In March 2026, all 193 UN member states convened in New York to launch the first permanent Global Mechanism for cybersecurity governance — the culmination of twenty-five years of multilateral negotiation. The same month, state-linked actors were actively conducting offensive cyber operations against critical infrastructure on three continents. Both things are simultaneously true. Understanding why they are not contradictory is the beginning of an honest account of what digital diplomacy has and has not achieved.
By Vladimir Tsakanyan, PhD · Center for Cyber Diplomacy and International Security · cybercenter.space
Take inventory. The Paris Call for Trust and Security in Cyberspace, launched by Emmanuel Macron at the UNESCO Internet Governance Forum in November 2018, has attracted more than twelve hundred signatories — states, international organisations, civil society groups, and technology companies — committed to nine common principles for securing cyberspace. The United States never signed it. Russia never signed it. China never signed it. The three states whose cyber operations pose the greatest systemic risk to global digital stability declined, politely or otherwise, to endorse the principles their operations most directly violate.
The Tallinn Manual — the most authoritative attempt to apply international humanitarian law to cyber operations — has now reached its third edition. It is a sophisticated, rigorously argued document produced by some of the finest international lawyers working on this problem. It is also not a treaty, not binding on any state, and routinely ignored by the states conducting the operations it purports to govern. The GGE process, which between 2004 and 2021 produced five consensus reports affirming that international law applies to cyberspace and establishing eleven voluntary non-binding norms of responsible state behaviour, has now been succeeded by a permanent Global Mechanism whose first organisational session in March 2026 ran to two days, adopted procedural rules, and scheduled future meetings. The norms remain voluntary. The behaviour they address continues.
This is not a counsel of despair about multilateral diplomacy. It is a description of a structural gap between the form and the function of the digital diplomacy enterprise — one that needs to be named clearly before it can be addressed honestly. The gap is not between good intentions and bad outcomes. It is between an institutional architecture designed to generate consensus and a security environment that is shaped by the absence of the binding commitments that consensus processes systematically avoid.
The Inventory of Frameworks — and the Gap Between Ambition and Effect
The architecture of digital diplomacy in 2026 is, by any measure, extensive. The UN First Committee runs the permanent Global Mechanism. The Third Committee has negotiated the UN Convention on Cybercrime. The Security Council has increasingly taken up cyber issues. The Paris Call coordinates a multi-stakeholder community of twelve hundred-plus signatories. The G7 has a Cyber Norm Initiative. The G20 addresses digital economy governance. The OSCE has confidence-building measures for cyberspace. The Council of Europe administers the Budapest Convention. NATO has its cyber defence commitments. The EU operates the Cyber Diplomacy Toolbox — its mechanism for attributing and sanctioning significant cyberattacks. The Pall Mall Process, led by France, is developing norms around commercial spyware and offensive cyber tools.
Each of these instruments exists. Each has produced something — reports, principles, declarations, working groups, and in a handful of cases, concrete operational tools. The Budapest Convention has enabled genuine international law enforcement cooperation on cybercrime. The OSCE confidence-building measures have produced communication channels used, if inconsistently, during incidents. The EU Cyber Diplomacy Toolbox has been invoked, albeit sparingly, to impose sanctions on actors responsible for significant operations against member states. The UN’s new Points of Contact directory allows states to communicate directly with designated national authorities during a cyber crisis — a modest but genuine operational advance that has moved faster than the normative debates surrounding it.
The question is not whether these instruments have produced nothing. It is whether what they have produced is proportionate to the threat environment they were designed to address — and whether the gap between the two is a temporary condition of institutional immaturity or a structural feature of the political interests that shape what these instruments are allowed to become.
Analyst note
The concurrent GGE and OEWG processes of 2019–2021 — two parallel UN bodies with overlapping mandates, established by competing resolutions backed by the United States and Russia respectively — illustrated the structural problem with unusual clarity. The duplication was not a governance accident. It was a political achievement: the creation of a forum structure that allowed both major powers to claim ownership of the UN cyber governance process while ensuring that neither forum could produce outcomes that significantly constrained their operational freedom. The 2026 consolidation into a single permanent Global Mechanism resolved the institutional duplication. It did not resolve the political interests that produced it. The mechanism will operate in five-year cycles, discuss the same five pillars that prior processes discussed, and produce the same voluntary non-binding outputs — unless the states whose compliance matters most decide to accept constraints they have spent twenty-five years avoiding.
