The Organization for Security and Co-operation in Europe (OSCE) Cyber/ICT Confidence-Building Measures are voluntary, politically binding commitments designed to enhance transparency, predictability, and cooperation among the 57 OSCE participating States in cyberspace. They aim to reduce the risks of misperception, escalation, and conflict that could arise from incidents involving information and communication technologies (ICTs).
The first set of 11 CBMs was adopted by Permanent Council Decision No. 1106 on 3 December 2013, making the OSCE the first regional organization to agree such measures. A second set of 5 additional CBMs was adopted by Decision No. 1202 on 10 March 2016, bringing the total to 16.
The measures fall broadly into two categories:
- Posture and transparency CBMs (the 2013 set), which include voluntary exchanges of national views on ICT threats, sharing of national strategies and terminology, and nomination of points of contact at policy and technical levels.
- Cooperative CBMs (the 2016 set), which focus on practical collaboration, such as protecting critical infrastructure, responsible reporting of ICT vulnerabilities, and public-private partnerships.
A key operational element is the OSCE Communications Network, used to transmit cyber-related communications between designated national points of contact, helping de-escalate incidents in near real time. Implementation is coordinated through an Informal Working Group (IWG) established under Permanent Council Decision No. 1039 (2012), chaired on a rotating basis.
The CBMs are voluntary and non-attributional—they do not assign blame for cyber incidents, nor do they create new international legal obligations. Instead, they complement the normative work of the UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) on ICTs in the context of international security. They are frequently cited as a regional model that other bodies, including the ASEAN Regional Forum, have studied when developing their own cyber transparency frameworks.
Example
In 2016, OSCE participating States adopted Decision No. 1202, expanding the original 2013 cyber CBMs with five additional measures focused on critical infrastructure protection and vulnerability disclosure.
Frequently asked questions
No. They are voluntary and politically binding commitments; they do not create obligations under international law and do not assign attribution for cyber incidents.
Keep learning