In December 2025, the Office of the Prosecutor of the International Criminal Court (ICC) adopted its ‘Policy on Cyber-Enabled Crimes under the Rome Statute’. While the document has largely been read through the lens of international criminal law, its significance extends well beyond The Hague. What the Policy signals is not the regulation of Internet infrastructure, nor an expansion of the Court’s jurisdiction into ordinary cybercrime. Rather, it reflects a structural junction between global justice mechanisms and the technical systems that underpin the Internet. Cyberspace is now recognised as an operational environment for the gravest international crimes, and investigating those crimes necessarily implicates data flows, networked systems, and specialised technical expertise. For the Internet governance community, particularly those concerned with DNS, connectivity, and infrastructure, this convergence raises questions that are not about compliance, but about evidence, cooperation, neutrality, and the conditions under which accountability becomes possible in a distributed network.

Cyber-Enabled Crimes Are Not Cybercrime

A foundational move in the Policy is the clear distinction between ‘cybercrime’ and ‘cyber-enabled crimes under the Rome Statute’. Ordinary cyber offences, such as hacking, fraud, or malware deployment, remain the territory of domestic criminal law and international cooperation instruments. The ICC does not claim jurisdiction over such conduct as such. However, the Policy makes explicit that cyber means may constitute elements of genocide, crimes against humanity, or war crimes when embedded in broader campaigns of violence, persecution, or armed conflict. Cyber operations used to identify victims, incite violence, disrupt essential civilian infrastructure, or facilitate physical attacks may fall squarely within the Court’s jurisdiction. For Internet infrastructure actors, this distinction matters because it reframes cyberspace not as a peripheral domain of harm, but as an integral medium through which international crimes may be enabled, coordinated, or concealed.

Infrastructure as Evidentiary Terrain

One of the most consequential aspects of the Policy lies in its treatment of evidence. The Office of the Prosecutor explicitly recognises that investigations into cyber-enabled crimes will rely heavily on technical digital evidence, malware samples, network logs, metadata, server records, and other artefacts generated by Internet infrastructure. Such evidence is often ephemeral. Data may be routinely overwritten, anonymised, or deleted as part of normal operational practice. Paragraphs 161—163 of the Policy therefore emphasise early and diligent evidence preservation, including voluntary preservation requests and, where legally permissible, compulsory measures executed by States Parties. Intentional destruction, tampering with, or interference in the collection of evidence is expressly characterised as an offence against the administration of justice, regardless of motive. For DNS operators and network providers, this marks an important legal inflection point. While routine data minimisation and privacy-preserving practices remain legitimate and often required, deliberate actions taken to frustrate international criminal investigations cross into a different legal category. The line between neutral technical operation and procedural obstruction acquires legal significance at the level of international criminal law.

Accessing Specialised Technical Expertise

The Policy is unusually candid about institutional limitations. The Office of the Prosecutor acknowledges that investigating cyber-enabled crimes will often require highly specialised technical expertise that it does not possess internally and does not routinely fund as part of its core budget. Attributing malicious code to particular systems or individuals, analysing complex network behaviour, and reconstructing cyber operations are described as specialised investigative activities. To address this gap, the Office anticipates relying on a flexible mix of secondments, external consultants, assistance requests under Article 93 of the Rome Statute, and commissioned forensic analysis by reputable external institutions. Crucially, paragraph 160 adds that the Office will take strategic advice from relevant stakeholders, including civil society and industry experts. This reflects an implicit recognition that expertise relevant to cyber-enabled crimes is distributed across technical and governance communities rather than concentrated within states or law enforcement bodies. For multistakeholder Internet governance, this language is familiar, but its appearance in an international criminal policy context is notable. At the same time, it raises governance questions about neutrality, independence, and the appropriate boundaries between technical advice and legal decision-making.

Jurisdiction and Cooperation in a Distributed Network

The Policy also adopts a restricted approach to jurisdiction in cyberspace. The Office explicitly rejects the notion that mere data transit through a State Party’s territory is sufficient to establish ICC jurisdiction, an important clarification for a globally routed Internet. At the same time, the Policy affirms that where cyber conduct forms an integral part of criminal activity, jurisdiction may be asserted even in highly distributed technical environments. States Parties are obliged to assist the Court, including by compelling corporations and other entities within their jurisdiction to produce evidence. In parallel, the Office may seek voluntary cooperation from private actors, subject to applicable legal obligations. For Internet infrastructure operators, this dual pathway mirrors existing tensions in DNS abuse and cybersecurity governance, where requests for cooperation increasingly originate from multiple authorities with overlapping but distinct mandates.

Infrastructure Performance, Data Access, and Digital Equity

The Policy’s reliance on technical evidence implicitly assumes the existence of infrastructure capable of generating reliable data. Yet recent CircleID analysis, including evaluations by Doug Dawson and Larry Press, demonstrates that connectivity is uneven, performance varies significantly, and access is often mediated through tiered service models. These infrastructural conditions have evidentiary consequences. In contexts of conflict or repression, satellite connectivity and other non-terrestrial systems may be the primary channels for communication, documentation, and coordination. Where connectivity is intermittent or degraded, the resulting data trail may be incomplete or distorted. This introduces a subtle dimension of digital equity into international criminal accountability. Communities dependent on unstable or prioritised infrastructure may be doubly marginalised, first by cyber-enabled harms, and second by evidentiary gaps that render those harms less visible to legal processes.

Sensitive Data, Scale, and Human Impact

The Policy also recognises that information relevant to cyber-enabled crimes may be sensitive, implicating national security, commercial confidentiality, or protected personal data. The Office commits to handling such material through established protective procedures and to resolving conflicts cooperatively with concerned states. Additionally, the Office acknowledges the scale of digital evidence involved in cyber-enabled investigations and confirms investments in resilient systems capable of storing, managing, and reviewing large volumes of data. These concerns will be familiar to Internet governance practitioners accustomed to debates about scalability, retention, and auditability. Finally, the Policy emphasises that assessing the impact of cyber-enabled crimes requires attention to differentiated harms, including those experienced by women, children, persons with disabilities, and marginalised populations. Technical evidence may establish causation and attribution, but it does not, on its own, capture the full human consequences of cyber-enabled violence and repression.

Way Forward: Infrastructure, Evidence, and Accountability

The ICC’s Policy reflects an institution adapting, cautiously but decisively, to the realities of cyberspace. It acknowledges dependence on specialised technical expertise, the vulnerability and scale of digital evidence, the infrastructural conditions that shape data visibility, and the need for cooperation beyond traditional state-centric models. The significance of this development lies not in any immediate regulatory obligation for Internet infrastructure actors, but in the increasing regulation. As cyber-enabled conduct becomes embedded in the prosecution of international crimes, technical systems and expertise are no longer peripheral to global accountability; they are structurally implicated in it. The challenge for Internet governance is therefore not to become an enforcement arm of international criminal law, but to ensure that cooperation, evidence preservation, and expert engagement take place within frameworks that preserve technical neutrality, protect human rights, and respect multistakeholder legitimacy. The ICC’s Policy suggests that international criminal law is beginning to learn from the governance logic of the Internet. Whether Internet governance institutions are prepared for the reciprocal demands of that convergence remains an open, and increasingly urgent, question.