Three Pillars of Due Diligence and the European Union Cyber Security Legal Framework

 Victor STOICA*

University of Bucharest, Romania

Abstract: This article sheds light on certain manifestations of due diligence in cyberspace, and its connections with standards enhancing capabilities of states, which, further, depend on various other elements. It reveals the degree to which the existing and expanding cybersecurity legal framework of the European Union contributes to the application of the principle of due diligence in cyberspace for the EU Member States.

It does so by focussing on clarifying three basic characteristics of due diligence, as interpreted under general international law: territoriality, information and risk. It further describes relevant provisions mirroring the three, regulated through the NIS2 Directive, the Digital Services Act, the General Data Protection Regulation, the AI Act or the CER Directive, as well as in policy documents of the European Union such as the EU Strategy regarding Cybersecurity or the Declaration on a Common Understanding of the Application of International Law to Cyberspace.

Keywords: Due diligence, Cybersecurity, International Law, EU Law.

Introduction

Due diligence is not new in international law; it can be traced back to Roman Law, when an individual could have been held liable if causing harm by failing to meet ‘a standard of conduct expected of a diligens (or bonus) paterfamilias’.[1] Under the same regime, due diligence was conceptualised as the principle of ‘sic utere tuo ut alienum non laedas principle (use what is yours in such a manner as not to injure that of another).’[2] More recently, its interpretation and application have become rather prominent,[3] and it continues to gain traction in multiple fields of international law.[4]

Several international courts and tribunals have refined its meaning. In the Alabama Claims Arbitration, the arbitral tribunal concluded that ‘the British government failed to use due diligence in the performance of its neutral obligations’,[5] and that due diligence should have been exercised in exact proportion to the risk involved.[6] In the Island of Palmas Case, the arbitral tribunal found that the right to territorial sovereignty has the corollary obligation to protect, within that territory, the rights of other states,[7] while the arbitral tribunal from Trail Smelter decided that ‘no state has the right to use or permit the use of its territory in such a manner as to cause injury’.[8]

The International Court of Justice (“the ICJ” or “the Court”) contributed towards the development of due diligence in international law. In the Corfu Channel Case, the Court issued its well-known obiter dictum, through which it concluded that a State has the obligation ‘not to allow knowingly its territory to be used for acts contrary to the rights of other states’,[9] and that the obligation of due diligence depends on the knowledge held regarding potential dangers.[10] In the United States Diplomatic and Consular Staff in Tehran, the Court concluded that the Iranian authorities were ‘fully aware of their obligations under the conventions in force to take appropriate steps to protect the premises of the United States Embassy’,[11] and of the urgent need for action.[12]

Due diligence applies in various sub-branches of international law, spanning from the law of neutrality[13] to investment law,[14] from environmental law[15] to humanitarian law.[16] Even if due diligence has certain elements common to all these sub-fields of international law, in which it manifests its effects, authors confirm that the development of sector-specific standards may be needed.[17] This may be the case for the application of due diligence to acts performed in cyberspace.

Multiple states, from across various continents, through their National Positions related to the application of international law in cyberspace, accept that due diligence applies.[18] What is not currently clear is whether different thresholds of due diligence exist across regulatory frameworks and, if so, how they influence each other.

Through this article, I will try to shed light on the subjective nature of applying due diligence, which is generally considered as depending on the capabilities of states, which, further, depend on various other elements. My contribution endeavours to reveal whether the existing and expanding cybersecurity legal framework of the European Union (“the EU”), also labelled as being an ecosystem[19] or a regulatory landscape,[20] contributes to the application of the principle of due diligence in cyberspace for the EU Member States.

It does so by focussing on clarifying three basic characteristics of due diligence, as interpreted under general international law: territoriality, information and risk. It will further describe relevant provisions mirroring the three, regulated through the NIS2 Directive, the Digital Services Act, the General Data Protection Regulation, the AI Act or the CER Directive, as well as in policy documents of the European Union such as the EU Strategy regarding Cybersecurity or the Declaration on a Common Understanding of the Application of International Law to Cyberspace.

