Issuu

APAC FOCUS INSIGHT

II. Weaknesses of Applying Cyber-Enabled Crimes Under Existing Rome Statute Articles: A Legal Analysis

The ICC Draft Policy on Cyber-Enabled Crimes (2025) seeks to prosecute cyber-enabled atrocities under the Rome Statute’s existing framework of genocide (Article 6), crimes against humanity (Article 7), war crimes (Article 8), and aggression (Article 8bis). While this approach avoids statutory amendments, it introduces significant legal and practical challenges.

The Rome Statute of the ICC is the international treaty that founded the Court. Comprising a Preamble and 13 Parts, it establishes the governing framework for the Court. Adopted at the Rome Conference on 17 July 1998, it entered into force on 1 July 2002, thereby creating the ICC

The Statute sets out the Court's jurisdiction over genocide, crimes against humanity, war crimes and – as of an amendment in 2010 – the crime of aggression. In addition to jurisdiction, it also addresses issues such as admissibility and applicable law, the composition and administration of the Court, investigations and prosecution, trials, penalties, appeal and revision, international cooperation and judicial assistance, and enforcement.

First, the fundamental jurisdictional structure of the Rome Statute is ill-suited to the borderless nature of cybercrime. The Statute’s reliance on territorial and nationality-based jurisdiction (Article 12) presumes that crimes have a clear geographic locus or can be attributed to the nationals of a particular state. However, cybercrimes routinely transcend national boundaries, often involving perpetrators, victims, infrastructure, and effects that are distributed across multiple jurisdictions. This creates significant ambiguity in determining which state’s territory is implicated or whether a perpetrator’s nationality can be reliably established, especially given the widespread use of anonymization and proxy services in cyberspace

This analysis critiques the current strategy, highlighting jurisdictional ambiguities, doctrinal overstretch, and procedural inconsistencies through direct references to the Rome Statute, ICC jurisprudence, and the draft policy itself.

a. Elaboration on Territorial and Nationality-Based Jurisdiction for Cyber-Enabled Crimes Under the Rome Statute

The ICC jurisdiction over cyber-enabled crimes fundamentally depends on Article 12(2) of the Rome Statute, which provides that the Court may exercise jurisdiction when either the crime occurs on the territory of a State Party (territorial jurisdiction) or the accused is a national of a State Party (nationality-based jurisdiction). While these jurisdictional principles are well-established and straightforward in the context of physical crimes, their application to cyber operations-which frequently transcend

borders and involve decentralized actors-presents unique and complex challenges. This analysis examines these jurisdictional frameworks in the context of cyber-enabled crimes, drawing on the ICC’s draft policy, relevant legal commentaries, and case law.

Regarding territorial jurisdiction, Article 12(2)(a) grants the ICC jurisdiction if a crime is committed on the territory of a State Party. The Court has interpreted the phrase "conduct in question occurred" broadly, holding that jurisdiction exists if at least one element or part of a crime occurs on a State Party’s territory.

For instance, a cyberattack launched from a non-Party State targeting infrastructure located within a State Party would fall within the ICC’s jurisdiction if the effects of the attack, such as disruption of hospital systems, occur in the territory of the State Party.

However, cyberspace complicates this principle in several ways. The ICC’s draft policy distinguishes between subjective territoriality, which refers to jurisdiction based on where the cyber conduct originated (for example, a hacker physically located in a particular State), and objective territoriality, which is jurisdiction based on where the effects of the cyber conduct are felt (such as a power grid failure in another State). For example, if a cyber operation originates in a non-Party State but causes a hospital’s systems to fail in a State Party, the ICC may assert jurisdiction over the latter under the doctrine of objective territoriality.

infrastructure (like water or power supplies) could inflict such conditions, this stretches the traditional understanding.

It raises questions about the required severity and directness of causation – how significant must a cyber disruption be to equate to the deliberate infliction of conditions leading to physical destruction? Furthermore, while the policy notes cyber means can prove genocidal intent, attributing the specific intent to destroy a group based solely on digital communications or acts can be highly ambiguous. The crime of incitement to genocide might seem more applicable to online speech, but even here, distinguishing direct and public incitement intended to provoke genocide from hate speech requires careful interpretation that pushes the boundaries of existing jurisprudence when applied to the scale and nature of online communication platforms.

Crimes Against Humanity (Article 7): These crimes require underlying acts (like murder, extermination, persecution) committed as part of a "widespread or systematic attack directed against any civilian population" pursuant to a State or organizational policy.

Applying this to cyber conduct faces challenges. While cyber operations can be part of such an attack, defining what constitutes a "widespread or systematic" cyber attack lacks clear precedent. How many cyber incidents, over what period, targeting whom, qualify? For the underlying crime of persecution (Article 7(1)(h)), the acts must involve a severe deprivation of fundamental rights and be of equal gravity to other Article 7 crimes.

