Convention on Cybercrime
The Convention on Cybercrime (CETS No. 185), commonly known as the Budapest Convention on Cybercrime, is the first binding international treaty to harmonize domestic criminal laws on offenses committed via computer systems and networks, while establishing procedural mechanisms and extradition rules for cross-border investigations and prosecutions of such crimes.[1]Opened for signature in Budapest, Hungary, on 23 November 2001 by the Council of Europe, the treaty entered into force on 1 July 2004 following ratification by five member states, and it remains open to accession by non-European countries, with over 70 parties as of 2025, including the United States (which signed but has not ratified), Japan, Australia, and South Africa.[2][3]
Its substantive provisions criminalize core cyber-dependent offenses such as illegal access to computer systems, data interference, system interference, misuse of devices, computer-related forgery and fraud, and child sexual exploitation material, alongside targeted content offenses like those involving racist and xenophobic materials via computer systems under a related 2003 protocol.[4]
Procedurally, it mandates powers for expedited preservation of stored computer data, real-time collection of traffic data, search and seizure of electronic evidence, and mutual legal assistance, with emphasis on 24/7 networks for urgent cooperation; these elements have facilitated thousands of cross-border operations through the Cybercrime Convention Committee (T-CY), which interprets and updates implementation guidelines.[1][2]
While enabling effective responses to evolving threats like ransomware and online fraud, the convention has drawn criticism from civil liberties advocates for provisions enabling broad surveillance and data sharing that could enable state overreach, suppression of dissent, or inadequate privacy safeguards, as highlighted in early U.S. Senate reservations and analyses from groups like the American Civil Liberties Union, though proponents argue its safeguards—such as dual criminality requirements and human rights compatibility clauses—mitigate misuse when implemented domestically.[5][3]
Historical Development
Origins and Initial Motivations
The rapid expansion of information and communication technologies in the 1990s facilitated the emergence of novel criminal offenses, such as unauthorized access to computer systems and data interference, while enabling traditional crimes like fraud through digital means.[6] These developments threatened the confidentiality, integrity, and availability of computer systems and data, often transcending national borders due to the interconnected nature of global networks, rendering unilateral domestic responses inadequate.[4] In response, the Council of Europe's European Committee on Crime Problems (CDPC) recommended in November 1996 the establishment of an expert committee to address computer-related crime, marking the initial institutional push toward a coordinated international framework.[7] Work formally commenced in April 1997 with the creation of the Committee of Experts on Crime in Cyber-space (PC-CY), tasked with drafting a convention to harmonize substantive criminalization, procedural investigative powers, and mechanisms for international cooperation.[3] The primary motivations included deterring cyber-dependent offenses—such as hacking and malware distribution—and cyber-enabled crimes, including computer-related forgery and child exploitation material dissemination, which evaded prosecution due to jurisdictional gaps and inconsistent national laws.[6] Negotiators emphasized the volatility of digital evidence, necessitating expedited tools for preservation and cross-border access to combat perpetrators who exploited technological anonymity and rapid data flows.[6] To ensure broad applicability, the process incorporated input from non-European observers, including the United States, Canada, Japan, and South Africa, recognizing that effective countermeasures required global alignment rather than regional isolation.[6] This inclusive approach stemmed from the recognition that cybercrime's economic and societal harms—evident in proliferating viruses and online fraud—demanded a pioneering multilateral treaty to supplement existing extradition and mutual assistance pacts, prioritizing practical law enforcement efficacy over ideological constraints.[1] The resulting instrument, adopted by the Council of Europe's Committee of Ministers on November 8, 2001, reflected a pragmatic consensus on safeguarding critical infrastructure against evolving digital threats.[1]Negotiation and Adoption Process
The negotiation process for the Convention on Cybercrime originated from concerns over the inadequacy of existing legal frameworks to address emerging computer-related offenses, prompting the European Committee on Crime Problems (CDPC) of the Council of Europe to establish a specialized body in November 1996.[6] This led to the formation of the Committee of Experts on Crime in Cyberspace (PC-CY), which commenced work in April 1997 with a mandate to draft a binding international instrument harmonizing substantive criminal laws, procedural powers, and mechanisms for international cooperation.[6] Initial terms of reference targeted completion by December 1998, but extensions to June 2000 accommodated iterative consultations and revisions to refine definitions of offenses such as illegal access, data interference, and system interference, while balancing investigative needs with safeguards against abuse.