The AU can help African countries adopt the UN cybercrime convention. But the challenges are significant

African countries have very different cybercrime legislation and previous treaties have not been widely adopted. The UN convention is an opportunity for a new approach.

Expert comment

Published 31 October 2025 — 4 minute READ

Image — Leaders and delegates at the signing ceremony of the UN Convention on Cybercrime in Hanoi on 25 October 2025. (Photo by NHAC NGUYEN/AFP via Getty Images)

Nnenna Ifeanyi-Ajufo

Associate Fellow, Africa Programme

The United Nations Convention against Cybercrime opened for signature in Hanoi, Vietnam on 25 October 2025, following adoption by the UN General Assembly in December 2024. African leadership played a key role, with Algeria chairing the ad hoc committee that drafted the convention. 

The convention seeks to ensure an effective and coordinated international approach to cybercrime prevention, and will come into force after it is ratified by 40 countries. The convention particularly favours African priorities, with its focus on international cooperation, and technical assistance and capacity building in developing countries.  

Less than a third of African countries have ratified the African Union’s own Malabo cybersecurity convention since its adoption in 2014.

Defining, understanding and tackling cybercrimes has remained a challenge for African states which rank low in global cybercrime assessments and suffer a combined loss of over $4 billion annually to cybercrime. Indeed, many African countries pushed for clearer obligations on capacity building initiatives throughout the negotiations.  

However, a mismatch persists between Africa’s global leadership on the convention, and its lack of commitment at the continental level. Less than a third of African countries have ratified the African Union’s own Malabo cybersecurity convention since its adoption in 2014 countries that led on the UN convention, Algeria and Nigeria, have yet to ratify Malabo. That lack of adoption should serve as a warning of how slow ratification can create fragmentation.

The AU must learn from the experience, taking advantage of the new UN convention to drive engagement by countries in creating more unified – and therefore more effective cybercrime policymaking. 

Africa and the road to the UN cybercrime convention

Africa’s leadership in the new UN convention marks a welcome break with the past. A preceding UN initiative adopted in 2015 – the UN Norms of Responsible State Behaviour in Cyberspace – saw only minimal African involvement. And since 2001, only 13 African countries have ratified the Budapest Convention on Cybercrime – the first such international treaty.

This time Africa displayed obvious interest from the early stages of the process, with African leadership significantly increasing the credibility and likely utility of the convention on the continent.

African countries have…different definitions of cybercrime, and different standards for evidence, interception, mutual legal assistance and extraterritoriality.

That reflects the growing priority given to digital transformation by the African Union (AU). The AU’s Digital Transformation Strategy for 2020-30 is a key part of its integration priorities, while Agenda 2063, the AU’s transformation ‘masterplan’ for Africa, has cybersecurity as a flagship project.  

However, the convention process also displayed the diversity of opinion within the AU member states. An ‘African Group’ was introduced during negotiations on the convention, which sought to present a harmonized African stance. But the group did not represent the AU position. And several African countries also alluded to the inadequacy of the Malabo Convention as a reason for their support of the UN convention.

That lack of consensus, within the AU and among African countries more generally, may now pose a challenge for implementation of the UN convention in Africa.

Lessons from Malabo

The Malabo Convention entered into force in 2023, but even today has only been ratified by 16 of the 55 AU member states. It suffered as a result of its structure, which merges three interrelated but separate topics – electronic transaction, personal data protection and cybersecurity – into one legal instrument. 

This combination raises a hurdle, given that African countries have generally enacted cybersecurity and data protection laws separately. They also have different definitions of cybercrime, and different standards for evidence, interception, mutual legal assistance and extraterritoriality.

The terms and scope of the new convention may face similar implementation challenges to Malabo. The UN convention is primarily based on criminalizing cyber-dependent crimes. But countries such as Nigeria and Egypt include a wider spectrum of computer-enabled crimes in their national cybercrime laws. 

During the UN negotiations, for example, Egypt proposed the inclusion of cyber-enabled crimes such as blackmail. Nigeria suggested including broader offences encompassed by its national legislation, such as cyber terrorism, cyber stalking, and manipulation of ATM and POS terminals.

The UN convention also states a commitment to avoiding suppression of human rights. But national cybercrime legislation has also often served as an opportunity for governments to impose broad restrictions on freedom of expression in Africa. For example, in 2020 a regional court ruled that Nigeria‘s Cybercrime Act contained provisions that could restrict cyberspace users’ rights to free expression and privacy.

International standards based on the systems and capacity of Western countries will often fail to account for the reality in developing countries.

Underpinning all of these challenges is a broad question of capacity. Most defining submissions to the convention came from Western countries during the negotiations, with the Budapest Convention providing a main source of guidance. 

But international standards based on the systems and capacity of Western countries will often fail to account for the reality in developing countries, especially those in Africa with limited digital capacity and infrastructure to effectively tackle cybercrimes.    

Towards implementation

21 African countries have already signed the UN treaty. The AU must adopt a tailored strategy to ensure the UN convention is adopted across the continent and does not become another widely unimplemented  ‘paper’ treaty.

The AU should begin by creating model legislation, shared definitions, guidance notes and peer review mechanisms to encourage alignment of countries’ legislation and institutional frameworks with the convention. It could also set up a continental monitoring mechanism to track progress on ratification  and implementation, including cooperation with law enforcement through AFRIPOL.

The AU must also ensure Africa is given high priority within implementation support mechanisms such as technical assistance, funding and capacity building. This can build upon existing initiatives: for example, the UK government has been providing capacity building assistance to various African countries – including a Joint Case Team on Cybercrime (JCTC) launched with Nigeria. 

Human rights concerns also cannot be ignored. The AU should promote regional guidance on how states can implement cybercrime laws consistent with human rights standards.

Leadership by the AU is essential. If Africa simply signs treaties without taking control of their implementation, it risks allowing external actors to define the scope of engagement. A proactive AU approach can help ensure Africa sets and protects its interests. 

But implementation must also reflect the continent’s diversity and differing levels of readiness. By coordinating capacity building under the AU umbrella, no AU member state will continue to be left behind in Africa’s fight against cybercrime.