Budapest Convention on Cybercrime

What It Is

The Budapest Convention on Cybercrime (formally the Council of Europe Convention on Cybercrime) is the 2001 Council of Europe treaty that is the principal international framework for cooperation on cybercrime, with 76 parties as of 2024. Adopted in November 2001 and entered into force in 2004, it is the first international treaty addressing computer-related crime.

What the Convention Requires

The Budapest Convention requires parties to criminalize a range of cyber offences:

• Illegal access to computer systems.
• Illegal interception of computer communications.
• Data interference: unauthorized alteration or destruction of data.
• System interference: serious hindering of computer system functioning.
• Computer-related fraud.
• Computer-related forgery.
• Child sexual abuse material: production, distribution, possession through computer systems.
• Copyright offences: certain copyright violations through computer systems.

The Convention also requires parties to establish procedural measures for investigating and prosecuting these offences, including preservation of stored computer data, production orders, search and seizure of stored data, and real-time collection of traffic data.

The Second Additional Protocol

The Second Additional Protocol (2022) updates the treaty for cross-border evidence collection and direct cooperation with service providers. The Protocol addresses one of the persistent gaps in international cybercrime cooperation: how to obtain evidence located in foreign jurisdictions quickly enough to be useful.

The Protocol provides:

• Direct cooperation between authorities and service providers in another jurisdiction.
• Expedited cross-border procedures for stored computer data.
• Conditions and safeguards for these expedited procedures.

Open to Non-CoE States

The Convention is open to non-Council-of-Europe states; many have joined including the US, Japan, Canada, Australia, Senegal, and others across Latin America, Africa, and Asia. The non-CoE state membership reflects the Convention's role as the de facto global framework for cybercrime cooperation among Western and aligned states.

The Russia-China Alternative

Russia and China have notably refused to join the Budapest Convention, instead pushing for a UN-based alternative treaty. This led to the 2024 UN Cybercrime Convention (the 'Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes'), whose final text drew civil society criticism over:

• Scope: the UN Convention covers a broader range of offences than Budapest, including some that could criminalize legitimate online speech.
• Human-rights safeguards: critics argue the UN Convention's human-rights safeguards are weaker than Budapest's.
• Surveillance authority: the UN Convention's procedural authorities could enable expansive surveillance with insufficient checks.

The split between the Budapest and UN Conventions reflects the broader fragmentation of international cyber governance.

Why the Budapest Convention Matters

The Convention has been the practical framework for cybercrime cooperation among most Western-aligned states for two decades. Investigation of major cybercrime cases — ransomware operators, dark-web marketplaces, child-exploitation networks — typically relies on Budapest Convention cooperation channels.

The Convention's success has been partly responsible for the geopolitical contest over the UN Convention: Russia and China have wanted to displace Budapest's primacy precisely because the framework has proven effective.

Real-World Examples

The 2021 Hydra Market takedown (the largest dark-web marketplace) relied heavily on Budapest Convention cooperation. The 2024 LockBit takedown — the largest ransomware operator at the time — was coordinated through Budapest Convention channels. The adoption of the UN Cybercrime Convention in 2024 marked a new chapter in international cyber governance whose practical effects will play out over years.