[6] Negotiations involved representatives from all Council of Europe member states at the time, alongside observers from non-member countries including Canada, Japan, South Africa, and the United States, as well as international organizations such as the European Commission, Interpol, the International Telecommunication Union, and the Organisation for Economic Co-operation and Development.[6] This inclusive approach, spanning over 30 participating entities, facilitated cross-jurisdictional alignment on core provisions, with emphasis on extradition, mutual legal assistance, and real-time evidence collection to counter the borderless nature of cyber threats.[8] Debates focused on scope—excluding content-related crimes like child pornography from the main text to maintain consensus—while incorporating procedural tools like search and seizure of computer data, reflecting empirical evidence of rising incidents such as hacking and fraud in the late 1990s.[6] Following finalization in 2001, the Committee of Ministers of the Council of Europe adopted the Convention on November 8, 2001, marking it as the first multilateral treaty dedicated to cybercrime.[6] It opened for signature on November 23, 2001, in Budapest, Hungary—selected for its central European location and symbolic role in hosting the event—allowing immediate accession by non-Council members under Article 37, which requires compatibility with the Convention's principles.[1] The process underscored a pragmatic, evidence-driven effort to create enforceable standards amid technological evolution, without deference to ideological pressures, prioritizing operational efficacy for law enforcement.[9]Entry into Force and Early Implementation
The Convention on Cybercrime entered into force on 1 July 2004, following the deposit of instruments of ratification, acceptance, or approval by five states, including at least three member states of the Council of Europe, as stipulated in Article 74.[10] This threshold was met after ratifications by Albania (30 July 2002), Armenia (8 October 2002), Hungary (1 February 2004), Romania (28 June 2003), and Azerbaijan (22 April 2004), enabling the treaty's operationalization among initial parties.[11] At that time, the treaty had been signed by 30 Council of Europe member states and four non-members, but only these five had completed domestic ratification processes, reflecting deliberate legislative harmonization efforts to criminalize offenses such as illegal access to computer systems and data interference.[9] Early implementation emphasized domestic legal reforms to align national laws with the convention's substantive requirements, including the criminalization of core cyber offenses and the expansion of procedural powers for search, seizure, and real-time data collection.[1] Parties initiated mutual legal assistance mechanisms under Articles 27–31, facilitating cross-border investigations into cybercrimes, though initial cooperation was limited by disparities in technological infrastructure and investigative capacities among the small number of parties—growing to just 16 by the end of 2005.[11] The treaty's framework supported early casework, such as joint operations against international fraud networks, but reports from the period highlighted implementation gaps, including inconsistent definitions of "computer system" and reluctance in some states to grant expedited preservation orders due to privacy concerns.[2] In 2006, the Committee of Ministers of the Council of Europe established the Cybercrime Convention Committee (T-CY) to oversee implementation, monitor compliance, and promote capacity-building through technical assistance and best-practice exchanges.[12] This body conducted initial assessments, revealing that while European parties advanced legislative updates—such as the European Union's alignment via directives on attacks against information systems—non-European accessions, like that of the United States in 2006, introduced broader jurisdictional reach but also tested the convention's universality amid sovereignty debates.[9] By mid-2007, over 20 parties had ratified, enabling the first multilateral evaluations of extradition and evidence-sharing efficacy, though empirical data from T-CY plenaries indicated slower progress in developing regions due to resource constraints rather than ideological resistance.[1] These early phases underscored the convention's causal role in standardizing responses to evolving threats like botnets, predating widespread recognition of state-sponsored cyber operations.Legal Provisions
Substantive Criminalization Requirements
The substantive criminalization requirements of the Convention on Cybercrime, set forth in Title 1, Chapter II, obligate Parties to incorporate into domestic law penalties for specific offenses involving the unauthorized use or interference with computer systems and data. These provisions establish minimum standards for nine principal offenses across four categories, supplemented by rules on ancillary liability, corporate responsibility, and sanctions, to address threats to confidentiality, integrity, availability, property, and public morals posed by cyber-dependent conduct.[10] The requirements emphasize intentional acts performed "without right," a term interpreted to exclude authorized activities such as legitimate security testing or access to publicly available data, while allowing Parties flexibility through optional qualifiers like dishonest intent or limitations to connected systems.[10][6] Offenses against confidentiality, integrity, and availability (Articles 2–6) focus on core technical intrusions. Article 2 requires criminalization of intentional access to a computer system—or any part thereof—without right, with Parties permitted to condition liability on breaching security measures, intent to obtain data, dishonest intent, or applicability only to systems linked to others.