Due Diligence Basics

Due diligence is often seen as involving a general duty of vigilance, which may transform, when States know or should have known of existing or potential harmful activities, into an obligation to act.[21] The due diligence principle was established in international law in order to ‘protect states, territory and population as assets of the sovereign State against foreign harmful interference’,[22] and is generally regarded as imposing ‘standards of behaviour normally identified as reasonable or appropriate in light of the circumstances’.[23]

The case-by-case analysis of compliance with due diligence shows that its standard of appreciation is ‘deliberately flexible’,[24] or ‘highly circumstantial’,[25] but even so, doubts have been expressed as to ‘whether a refined duty of cyber diligence would cure or inflame the ills of cyberspace’.[26]

The ICJ has dealt directly with the principle of due diligence in only a few of its judgments. It was in the Corfu Channel Case and in Pulp Mills on the River Uruguay that the Court confirmed the existence of due diligence obligations either ‘as a principle of international law and a regime-specific rule’.[27] Some authors confirm the controversial legal regime of due diligence and conclude that it may well be ‘a principle, standard, norm, or obligation’.[28] Others argue that it may be either a ‘notion, concept, standard or principle’.[29] The different approaches towards the interpretation of due diligence also originate from its potentially differentiated application within various branches of international law, some of them containing specific rules.[30] More so, assessments of due diligence are not only general or sector-specific, but also have cross-sectoral manifestations.[31]

It is generally recognised that due diligence applies in cyberspace. Multiple States have issued National Positions regarding the Application of International Law to Cyberspace recognising the application of due diligence in cyberspace. However, the legal status of due diligence is perceived differently. While Israel, New Zealand or Canada frame due diligence as voluntary and non-binding,[32] a wider number of States recognise that ‘due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means’.[33] Rule 6 of the Tallinn Manual 2.0 confirms that due diligence is an obligation of international law.[34]

Even if these views may be, at first glance, considered irreconcilable, some scholars qualifying them as revealing an ‘all-or-nothing’[35] approach, certain characteristics of the application of due diligence are generally accepted. Due diligence applies territorially as a rule and extraterritorially as an exception (2.1), due diligence is an obligation of conduct which depends on the availability of information (2.2), and it involves risk assessment (2.3).

2.1. Due diligence and Territory

a) Cybersecurity and International Law

The ICJ, in the Corfu Channel Case, concluded that due diligence applies in international law and that it is ‘every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States’.[36] This argument is substantially entrenched in sovereignty,[37] which manifests primarily territorially.

Even if the Court did not further expand its reasoning regarding the manner in which due diligence may apply extraterritorially, ‘the scope of application of due diligence obligations also extends towards acts or activities under the ‘jurisdiction’ or ‘control’ of states’.[38] The Tallinn Manual 2.0 also confirms that due diligence may extend extraterritorially, when States control territory without exercising sovereignty over it, or with respect to government cyber infrastructure controlled abroad.[39] This finding is not unique to cyber operations. In the field of human rights, scholars conclude that ‘there is no question that States’ obligations of due diligence can and should arise under international law in the kind of extraterritorial circumstances’.[40]

Cyberspace is essentially characterised by de-territorialisation, particularly because in this environment ‘the territorial location of data at a given time is simply a function of algorithmic decisions of Internet intermediaries offering global computing services’.[41] There are various manifestations of extraterritoriality in cyberspace, a conclusion confirmed by the various National Positions issued by States with respect to the application of international law in cyberspace. Illustratively, the Netherlands, through its national position, affirms that in the context of cyberspace, States must take actions with respect to cyber operations that are ‘carried out by persons in their territory or where use is made of items and networks that are in their territory or which they otherwise control’.[42] Finland further argues, through its national position, that the obligation of due diligence extends to ‘states through which data merely transits, so long as that State knows of that transmission and can stop it’.[43] Other States have expressed similar views regarding the application of due diligence obligations related to activities under the control (but outside the territory) of States. Germany submits that ‘a state may also become liable under international law in connection with another State’s or a non-State actor’s actions if the first State fails to abide by its obligations stemming from the “due diligence” principle’.[44]

What is currently clear is that due diligence obligations, as a norm of international law, have both territorial and extraterritorial effects. The EU Cybersecurity Legal Framework (the “EU CLF”) confirms this conclusion.

b) Cybersecurity and the EU CLF

The EU has recently issued its Declaration on a Common Understanding of International Law in Cyberspace, on 18 November 2024, through which it concluded that States have the duty to make efforts to ensure that infrastructure is not used ‘for cyber activities within the territory or information and communication technology infrastructure that they otherwise effectively control’.[45] This document confirms, as a matter of policy, that due diligence applies territorially but may extend extraterritorially to information and communication technology infrastructure controlled by States outside their territories. This conclusion is further confirmed by various acts issued at the level of the European Union.

Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data (“GDPR”), through Article 3, provides that it also applies ‘to the processing of personal data by a controller not established in the Union, but in a place where Member State Law applies by virtue of public international law’.[46] Further, once a breach has occurred, even in extraterritorial circumstances, Article 33 of the GDPR establishes obligations of notification to supervisory public authorities, ‘without undue delay’.[47] The extraterritorial justifications of the GDPR have been anchored in the obligation of the EU ‘to protect people from third party activities that curtail to people’s fundamental rights’.[48]

Directive 2022/2555 of the European Parliament and of the Council of 14 December 2022, on Measures for a High Common Level of Cybersecurity across the Union (“NIS 2”) is another instrument of the EU containing extraterritorial effects and further establishing certain obligations related to the fulfilment of due diligence by EU Member States. Article 28 expressly provides that databases of domain name registration data shall be handled with due diligence.[49] Further, Article 26(5), part of Chapter V of the same Directive, entitled ‘Jurisdiction and Registration’, confirms that supervisory and enforcement measures may be undertaken with respect to entities that provide services or have networks and information systems on their territories.[50] As such, the NIS2 has an extraterritorial reach which further expands the scope of its predecessor.[51]

Regulation 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services[52] (“the DSA”) also ‘explicitly states its extraterritorial context’.[53] In this sense, Article 2 provides that it:

shall apply to intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment.[54]

The DSA provides standards which contribute to the exercise of due diligence obligations of EU Member States. Illustratively, Article 18 of the DSA establishes obligations for service providers to ‘promptly inform the law enforcement or judicial authorities of the Member State or Member States concerned’ when they become aware ‘of any information giving rise to a suspicion that a criminal offence involving a threat to the life or safety of a person or persons’ has taken place, is taking place or is likely to take place.[55] Further, Article 57 of the DSA establishes that the Digital Services Coordinators and the Commission must provide mutual assistance in order to comply with the provisions of the DSA.

Directive 2024/2847 of the European Parliament and of the Council on Horizontal Cybersecurity Requirements for Products with Digital Elements[56] (the “CRA”) also has extraterritorial manifestations which ‘will affect organisations along the entire supply chain’[57] of products with digital elements. In this context, Article 13 of the CRA provides that ‘when placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements’[58] of the CRA. The location of the manufacturer need not be within the EU for the CRA to apply.[59]

Several other legal instruments of the EU have extraterritorial effects which further substantiate and influence the obligations of due diligence of the EU Member States. The extraterritorial scope of certain EU regulations or directives has been labelled as the “Brussels Effect”, through which the EU ‘has the ability to promulgate regulations that shape the global business environment.’[60] These extraterritorial provisions also act as legal harmonisers,[61] as they promote cybersecurity outside the EU. Further, they are cooperation facilitators, revealing that the Member States of the EU (as well as private entities inside and outside the EU) should endeavour to constantly inform each other in order to address cybersecurity, often in real time, regarding potential malicious cyber operations. In this context, information and data are relevant for the fulfilment of due diligence obligations.

2.2. Due diligence and Information

a) Cybersecurity and General International Law

Due diligence is an obligation of conduct, or of means, rather than an obligation of result.[62] However, the legal content of the concept of conduct is not that clear,[63] in the sense that there is no standardised conduct relevant for the assessment of due diligence and, consequently, it may be comprised of ‘positive acts, omissions, failure to achieve a certain result, a failure to meet a standard of due care or pure lack of vigilance’.[64] For example, the obligation of conduct related to due diligence does not imply that there exists a general duty of prevention transcending multiple sectors of international law. This approach is in accordance with the judgment of the International Court of Justice in the Prevention and Punishment of the Crime of Genocide, through which it concluded that ‘the content of the duty to prevent varies from one instrument to another’.[65] While prevention applies regarding obligations to prevent transnational harm,[66] it remains unclear whether it does so regarding malicious cyber operations.

