On the margins of the 2026 International Law Commission (ILC) session, UNIDIR is organizing a side event on due diligence in cyberspace to bridge discussions and encourage engagement between cyber diplomats and the international legal community.
Due diligence is a well-established concept in international law, whereby States should not knowingly allow the use of their territory for activities contrary to the rights of other States. In international cybersecurity, States have recognized it as an important element of the agreed voluntary normative framework of responsible State use of information and communications technologies (ICTs), with some arguing it constitutes a binding rule in cyberspace. At the same time, the ILC has addressed due diligence in various contexts, most notably in relation to transboundary environmental harm, and in 2025 it added “due diligence in international law” to its programme of work as a distinct topic.
A well-established concept
As early as in 1928, the Island of Palmas arbitration linked due diligence to States’ obligation to act with reasonable care and established it as a corollary to territorial sovereignty. In the 1941 Trail Smelter case, the arbitral tribunal framed due diligence within the general obligation not to cause transboundary harm, proclaiming that no State has the right to use its territory, or permit its use, to cause significant injury to another State or persons located in another State’s territory.
Perhaps the most famous formulation of due diligence in international law comes from the International Court of Justice (ICJ) and its Corfu Channel judgment:
States have an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.”
In doing so, the Court suggested there are two prerequisites:
- State knowledge of a potential harm to the rights of another State emanating from its territory; and
- a real possibility that reasonable action taken by the territorial State could prevent or minimize that harm.
The ICJ later extended this reasoning in the Tehran Hostages case, where it held that the State was responsible for omitting to protect foreign diplomatic premises and its diplomatic and consular staff from attacks by non-State actors when it had both knowledge of the harm and capacity to act.
Modern doctrine approaches due diligence in at least three ways: as a principle of international law, as a stand-alone obligation, and as modality attached to a duty of care (a standard of conduct). Irrespective of its legal qualification, the practical exercise of due diligence by a State depends on two factors:
- First, the State should have power over the source of the risk to another State’s rights, property or citizens.
- Second, the State should be aware of or anticipate the risk that triggers due diligence.
As the ICJ emphasized in the Corfu Channel, the mere presence on the State territory of the source of harmful acts is not sufficient to impute knowledge of these acts to the State.
Cyberspace raises new questions
Alongside doctrinal debates on the legal nature and scope of due diligence, the discussion has recently gained a second wind specifically in the cyber context. In particular, the application of due diligence to State use of ICTs, and its implications for State responsibility, have become subjects of extensive debate.
The UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, in its 2015 consensus report, articulated a voluntary norm that “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs”. The 2021 GGE report clarified that:
a State should not permit another State or non-State actor to use ICTs within its territory to commit internationally wrongful acts.
As noted, due diligence is conditioned on knowledge. In the cyber context, the 2021 GGE report further qualified “knowledge” of malicious ICT conduct as requiring the State to be “aware or has been notified in good faith” that an internationally wrongful act involving ICTs is being carried out from or through its territory. The report also indicated that States will take all appropriate, reasonably available, and feasible steps to detect, investigate and stop internationally wrongful ICT activities emanating from or transiting their territory; it does not, however, impose a duty to monitor all ICT activities within their territory.
Despite years of negotiations among States on how international law applies to cyberspace, due diligence in cyberspace remains subject to divergent State interpretations. As observed by UNIDIR, key outstanding questions include the legal status of due diligence, the scope of expected conduct, the required level of knowledge, and the harm threshold.
The ILC takes up the issue
Due diligence previously featured on the ILC’s agenda in specific contexts, most notably in the 2001 Draft articles on Prevention of Transboundary Harm from Hazardous Activities. Article 3 provides that “the State of origin shall take all appropriate measures to prevent significant transboundary harm or at any event to minimize the risk thereof” – an obligation of conduct requiring the State to exert its best efforts to minimize the risk, without guaranteeing that no harm will occur (commentary 7 to Article 3 of the Draft articles).
Furthermore, in 2025 the ILC decided to include “due diligence in international law” in its programme of work and to appoint Dr Penelope Ridings as Special Rapporteur. Her first report in April 2026 reviews the long pedigree of due diligence in international law and the past work of the ILC on related topics. It acknowledges the lack of clarity regarding the legal character of due diligence and proposes to identify its common elements applicable both generally in international law and to special regimes, including potentially its application in the ICT domain.
This ILC endeavor is particularly relevant for cyberspace. As noted:
divergent State interpretations of cyber due diligence persist, and the ILC’s forthcoming work offers a timely opportunity to bring valuable clarity to how the concept applies in the cyber context.
UNIDIR at the 2026 ILC session
As part of UNIDIR’s ongoing work on international cyber stability, the Institute will organize a side event on Due Diligence in Cyberspace on 2 July, on the margins of the 77th session of the ILC.
The objective is to bridge the parallel discussions in the cyber diplomatic and international legal communities, fostering a much-needed exchange between these two groups.
This event, organized with a contribution from Dr Penelope Ridings, Special Rapporteur of the ILC on due diligence, is designed to explore national and regional interpretations, highlight practical challenges States face, and to facilitate an exchange of views between ILC members, cyber diplomats, and legal experts on how to further clarify and operationalize cyber due diligence.