[10] Article 3 mandates punishment for intentional interception, without right, of non-public transmissions of computer data within or between systems, using technical means; optional elements include dishonest intent or restriction to connected systems.[10] Under Article 4, Parties must penalize intentional unauthorized damage, deletion, deterioration, alteration, or suppression of computer data, though a reservation permits requiring serious harm.[10] Article 5 targets intentional serious hindering of a computer system's functionality without right, through input, transmission, or damage to data causing impairment.[10] Article 6 addresses tools of cybercrime by requiring sanctions for intentional production, sale, procurement for use, importation/exportation, distribution, or possession of devices—including computer programs or passwords—designed or adapted primarily for committing offenses under Articles 2–5; reservations allow exclusion of certain non-password acts, and liability may hinge on possessing multiple items.[10] Computer-related offenses (Articles 7–8) extend traditional crimes to digital contexts. Article 7 obligates criminalization of intentional input, alteration, deletion, or suppression of computer data without right, resulting in inauthentic data intended for legal recognition or use; Parties may add a requirement of intent to defraud.[10] Article 8 requires punishment for intentional unauthorized data manipulation or system interference that causes—in whole or part—wrongful economic loss or intended economic gain for the offender or a third party, with fraudulent intent.[10] These provisions target acts analogous to forgery and fraud but adapted to computer-mediated execution, preserving the Convention's technology-neutral approach to protect property interests without over-criminalizing minor errors.[6] Content-related offenses (Articles 9–10) address harms amplified by digital dissemination. Article 9 compels comprehensive criminalization of child pornography offenses via computer systems, including intentional production, offering, distribution, transmission, procurement, possession, or access of material depicting sexually explicit conduct involving children under 18 (or at least 16).[10] Reservations are permitted for possession or procurement alone, or for depictions of lawful sexual activities with 16–18-year-olds lacking exploitation, reflecting efforts to balance child protection with varying national age-of-consent laws.[10] Article 10 mandates penalties for willful infringement of copyright or related rights on a commercial scale through computer systems, consistent with Parties' international obligations; a reservation allows non-applicability or limitation to cases lacking effective civil remedies.[10] Ancillary provisions (Articles 11–13) ensure robust enforcement. Article 11 requires criminalization of intentional attempts and aiding or abetting offenses under Articles 3–5 and 7–9, with a reservation option for attempt.[10] Article 12 imposes liability on legal persons for offenses committed for their benefit by persons in authority or under their supervision due to inadequate controls, punishable by effective, proportionate, and dissuasive non-criminal or criminal sanctions such as fines or business prohibitions.[10] Article 13 stipulates that all offenses in Articles 2–11 warrant effective, proportionate, and dissuasive sanctions, including deprivation of liberty raising serious penalties under national law, to deter misconduct while accommodating domestic sentencing norms.[10] These elements promote harmonization without mandating identical penalties, allowing Parties to exclude de minimis acts and adapt to constitutional frameworks.[6]Procedural and Investigative Powers
The procedural and investigative powers in the Convention on Cybercrime, detailed in Articles 16 to 21 of the treaty, compel parties to enact domestic laws granting law enforcement authorities effective tools to gather electronic evidence for offences covered by the convention, while incorporating safeguards against abuse.[10] These provisions apply to investigations of serious crimes under Article 2 (illegal access), Article 3 (data interference), Article 4 (system interference), Article 5 (misuse of devices), and content-related offences in Articles 6 to 11, ensuring measures are proportionate, necessary, and subject to judicial or independent oversight as per Article 15.[10] Article 14 specifies that procedural powers extend to any offence committed by means of a computer system where the accused or victim is in the party's territory, or the offence involves its computer systems, broadening applicability beyond purely cyber-specific crimes.[10] Article 16 requires parties to enable expedited preservation of stored computer data, permitting authorities to order non-content data (such as logs or records) from service providers to be retained for up to 90 days, preventing deletion during ongoing investigations; this measure targets volatile digital evidence and must be authorized by competent authorities without prior notice to suspects in urgent cases.[10] Article 17 empowers production orders for subscriber information and traffic data, allowing compelled disclosure from service providers of data identifying users or communication routing, applicable when linked to serious cyber offences; parties must ensure such orders respect data minimization principles and privacy protections.