- The UN’s new Hanoi Convention against Cybercrime, adopted in December 2024, creates a global framework to criminalize key cyber offences and streamline cross-border cooperation.
- It mandates 24/7 national contact points, expedited preservation of digital evidence, and stronger public-private cooperation, aligning with cybersecurity industry priorities.
- Over 70 states and the EU have signed, but the treaty will only enter into force after 40 ratifications and will require significant legal and institutional reforms.
- Civil society and companies like Kaspersky warn that vague offence definitions, weak human rights safeguards, and unclear protections for white-hat hackers pose serious risks and demand supplementary protocols and standards.
Read More
The United Nations Convention against Cybercrime—the “Hanoi Convention”—marks a landmark in international law. Adopted on 24 December 2024 after five years of negotiation, it provides a comprehensive framework for states to criminalize certain cyber-dependent and cyber-enabled offences, improve cross-border legal cooperation, and enhance digital evidence sharing. Significantly, the treaty obligates states to establish 24/7 points of contact and expedited procedures for preserving digital data, reflecting operational priorities of cybersecurity practitioners.
The signing ceremony in Hanoi on 25-26 October 2025 represented both political momentum and diplomatic complexity. Seventy-one states plus the EU signed at the ceremony, and additional signatures bring the count to 72. The treaty requires ratification by 40 states (through ratification, approval, acceptance or accession) to enter into force, likely in 2027. States now face the task of aligning domestic laws with treaty obligations—often involving legislative reform, infrastructural investment, and judicial training.
Operationally, corporate actors like Kaspersky welcome aspects such as public-private cooperation, mechanisms for evidence preservation, and standards that harmonize international investigations. However, the framework’s effectiveness will depend heavily on how states address gaps: notably, the treatment of white-hat hackers, establishing globally accepted forensic standards, and building legal channels for threat intelligence sharing while safeguarding civil liberties. [Primary Article]
Yet, the Convention has drawn criticism. Civil society and technology companies warn that vague terms (e.g., defining offences or cross-border data requests), hasty or uneven implementation, and weak human rights language may allow for misuse—especially in jurisdictions with poor rule of law. For signatory states, satisfying treaty obligations without undermining democratic norms will be a balancing act and could affect international trust.
Strategically, there are investment implications: cybersecurity firms are likely to benefit from increased demand for forensic tools, compliance technologies, secure data-sharing platforms, and consultancy services in legal alignment. States in developing regions may require capacity-building and foreign assistance; international organizations like UNODC are central. However, regulatory risks and geopolitical divides could complicate which jurisdictions can operate freely under the new norms. Key open questions include the timeline and pace of ratifications, concrete protocols and supplementary agreements, how states codify human rights protections, and how private sector actors navigate participation without incurring legal exposure.”
Supporting Notes
- UN General Assembly adopted the treaty on 24 December 2024, after five years of negotiation chaired by an Ad-Hoc Committee.
- The treaty establishes 24/7 national points of contact and expedited preservation of computer data to address urgent cross-border cybercrime cooperation.[Primary]
- Signing ceremony held in Hanoi, Vietnam on 25-26 October 2025; 71 states plus the EU signed at the ceremony; total signatures number between 71-72.
- Entry into force requires 40 ratifications, acceptance, approval, or accession; treaty remains open for signature until 31 December 2026.
- Convention criminalizes both cyber-dependent crimes (e.g., hacking) and cyber-enabled crimes (e.g., online fraud, terrorism), and explicitly addresses non-consensual dissemination of intimate images.[Primary]
- Key critiques cite the treaty’s vague definitions and risks of human rights abuses, particularly with data sharing and definitions of core offences; concerns about surveillance in authoritarian contexts; potential penalty for ethical hackers under unclear legal protections.[Primary]
- Kaspersky emphasizes missing protections for penetration testers (“white-hat hackers”), and calls for supplementary protocols and common forensic standards. [Primary]
Sources
- www.ungeneva.org (UN Geneva) — 24 December 2024
- www.interpol.int (INTERPOL) — 23 December 2024
- www.ungeneva.org (UN in Viet Nam) — 25 October 2025
- www.unodc.org (UNODC) — 2025
- vietnamnews.vn (Vietnam News) — 26 October 2025
- www.reuters.com (Reuters) — 22 October 2025
- en.wikipedia.org (Wikipedia) — accessed January 2025