ICC’s Policy on Cyber-Enabled Crimes under the Rome Statute: An Overview

by

Dimitrios Papantoniou

CyJurII Overseer

on 4 December 2025

Keywords: Cyber operations; cyber-enabled crimes; International Criminal Court; Military manuals; war crimes

On December 3, the Office of the Prosecutor of the International Criminal Court released its Policy on Cyber-Enabled Crimes under the Rome Statute.  OTP recognizes that while new and emerging technologies present new opportunities for society and human endeavors, they simultaneously introduce new risks and obstacles. Thus, technology may occasionally be utilized to conceal the commission of crimes. In this regard, OTP fulfills its obligation to prepare for the crimes of the future, highlighting that cyberspace is not a law-free zone and that the Statute is technology neutral. In 72 pages, the Policy on Cyber-enabled Crimes under the Rome Statute sets out how the Office of the Prosecutor will use its mandate and powers to investigate and prosecute cyber-enabled crimes within the jurisdiction of the International Criminal Court. The Policy was developed through an extensive consultative process involving multiple rounds of written input and direct discussion with internal Office staff and external experts, with the support of Prof. Marko Milanović,  as well as a public consultation.

The Policy uses the term ‘cyber-enabled crimes’ (as a factual description, and not as a distinct legal concept) simply to refer to the international crimes set out in the Rome Statute, which may be committed or facilitated by cyber means. It should be highlighted that relevant crimes under the Statute include not only aggression, genocide, crimes against humanity, and war crimes, but also offences against the administration of justice at the Court. Only cases of sufficient gravity will be admissible before the Court—assessed by reference to factors including the scale, nature, manner of commission, and impact of the alleged crime(s) attributed to the suspect(s) in question. Of particular importance is the relative gravity of the potential case, that is, how it compares to other potential cases currently under consideration by the Office with a view to investigation or prosecution. Moreover, the Court does not have jurisdiction over ordinary ‘cybercrimes’ that are punishable under domestic law, such as fraud or unauthorized access to a computer system. States may have assumed international obligations to punish such crimes under treaties to which they are parties, but as such these do not fall within the remit of the Court or the Office.

The Policy also makes reference to the applicable law before the Court which includes application of the Statute, Elements, and Rules; applicable treaties and the principles and rules of international law, including the established principles of the international law of armed conflict; where necessary, general principles of law derived by the Court from national law of legal systems of the world, provided they are not inconsistent with the Statute, international law, and internationally recognised norms and standards; In any circumstances, both the application and interpretation of the Statute must be consistent with internationally recognised human rights, without any adverse distinction with emphasis to rights particularly relevant to the investigation and prosecution of cyber-enabled crimes, inter alia, the right to life, the right to physical and mental health, the right to freedom of expression, the right to privacy and family life, the right to participate in public affairs, and the right to freedom from discrimination, including on grounds of gender.

Examples of potential cyber war crimes include inter alia:

• Cyber operations against hospitals or other medical facilities.

• The intentional use of destructive malware that can automatically self-replicate and proliferate (such as a worm), and which is capable of causing the requisite degree of harm through its effects on a wide variety of military and civilian computer systems, without discrimination.

• Cyber operations which are designed to delete data, and that deletion leads, or could have led, to death or injury—for example, a power plant is unable to function because indispensable data on its systems was deleted, and this then leads to a prolonged disruption in power supply that causes the death of civilians—the Office could potentially charge this act as the war crime of intentionally directing attacks against civilians or the civilian population. 

• Online messages calling for international crimes to be carried out by others.

• Creating or publishing degrading images of protected persons, such as prisoners of war.

The Policy also includes examples of cyber operations that can qualify as a use of force, which is prohibited by article 2(4) of the Charter and as an act of aggression. The threshold is not the technological means used, but the effects produced. Such a case could arise if the operators of one State launch cyber operations against the armed forces of another State, by hacking the navigational systems of aircraft or naval vessels, for example, thereby causing death, injury or physical damage. It may be less straightforward if the alleged cyber use of force does not cause such consequences. Finally, the Policy acknowledges that cyber conduct of a non-State actor targeting a State, such as a hacking group, may constitute a use of force between States if the conduct of the non-State actor was attributable to another State, in accordance with applicable rules of international law. In any event, such a requirement is cumulative to the required showing that the suspect—who must be in a position of leadership of a State— “planned, prepared, initiated or executed” the relevant act of aggression carried out by the non-State actor, with the required intent and knowledge.

Conclusion

To conclude, this new Policy of the OTP aims to help to ensure that it is ready for the crimes of tomorrow. Meanwhile, the Office will carefully monitor and consider the potentially evolving practice and positions of States on these issues. In this aspect, there is a need to update the States' military manuals on the law of military operations as well as relevant training directives, to ensure dissemination of OTP’s policy to all relevant stakeholders, including military and civilian audiences.