Why Major Powers Participate in Processes They Do Not Intend to Be Bound By
This is the question that diplomatic politeness consistently avoids and strategic honesty requires. The major cyber powers — the United States, China, Russia, and to a lesser extent the United Kingdom, France, and Israel — participate actively in international cyber norm processes while simultaneously conducting, enabling, or tolerating the operations that those processes are ostensibly designed to prevent. This is not hypocrisy in the conventional sense. It is a rational strategy whose logic is not difficult to reconstruct.
Participation in norm processes serves several functions that have nothing to do with the norms themselves. It allows a state to demonstrate its commitment to rules-based order in contexts where that demonstration has diplomatic or commercial value. It provides intelligence about the positions and red lines of other states that would otherwise require more costly collection methods. It creates a platform for shaping the normative agenda in ways that advantage the participant’s preferred operational posture — ensuring, for example, that norms address the other side’s preferred methods more than one’s own. And it allows a state to claim the legitimacy costs of non-participation while reserving the operational freedom that binding commitment would foreclose.
France’s National Cybersecurity Strategy for 2026–2030 is an instructive case study in how a state navigates this tension with more candour than most. The strategy explicitly frames cyberspace as a “theatre of power” and commits France to developing credible offensive cyber capabilities as a deterrence instrument — while simultaneously committing France to the Paris Call principles, to the UN Global Mechanism, and to leadership of the Pall Mall Process on commercial spyware norms. These commitments are not contradictory in France’s strategic framework. They reflect a sophisticated understanding that norm-building and capability-building are complementary rather than competing activities: norms constrain adversaries, capabilities deter them, and the combination — if the norms are credible and the capabilities real — produces stability that neither alone can achieve. The problem is that this logic, applied symmetrically by all major powers, produces a normative environment in which every state advocates for the norms that constrain others most and reserves the capabilities it needs for itself.
Major powers participate in norm processes not despite continuing their operations, but alongside them. The forum is not a substitute for operational restraint. It is a diplomatic environment in which operational freedom is maintained while the language of restraint is cultivated.
The Civil Society Illusion — Inclusion Without Influence
One of the genuine innovations of the Paris Call model — and of the OEWG process that followed it — was the structural inclusion of non-state actors: civil society organisations, technology companies, academic institutions, and the private sector more broadly. This was a departure from the GGE model, which confined participation to government experts, and it reflected a genuine recognition that cyberspace governance could not be conducted exclusively by states when the infrastructure in question was owned and operated primarily by private actors.
The inclusion has been real. Civil society organisations have participated in Paris Call working groups, OEWG consultative sessions, and the preparatory meetings for the new Global Mechanism. Technology companies have signed the Paris Call, joined the Tech Accord, and contributed expertise to norm-development processes. The diversity of voices in the digital diplomacy space in 2026 is genuinely greater than it was a decade ago.
What has not followed from inclusion is influence over the decisions that matter. The normative outputs of the Paris Call — its nine principles — were drafted primarily by French diplomatic officials and Microsoft, and adopted by signatories who were invited to endorse rather than negotiate. The OEWG’s consultative sessions with civil society produced inputs that were noted, summarised, and largely set aside when states negotiated the final text. The Carnegie Endowment’s assessment of the norm process identified a recurring structural problem: some participants suggested the United States would have been more likely to join the Paris Call had it been allowed a voice in its formulation. The instrument was designed for adoption, not co-authorship. The same dynamic characterises most multi-stakeholder cyber diplomacy: civil society is present at the table, but the decisions about what goes on the menu are made elsewhere.
This is not a failure of goodwill. It is a consequence of the structural asymmetry between the states that bear sovereign responsibility for security outcomes and the non-state actors whose inclusion enriches the process but whose accountability for those outcomes is limited. Civil society cannot be sanctioned for a cyber incident. It cannot commit state resources to compliance. Its inclusion in norm processes is valuable for the legitimacy and expertise it provides, and insufficient as a substitute for the binding state commitments that legitimacy and expertise alone cannot produce.
Analyst note
The most consequential practical achievement of twenty-five years of UN cyber diplomacy is not a norm. It is a Points of Contact directory — a list of designated national authorities that states can call during a cyber crisis to communicate intent, seek clarification, and reduce the risk of miscalculation escalating to conflict. It is modest, operational, and used. The lesson it offers is not that norm processes are useless but that their most durable products tend to be practical infrastructure for communication and coordination rather than political declarations of principle. The Helsinki Process — the model that produced the most significant confidence-building achievements of the Cold War — succeeded not primarily because states agreed on norms but because it created channels through which adversaries could communicate in real time. Digital diplomacy has spent twenty-five years building the declaration. It is only beginning to build the channel.
