Key data
| Regulation | Council Decision (EU) 2026/1347, of 4 June 2026 |
|---|---|
| Publication | 19 June 2026 |
| Entry into force | 4 June 2026 |
| Affected parties | Technology companies, digital service providers, judicial and police authorities of the EU |
| Category | European Regulation |
| Year | 2026 |
| International instrument | United Nations Convention on Cybercrime |
Technology companies and digital service providers operating in Europe face a new legal framework that determines how they must respond to data requests from foreign authorities. The Council Decision (EU) 2026/1347, published on 19 June 2026, formalizes the European Union's accession to the United Nations Convention on Cybercrime, a multilateral treaty that establishes common standards for prosecuting computer crimes and obtaining cross-border digital evidence.
The impact is not merely institutional. For any company that stores, processes or transmits digital data and operates in more than one jurisdiction, this convention can translate into greater obligations to cooperate with authorities in the delivery of digital information.
What does this regulation establish?
The UN Convention on Cybercrime is a multilateral treaty that creates a common framework among signatory countries to:
- Prosecute computer crimes in a coordinated manner across jurisdictions.
- Obtain and transmit cross-border digital evidence in a standardized manner.
- Strengthen judicial and police cooperation between UN Member States.
- Investigate specific crimes such as online fraud, ransomware and digital exploitation.
With the Council Decision, the EU not only formally accedes to the treaty, but also requires Member States to align their national mechanisms of judicial and police cooperation with the convention standards. This means that the internal legal frameworks of each EU country must be adapted to comply with the treaty obligations.
| Area | What changes with the UN Convention |
|---|---|
| Judicial cooperation | Member States must align their mechanisms with the convention standards |
| Digital evidence | A common framework is established for obtaining and transmitting electronic evidence between countries |
| Crimes covered | Online fraud, ransomware, digital exploitation and other crimes committed through ICT systems |
| Obligations for companies | Possible greater requirements for cooperation in the delivery of data and digital information |
| Geographic scope | Multilateral: applies between all signatory countries of the UN convention |
Economic and operational impact
The direct impact for companies is not a fine or a new fee, but an increase in the operational and legal complexity of managing data requests from authorities in different countries.
Until now, many technology companies managed these requests on an ad hoc basis, with little standardized internal protocols. With the new framework, the pressure to have formalized and auditable procedures increases significantly, especially for:
- Companies with users or infrastructure in multiple EU and non-EU countries.
- Cloud service providers, digital platforms and telecommunications operators.
- Companies that store data of European users and receive requests from non-European authorities.
The operational costs associated include the review and update of internal legal protocols, the training of legal and compliance teams, and potentially the hiring of specialized advice on international judicial cooperation.
Who does it affect?
- Technology companies operating in the EU or providing services to European users.
- Digital service providers: platforms, SaaS, cloud services, marketplaces.
- Telecommunications operators and internet access providers.
- Companies operating in multiple jurisdictions and may receive international legal requirements regarding data.
- Legal and compliance departments of any company with significant digital presence.
- Judicial and police authorities of the EU, which must adapt their procedures to the new framework.
Practical example
A Spanish software-as-a-service (SaaS) company with clients in several EU and non-EU countries receives a cooperation request from a police authority of a third country signatory to the UN Convention, investigating a ransomware case in which its servers were allegedly used.
Before this convention, the company could manage that request with its own criteria and without a clear framework of obligations. With the new framework ratified by the EU, Member States must have aligned their cooperation mechanisms with the convention standards, which can result in the company receiving formalized requests with defined deadlines for the delivery of evidence in electronic form.
If the company does not have an internal protocol that defines who authorizes data delivery, what data can be delivered, in what format and under what legal guarantees, it is exposed to breaches of both the convention and European data protection regulations.
What should companies do now?
- Audit current protocols for responding to international legal requirements: Identify whether there is a documented procedure for managing requests for data from foreign authorities and whether it covers the new convention standards.
- Review contracts with cloud service providers and third parties: Verify that data delivery clauses and cooperation with authorities are up to date and compatible with the new multilateral framework.
- Train legal and compliance teams: Ensure that those responsible for legal matters understand the implications of the convention and know how to act when faced with an international request for digital evidence.
- Evaluate jurisdictional exposure: Companies operating in multiple countries should map which jurisdictions they have a presence in and which of them are signatories to the convention, to anticipate possible requests.
- Coordinate with the DPO or data protection officer: Any delivery of data to international authorities must be compatible with the GDPR. It is essential that the privacy team is involved in the design of the response protocol.
Frequently asked questions
What exactly is the UN Convention on Cybercrime that the EU has ratified?
It is a multilateral United Nations treaty that establishes common frameworks among signatory countries to prosecute computer crimes and obtain cross-border digital evidence. The EU has formally ratified it through Council Decision (EU) 2026/1347, of 4 June 2026, published on 19 June 2026. It covers crimes such as online fraud, ransomware and digital exploitation.
What specific obligations does this convention generate for technology companies?
The convention can result in greater obligations to cooperate with authorities in the delivery of data and digital information. Companies operating in multiple jurisdictions must review their response protocols to international legal requirements regarding data. No direct fines are established in the decision, but failure to comply with formalized requests can have legal consequences.
When does this regulation come into force and how much time do companies have to adapt?
The Decision came into force on 4 June 2026, the date of its adoption by the Council, although it was published in the Official Journal on 19 June 2026. No specific adaptation period for companies is established in the published decision, so it is recommended to begin reviewing internal protocols immediately.
Does this convention affect companies that only operate in Spain or in a single EU country?
The impact is greater for companies operating in multiple jurisdictions, but any digital service provider can receive international requests if its services are accessible from other countries. Member States, including Spain, must align their judicial and police cooperation mechanisms with the convention standards, which can affect how Spanish authorities process and forward requests to national companies.
How does this convention affect the GDPR and data protection?
Any delivery of data to international authorities under the convention framework must be compatible with the General Data Protection Regulation (GDPR). Companies must ensure that their protocols for responding to international requests include validation by the DPO or privacy officer, and that international data transfers comply with the guarantees required by European data protection regulations.
Official source
Consult full regulation in official source
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202601347