What It Is
The Programme of Action to Advance Responsible State Behavior in Cyberspace (PoA cyber) was decided by the UN General Assembly in 2024 to begin operation in 2025, replacing the parallel GGE and OEWG tracks that had previously dominated UN cyber diplomacy.
The PoA formalizes regular institutional dialogue on norms, capacity building, and confidence building measures; provides for review conferences (the first scheduled for 2027); and is open to all UN member states.
Background and Context
The PoA was a French-led effort, supported broadly across UN groupings, as a way to end the inefficient parallel-track dynamic. For years, UN cyber diplomacy had been split between:
- The Group of Governmental Experts (GGE): a small expert format with 15-25 states.
- The Open-Ended Working Group (OEWG): an open-to-all-UN-members format.
The parallel tracks produced duplication, slowed progress, and reflected underlying disagreements (particularly US-Russia) about institutional approach. The PoA was designed to consolidate cyber dialogue into a single institutional framework.
Substantive Scope
The PoA's substantive scope continues the eleven voluntary norms framework from the 2015 GGE plus the 2021 OEWG outcomes. The eleven norms include:
- States should cooperate in developing and applying measures to increase stability and security.
- States should consider all relevant information in case of ICT incidents.
- States should not knowingly allow their territory to be used for internationally wrongful ICT acts.
- States should cooperate to ensure observance of international law.
- States should consider how international law applies to ICT use.
- States should not conduct or knowingly support ICT activity intentionally damaging critical infrastructure.
- States should take appropriate measures to protect their critical infrastructure.
- States should respond to appropriate requests for assistance from another state.
- States should take reasonable steps to ensure the integrity of the supply chain.
- States should encourage responsible reporting of ICT vulnerabilities.
- States should not conduct or knowingly support activity to harm IT teams responding to incidents.
The PoA does not establish new norms but provides the institutional framework for continued development and implementation of existing ones.
Civil Society and Industry Engagement
Civil society and industry have advocated for stronger multi-stakeholder participation in the PoA than was permitted in GGE/OEWG. The case: cyber threats and responses involve actors well beyond states (technology companies, security researchers, bodies, civil society), and excluding them from official UN cyber dialogue limits the effectiveness of any framework.
The PoA includes some multi-stakeholder engagement provisions, though fewer than civil society and industry preferred. Implementation will test whether the framework can incorporate non-state expertise effectively.
Implementation Stage
Implementation is in early stages as of 2025–26:
- 2024: General Assembly decision establishing PoA.
- 2025: Initial operational phase begins.
- 2027: First review conference scheduled.
- Ongoing: substantive work on norms, capacity building, and confidence building measures.
Whether the PoA can produce more progress than the GGE/OEWG tracks did will be tested over its first review cycle.
Why It Matters
The PoA matters as the consolidation of UN cyber diplomacy into a single framework. The previous parallel-track inefficiency had been a long-running concern, and the institutional rationalization is an important step.
The PoA is also a test of whether UN-level cyber diplomacy can produce substantive progress despite continued underlying disagreements between major powers on cyber norms application. If the PoA succeeds, it would provide a model for institutional consolidation in other contested multilateral areas.
Common Misconceptions
The PoA is sometimes assumed to create binding cyber obligations. It does not — the framework continues the voluntary-norms approach. Binding cyber obligations would require treaty negotiations, which have not been politically feasible at the UN level.
Another misconception is that the PoA replaces existing cyber treaties or initiatives. It complements them; existing instruments (the Budapest Convention, the 2024 UN Convention, regional frameworks) continue to operate in parallel.
Real-World Examples
The 2024 UN General Assembly decision establishing the PoA was the founding political moment. The 2025 PoA initial operational phase begins the substantive implementation. The 2027 first review conference will provide the first substantive assessment of PoA effectiveness.
Example
The PoA cyber's establishment was a multi-year French-led diplomatic effort consolidating the fragmented UN cyber framework — agreed in 2024 to begin 2025 operation.