What Effective Digital Diplomacy Would Actually Require
The preceding analysis implies a positive agenda, and it would be evasive not to state it. Effective digital diplomacy — measured not by the sophistication of its institutional architecture or the breadth of its stakeholder inclusion, but by its capacity to reduce state-sponsored cyber operations against civilian infrastructure, protect the digital commons, and manage escalation in a crisis — requires three things that the current apparatus does not reliably provide.
The first is binding commitments from the states whose behaviour matters most. Voluntary non-binding norms signed by democratic governments and small states, while the major offensive cyber powers decline or participate without constraint, do not produce security. They produce the appearance of governance while leaving the underlying power dynamics unaddressed. A binding instrument need not cover every state simultaneously to be effective — the Budapest Convention demonstrates that a treaty with meaningful membership can produce genuine operational outcomes even without universal participation. The political cost of binding commitment is real. It is also the minimum price of an arrangement that changes behaviour rather than describes it.
The second is crisis management infrastructure that functions in real time. The Helsinki Process worked because it created communication channels that operated during crises, not after them. The UN Global Mechanism operates in five-year cycles, with formal plenary sessions and informal dedicated thematic groups. This architecture is well-suited to the deliberate development of norms over time. It is poorly suited to managing a cyber incident that escalates over hours. The Points of Contact directory is a first step toward the kind of real-time communication infrastructure that reduces escalation risk. It is an address book for an era that requires a hotline.
The third is an honest reckoning with the relationship between norm advocacy and capability development. France’s 2026–2030 strategy is the most candid public statement yet produced by a Western democracy about this relationship: cyberspace is a theatre of power, norms and capabilities are complementary instruments, and a state that has only one without the other is neither safe nor credible. The digital diplomacy community has spent twenty-five years building the normative side of this equation while the capability side has developed largely outside the diplomatic framework. A more honest integration of the two — acknowledging that deterrence requires demonstrated capability and that norms derive their credibility partly from the costs a state can impose for their violation — would produce a more realistic and ultimately more effective diplomatic architecture than one that treats capability development as a regrettable exception to the norms it is simultaneously shaping.
None of this is technically difficult to envision. All of it is politically expensive to pursue. The states that would need to accept binding constraints are the ones that currently benefit most from the absence of them. The crisis management infrastructure that would reduce escalation risk requires a degree of US-China-Russia cooperation that the current geopolitical environment does not support. The honest integration of norms and capabilities requires a candour about state behaviour that most foreign ministries are not institutionally configured to provide.
These are the costs of the alternative to the current arrangement — an arrangement that produces summits, declarations, and permanent mechanisms in abundance, and produces the security outcomes those instruments were convened to achieve in inverse proportion to their institutional sophistication.
Bottom line assessment
Twenty-five years of digital diplomacy have produced a rich institutional landscape — UN mechanisms, multi-stakeholder frameworks, confidence-building measures, and the most thoroughly documented set of voluntary non-binding norms in the history of international security. They have not produced binding constraints on the states whose operations pose the greatest risk to global digital stability, real-time crisis management infrastructure capable of preventing escalation, or an honest integration of the norm-building and capability-development sides of the security equation. The gap between what the architecture produces and what the threat environment requires is not a temporary condition of institutional immaturity. It is a structural feature of a diplomatic system designed to generate consensus among states with fundamentally incompatible interests in the outcome. The new UN Global Mechanism will hold its meetings, produce its reports, and advance discussions along its five pillars. The states that matter will attend, participate constructively, and continue their operations. Both things will be true simultaneously. Understanding why they are not contradictory is the prerequisite for building something that actually changes the second sentence.
This is the sixth and final article in the series “Digital Diplomacy & Power.” The series examined how digital technology is reshaping the practice, institutions, and power dynamics of international diplomacy — from tech company sovereignty and data embassies through algorithmic geopolitics, chip diplomacy, small-state strategy, and the institutional limits of cyber norm-building. All articles available at cybercenter.space.
Digital Diplomacy Cyber Norms UN Global Mechanism Paris Call GGE Cyber Governance International Security Vladimir Tsakanyan
Leave a comment