• Homepage
  • Blog
  • General
  • Jurisdictional Questions Arising from the Office of the Prosecutor’s Draft Policy on Cyber-Enabled Crimes at the International Criminal Court

Symposium | Symposium on the ICC Office of the Prosecutor’s Draft Policy on Cyber-Enabled Crimes

Jurisdictional Questions Arising from the Office of the Prosecutor’s Draft Policy on Cyber-Enabled Crimes at the International Criminal Court

By Kenneth Chan Yoon Onn
Published on 14 May 2025

A concept image of a hacker at work in a dark room. The image was created for a piece of content but has since been released for use under a Creative Commons License.

Just shy of two years since the Office of the Prosecutor (OTP) first published its Strategic Plan 2023-2025 expressing its intention to address ‘cybercrime[s]’ as part of a renewed policy framework, we now have a better sense of what this will entail. In March 2025, the OTP released a new Draft Policy (currently open to public submissions until 30 May) dealing with what is now referred to as ‘cyber-enabled crimes’ (emphasis added). In light of the scope and scale of cyberattacks already taking place in situations under investigation by the Court – most notably in context of the conflict in Ukraine, where such operations have allegedly expanded to include targeting of civilian infrastructure – the clarity this document offers is very welcome.

There are numerous objectives driving this policy as listed in its third paragraph. Practically speaking, however, its goals are essentially two-fold. First, it serves as a statement of intent, describing the manifest ways in which the OTP intends to engage its mandate to confront the use of new technologies in the commission of atrocities. The majority of the objectives listed read like a catalogue of strategic aspirations that the OTP intends to pursue and be guided by as it navigates the challenges of the modern digital age. They include, for example, a desire to ‘encourage and support national efforts to repress cyber-enabled crimes under the Statute’ (para. 3.e) potentially through the OTP’s positive complementarity program, and ‘[to] contribute to the development of international jurisprudence and best practices concerning the prosecution of cyber-enabled crimes at the ICC and beyond’ (para. 3.g). While these goals are generally uncontroversial, the policy’s second objective may require further interrogation. In contrast to the other goals listed, paragraph 3.b. adopts a more defensive postulate. Recalling ICC Prosecutor Karim A. A. Khan’s previous observation that ‘no provision of the Rome Statute is dedicated to cybercrimes’, the OTP argues that under this policy, it intends ‘[to] emphasise the Office’s view that numerous crimes under the Rome Statute may be committed or facilitated by cyber means, and that the Court’s jurisdictional framework can apply to them’. The second purpose of the policy, in other words, is not to present the OTP’s strategic vision, but to justify its existence.

Indeed, the viability of the policy as a whole rests on the validity of this claim. The OTP’s assertion that the Rome Statute can be applied directly to cyber-enabled crimes was not arrived at in a vacuum. It finds support, for instance, in ‘The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare (2021)’, which the policy acknowledges has had a direct influence on its drafting. This report asserts that ‘[m]align cyber operations […] do not occur in a law-free domain but are subject to various bodies of international law, including the Rome Statute. Realizing this potential of the Rome Statute means such crimes could currently be prosecutable at the ICC (subject to jurisdictional and other requirements), without the need for any statutory amendment’. The policy underlying this position is clear. If the ICC is unable to confront new means and methods of atrocity perpetration under the existing framework of the Statute, it risks serious institutional obsolescence. By contrast, if the Statute is interpreted to allow the OTP to investigate and prosecute cyber-enabled crimes, this ensures that ‘[…] the Office’s mandate will not be outpaced by technology, and that the Statute remains relevant to the criminal conduct of persons within the Court’s jurisdiction irrespective of the technological means they might employ’ (para. 3.c). How then does the OTP set about establishing the ICC’s jurisdiction over such situations? The answer to this question is not so straightforward. The policy deals with a number of jurisdictional grounds relevant to the Court (territorial, personality, and subject-matter) in varying levels of detail and (arguably) to differing degrees of success. Some observations on its approach to these matters follows.