Due diligence under international law has been historically addressed by the Arbitral Tribunal in the Alabama Claims. In this context, the dissenting opinion of Sir Alexander Cockburn is rather remarkable, as it conceptually expanded the test of due diligence applied by the majority opinion. Sir Alexander Cockburn identified two essential elements for due diligence:

it requires a government to take all possible steps to inform itself regarding the possibility of any violation of its obligations and, where necessary, to apply its means and power to prevent any such violation from occurring.[67]

The relevance of States having and using information, for the purposes of fulfilling obligations of due diligence, was also confirmed by other international courts and tribunals. The Permanent Court of Arbitration, in the South China Sea arbitration, concluded that ‘upon receipt from another State of reports of non-compliance, the flag State is then under an obligation to investigate the matter and, if appropriate, to take action necessary to remedy the situation’.[68] These findings regarding the relevance of information are often used to address vigilance as a corollary of diligence. This approach is confirmed at the level of the International Law Commission of the United Nations, which provides, through Annex 2 of its Report of the 75th Session, that it will also address ‘the degree of care, or vigilance, or the absence of negligence, that is required’,[69] as an important issue for understanding due diligence under international law.

Vigilance implies, in this context, the ability of States to constantly verify available information and to respond appropriately, where necessary, in order to address potential risk or actual harm. The occurrence of harm does not imply that the obligation of due diligence was breached, as long as the State in question performed what was appropriate and reasonably expected from it. A relevant explanation of appropriateness would be that States take ‘all reasonable steps, both to inform itself of relevant factual and legal matters relating to any underlying risk and to respond to these in a timely and appropriate manner.’[70] This is all the more relevant in the context of cybersecurity under the EU CLF.

b) Cybersecurity under the EU CLF

A considerable number of instruments issued at the level of the EU contain provisions regulating the transfer of information, mainly from private entities to dedicated public authorities.

The AI Act includes obligations of establishing notifying authorities responsible for ‘setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring’.[71] Further, Article 30 of the AI Act provides that notifying authorities shall notify the Commission and the other Member States, including the full details of conformity assessment mechanisms.[72] The notifying authorities of Member States must further cooperate regarding the procedures applied for conformity assessment.[73]

Reporting and disclosure obligations are also provided through NIS2. Article 12(1) establishes that ‘each member state shall designate one of its CSIRTs as a coordinator for the purposes of coordinated vulnerability disclosure’,[74] one task of the CSIRT designated as a coordinator also being to assist ‘natural or legal persons reporting vulnerabilities’,[75] which, in turn, are coordinated by the European Union Agency for Cybersecurity (“ENISA”), the entity which maintains a European vulnerability database.[76]

The GDPR also includes obligations of notification. Article 33 provides that controllers have the duty to report a personal data breach to the supervisory authority when it poses risks to the rights and freedoms of individuals.[77]

The DSA contains, due to its scope of application, more complex provisions related to reporting and disclosure. For example, it establishes, through Article 22, trusted flaggers, entities which are awarded this status by the EU Member States if they have particular expertise and competence for ‘detecting, identifying and notifying illegal content.’[78] The EU has also enacted whistle-blower tools for the DSA, through which it enables ‘anonymous, or attributed submissions of insights’[79] from individuals with inside information.

Reporting and transfer of information are addressed by ENISA in its first Report on the State of Cybersecurity in the Union, through which it mentions that ‘notification obligations and contextual measures are progressing, but some Member States lack reporting tools’[80] and further provides that the growing threat landscape needs improved reporting.[81] ENISA also determines that reporting and notification procedures are directly connected with risk assessment.

2.3. Due diligence and Risk Assessment

a) Cybersecurity and International Law

Due diligence is linked with the likelihood of harm and with the degree to which the potential harm is foreseeable. Authors conclude, in this respect, that one of the functions of due diligence is ‘risk management and securing accountability’.[82] Other authors go further and determine that:

protective obligations have been commonly associated with the idea that states must behave diligently with a view to preventing, stopping or redressing a variety of harms or risks to persons, property or territory, ranging from internationally wrongful acts to lawful activities or even accidents.[83]

In other words, when addressing risk, the relevant issue at hand is the amount of information a State possesses about the harmful act in question.[84] The consequence is that the more data a State has regarding illegal acts performed in cyberspace, the more acute the duty of due diligence becomes, authors concluding in this respect that ‘the standard of due diligence demanded by these norms would be commensurate with the capacity of a particular state against particular cyber threats on the facts of a case’.[85]