[10] Under Article 18, parties must authorize search and seizure of stored computer data, including hardware, software, and copies thereof, with provisions for remote searches across borders if consented to by the data holder or under mutual legal assistance; this facilitates access to encrypted or distributed data but requires warrants or equivalent judicial approval to balance investigative needs with property rights.[10] A 2024 Council of Europe assessment of 74 parties found widespread implementation of Article 18, though variations exist in handling cloud-stored data and cross-jurisdictional seizures, highlighting its role in combating ransomware and data breaches.[13] Article 19 mandates real-time collection of traffic data, enabling authorities to compel service providers to gather non-content routing information (e.g., IP addresses, timestamps) during live communications for tracking suspects in dynamic cyber threats like botnets; this power is restricted to serious offences and demands strict oversight to mitigate surveillance overreach.[10] Article 20 addresses interception of content data, requiring legal frameworks for wiretaps or equivalent real-time capture of communications content in computer systems, aligned with parties' existing interception laws for comparable traditional crimes; it explicitly excludes mass surveillance and ties applicability to offences punishable by at least four years' imprisonment in domestic law.[10] Article 21 stipulates that investigative authorities exercise these powers equivalently to those for non-cyber offences of similar gravity, ensuring no lesser standards for digital investigations while adapting to technological realities like encrypted traffic.[10] These powers emphasize expediency and technical adaptability, with parties required to furnish investigators with specialist expertise and tools; however, implementation reports note challenges in harmonizing safeguards across jurisdictions, particularly for data held by foreign providers.[14] The provisions have supported over 20,000 mutual legal assistance requests annually among parties as of 2020, demonstrating practical utility in cross-border cases despite criticisms from privacy advocates regarding potential expansions beyond enumerated offences.[14]Jurisdiction and International Cooperation Mechanisms
Article 22 mandates that each Party establish jurisdiction over the offenses criminalized in Articles 2–11 when such offenses are committed within its territory, on board a ship flying its flag or an aircraft registered under its laws, or by one of its nationals if the act is punishable under the law of the place of commission or is not subject to any State's jurisdiction.[15] Parties must also assert jurisdiction if the offender is present in their territory and extradition to a requesting Party has not been effected, typically due to nationality-based refusal.[15] This provision allows Parties to exercise broader jurisdiction under domestic law and encourages consultation among Parties with concurrent claims to determine the most appropriate jurisdiction for prosecution, aiming to avoid conflicts while ensuring accountability for cross-border cyber offenses.[6] Chapter III of the Convention establishes a comprehensive framework for international cooperation, requiring Parties to afford one another the widest measure of mutual assistance in investigations and proceedings related to cybercrime offenses and the collection of electronic evidence (Article 23).[15] Extradition is facilitated for offenses under Articles 2–11 punishable by deprivation of liberty of at least one year, with the Convention serving as the legal basis in the absence of bilateral treaties, subject to standard grounds for refusal such as dual criminality unless waived (Article 24).[15] Mutual legal assistance (MLA) under Article 25 extends to procedural measures like searches, seizures, and disclosure of data, with provisions for expedited requests and limited refusal grounds, including national security or ongoing investigations, to enable rapid response to the ephemeral nature of digital evidence.[15] Specific mechanisms enhance operational efficiency: Article 26 permits spontaneous sharing of relevant information to aid foreign investigations, while Article 35 requires designation of 24/7 points of contact for immediate assistance in urgent cases.[15] Provisional measures include expedited preservation of stored computer data for at least 60 days (Article 29) and expedited disclosure of preserved traffic data to identify service providers (Article 30), bypassing dual criminality requirements for these actions to preserve evidence before deletion.[15] Further tools encompass mutual assistance for searching and seizing stored data (Article 31), transborder access to publicly available data without formal request (Article 32), real-time collection of traffic data (Article 33), and interception of content data where domestic law permits (Article 34).[15] These provisions apply irrespective of the location of the offense or data, promoting seamless cross-border collaboration while respecting sovereignty and human rights safeguards.[16]Protocols and Amendments
Additional Protocol on Xenophobia and Racism
The Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No. 189), extends the principal treaty by mandating parties to criminalize intentional dissemination of specified hateful content via digital means. Adopted by the Council of Europe's Committee of Ministers on 28 November 2002, it opened for signature on 28 January 2003 in Strasbourg and entered into force on 1 March 2006, following ratification by five states as required under Article 10.[17][18] The protocol's stated purpose is to harmonize domestic criminal laws against online racism and xenophobia while bolstering cross-border cooperation in detection, investigation, and prosecution, building on the Convention's frameworks for procedural powers and mutual assistance.[17] Article 1 defines racist and xenophobic material as written material, images, or other representations of ideas or theories that advocate, promote, or incite hatred, discrimination, or violence toward individuals or groups based on race, color, descent, national or ethnic origin, or religion when the latter serves as pretext for such factors. Central offenses include, under Article 2, the intentional public distribution or availability of this material through computer systems; Article 3, threats of violent acts motivated by these biases; Article 4, public insults on equivalent grounds; and Article 5, dissemination of content denying, grossly minimizing, approving, or justifying genocide or crimes against humanity (e.g., the Holocaust) when aimed at stirring hatred or discrimination. Article 6 penalizes aiding or abetting these acts, with sanctions calibrated to match gravity under domestic law.[17] To accommodate variations in free expression protections, parties may reserve application of Articles 2, 4, or 5, or impose additional intent requirements (e.g., exposure to hatred or lack of effective remedies), ensuring alignment with constitutional standards while pursuing non-criminal alternatives for milder cases.[17] The protocol applies only to acts post-entry into force for each party and excludes content solely for private use or non-public research/education, though these exemptions demand narrow construction to avoid undermining core prohibitions. As of 2023, 38 states have ratified it, with 47 signatories, predominantly Council of Europe members; non-European parties to the main convention, such as the United States, have refrained, citing irreconcilability with First Amendment safeguards against punishing non-inciteful offensive speech.[18][19] Implementation has encountered hurdles, including inconsistent national thresholds for "intent" and "incitement," jurisdictional gaps in anonymous or foreign-hosted content, and reliance on voluntary cooperation absent universal adoption. A 2023 Council of Europe study highlighted good practices like specialized training for prosecutors but noted persistent challenges in evidence preservation across borders, with limited empirical evidence of significant reductions in online hate incidents attributable to the protocol.[20] Critics, including legal scholars, contend its provisions foster a selective hierarchy of prohibited hatred—focusing on race/ethnicity while permitting analogous biases against other groups—and risk enabling state overreach against controversial opinions, as seen in reservations by states wary of chilling historical inquiry or political critique under Article 5.[21] Such concerns underscore tensions between combating verifiable harms like targeted online harassment and preserving robust debate, particularly where enforcement data shows uneven application influenced by prevailing institutional priorities.[22]Second Additional Protocol on Enhanced Cooperation and E-Evidence
The Second Additional Protocol to the Convention on Cybercrime, formally titled the Second Additional Protocol on Enhanced Co-operation and Disclosure of Electronic Evidence, was adopted by the Committee of Ministers of the Council of Europe on 17 November 2021 and opened for signature on 12 May 2022 in Strasbourg.[23] Limited to Parties to the original Budapest Convention, the Protocol seeks to address gaps in cross-border access to electronic evidence by establishing streamlined procedures for cooperation amid the jurisdictional challenges of globally operating service providers and the time-sensitive nature of digital investigations.[23] It entered into force on a provisional basis for ratifying states following individual ratifications, but requires five instruments of ratification, acceptance, or approval for full effect among all Parties; as of July 2025, it had garnered 51 signatures but only two ratifications.[23][24] The Protocol's core provisions focus on direct cooperation mechanisms to expedite e-evidence disclosure. Under Chapter III, competent authorities may issue direct requests to service providers in other Parties for compulsory production of subscriber information and traffic data, bypassing traditional mutual legal assistance channels for non-content data when domestic law permits and safeguards are met. Article 8 mandates Parties to adopt measures enabling service providers under their jurisdiction to comply with foreign preservation or production orders for electronic evidence, provided the requesting authority demonstrates necessity, proportionality, and compliance with human rights standards.[25] Chapter IV enhances mutual assistance by facilitating emergency procedures under Article 10, allowing rapid requests for data preservation or disclosure in cases of imminent serious harm, with responses required within 96 hours or as specified.[26] Additional tools include support for joint investigation teams, video conferencing for testimony, and real-time traffic data collection, all aimed at harmonizing investigative powers without mandating new criminalizations.[23] Safeguards are emphasized throughout to mitigate risks to privacy and due process. Requests must specify the offense, legal basis, and data sought, with Parties required to refuse execution if it violates jus cogens norms, double criminality applies, or fundamental rights are endangered; data minimization and deletion post-use are also mandated where feasible. Chapter VI promotes technical assistance and capacity-building, including information-sharing on service provider contacts and best practices for e-evidence handling.[23] The United States signed the Protocol on 12 May 2022 to bolster law enforcement access against cyber threats, while Canada's signature on 20 June 2023 underscored its potential for aiding prosecutions of cyber-related crimes.[27][28] However, implementation hinges on reconciling divergent national data protection regimes, with the European Union authorizing member states to ratify in its interest via a Council decision on 14 February 2023.[29]Ratification and Global Adoption
