Cyber Diplomacy in Action: EU and Partners Deliver a UN Permanent Mechanism for Responsible State Behaviour and International Law in Cyberspace

July 21, 2025

Author: Joanna Kulesza

The July 2025 adoption of the UN Permanent Mechanism for Responsible State Behavior in Cyberspace marks a significant step in codifying international cooperation in the digital domain. As cyber threats grow and digital interdependence increases, reaffirming the applicability of international law and operationalizing cyber norms is more urgent than ever. This paper analyzes the legal, strategic, and institutional significance of the Permanent Mechanism, focusing on the European Union’s leadership, France’s 2020 initiative, and Poland’s role during its presidency. It assesses how the mechanism strengthens the international framework for responsible state behavior and its implications for future cyber governance. The analysis draws on primary UN documents, including the OEWG Final Report and related resolutions, and integrates policy analysis with legal interpretation. It also includes insights from EU cyber diplomacy and multistakeholder practices. The mechanism reaffirms that international law applies in cyberspace, institutionalizes 11 voluntary norms of responsible state behavior, and establishes a platform for capacity-building, transparency, and cooperation. It introduces structured engagement with civil society, industry, and academia, and promotes practices for protecting critical infrastructure and securing ICT supply chains. The Permanent Mechanism represents a strategic advancement in multilateral cyber governance. It offers a foundation for norm implementation, legal clarity, and cooperation. The EU’s diplomacy has positioned it as a system shaper in this evolving field of digital international relations.

1. The Role of International Law in Cyberspace: A New Era of Global Governance

Digital technologies now underpin essential functions across societies—from infrastructure and financial systems to governance and security. The global and interconnected nature of cyberspace, combined with increasingly complex cyber threats, highlights the need for a coherent international legal framework. Existing rules, including those in the UN Charter, international humanitarian law, and human rights law, remain applicable, but their interpretation in cyber contexts has raised questions around sovereignty, attribution, due diligence, and proportionality.

Despite divergent views, there is growing agreement that international law applies to cyberspace and that states must act responsibly to maintain stability [i]. A significant milestone came in July 2025, when the United Nations adopted a Permanent Mechanism for Responsible State Behaviour in Cyberspace [ii]. Initiated by the UN Open-Ended Working Group (OEWG), this mechanism follows five years of negotiations. It formalizes existing UN agreements on cyber norms, reaffirms the role of international law, and creates a standing forum for cooperation, technical support, and accountability.

This paper examines the legal and political importance of the mechanism. It explores how international law informs state behaviour in cyberspace, tracks the evolution of UN cyber diplomacy, and evaluates the mechanism’s potential to enhance global stability. Particular attention is given to the European Union’s role, including its 2020 initiative with France, which laid the foundation for these developments [iii].

Cyber threats such as attacks on infrastructure, ransomware, disinformation, and espionage have become widespread, often crossing national boundaries. The COVID-19 pandemic accelerated digital reliance while exposing vulnerabilities. In the absence of binding agreements specific to cyberspace, voluntary norms emerged through the UN’s Group of Governmental Experts (GGE) [iv] and were later taken up by the OEWG [v]. These norms promote restraint, cooperation in incident response, and respect for rights online.

The OEWG, created in 2019, expanded participation beyond the GGE’s limited format. Over several years, it gathered input from states, civil society, and the private sector. Its final report, adopted in 2025, reaffirms the relevance of international law and endorses 11 voluntary norms [vi].

The Permanent Mechanism, as part of this outcome, ensures continued monitoring and support for implementation [vii]. It also facilitates dialogue, transparency, and capacity-building without creating new legal obligations.

The European Union has taken a leading role in this field. Through diplomacy, capacity-building, and engagement with global partners, it has supported the creation of inclusive and rules-based digital governance. Its internal regulatory model—such as the GDPR and Cybersecurity Act—offers a basis for cooperation beyond Europe.

The creation of a permanent mechanism reflects a broader shift from informal commitments toward institutionalized global governance. It clarifies how international law applies in cyberspace and supports practical implementation. For the EU, France, and Poland, this development also offers new avenues to align external policy with strategic digital priorities.

2. Reaffirming the Applicability of International Law in Cyberspace

One of the key outcomes of the July 2025 agreement is the reaffirmation that international law applies fully to cyberspace. This principle, long supported by the European Union and its Member States, is now embedded in the framework of the Permanent Mechanism. It reinforces the view that cyberspace is not beyond legal regulation but is governed by the same rules that apply offline, including the UN Charter, international humanitarian law, and international human rights law [viii].

