Cyberspace: Council approves declaration on a common understanding

The Council approved a declaration by the EU and its member states on a common understanding of the application of international law in cyberspace.

The declaration signals that international law remains fit for purpose in this digital domain and reiterates that states must abide by certain rules and obligations when conducting activities in cyberspace.

The declaration acknowledges that malicious behaviour in cyberspace, including ransomware, is increasing in scale, severity, sophistication, and impact, presenting a major challenge and threat to the functioning of European societies, economies, and way of life. However, cyberspace is not a lawless domain.

The respect for and adherence to the UN framework of responsible state behaviour in cyberspace remain essential to maintaining international peace, security, and stability. The EU and its member states therefore reaffirm their full commitment to the implementation of the UN framework of responsible state behaviour in cyberspace, adopted by consensus and repeated on several instances by the UN General Assembly (UNGA), which affirms inter alia that international law, particularly the UN Charter, international human rights law, and international humanitarian law, fully applies to cyberspace.

The EU and its member states will continue working with international partners to establish one single, permanent, inclusive, regular, and action-oriented UN mechanism to implement and advance responsible state behaviour in cyberspace: the Programme of Action.

With this declaration, the EU and its member states show that it is possible to reach a common understanding on a set of fundamental principles and rules of international law applicable to cyberspace. A better global common understanding of how international law applies to cyberspace contributes to enhanced global cyber resilience and further transparency and predictability of, and accountability for, states’ conduct in cyberspace. In that vein, the EU and its member states continue to support third countries through training and capacity building on the implementation of the UN framework of responsible state behaviour in cyberspace, including on how to develop a national, regional, or international position on the application of international law to cyberspace.

Background information

It is the first time the EU and its member states adopt a declaration on this specific topic. The declaration follows the repeated UNGA endorsement of the framework of responsible state behaviour in cyberspace, grounded in the application of international law. The declaration is related to the efforts at UN level, specifically the ‘UN open-ended working group (OEWG)’ on the security of and in the use of information and communication technologies in 2021-2025, established by UNGA resolution UN A/RES/75/240 in 2021.

On April 2024, EEAS presented to the Horizontal Working Party on Cyber Issues (HWPCI) a non-paper on the application of international law to cyberspace. In close cooperation with the Working Party on public international law (COJUR), HWPCI reached an agreement on the text of the declaration on 4 November 2024. The permanent representatives committee (COREPER) confirmed this agreement on 13 November 2024.