March 2026 marked a milestone in international cybersecurity governance: representatives from all 193 member states of the United Nations convened in New York to launch the first permanent Global Mechanism on Information and Communication Technology (ICT) Security. After more than 25 years of largely ad hoc discussions, the international community now has a standing body to turn years of agreed language into concrete action.
The success of the new forum, however, will largely depend on how states address two familiar challenges from the outset: balancing consensus with efficiency and focusing on implementation rather than adding new commitments.
A mechanism built on accumulated consensus
Over the past two decades, states have built a substantial acquis on responsible state behavior in cyberspace, including voluntary norms, international law, confidence-building measures, capacity-building activities, and a list of existing and potential threats to international peace and security. Yet while there has been important political progress such as agreement on 11 norms and eight global confidence-building measures, implementation has often lagged due to capacity gaps, persistent substantive disagreements, and rising geopolitical tensions.
The new global mechanism, agreed upon in the 2021-2025 Open-ended Working Group (OEWG), enables states to address this challenge by accelerating implementation through the establishment of a standing forum. This forum includes new informal dedicated thematic working groups – one on challenges of ICT security as it relates to international security and another on capacity building – complemented by plenary sessions with decision-making authority.
New forum, familiar fault lines
The establishment of the mechanism builds upon general parameters agreed upon by states in the OEWG in July 2024 and July 2025 – a very solid foundation. Yet before substantive work can fully begin, states must further specify how the forum’s work is organised in practice. Because these modalities are being set out for the first time, the permanent nature of the global mechanism means that they will shape not only the initial five-year cycle of work but also become part of the mechanism’s institutional memory.
The March organisational session exposed two key, interrelated roadblocks: consensus versus efficiency and implementation versus expansion. These reflect long-standing divergences between two camps in UN cybersecurity negotiations – a state-centric, authoritarian vision of international information security spearheaded by Russia and China and a Western vision of an open, rules-based cyberspace. This division renders even procedural matters deeply political.
The first challenge: Consensus versus efficiency
At the heart of discussions lies a defining feature of UN cyber diplomacy: decision-making by consensus. Intended to ensure inclusivity and legitimacy, consensus can also function as a de facto veto mechanism, allowing any state to block progress.
While states agreed in 2024 on consensus as the guiding principle for decisions under the mechanism, interpretive differences remain as to whether it applies equally to procedural and substantive matters. Some states interpret this strictly, guided by the fear that relinquishing it would mean losing a de facto veto right and, consequently, political influence and power. Others, by contrast, advocate greater flexibility in order to preserve the body’s ability to function effectively.
At the organisational session, this tension became visible during debates over the mechanism’s leadership and who holds institutional control. The appointment of El Salvador’s permanent representative to the United Nations in New York, Ambassador Egriselda López, as Chair of the global mechanism’s first two years was one of the few concrete outcomes of the session.
Particularly given the emergence of a last-minute contender to El Salvador’s leadership in the weeks preceding the organisational session, Russia criticised informal consultations held by the mechanism’s secretariat, the United Nations Office for Disarmament Affairs, ahead of the mechanism’s first meeting, arguing that such processes should take place only in formal settings to comply with the consensus principle.
The competing candidacies, and the resulting inability for a chair-designate to convene informal deliberations ahead of the organisational session, limited expectations from the outset for what agreements could be reached during the 12 hours of meetings beyond the chair election. Had the approach advocated by Russia been pursued, it would have further slowed the mechanism’s ability to move beyond procedural issues and quickly transition into substantive work.
While Ambassador López’s appointment ultimately stood, similar tensions emerged in three further areas.
First was the appointment of co-facilitators for the dedicated thematic working groups. In addition to the chair, the mechanism provides for facilitators responsible for guiding the groups. López emphasised that the UN General Assembly’s rules of procedure apply mutatis mutandis – that is, with the necessary modifications – since the mechanism is a body operating within the purview of the UN General Assembly. She also signaled her intention to appoint two co-facilitators per group, balancing representation between developing and developed states.