This reaffirmation has symbolic and practical significance. Symbolically, it challenges efforts—often led by authoritarian governments—to promote sovereignty-based models that prioritize state control over individual rights. Practically, it provides a legal foundation for evaluating state conduct, assigning responsibility, and responding to harmful cyber operations.

The mechanism does not create new legal obligations but helps interpret and apply existing ones [ix]. It supports the principle of due diligence, which requires states to ensure their territory is not used for cyber operations that harm others [x]. It also reinforces prohibitions on the use of force and the principle of non-intervention, increasingly relevant given cyber operations that target infrastructure and democratic processes [xi].

2.1. Operationalizing Norms of Responsible State Behaviour

The Permanent Mechanism builds on the eleven voluntary norms of responsible behavior endorsed by the UN General Assembly in 2015 and reaffirmed by both the GGE and OEWG [xii]. These norms reflect broad agreement that states should refrain from targeting critical infrastructure, cooperate in responding to incidents, respect human rights online, and prevent the misuse of ICTs.

Before the mechanism, these norms lacked formal implementation structures. The new platform introduces processes for monitoring, reporting, and capacity-building. States are encouraged to submit national reports, participate in peer review, and engage in dialogue to support implementation. This builds transparency and mutual trust and provides a path for refining future norms and legal standards.

The mechanism also provides a space to address new challenges not yet reflected in existing frameworks, including artificial intelligence in cyber operations, protection of the digital public sphere, and the role of private actors. Through inclusive multilateral dialogue, it may help shape the next generation of cyber norms.

2.2. Strengthening Multilateralism and Institutional Resilience

Creating a permanent mechanism within the UN framework is a notable step for multilateralism. It shows that, despite geopolitical tensions, states can cooperate on shared challenges. The mechanism also addresses the lack of continuity seen in previous processes like the GGE and OEWG by establishing long-term institutional memory.

This continuity is vital for effective capacity-building, particularly for states with limited technical capabilities. The mechanism supports national implementation, regional cooperation, and knowledge sharing, contributing to a more inclusive global digital order.

The EU’s commitment to a rules-based digital order is reflected in its longstanding support for international law, norm development, and capacity-building. The 2025 outcome builds on France’s 2020 initiative and was advanced by coordinated EU diplomacy. Poland played a key role during its presidency by fostering consensus and facilitating agreement on the final text.

3. Multistakeholder Engagement and the Role of Civil Society, Industry, and Academia

The success of the UN’s Permanent Mechanism for Responsible State Behaviour in Cyberspace reflects not only intergovernmental consensus but a broader evolution toward inclusive cyber governance. The integration of civil society, the private sector, and academia into this framework signifies institutional recognition that cyber stability requires the coordinated participation of actors with distinct normative, technical, and epistemic capacities.

3.1. Practice of multi-stakeholder cyber governance in the EU and Member States

Cyberspace is a domain where operational control, innovation, and norm entrepreneurship lie largely outside state institutions [xiii]. Internet infrastructure, cybersecurity incident response, and technological development are frequently led by industry and academic actors, while civil society provides essential oversight in defense of human rights and democratic values. The July 2025 OEWG report explicitly acknowledged that the implementation of norms and international law in cyberspace demands sustained and structured engagement across these stakeholder groups.

In contrast to earlier UN processes marked by exclusivity, the Permanent Mechanism institutionalizes multistakeholder participation through accredited observer status, consultative forums, and collaborative capacity-building programs. These modalities are supported by transparency measures, including open reporting and inclusive review procedures, which enhance legitimacy and trust.

Poland’s presidency of the Council of the European Union in early 2025 played a decisive role in shaping this inclusive design [xiv]. By facilitating cross-sectoral consultations and advocating for non-state actor participation within the OEWG negotiations, Poland ensured that stakeholder engagement was embedded not only in principle but also in the operational architecture of the mechanism.

3.2. Multistakeholder governance in practice: how to protect sustainability and inclusivity?

The multistakeholder governance model, while widely recognized as more open and inclusive than traditional intergovernmental approaches, entails specific challenges. Major technology companies—armed with substantial resources and influence—may, in practice, shape the course of discussions and influence decision-making outcomes. At the same time, the voices of civil society actors—particularly from the Global South—are often constrained due to limited resources, restricted access to international forums, or political pressure. To mitigate these risks, various safeguarding mechanisms are employed, including transparent participation rules, regional representation, and the protection of independent voices. The European Union and its Member States, drawing on their experience in reconciling diverse stakeholder interests, are well-positioned to support these safeguards and promote a more balanced approach to global cyberspace governance. In this context, the role of the European Union becomes particularly crucial in addressing asymmetries in participation and capability.