Signatories and Ratification Status
As of October 26, 2025, 81 states are parties to the Convention on Cybercrime, having either ratified it as signatories or acceded following invitations extended by the Council of Europe's Committee of Ministers to non-member states.[11] The convention, opened for signature on November 23, 2001, requires five ratifications for entry into force, which occurred on July 1, 2004, after deposits by Armenia (October 2003), Azerbaijan (October 2003), Bosnia and Herzegovina (April 2002), Ukraine (December 2003), and Estonia (May 2004).[1] For each subsequent party, the convention enters into force three months after the deposit of the instrument of ratification, acceptance, approval, or accession. Of the 83 states that have signed the convention, two—Ireland and South Africa—have not yet ratified it.[11] Ireland signed on February 14, 2002, but legislative hurdles, including alignment with EU data protection standards, have delayed ratification despite repeated government commitments as recently as October 2025. South Africa signed on November 23, 2001, but has not proceeded to ratification, citing domestic legal reforms needed for implementation.[11] Parties encompass all 46 Council of Europe member states except Ireland and any laggards among observers, supplemented by 35 non-European accessions demonstrating the convention's extraterritorial appeal.[30] Key non-European parties include the United States (ratified September 29, 2006; entry into force January 1, 2007),[31] which became the 16th party and emphasized its role in harmonizing electronic evidence procedures; Japan (ratified February 2010); Australia (ratified 2013); Canada (ratified 2015); and Brazil (ratified 2019).[11] African parties number 11, including Nigeria (2022) and Senegal (2012), while Latin American adherents total seven, such as Colombia (2013) and Costa Rica (2021).[30] This distribution underscores the convention's function as a framework for cross-border cooperation beyond Europe, with accessions requiring demonstration of commitment to core principles like substantive criminalization and procedural safeguards.[1]| Region | Number of Parties | Notable Examples |
|---|---|---|
| Europe (CoE members) | 44 | Albania, Germany, United Kingdom (all ratified by 2006–2010) |
| Americas | 10 | United States, Canada, Brazil, Mexico (accession 2018) |
| Asia-Pacific | 12 | Japan, Australia, Philippines (ratified 2011) |
| Africa | 11 | Nigeria, Ghana (ratified 2020), South Africa (signed only) |
| Middle East | 4 | Israel (ratified 2009), Dominican Republic (as observer-aligned) |
Accession by Non-European States
The Convention on Cybercrime (ETS No. 185), also known as the Budapest Convention, permits accession by non-member states of the Council of Europe, including non-European states, upon invitation from the Committee's of Ministers. Invitations are issued following consultations, such as those at the Octopus Conferences, and remain valid for five years, allowing the invited state to deposit its instrument of accession with the Secretary General. The Convention enters into force for the acceding state on the first day of the month following the expiration of a three-month period after deposit.[11] This mechanism has enabled participation by non-European states, extending the treaty's framework for harmonized criminalization, procedural powers, and international cooperation beyond Europe to combat cyber threats originating from or affecting global jurisdictions.[1] Non-European states initially invited to participate in the Convention's elaboration—Canada, Japan, South Africa, and the United States—were permitted to sign in 2001 and ratify subsequently. Japan deposited its instrument of ratification on 3 July 2012, with entry into force on 1 November 2012. Canada deposited its ratification on 8 December 2014, entering into force on 1 April 2015. The United States and South Africa signed but have not ratified as of October 2025.[11] Subsequent invitations have led to accessions by additional non-European states, broadening the treaty's applicability to diverse regions including Asia, Africa, the Americas, and Oceania:| State | Accession/Ratification Date | Entry into Force Date |
|---|---|---|
| Australia | 30 November 2012 (accession) | 1 March 2013 |
| Israel | 9 May 2016 (accession) | 1 September 2016 |
| Dominican Republic | 15 September 2016 (accession) | 1 January 2017 |
| Mauritius | 18 December 2017 (accession) | 1 April 2018 |
| Argentina | 5 June 2018 (accession) | 1 October 2018 |
| Panama | 26 April 2019 (accession) | 1 August 2019 |
| Philippines | 5 December 2022 (accession) | 1 April 2023 |
| Senegal | 21 June 2023 (accession) | 1 October 2023 |
| Sri Lanka | 22 February 2024 (accession) | 1 June 2024 |
| New Zealand | 28 August 2025 (accession) | 1 December 2025 |