The Council of Europe Convention on Cybercrime, commonly called the Budapest Convention, is the first binding international treaty addressing crimes committed via computer networks. It was opened for signature in Budapest on 23 November 2001 and entered into force on 1 July 2004. Although drafted under the auspices of the Council of Europe, it is open to non-member states, and parties include the United States, Japan, Canada, Australia, and many Latin American and African countries.
The Convention pursues three main objectives:
- Harmonising substantive criminal law on offences such as illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery and fraud, child pornography offences, and certain copyright infringements.
- Providing domestic procedural tools, including expedited preservation of stored computer data, production orders, search and seizure of stored data, and real-time collection of traffic and content data.
- Establishing international cooperation mechanisms, including extradition, mutual legal assistance, and a 24/7 contact network for urgent cross-border requests.
An Additional Protocol adopted in 2003 criminalises acts of a racist and xenophobic nature committed through computer systems. A Second Additional Protocol, opened for signature in May 2022, addresses enhanced cooperation and direct disclosure of subscriber information by service providers across borders, responding to the challenges of cloud evidence.
The treaty is monitored by the Cybercrime Convention Committee (T-CY), which issues guidance notes interpreting provisions in light of new technologies. The Council of Europe also runs the C-PROC capacity-building office in Bucharest, supporting implementation worldwide.
Russia has consistently rejected the Convention, objecting in particular to Article 32(b), which permits trans-border access to stored data with the lawful consent of the person authorised to disclose it. Moscow has instead pushed for a UN-led alternative, which culminated in the negotiation of the UN Convention against Cybercrime adopted by the General Assembly in 2024. Despite this competition, the Budapest Convention remains the most widely ratified and operational framework on cybercrime.
Example
In 2023, Brazil deposited its instrument of accession to the Budapest Convention, becoming the first South American G20 state fully bound by its mutual legal assistance provisions.