This role is especially significant for developing countries, many of which face structural barriers to sustained engagement in international cyber diplomacy. Academic partnerships—particularly those supported by EU-funded initiatives such as EU Cyber Direct [xv] and Horizon 2020—help mitigate these disparities by providing research infrastructure, expert networks, and tailored capacity-building. In doing so, they foster a more inclusive and resilient knowledge ecosystem that supports the long-term implementation and refinement of cyber norms at global scale.

The EU’s internal digital governance—evident in instruments like the GDPR and Digital Services Act—has long relied on structured consultation with academia, civil society, and industry. Externally, the EU promotes this model through cyber diplomacy, development cooperation, and multilateral engagement. Poland’s 2025 Council presidency successfully projected this normative approach into the OEWG’s final framework, aligning EU digital values with international commitments.

Multistakeholderism, while normatively desirable, is not without risk [xvi]. Dominant private actors may disproportionately influence agendas, and civil society voices may be constrained by political pressures. To mitigate these risks, the mechanism incorporates safeguards such as transparent accreditation, regional representation, and protections for independent voices—particularly from the Global South. The EU and its Member States are well-positioned to reinforce these safeguards, ensuring that multistakeholder engagement remains inclusive, balanced, and normatively anchored.

4. The Applicability of International Law to State Behaviour in Cyberspace

The OEWG reaffirmed during its ninth through eleventh sessions, along with dedicated intersessional meetings, the centrality of international law—especially the Charter of the United Nations—in governing state conduct in cyberspace. This ongoing dialogue reinforces the cumulative and evolving framework for responsible State behaviour in the use of information and communication technologies (ICTs), underscoring the indispensability of legal norms to maintaining international peace, security, and stability, as well as fostering an open, secure, stable, accessible, and peaceful ICT environment.

States engaged in focused discussions guided by recommendations from the first Annual Progress Report (APR), which identified priority topics for legal deliberation [xvii]. These include sovereignty, sovereign equality, non-intervention, peaceful dispute settlement, state responsibility and due diligence, respect for human rights, and potential gaps in legal understanding regarding ICT use. The OEWG process sought to identify areas of convergence and consensus while recognizing the diversity of perspectives among States on these complex issues.

Notably, the 2021 OEWG and GGE reports were pivotal reference points, reflecting broad participation and varied views on potential additional legally binding obligations [xviii]. The GGE specifically emphasized the applicability of international humanitarian law (IHL) in armed conflict scenarios, reiterating established principles such as humanity, necessity, proportionality, and distinction, while cautioning against any interpretation that would legitimize conflict in cyberspace [xix].

In reaffirming foundational legal principles, States reiterated the applicability of sovereignty and sovereign equality to ICT-related activities, including jurisdiction over digital infrastructure within national borders. This affirms States’ rights to establish relevant policies and mechanisms to protect such infrastructure against ICT threats. The OEWG also reaffirmed obligations under Articles 2(3) and 33(1) of the UN Charter, mandating peaceful dispute resolution through negotiation, mediation, arbitration, or judicial settlement. Likewise, the prohibition of the threat or use of force under Article 2(4) was reiterated, emphasizing consistency with the purposes of the United Nations.

In advancing the normative architecture of cyberspace governance, the OEWG issued key recommendations aimed at sustaining legal clarity and fostering inclusive participation. First, States are encouraged to continue discussions within the future Permanent Mechanism on how international law applies to ICT use. This ongoing deliberation is essential to address emerging challenges and refine common understandings.

Second, States are urged to voluntarily share national views and practice regarding the application of international law in cyberspace, including official statements and jurisprudential interpretations. The UN Secretariat is requested to facilitate transparency and accessibility by making these materials publicly available on the Permanent Mechanism’s website, thereby supporting shared knowledge and reference.

Third, capacity-building efforts remain critical. States with the resources and expertise to do so should continue supporting neutral and objective initiatives—particularly within the UN framework—that enhance global understanding and consensus on international law’s applicability to ICT use. Such efforts must adhere to established principles of inclusivity, transparency, and respect for diverse regional contexts, as articulated in the 2021 OEWG report and reflected in subsequent APRs.

These recommendations acknowledge persistent gaps in capacity among developing States and underscore the importance of equitable participation in normative development. By embedding these principles in the Permanent Mechanism, the international community aims to strengthen a rules-based order in cyberspace, anchored in established international law and sustained through collaborative engagement.