The Application of the Court’s Subject Matter Jurisdiction to Cyber-Enabled Crimes

What role do cyber-operations play in the perpetration of atrocity crimes? To answer this question, it is necessary to clarify what the OTP understands ‘cyber-enabled crimes’ to be. For the purposes of the policy, it explains that such acts take place when ‘crimes within the jurisdiction of the Court […] as set out in article 5 of the Rome Statute […] are committed or facilitated with the use of cyber means’ (emphasis original) (para. 21). They do not include acts commonly categorised as ‘cybercrimes’, which are offences ‘criminalised under domestic law, but not under the Statute’ (and include, for example, ‘illegal access to a computer system, illegal interception, data interference’ and so on (para. 28)). What is notable about the OTP’s definition is how it situates the concept of ‘cyber-enabled crimes’ within the Statute’s pre-existing definitional framework rather than separating it into its own special category of criminality, essentially dismissing their distinctive qualities as irrelevant to the categorisation of the requisite conduct. In so doing, the OTP seeks to reinforce its position that cyber-enabled crimes are already accommodated within the existing definitions provided by the Statute, thus sidestepping the need to trigger a cumbersome legislative process that would require the Assembly of States Parties (ASP) to ultimately decide whether to make amendments to the Statute to accommodate such activities. As the OTP pointedly asserts, the Statute is ‘technology-neutral’, which means that ‘[a]s a matter of law’, the crimes subject to the Court’s jurisdiction ratione materiae can already ‘be perpetrated or facilitated by cyber means.’ (para. 10).

This expanded application of the Court’s jurisdiction ratione materiae to cyber-enabled crimes, the OTP suggests, is arrived at using ‘ordinary, long-established means of interpretation, without impermissibly stretching existing criminal law by analogy and violating the nullum crimen sine lege principle’ (para 10). This claim is not dwelt upon, and thus raises questions about the interpretative methodology employed to arrive at this conclusion. The policy does not explain, for example, why the property of being ‘technolog[ically]-neutral’ should be understood as an invitation to broadly interpret the Court’s jurisdiction to include forms of conduct clearly not envisioned when the Statute was first negotiated. One reason for this, perhaps, rests on policy rather than legal grounds. It can be argued that if acts of digital misconduct are indeed truly amongst ‘the most serious crimes of concern to the international community’ (per the preamble of the Rome Statute), then justice should not be contingent on the previous foreseeability of the technology being used to execute the relevant conduct (para. 148). To a certain extent, this argument relies on the view that the Statute and the Court applying it are ‘living instruments’ that must adapt to changes in the world around it. However, insofar as the implications of new technologies are genuinely considered, it is submitted that it would also be in the spirit of progress to refuse efforts to force cyber-enabled crimes into the scope of the definitions of established core crimes on the grounds that they are too different in nature from traditional modes of perpetration involving explicit kinetic acts. This reading would at least acknowledge that the ASP should be allowed to consider whether such conduct falls under the Court’s mandate, as well as which amendments are necessary to ensure the Statute best reflects member States’ understanding of the issue. Given these concerns, it would be helpful for the OTP to explain why an expansive interpretation of jurisdiction should be favoured over a more cautious reading.

This matters because any time the Statute’s jurisdiction is expanded beyond the scope of what its drafters originally envisioned, this comes at the expense of the rights of defendants, which are strictly enshrined in the Statute. Article 22 of the Rome Statute, for instance, preserves the principle of legality or nullum crimen sine lege, a guarantee that only acts already prohibited by law when they were committed can be punished. One aspect of this principle, per Article 22(2) Rome Statute, is the prohibition on extension by analogy, which (as previously noted) the OTP fleetingly acknowledges as irrelevant to the present situation (para. 10). This blithe dismissal fails to acknowledge the uncomfortable proximity of its reasoning to the mechanisms of analogy. In his 2023 article for Foreign Policy’s Digital Front Lines, for example, Khan speculated that cybercrime could amount to violations of the Statute because ‘[t]he digital front lines can give rise to damage and suffering comparable to what the founders of the ICC sought to prevent’. While this analogy does not appear in the policy, it does in fact make a structurally similar comparison to explain the operation of a multi-jurisdiction cyber-enabled crime. Although the argument does not rely exclusively on analogy, the OTP argues that a cyber-attack across borders is ‘simply no different here than with a kinetic attack—if a ballistic missile was launched from the territory of State A at civilians on the territory of State B, the potential war crime would be committed in both of these States’ (para. 39). This is perhaps one area where further consideration would be beneficial.

