After several years of contentious negotiations, late last year the United Nations General Assembly adopted the UN Convention against Cybercrime (the “UNCC”)the most significant international agreement on cybercrime and electronic evidence in more than two decades. Following a signing ceremony in Hanoi, Vietnam in October 2025, where seventy-two states indicated their intent to ratify the agreement, the UNCC—with its broad application and expansive mutual assistance obligations—is poised to significantly reshape cross-border cooperation on cybercrime.
This Data Blog post provides an overview of the UNCC, summarizes its key provisions, and identifies steps companies should consider taking as the UNCC is gradually incorporated into domestic laws.
Background on the UNCC
The UNCC is intended to provide a global framework for cooperation against “cybercrime”—broadly defined. It has a similar purpose as the Council of Europe’s Budapest Convention, which to date has been the primary international instrument in this area, harmonizing “cyber” offenses across its State Parties and creating procedures to support cross-border investigations and evidence-sharing. But whereas Budapest is only open to Council of Europe members and invited countries, such as the United States, the UNCC is open to all UN Member States. It is also broader in scope than Budapest, potentially extending to a wider array of cyber-related crimes, as well as “serious crimes” punishable by at least four years’ imprisonment.
Despite concerns from civil society and the private sector about the UNCC’s breadth, the General Assembly adopted the final text in December 2024. For the initial group of signatories—including China, Russia and the EU—the next step is ratification and implementation through domestic law. That process will be key in shaping the exact contours of the new mutual assistance framework and will likely take several years, as many jurisdictions will need to pass new legislation to give effect to the UNCC’s obligations. Other States who have not yet signed, such as the United States, may also begin this process over the next year. Once forty States have ratified the UNCC, it will enter into force.
Key Provisions
Depending on how States Parties implement the UNCC, companies who qualify as “service providers” could be saddled with new obligations to collect, preserve, and disclose certain categories of data—including in real-time—to law enforcement agencies upon request. Key provisions include:
1. Scope of Application.
Covered entities: The powers given to States Parties under the UNCC, including the power to require preservation or access electronic evidence, could potentially cover any evidence held by any “service provider”—i.e., any public or private entity that “[p]rovides to users of its service the ability to communicate by means of an information and communications technology system” or “[p]rocesses or stores electronic data on behalf of such a communications service or users of such a service”.
Covered crimes and activities: These powers apply to (i) designated criminal offenses established under the UNCC, (ii) other “criminal offences committed by means of an information and communications technology system”, (iii) “any serious crime”—defined as any offense punishable under domestic law by at least four years’ imprisonment—and even to (iv) “the collection of evidence in electronic form of any criminal offence.”
Covered data: States Parties may compel production of various defined types of evidence, including “content data”, “traffic data”, and “subscriber information”.
2. Procedural Powers. States Parties must adopt procedures to investigate and prosecute covered crimes, including measures requiring service providers to preserve and share electronic evidence and collect content and traffic data in real-time. They can also impose confidentiality obligations on service providers who receive investigative orders.
3. International Cooperation. The UNCC sets out procedures for mutual assistance in preserving and accessing evidence, including how a State Party should vet and execute incoming requests for assistance. It also requires each State Party to establish a 24/7 contact point to process requests and encourages prompt sharing of relevant evidence and communications.
4. Safeguards and Human Rights. Safeguards for human rights provided under domestic law—including judicial review, the right to remedy, and the protection of personal data—must extend to UNCC-related obligations.
5. New Substantive Crimes. Where not already criminalized under domestic law, States Parties must enact laws criminalizing a range of cyber-dependent and cyber-enabled conduct, including illegal access and interception, interference with electronic data and information and communications technology systems (“ICT”), online child sexual abuse material, and non-consensual dissemination of intimate images.
What Service Providers Can Expect
The UNCC’s impact on service providers will depend on how each jurisdiction implements its provisions and how authorities interpret the UNCC. At a high-level, however, service providers might expect the following:
1. Increased volume or breadth of data production orders, particularly as non-Budapest jurisdictions sign onto the UNCC and the scope of eligible crimes likely broadens;
2. Potentially broad or onerous requests, and / or requests that conflict with other applicable laws, internal company policies, or human rights standards (notwithstanding the requirement that States Parties implement safeguards);
3. New technical and operational demands, including collection of data in real time or on an expedited basis—in light of the 24/7 network of assistance established under the UNCC—as well as confidentiality requirements regarding law enforcement orders; and
4. Potentially discrepant standards for processing requests across jurisdictions, depending on how the mutual assistance obligations are implemented between States Parties, creating complexities in how to assess and respond to government demands.
What Service Providers May Want to Do to Prepare
1. Monitor Implementation in Key Jurisdictions. Identify the jurisdictions most relevant for your business, including where covered data is stored. Track the status of the UNCC’s implementation into local law, as well as any related regulatory guidance.
2. Maintain Relationships with Law Enforcement. Consider proactively engaging with cybercrime authorities in key jurisdictions, including the authority designated as the State Party’s “central authority” for coordinating requests under the UNCC, to understand how they intend to implement the UNCC framework.
3. Assess Internal Systems for Processing Requests. Consider whether internal systems for compliance, vetting, and escalation are equipped to handle a potential influx of new government data requests, including urgent requests issued under the UNCC’s expedited preservation and disclosure provisions.
* * *
To subscribe to the Data Blog, please click here.
The Debevoise STAAR (Suite of Tools for Assessing AI Risk) is a monthly subscription service that provides Debevoise clients with an online suite of tools to help them fast-track their AI adoption. Please contact us at STAARinfo@debevoise.com for more information.
The cover art used in this blog post was generated by ChatGPT-5.