5. Strategic Outlook and Policy Recommendations

The adoption of the Permanent Mechanism for Responsible State Behaviour in Cyberspace represents a milestone in global cyber governance. Yet its long-term success hinges on effective implementation, sustained political support, and institutional adaptability in the face of evolving threats. The European Union—and notably Poland, whose Council presidency coincided with the mechanism’s adoption—has a critical role to play in shaping its future trajectory.

The immediate challenge lies in transitioning from consensus to execution. Establishing a functioning secretariat, defining a multi-year work plan, and launching early initiatives—such as national implementation reports and regional capacity-building hubs—will be essential in legitimizing the mechanism and demonstrating its value. The first two years are decisive: they will set precedents, reveal operational strengths and gaps, and influence state commitment.

The European Union should move from norm entrepreneurship to systemic stewardship. It must not only promote best practices but also invest in the institutional architecture of the mechanism. This includes financial and technical support for the secretariat, diplomatic backing for inclusive governance models, and the creation of coordination mechanisms within the EU to ensure coherence between internal digital policy and external engagement. Integrating cyber diplomacy more fully into the EU’s Common Foreign and Security Policy and Strategic Compass would further consolidate its leadership role.

Poland’s presidency of the Council of the EU in early 2025 was pivotal in finalizing the OEWG mandate. Poland played a convening role, ensuring that multistakeholder values and operational clarity were preserved in the final text. As the mechanism enters its implementation phase, Poland is well-positioned to continue as a strategic facilitator—mobilizing support within the EU, engaging with international partners, and advocating for sustained political and financial investment in the mechanism.

The mechanism must also remain aligned with adjacent governance frameworks, including the Global Digital Compact, the Budapest Convention, and the EU’s own Digital Decade agenda. Here, the EU can serve as a bridge-builder—ensuring policy coherence and minimizing fragmentation. Promoting synergies among institutions and reducing regulatory duplication are critical to building a sustainable cyber governance architecture.

Addressing emerging threats requires forward-looking mechanisms. Topics such as AI-enabled operations, hybrid warfare, and cyber threats to space infrastructure demand anticipatory governance. Thematic working groups and expert panels should be established to explore normative gaps and propose regulatory pathways. In this regard, European research institutions and academic networks can make vital contributions, particularly if supported through structured EU programs.

Enhancing trust and accountability remains essential. Confidence-building measures, attribution support tools, and transparent reporting can mitigate strategic ambiguity. Non-punitive approaches—such as peer review and norm promotion—should complement traditional diplomatic responses.

In sum, the EU, with Poland as a prominent driver, must invest in institutional development, diplomatic alignment, and knowledge production. Its support will be essential in consolidating the mechanism as a cornerstone of a stable, inclusive, and rights-respecting international cyber order.

6. Conclusion: A New Chapter for Cyberspace Governance

The adoption of the Permanent Mechanism for Responsible State Behaviour in Cyberspace at the United Nations in July 2025 marks a pivotal shift in international cyber governance. It reflects broad consensus that cyberspace must be governed by international law, supported by norms of responsible behaviour, and sustained through multilateral cooperation.

This outcome is the result of prolonged diplomatic engagement. France’s 2020 initiative provided initial momentum. The European Union consistently advocated for legal clarity and institutional coherence. Poland’s Council presidency in early 2025 played a critical role in finalizing the OEWG mandate, ensuring balanced outcomes and broad participation.

The mechanism provides a framework for operationalizing norms, institutionalizing multistakeholder engagement, and building capacity. It is structured to support implementation through voluntary reporting, peer dialogue, and regional cooperation. While non-binding, the reaffirmed norms carry political weight and provide actionable guidance on the use of ICTs in international relations.

Key reaffirmed norms include:

  • Norm (c): States should not knowingly allow their territory to be used for internationally wrongful acts involving ICTs.
  • Norms (f), (g), and (h): States should protect critical infrastructure (CI) and critical information infrastructure (CII), respond to assistance requests, and cooperate to mitigate malicious ICT activity.
  • Norm (i): States should secure ICT supply chains, prevent the spread of malicious tools, and promote security-by-design through public-private partnerships and interoperable standards.

States acknowledged national discretion in identifying CI/CII but emphasized the value of transparency and cooperation. The Voluntary Checklist of Practical Actions remains a key implementation tool, offering guidance adaptable to national contexts.

Looking forward, the mechanism will address ongoing and emerging threats, foster cooperative responses, and assess the need for additional norms. Continued alignment with broader initiatives—such as the Global Digital Compact, the Budapest Convention, and the EU’s Cybersecurity Strategy—will be essential to maintain coherence and avoid duplication.