The Application of the Court’s Territorial Jurisdiction to Cyber-Enabled Crimes

As the OTP acknowledges (para. 36), the application of the Court’s territorial jurisdiction to deterritorialised digital crimes is a challenge that has loomed large over their efforts (and international criminal justice more generally). While the position of the policy is that cyberspace is merely another domain through which international crimes may be committed (para. 10), it is not always clear how this can be articulated in practical terms, particularly in context of the actus reus or conduct element of such crimes. Cyber-activity typically takes the form of data manipulation occurring within the digital realm, untethered from a specific kinetic action that can directly connect it to a physical space associated with a State Party to the Statute. Consequently, how territorial jurisdiction (jurisdiction ratione loci) is established in circumstances involving cyber-attacks is not immediately apparent. 

Despite the complexity of this premise, the OTP’s handling of this issue is relatively straightforward. Its position is based on a ruling by the Court’s Pre-Trial Chamber in the Situation in Bangladesh/Myanmar where it is asserted that if even ‘one element’ or ‘part of’ a crime occurs anywhere on the territory of a State Party, this is sufficient to establish territorial jurisdiction. This reading is quite reasonable, and in its phrasing, helpfully addresses the territorial idiosyncrasies associated with cyber-enabled crimes. It explains that the perpetration of the actions necessary to facilitate such crimes usually takes the form of a multi-part process in which the relevant actions can begin in one State (referred to as subjective territoriality), be processed or passed through another (for example, where a server is hosted), and be completed in a third (objective territoriality), where its consequences are ultimately felt (para. 38). In such instances, the criminal conduct would be understood to have taken place in both the executing and completing locations, with the Court being permitted to seize jurisdiction if either territory is a State Party. The OTP gives the example of an individual launching a cyber operation (such as sending malware) from one State that then completes in another by destroying a medical database ‘[intentionally] causing death or injury to [a hospital’s] patients’ (para. 38). This would lead to the physical elements of ‘the war crimes of intentionally directing attacks against civilians or medical facilities’ being committed in both the applicable States (para. 38). As such, the Court would only need to establish its jurisdiction in one territory to be able to investigate the crime.

The flexibility of this modular approach to the synthesis of conduct and location in the determination of territorial jurisdiction allows the Court to enjoy a broader scope of coverage that serves the interests of substantive justice and the rule of law while still operating within a reasonable understanding of territorial jurisdiction. Still, it is good that the OTP recognizes that caution must be taken not to overextend the principle of territoriality to the point of arbitrariness. As it asserts, the principle of ratione loci is applied to situations of objective territoriality – that is, where the results of cyber-conduct are felt, ‘even if no legal “element” took place there’ (para. 38) – because the consequences felt represent an intrinsic part of the crime. Following from this logic, it follows that it would not regard ‘the mere transit of data through a State Party’s territory as a sufficient basis to assert the Court’s territorial jurisdiction’ (para. 42) as the factual nexus formed would be superficial at best. Thus, if there is no jurisdictional link between the Court and the executing and completing States, this cannot be arbitrarily established by claiming a connection arising from the transiting terrain, even if it is part of the only State in that situation that is party to the Statute. The imposition of this limitation on what would otherwise be an overly broad exercise of interpretation is a wise choice that should be rigorously observed.

Conclusion

The OTP’s efforts to clarify its approach to digital misconduct should be commended. Its agenda is ambitious, and as current events demonstrate, much needed. However, for its interventions to be meaningful, the application of the policy must be beyond reproach. It must rest on firm legal foundations, and this must include a clear understanding of the applicable jurisdictional rules. In this, deeper reflection will greatly benefit the finalised policy.

Kenneth Chan is a post-doctoral legal researcher at the Walther Schücking Institute of International Law and the Managing Editor of the German Yearbook of International Law.