Equating cyber acts like doxxing, targeted disinformation campaigns, or digital surveillance with acts like murder or enslavement risks trivializing the high gravity threshold of crimes against humanity unless the cyber acts demonstrably and severely deprive fundamental rights on a comparable scale. The definition of an "attack" itself, defined in the Elements of Crimes as a "course of conduct involving the multiple commission of acts", may be difficult to apply consistently to diffuse, potentially uncoordinated cyber activities.

War Crimes (Article 8): War crimes are violations of international humanitarian law (IHL) committed during armed conflict. Many Article 8 provisions explicitly refer to physical violence or destruction (e.g., "violence to life and person," "destruction and appropriation of property"). While the OTP policy adopts an effects-based approach, suggesting a cyber operation causing death or injury (e.g., hacking a hospital system) constitutes an "attack" similar to a kinetic one, this remains debated.

IHL traditionally defines "attacks" as acts of violence against the adversary. Classifying data destruction or system disruption as equivalent to physical violence requires interpretation that may conflict with the principle of strict construction. Furthermore, assessing principles like proportionality (balancing military advantage

against civilian harm) becomes exceptionally complex when the "harm" is digital disruption with cascading, indirect, and potentially non-physical effects, unlike the more quantifiable effects of conventional weapons. Applying rules designed for physical battlefields directly to cyberspace risks legal uncertainty and misapplication.

Crime of Aggression (Article 8 bis): This crime involves the planning, preparation, initiation, or execution of an act of aggression which, by its "character, gravity and scale," constitutes a manifest violation of the UN Charter. The listed acts of aggression (Article 8 bis(2)) predominantly involve the use of armed force in a conventional sense (e.g., invasion, bombardment, blockade).

While a cyber operation could facilitate such acts, whether a standalone cyber operation can constitute an act of aggression is highly contested. Significant debate exists on whether cyber operations that do not cause physical damage can meet the threshold of a "use of force" under international law, which informs the definition of aggression. Applying the crime of aggression to cyber operations risks extending the definition beyond its established scope, particularly for acts causing purely economic or political disruption, potentially creating law rather than applying existing law, contrary to Article 22(2).

In summary, applying these established crime definitions to novel forms of cyber conduct forces interpretations that may lack sufficient clarity, predictability, and grounding in the original intent of the Rome Statute, thereby creating significant legal uncertainty and risking violations of the principle of legality.

to the borderless nature of cyber operations, a new article could assert universal jurisdiction for the most serious cyber-enabled crimes, such as cyber-facilitated genocide or aggression.

This approach, inspired by the Budapest Convention’s framework for crossborder cooperation, would ensure that perpetrators cannot evade accountability by exploiting jurisdictional loopholes or operating from non-State Parties. Furthermore, the article could clarify the principle of data sovereignty, asserting jurisdiction over cyber operations routed through a State Party’s digital infrastructure, and thereby resolving ambiguities about “mere data transit” that persist in the ICC’s draft policy.

Enhanced international cooperation is another key benefit. A dedicated article could mandate standardized procedures for real-time evidence sharing and mutual legal assistance, modeled after the Budapest Convention’s 24/7 Network. This would address one of the most significant barriers to prosecuting cybercrimes identified in the ICC’s draft policy: “fragmented and inconsistent cooperation between states”. By establishing binding obligations for evidence preservation and cross-border investigative support, the new article would facilitate more effective and timely prosecutions.

Procedural modernization would also be achieved through a dedicated cybercrime article. It could set digital evidence standards-such as blockchain verification, cryptographic hashing, and metadata authentication-ensuring the admissibility and integrity of electronic evidence. This would address the ICC’s current reliance on physical evidence rules, which are inadequate for handling ephemeral or AIgenerated digital data. The article could also authorize specialized investigative tools, including remote searches of networked devices and preservation orders for volatile digital evidence, drawing on best practices from the Budapest Convention and the emerging UN Cybercrime Treaty.

Another significant benefit of developing a new article specifically for cybercrime under international criminal law is the enhanced feasibility and flexibility to amend and update the law in response to the rapidly evolving nature of technology-related offenses from a long-term perspective.

Unlike the static and sometimes cumbersome process of interpreting or retrofitting existing articles, a dedicated cybercrime provision can be crafted with builtin mechanisms or language that anticipate technological change and emerging criminal methods. The experience of the Rome Statute’s amendment process demonstrates that, while amendments to core crimes like genocide or war crimes require substantial consensus and can take years to enter into force, the adoption of new or supplementary articles-such as those addressing the crime of aggression or specific weapons-has

proven both possible and effective when the international community recognizes new threats.

