Key data
| Regulation | United Nations Convention against Cybercrime |
|---|---|
| Official reference | OJ:L_202601348 |
| Publication | June 19, 2026 |
| Entry into force | Not specified |
| Affected parties | Technology companies, digital service providers, telecommunications and judicial authorities |
| Category | Data Protection / Cybercrime |
| Source | Official Journal of the European Union |

Technology companies and digital service providers operating in Spain face a new international compliance scenario. The United Nations Convention against Cybercrime, published on June 19, 2026 in the Official Journal of the EU (reference OJ:L_202601348), establishes a binding legal framework that requires signatory States—and, by extension, companies under their jurisdiction—to actively collaborate in cross-border criminal investigations related to crimes committed through ICT systems.
The impact is not abstract: if your company receives, stores or transmits digital data, you may receive legal requests from authorities in other countries to deliver electronic evidence. And you must have procedures in place to respond.
What does this regulation establish?
The Convention creates a binding international legal framework structured around three main pillars:
- Criminalization of cybercriminal conduct: Signatory States are obligated to incorporate into their criminal legislation certain criminal conduct committed through information and communications technology (ICT) systems. This standardizes the catalog of crimes prosecutable at the international level.
- Obtaining, preserving and cross-border transmission of electronic evidence: Specific procedures are established for authorities in one country to request from another—and from companies under its jurisdiction—the preservation and delivery of digital evidence in investigations of serious crimes.
- Agile mutual legal assistance: The treaty requires States to establish rapid judicial cooperation channels, eliminating bureaucratic friction that has slowed international investigations until now.
For companies, the most relevant element is the obligation to collaborate with judicial authorities from multiple jurisdictions when required in the context of an international investigation. This applies especially to digital service providers and telecommunications operators.
Economic and operational impact
The published text of the regulation does not impose direct financial penalties on companies, but its operational consequences are significant:
| Area of impact | Concrete consequence |
|---|---|
| Data retention | Reinforced obligation to retain data in the event of ongoing or foreseeable international investigations |
| Response to requests | Need for internal protocols to manage requests from foreign judicial authorities |
| Multi-country compliance | Exposure to requests from any signatory State, not just the EU |
| Legal resources | Greater need for specialized legal advice in international criminal law and data protection |
| Contract review | Agreements with customers and suppliers must contemplate the possibility of data disclosure by international judicial mandate |

The cost of adaptation will depend on the size and business model of each company. The most exposed—digital platforms, cloud providers, telecommunications operators—will need to invest in legal protocols, digital evidence retention systems and training for legal teams. Companies that already comply with the General Data Protection Regulation (GDPR) have a solid foundation, but will need to expand their procedures to the international criminal sphere.
Who does it affect?
- Digital service providers: SaaS platforms, marketplaces, social networks, messaging and email services.
- Telecommunications operators: fixed-line telephony, mobile and internet companies that manage communications traffic.
- Technology companies with international presence: any company providing digital services to users in treaty signatory countries.
- Cloud and infrastructure service providers: hosting companies, cloud storage and data centers.
- Companies with large volumes of user data: any digital business that stores data on communications, transactions or online activity.
- Legal and compliance departments of any company in the technology or telecommunications sector.
Practical example
Imagine a Spanish company offering a cloud storage service with customers in several European and Latin American countries. Under the UN Convention against Cybercrime, judicial authorities in a signatory country—for example, in the context of an investigation into serious computer fraud—can request Spanish authorities to require this company to preserve and deliver digital data from a specific user stored on its servers.
Without defined internal protocols, the company would face a legal emergency: What data must be retained? For how long? How can it respond without violating the GDPR? Who manages communication with authorities? The Convention requires these mechanisms to be operational beforehand, not improvised when the request arrives.
What should companies do now?
- Audit data retention protocols: Review how long communications and user activity data are retained, and whether systems allow selective and secure retention in response to judicial requests.
- Design a protocol for responding to international requests: Define who in the company receives and manages a request from foreign authorities, what steps to follow and in what timeframes, coordinating legal, technical and compliance departments.
- Review contracts with customers and suppliers: Ensure that service agreements contemplate the possibility of data disclosure by international judicial mandate, with appropriate liability limitation clauses.
- Assess compatibility with the GDPR: Delivery of data to foreign authorities may conflict with EU data protection obligations. A legal analysis is necessary to harmonize both obligations.
- Train legal and technical teams: Personnel managing data and the legal team must understand the implications of the treaty and know how to act in response to an international request.
- Monitor treaty ratification: Entry into force depends on State ratifications. Follow the accession process to anticipate when it will be enforceable and in which jurisdictions.
Frequently asked questions
What does the UN treaty require technology companies to do?
The Convention requires signatory States to establish mechanisms for companies under their jurisdiction (especially digital service providers and telecommunications operators) to preserve and transmit electronic evidence when required in the context of international investigations of serious crimes committed through ICT systems. This implies having internal protocols for data retention and for responding to judicial requests from multiple countries.
When does the UN Convention against Cybercrime enter into force?
The entry into force date is not specified in the text published on June 19, 2026. The effectiveness of the treaty will depend on the ratification process by signatory States. It is essential to monitor this process to anticipate when obligations will be enforceable.
Does this treaty affect small companies or only large tech companies?
It affects any digital service provider or telecommunications provider, regardless of size, operating under the jurisdiction of a signatory State. SaaS platforms, hosting services, applications with users in multiple countries or cloud providers of any scale may receive information requests in the context of international investigations.
How does this treaty affect GDPR compliance?
Delivery of data to foreign judicial authorities may create tensions with GDPR obligations regarding international data transfers and purpose limitation. Companies must conduct a specific legal analysis to harmonize both regulations, defining under what conditions and with what safeguards they can respond to international requests without violating European data protection regulations.
What types of crimes trigger the treaty's cooperation obligations?
The treaty covers two categories: crimes committed through ICT systems (cybercrimes that signatory States are obligated to criminalize) and serious crimes in general, for which mechanisms for cross-border transmission of evidence in electronic form are established. The Convention does not limit cooperation on digital evidence exclusively to cybercrimes, but extends it to the investigation of serious crimes in the broad sense.
Official source
Notice: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202601348