However, some states, including Russia and China, have challenged the chair’s prerogative to make these appointments, arguing instead that such decisions should be made by consensus. Others, including the European Union and the United Kingdom, reaffirmed that they view these appointments as the chair’s competence, consistent with established UN practice. Since co-facilitators will shape agendas, guide negotiations, and play a decisive role in determining outcomes within the thematic groups, this is fundamentally a question of influence.
The second area of concern was the definition of dedicated thematic working group topics. While states broadly agree on the need for focused thematic work, they diverge on whether specific topics for discussion in the working groups can be designated by the chair, a position supported, for example, by Germany, or must be decided collectively, a position supported, for example, by Iran.
States’ preferences also differed on whether both groups should strictly address the same focus topic from different angles, an approach supported by the European Union, or operate autonomously, with distinct thematic ownership and differing thematic priorities, as favored by countries such as Argentina and Brazil.
During the organisational session, proposals for focus topics by states were limited but included, for example:
- Group 1 (Challenges): critical infrastructure protection (many states), ransomware (many states), moving forward with a norms implementation checklist, the operationalisation of the points of contact directory, further discussion on international law (all three suggested by Brazil), and data and supply chain security (China)
- Group 2 (Capacity Building): a diagnostic assessment of the capacity-building landscape (Brazil), ransomware (France), or prevention, detection, and response capacities (Tonga)
The last general issue was the institutional linkage between the working groups and the plenary. The global mechanism’s general parameters do not lay out who provides which types of recommendations or outputs from the groups to the plenary sessions. Some see this as the prerogative of the chair and the co-facilitators, whereas others again do not want to yield this power to particular roles.
The second challenge: Implementation versus expansion
A second challenge concerns the mechanism’s core mandate: should it focus primarily on implementing existing commitments, on developing new language, or both in equal measure?
Like the issues surrounding consensus, this debate is not new. It reflects long-standing divergences between the same two broad camps that have already shaped the early days of UN cybersecurity governance. During the mechanism negotiations, many states argued that it should prioritise operationalising existing agreements, cautioning against adding to negotiated language. Others, including Russia, emphasised that the evolving threat landscape and, in their view, unique features of ICTs would require continued normative development, including the possibility of new legally binding commitments. This position is strongly opposed by Western powers, including the European Union, which favour implementation first and consider existing international law sufficient.
At the organisational session, this area of disagreement reemerged during agenda-setting discussions. This ultimately prevented agreement on an agenda for the plenary sessions proposed by López, which the OEWG had agreed in 2025 would be organised around the five framework pillars.
The core point of contention emerged from calls led by Iran and Russia to incorporate specific language from earlier consensus reports. However, this is not a simple semantic disagreement but rather a strategic move; their proposed changes would, for example, replace a neutral reference to ‘international law’ with more expansive language emphasising also the identification of gaps and the potential development of additional binding obligations.
This position was not acceptable to several parties, including the European Union, which deemed it an attempt to reinterpret and renegotiate the work of the OEWG. As a result, the chair concluded that the group was not yet in a position to adopt the provisional agenda and called for continued consultations ahead of the next session in July.
The real test awaits
Taken together, these divergences reflect a deeper structural divide: one group of states prioritises efficiency and rapid operationalisation of the mechanism, while another insists on strict consensus at every stage, even at the cost of delay.
This makes the working groups both the mechanism’s most promising innovation and its most fragile component. The ongoing intersessional period will be critical to building convergence, designating co-facilitators, and defining focused working group workstreams, including confirming how their outcomes will feed back into the plenary.
The chair has already invited further input and announced a series of informal and bilateral consultations starting on 28 April. It will be essential for states to grant the chair sufficient leeway to steer the process and avoid reopening procedural questions where UN practice already provides a clear way forward.
Settling these core elements by or during the July session will be key to enabling substantive work to begin as quickly as possible. It thus also represents the global mechanism’s most important test to date, signaling whether the mechanism can move toward delivering on its promise to accelerate the implementation of the framework of responsible state behavior in cyberspace.