By establishing a separate cybercrime article, States Parties can more readily propose, debate, and adopt targeted amendments as new forms of cyber-enabled harm emerge, without the risk of distorting the interpretation of existing crimes or undermining legal certainty. This modular approach ensures that international criminal law remains responsive and relevant, allowing the ICC and States Parties to address novel challenges such as artificial intelligence-driven attacks, quantum computing vulnerabilities, or unforeseen digital tactics. This flexibility is essential for maintaining the effectiveness, legitimacy, and deterrent value of international criminal law in the face of the accelerating pace of technological innovation and the ever-changing landscape of cyber threats.

Finally, the adoption would enhance global deterrence and legitimacy. It would send a clear message that the international community is committed to confronting cyber-enabled atrocities with seriousness and rigor, deterring both state and non-state actors. By avoiding the doctrinal overstretch that comes from forcing cyber conduct into ill-fitting legal categories, the new article would also bolster the ICC’s legitimacy and ensure that prosecutions are grounded in clear, predictable law.

V. Bibliography

Aldoghmi, H. S. (2023). The Role of International Efforts in Combating Cybercrimes. The International Journal of Humanities & Social Studies, 11(11): 85-92.

Arnell, P. and Faturoti, B. (2022). The prosecution of cybercrime – why transnational and extraterritorial jurisdiction should be resisted International Review of Law, Computers & Technology, 37: 29-51.

BUÇAJ, E. (2017). The Need for Regulation of Cyber Terrorism Phenomena in Line With Principles of International Criminal Law. Acta Universitatis Danubius Journal, 13(1): 141-162.

Bucaj, E. and Idrizaj, K. (2024). The need for cybercrime regulation on a global scale by the international law and cyber convention Multidisciplinary Reviews

Budapest Convention on Cybercrime. (2001). Council of Europe Treaty Series No. 185 https://www.coe.int/en/web/cybercrime/the-budapest-convention

Council of Europe. (2001). Convention on Cybercrime. ETS No. 185. https://rm.coe.int/1680081561

Elements of Crimes. (2002). International Criminal Court. https://www.icccpi.int/resource-library/documents/ele

Elements of Crimes. (2002). International Criminal Court. https://www.icccpi.int/resource-library/documents/element-of-crimes.pdf

European Union. (2022). Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act). Official Journal of the European Union, L 277/1.

European Union Agency for Cybersecurity (ENISA). (2023). ENISA Cybersecurity Training Framework. https://www.enisa.europa.eu/publications/cybersecuritytraining-framework

European Union. (2024). Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts.

International Criminal Court, Office of the Prosecutor. (2025, March 6). Draft Policy on Cyber-Enabled Crimes Under the Rome Statute. [Consultation Document]. International Criminal Court.

International Criminal Court. (n.d.). Rules of Procedure and Evidence. ICC-ASP/1/3. https://www.icc-cpi.int/resource-library/documents/rules-of-procedure-andevidence.pdf

Kpae, G. (2020). Cyber threat to critical infrastructure and defending national security in Nigeria. International Journal of Economics, Business and Management Studies, 7(2): 214-223.

Le Nguyen, C., & Golman, W. (2021). Diffusion of the Budapest Convention on cybercrime and the development of cybercrime legislation in Pacific Island countries: ‘Law on the books’ vs ‘law in action’. Computer Law & Security Review, 40, 105521.

Nagarathna, A. (2020). Cybercrime regulation through laws and strategies: A glimpse into the Indian experience. International Journal of Digital Law, 1(1), 53- 64.

Prosecutor v. Bosco Ntaganda, ICC-01/04-02/06, Judgment (TC VI, July 8, 2019).

Sumadinata, W. S. (2023). Cybercrime and Global Security Threats: A Challenge in International Law Russian Law Journal, XI(3): 438-444

United Nations Office on Drugs and Crime. (n.d.). Cybercrime Module 3: Legal Frameworks. https://www.unodc.org/e4j/en/cybercrime/module-3/index.html

United Nations University Centre for Policy Research. (2023). Analysis of the UN Cybercrime Treaty. https://cpr.unu.edu/publications/articles/analysis-of-theun-cybercrime-treaty.html

United Nations. (1998). Rome Statute of the International Criminal Court. UN Doc A/CONF.183/9. https://www.icc-cpi.int/resource-library/documents/rs-eng.pdf

United Nations. (2024). UN Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes [UN Cybercrime Treaty]. https://www.unodc.org/unodc/en/cybercrime/ad_hoc_committee/home

United Nations. (n.d.). United Nations Convention against Transnational Organized Crime and the Protocols Thereto. [Note: General reference, specific relevance to cybercrime depends on interpretation].

Wu, T. (1997). Cyberspace Sovereignty? The Internet and the International System. Harvard Law Review, 110(5).

Yuliia, Y., & Lyudmyla, H. (2020). International aspects of legal regulation of information relations in the global internet. Law, 11.

VI. Appendix: Rome Statute of the ICC

A u t h o r

P r o g r a m D i r e c t o r & R e s e a r c h L e a d

A P A C F o c u s I G C S