On October 4, 2025, Supreme Resolution No. 148-2025-RE was published, granting full powers to the Ambassador of Peru in Vietnam to sign the ”United Nations Convention against Cybercrime: Strengthening International Cooperation to Combat Certain Crimes Committed through Information and Communication Technology Systems and to Transmit Electronic Evidence of Serious Crimes” (hereinafter, the “Convention”).
This marks a turning point for Peru’s digital ecosystem, in a context where cyberattacks and personal data breaches have been increasing across both public and private sectors. Peru’s adhesion not only reinforces its international commitment in this field but also promotes the consolidation of responsible digital governance capable of balancing innovation, security, and the protection of rights in the digital environment.
- Context: The Urgency of a Global Response to Cybercrime
The intensive and sustained use of Information and Communication Technologies (hereinafter, “ICT”) drives the development of society and the digital economy but also gives rise to new and sophisticated forms of crime on a global scale. In this scenario, it becomes essential to adopt solid public policies in criminal matters, as well as concrete actions at both the national and international levels to confront cybercrime. This fight requires coordination and effective international cooperation, since, as the saying goes, “The Internet knows no borders, neither of homes nor of States.”
Today, more than ever, regulatory frameworks must evolve at the same pace as technological innovation. The response to cybercrime must be integrated with strategies for secure digital transformation, ethical artificial intelligence, and the protection of critical infrastructures.
- The Convention: A Key Instrument for Cooperation
The scope of crimes related to the misuse of ICT is broad—it covers terrorism, transnational organized crime, human trafficking, drug trafficking, and sexual offenses, among others. In this context, the Convention constitutes a fundamental international instrument that seeks to strengthen:
- the harmonization of domestic legislation; and
- global cooperation among States in the prevention, investigation, and prosecution of crimes committed through ICT systems, as well as in the transmission of electronic evidence in criminal proceedings.
From a digital transformation perspective, the Convention also encourages the development of institutional capacities and the interoperability of governmental technological systems, which will be essential for evidence traceability and technical cooperation among countries.
- General Principles of International Cooperation
The Convention establishes that the States Parties shall cooperate with each other—in accordance with the Convention itself, other international treaties, and their domestic legislation—to investigate, prosecute, and sanction the offenses covered. This includes measures such as seizure, confiscation, forfeiture, and return of assets, as well as the collection, preservation, and transmission of electronic evidence.
Where dual criminality is required, this shall be deemed fulfilled if the conduct constitutes an offense under both States’ laws, regardless of whether it is classified under the same name or legal category.
The technological component will be critical in this cooperation. States must invest in secure digital infrastructure, encrypted exchange protocols, and common authentication standards, ensuring the legal validity of digital evidence, transparency, and respect for national sovereignty. In this sense, the process also represents an opportunity for Peru to modernize its domestic frameworks on cybersecurity and digital evidence, aligning them with international standards and reinforcing its role as a strategic regional ally.
- Covered Crimes and Sovereignty of States Parties
When implementing other UN conventions and protocols, States Parties must ensure that the offenses defined therein are also recognized as crimes under their domestic laws when committed through ICT. However, the Convention does not create new crimes, nor does it authorize a State to exercise jurisdiction in the territory of another.
Among the offenses that States must criminalize are:
- Unauthorized access to all or part of an ICT system for illicit or dishonest purposes.
- Obtaining, producing, selling, or distributing access credentials, passwords, or similar data.
- Soliciting or communicating with minors through ICT for purposes of exploitation or sexual abuse, including the production or dissemination of child abuse material.
- Unauthorized dissemination or publication of intimate images of a person through ICT systems.
Furthermore, the Convention emphasizes the importance of establishing corporate liability for participation in such offenses, which may be criminal, civil, or administrative depending on national legislation. Sanctions must be effective, proportionate, and dissuasive.
This implies that Peruvian companies must review their digital compliance management, information security policies, and incident reporting mechanisms. Corporate responsibility regarding technological crimes will no longer be merely a matter of ethics but of national and international legal compliance.
- Statute of Limitations
Each State Party must establish adequate limitation periods, taking into account the seriousness of the offenses. It is recommended to adopt extended timeframes or suspension mechanisms when the suspect has evaded justice—an appropriate measure to avoid impunity.
From a technological perspective, this also requires preserving the integrity of digital evidence over long periods, which demands robust policies for secure storage, blockchain-based systems, or immutable records ensuring the chain of custody.
It should be emphasized that the use of emerging technologies such as blockchain or distributed ledgers not only strengthens evidentiary chains but also paves the way toward a more traceable, efficient, and reliable digital justice system.
- Ratification and Adhesion to the Convention
The Convention will be open for signature by all States in Hanoi (Vietnam) in 2025 and subsequently at the United Nations Headquarters until December 31, 2026. Hence the importance of Supreme Resolution No. 148-2025-RE, which authorizes the Ambassador of Peru in Vietnam to sign this instrument.
- Entry into Force of the Convention
The Convention will enter into force 90 days after the deposit of the fortieth instrument of ratification, acceptance, approval, or accession. For States that accede thereafter, it will enter into force 30 days after the submission of their instrument or from the date of general entry into force, whichever is later.
- Approval and Ratification within the Peruvian Legal Framework
According to Article 56 of the Political Constitution of Peru, the Convention must be approved by Congress by an absolute majority before its ratification by the President of the Republic. Article 57 also recognizes the presidential authority to ratify the Convention once it has been approved by Congress.
The coordination between the branches of government and technical bodies will be essential to ensure that the adoption of the Convention translates into effective, sustainable, and digitally secure public policies.
- Impact on the Peruvian Private Sector
Peru’s adhesion to this Convention will have significant implications for the business and technological spheres, particularly in the financial, telecommunications, and digital services sectors, and, to a greater or lesser extent, across all industries.
Accordingly, it is essential that companies strengthen their cybersecurity mechanisms, preservation of digital evidence, and cooperation with competent authorities in the context of international investigations.
Likewise, internal policies (compliance), risk management frameworks, and personal data protection protocols must be updated to align with the new obligations arising from international cooperation in the fight against cybercrime.
Additionally, both the State and private entities must strengthen citizen “cyber trust”, ensuring effective protection of personal data through audits, technological transparency, and incident response protocols.
As digital citizens, we must also recognize that anyone who supplies personal information online becomes exposed to such crimes. What is neither permissible nor acceptable is that we, compelled by legal requirements, provide personal information and subsequently find ourselves victims of these offenses due to malpractice by public or private entities to which we were required to submit such information.
- Conclusion
In conclusion, the signing of the Convention represents a decisive step for Peru toward consolidating an international legal framework that enables more effective action against cybercrime, while simultaneously ensuring the protection of fundamental rights and digital security for citizens and organizations.
The need for cooperation and joint action among nations has never been greater than it is today. If we fail to recognize that we are witnessing a transformation in the way human beings live and interact with their environment, we risk deepening the very divisions and digital gaps that already separate us.
Beyond regulatory compliance, this milestone must be embraced as a strategic opportunity to drive the nation’s digital maturity. Integrating regulation with innovation, and law with technology, will be the key to building a digitally sovereign, resilient, and competitive Peru.
Ing. María José Rodríguez
Jefa de Transformación Digital
maria.rodriguez@kaitekiregulacion.pe
