1. The EU signs the UN Cybercrime Convention in Hanoi: A moment to celebrate 

At the official – yet “contradictory” (Cf. Tennant, 2025) – ceremony held in Hanoi (Viet Nam) on the 25th-26th October 2025, the European Union (EU) signed the United Nations Convention against Cybercrime (UN Cybercrime Convention or UNCC). By doing so, the EU became the first «regional economic integration [organisation]» to join what stands as the first «comprehensive international convention on countering the use of information and communications technologies for criminal purposes» (see Article 64(2), UNCC; UNGA Res. 74/247, op. para. 2.).  

At first glance, the joint statement released by the EU and its Member States on that occasion projects a strong “celebratory vibe”. This development emerged as a «welcome […] collective success» aligned with existing EU and Member States’ priorities and commitments (Cf. EU Declaration, 2025). Yet, this enthusiasm clashes with the EU’s more cautious – and at times openly sceptical – stances characterising the entire negotiation process. 

When the UN General Assembly (UNGA) adopted the final text of the UNCC in late 2024, while the EU once more welcomed this «unprecedented» convention, it simultaneously issued a pointed “warning”: it will remain vigilant with regard to the UNCC’s future interpretation and implementation, particularly concerning the protection of human rights, and its Member States will «refuse any request for cooperation that does not respect [the Convention’s] safeguards» (Cf. EU Explanation of Position, 2024). This “watchdog approach” appears, in practice, more consistent with the EU’s original opposition to this convention.

In light of this tension and the several questions it raises, this post analyses some dynamics characterising the evolution of the EU’s position, the reasons behind its initial resistance, its strategic engagement during negotiations, and its ambivalent acceptance of a final instrument that significantly diverges from the outcome the EU advocated for. 

2. The UN Cybercrime Convention as a “trojan horse” for digital authoritarianism? 

From its early stages, the UN Cybercrime Convention has been surrounded by controversies. Non-governmental organisations (NGOs) – in particular – have been vocal about the human rights implications of the obligations deriving from it. Several states and private companies likewise warned that the proposed instrument risked becoming a “trojan horse” at the service of forms of “digital authoritarianism”, thus enabling the targeting of dissidents, minorities, journalists, or political opponents under the guise of combating cybercrime (see EFF timeline; Pavlova, 2025; Stradner & Hester, 2025).

These fears were not completely unfounded. In fact, the UNCC’s design draws heavily on earlier “suppression conventions” – such as the 2000 UN Convention against Transnational Organised Crime and the 2003 UN Convention against Corruption (Tennant & Oliveira, 2024) – while integrating elements of the Council of Europe’s (CoE) 2001 Budapest Convention on Cybercrime and other regional initiatives (Cf. Tropina, 2024). 

Suppression conventions generally require states to criminalise defined conduct, establish associated procedural powers, and facilitate international cooperation (Boister, 2002). Although they usually include some safeguards, they are not “human rights treaties” (Tropina, 2024). Their relationship with human rights is therefore inherently ambivalent. As the “shield and sword” metaphor well illustrates, the protection of human rights constitutes the foundation of criminal justice while their respect constitutes the corresponding limit (Tulkens, 2011).

In this context, the UNCC magnifies these tensions. For instance, compared to the Budapest Convention, the UNCC contains a broader catalogue of offences, grants intrusive procedural powers (applicable not only to “criminalised cybercrime offences” or serious offences, but to any offence involving electronic evidence or an ICT component), and establishes cooperation mechanisms that may operate in the absence of equivalent fair trial and rule-of-law standards. In particular, it introduces a broadly designed passive personality clause for the exercise of jurisdiction (Scher-Zagier, 2025).  

However, while the combination of these elements has fuelled fears that the UNCC may be exploited to legitimise repressive practices, including intrusive surveillance and the silencing of dissent, this is only part of the story behind EU scepticism. A closely related “detail” that cannot escape notice concerns, in fact, the primary sponsors and the political origins of the resolutions that gave impetus to this process.

3. The EU and its less celebrative reactions to the UN Cybercrime Convention’s proposal  

The initiative to negotiate a UN Cybercrime Convention emerged from draft resolutions originally sponsored by Russia and a coalition involving «Belarus, Cambodia, China, the Democratic People’s Republic of Korea, Myanmar, Nicaragua and Venezuela». These were then further supported by a broader coalition of states (UNGA Third Comm., 74th Session, Agenda Item 107, paras. 6-7). At that time, EU Member States were neither among the first group of sponsor states nor among the second group of supporters. In particular, they voted against the draft resolution supported also by this second coalition of states (ibid., para. 10).