The European Union should consolidate its role by integrating cyber diplomacy into its Common Foreign and Security Policy, supporting the mechanism’s institutional structures, and aligning internal regulation with external engagement. Poland, as a central actor in the mechanism’s adoption, is well-placed to sustain momentum through regional coordination and diplomatic outreach.

Research institutions within the EU can contribute by analyzing implementation practices, identifying normative gaps, and supporting policy development. Such contributions will be vital for maintaining the mechanism’s relevance and adaptability.

The mechanism’s credibility will depend on inclusive governance, transparency, and responsiveness to stakeholder input. Confidence-building measures, technical assistance, and voluntary peer reviews can enhance accountability and trust.

The July 2025 agreement is not the end of the journey—it is the beginning of a new chapter. A chapter in which international law is not just affirmed but applied. In which norms are not just declared but implemented. And in which cyberspace is not a battleground of competing sovereignties, but a shared domain of cooperation, innovation, and peace. History has indeed been written. Now, it must be lived.

Bibliography

[i] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015), para. 24, available at: https://undocs.org/A/70/174.

[ii] Burhan, G. (2025). Letter from OEWG Chair. https://docs-library.unoda.org/Open-Ended_Working_Group_on_Information_and_Communication_Technologies_-_(2021)/Letter_from_OEWG_Chair_10_July_2025.pdf

[iii] Barbero, F. (2020). A New UN Path to Cyber Stability. Directions Blog. https://directionsblog.eu/a-new-un-path-to-cyber-stability/

[iv] United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE), established by the UN General Assembly and culminating in consensus reports including the 2015 GGE report. Official GGE documents and resources available at: https://www.un.org/disarmament/ict-security/

[v] United Nations Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG), launched pursuant to UNGA resolution 73/27. OEWG documents and materials accessible at: https://www.un.org/disarmament/open-ended-working-group/

[vi] Hogeveen, B. (2022). The UN norms of responsible state behaviour in cyberspace. ASPI. https://www.aspi.org.au/report/un-norms-responsible-state-behaviour-cyberspace/

[vii] Burhan, G. (2025). Letter from OEWG Chair. https://docs-library.unoda.org/Open-Ended_Working_Group_on_Information_and_Communication_Technologies_-_(2021)/Letter_from_OEWG_Chair_10_July_2025.pdf

[viii] Kulesza, J., Delerue, F., & Pawlak, P. (2019). The application of international law in cyberspace: is there a European way? EU Cyber Direct. https://eucyberdirect.eu/research/the-application-of-international-law-in-cyberspace-is-there-a-european-way

[ix] Kulesza, J., & Tikk, E. (2020). The “Invisible” International Law in Cyberspace. Horizon. https://eucyberdirect.eu/blog/the-invisible-international-law-in-cyberspace

[x] Kulesza, J. (2016). Due Diligence in International Law. Queen Mary Studies in International Law, 26. https://doi.org/10.1163/9789004325197

[xi] Schmitt, M. (2015). In Defense of Due Diligence in Cyberspace. The Yale Law Journal Forum. https://www.yalelawjournal.org/pdf/Schmitt_PDF_g9pv96jc.pdf

[xii] United Nations Office for Disarmament Affairs. (2019). Developments in the field of Information and Communications in the context of International Security. Front.un-Arm.org. https://front.un-arm.org/wp-content/uploads/2019/07/Information-Security-Fact-Sheet-July-2019.pdf

[xiii] Kulesza, J. (2019a). Multistakeholderism – meaning and implications. In M. Susi (Ed.), Human Rights, Digital Society and the Law. Routledge.

[xiv] Internet Governance Forum (IGF). (2025). IGF2025 – Day 2 – WS 4 – Multistakeholder Governance & Int’l Law in Cyberspace. YouTube. https://www.youtube.com/watch?v=2Pl4t68KkJI

[xv] European Union. EU Cyber Direct | Supporting EU Cyber Diplomacy. EU Cyber Direct. https://eucyberdirect.eu/

[xvi] Pohle, J., & Santaniello, M. (2024). From multistakeholderism to digital sovereignty: Toward a new discursive order in internet governance? Policy & Internet, 16(4). https://doi.org/10.1002/poi3.426

[xvii] United Nations General Assembly. (2019). Oceans and the law of the sea: oceans and the law of the sea (A/RES/74/19). https://docs.un.org/en/A/RES/74/19

[xviii] United Nations General Assembly. (2019). Developments in the field of information and telecommunications in the context of international security (A/75/816). https://docs.un.org/en/A/75/816

[xix] United Nations General Assembly. (2021). Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (A/76/135). https://dig.watch/wp-content/uploads/2022/08/UN-GGE-Report-2021.pdf