercrime event. Planning and testing these new processes and procedures should be started now, to give you the time needed to sort out the complexities that are likely to arise.