Before that vote, speaking for the EU, Finland stressed the absence of consensus «on the need for a new [cybercrime convention]», while other states highlighted risks of duplication with the CoE’s Budapest Convention (Cf. UNGA Third Comm., 74th Session, 49th and 50th Meetings, 2019).  

Why, then, did certain states feel the need to propose and embark upon negotiations for the development and adoption of an instrument alternative to the Budapest Convention?  

Part of the answer concerns some dynamics surrounding the Budapest Convention itself. Although it was adopted under the auspices of the CoE, this convention is one of the most successful and powerful examples of the so-called “Strasbourg effect” (Cf. Bygrave, 2021): a regional multilateral treaty that now includes 81 parties, including 35 non-CoE states (see Budapest Convention Ratification Status). All EU Member States are parties to this Convention. And although the EU itself is not a Party (since the convention’s design predated the post-Lisbon EU institutional framework), in 2013 its core standards were incorporated into EU law through Directive 2013/40/EU. The latter described the Convention as «the legal framework of reference for combating cybercrime» and aimed at «[c]ompleting the process of ratification of that Convention by all Member States as soon as possible» (Cf. Recital 15, Directive 2013/40/EU).

However, this strong “European narrative” surrounding the Budapest Convention’s success also generated some resistance, with Russia considering it “too European” (see Pavlova, 2025). While it is true that the Budapest Convention contains several references to the European Convention on Human Rights, these are substantively limited and, as a matter of “inclusivity”, European human rights standards are accompanied by equal references to the International Covenant on Civil and Political Rights (ICCPR). This criticism therefore appears largely unpersuasive, as attested by the number of non-CoE states that are parties to the Budapest Convention.

Within this complex scenario, the EU’s initial opposition to the UNCC appears grounded in three interrelated concerns: the UNCC’s “political origins”; the fear that a “universal treaty” drafted and adopted within a highly polarised environment could weaken the promotion and protection of EU founding values under the banner of the fight against cybercrime; and the EU’s corresponding interest in preserving and further advancing the “Budapest acquis”. These same concerns simultaneously explain why the EU eventually participated in the negotiations, seeking to shape their outcome from within rather than cede influence to states with divergent preferences. 

4. The UN Cybercrime Convention’s final text vs EU’s expectations: “Signing with care”  

Re-examining the EU’s initial 2022 negotiating position reveals a striking tension between that blueprint and the final text signed in 2025. At that time, the EU advocated for a compact convention focused on narrowly defined “cyber-dependent” offences, complementary to existing frameworks and accompanied by strong human rights safeguards (Cf. EU Contribution, 1st Session, 2022). The UNCC’s final text, however, largely diverges on each of these points. 

First, from a substantive perspective, while the UNCC partly overlaps with the Budapest Convention, it also departs from its understanding of “cybercrime” by broadening its scope (Articles 7-17, UNCC). Second, from a procedural perspective, intrusive investigative measures apply to any offence involving electronic evidence and not only to those criminalised by the UNCC or to serious crime (Articles 23, 25-30, UNCC). Third, Article 22 on jurisdiction includes a broad passive nationality basis (Scher-Zagier, 2025), only partially tempered by a reference to respect for states’ sovereignty (Article 5, UNCC). Fourth, while Article 6 UNCC affirms that “human rights must be respected” and «[n]othing in th[e] Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms», it does so against the background of widely diverging human rights standards among the wide array of possible parties.

In addition, what catches the attention in relation to the illustrative list of “rights at risk” contained in Article 6 UNCC is that the right to privacy is not explicitly mentioned – despite being one of the most directly affected. In this connection, two separate opinions by the European Data Protection Supervisor (EDPS) stressed the importance of taking the right to privacy and the protection of personal data into due consideration given the nature of this convention (Cf. EDPS, 2022; 2025). 

These elements show that the UNCC’s final text only partially aligns with the EU’s desired outcomes. In this light, its signature in Hanoi cannot be read as an endorsement full of satisfaction. Rather, it reflects the EU’s strategic effort to remain engaged in increasingly fragile and polarised multilateral fora.  

Although the agreed regime is “imperfect” and does not reflect what the EU originally advocated for, the EU’s explanatory position on the adoption of the UNCC’s final text is clear: once the treaty enters into force, the role of the EU and of its Member States will be one of vigilance, upholding existing safeguards, and actively contributing to the “life” of this newborn instrument (Cf. EU Explanation of Position, 2024). 

Taken together, these dynamics point to an interesting parallel. In this process, the EU has in fact assumed at the UN level a role akin to that long exercised by the CoE within “broader Europe”, acting as a custodian of fundamental rights and freedoms that seeks to promote and stabilise effective standards for a heterogeneous community of states (Cf. Levantino & Paolucci, 2025). 