A negative consequence of this risk-based approach to the application of due diligence may be that of negligence. The International Law Commission of the United Nations confirms this conclusion, through Article 39 of the Articles on Responsibility of States for Internationally Wrongful Acts, which provides that ‘in the determination of reparation, account shall be taken of the contribution to the injury by wilful or negligent action or omission of the injured State or any person or entity in relation to whom reparation is sought’.[86] The more recent work of the International Law Commission further links due diligence with risk and, in Annex II of the Report of the Seventy-Fifth Session, entitled “Due Diligence in International Law”, it shares that it intends to study ‘whether there is a minimum level of risk of harm and the gravity of the harm before the obligation of due diligence is activated; and questions over the relevant knowledge requirement and foreseeability of the risk of harm’.[87] The International Law Association, through its Working Session Report from Johannesburg, further confirms that due diligence is ‘a variable concept that might change over time and in relation to the risk involved’.[88]

b) Cybersecurity and the EU CLF

The EU CLF enhances the technical capacities of States, in order to better mitigate risks and threats that are specific to cyberspace. This conclusion firstly arises out of the European Union Cybersecurity Strategy, as it aims to strengthen protection measures against risks related to security and fundamental rights, through three principal areas of action addressing ‘resilience, technological sovereignty and leadership, building operational capacity to prevent, deter and respond, and advancing a global and open cyberspace.’[89] The Strategy is confirmed at the regulatory level, as multiple legal instruments of the European Union aim to implement its principles.

The NIS2 provides through Article 1(2)(b) that it lays down ‘cybersecurity risk-management measures and reporting obligations’[90] for certain entities considered important or essential for the purposes of cybersecurity. The Directive further defines risk as being ‘the potential loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident’.[91] Article 7 of NIS2 requires EU Member States to adopt national cybersecurity strategies, which must include, inter alia, ‘a mechanism to identify relevant assets and an assessment of the risks in that Member State’[92] and policies related to the promotion of the ‘development and integration of relevant advanced technologies aiming to implement state-of-the-art cybersecurity risk-management measures’.[93]

Directive 2022/2557 of the European Parliament and of the Council on the Resilience of Critical Entities (“CER”) contains a similar definition of risk as the one provided through NIS2 and further defines ‘risk assessment’, in the following terms:

the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident.[94]

Article 6 of CER develops the obligations of States to perform risk assessment, and establishes obligations for the EU Member States to identify critical entities by taking into account the outcomes of the risk assessment. The sectors and sub-sectors of critical entities are codified in the Annex of CER, and they include digital infrastructure.[95]

The AI Act defines risk as meaning ‘the combination of the probability of harm and severity of the harm’,[96] and also identifies the concept of ‘systemic risk’ as being ‘a risk that is specific to the high-impact capabilities of general purpose AI-models’.[97] Article 27 of the AI Act is particularly relevant for due diligence, as it provides obligations related to ‘fundamental rights impact assessments for high-risk AI systems’[98] which should consist of, inter alia, ‘the specific risks of harm likely to have an impact’[99] on individuals.

The GDPR also refers to risk in Article 32, on the security of processing, which regulates the obligation of controllers and processors to ‘implement appropriate technical and organisational measures to ensure a level of security commensurate with the risk’.[100] Further, Article 35(4) of the GDPR regulates the competence of the public supervisory authority to issue lists of operations which need an impact assessment:

The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment[101]

Finally, the CRA also regulates risk assessment mechanisms, through Article 13(2), which provides that manufacturers of products with digital elements must undertake:

an assessment of the cybersecurity risk associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks[102]

Risk assessment is a fundamental pillar of the EU CLF. ENISA, through its 2024 Report, issued six recommendations, one of which proposes that supply chain security may be enhanced through EU-wide coordinated risk assessments that would address cybersecurity challenges faced by both the public and private sectors.[103]

Conclusion

If due diligence is characterised by territoriality (and, exceptionally, extraterritoriality), by the amount of data and information held by the State expected to perform its due diligence obligations, and by the technical capabilities of identifying risk and performing, in certain circumstances, risk assessment activities, then the European Union Cybersecurity Framework contributes to its fulfilment.

Even so, due diligence is variable, and States confirm its standards of variability. Illustratively, Switzerland argues that ‘due diligence is a variable standard and depends on the capacities and capabilities of a state as well as the particular circumstances of each case’.[104] This subjective appreciation is further nuanced by Canada, arguing that ‘a State with limited technical capabilities would not likely be expected to respond if it failed to detect a malicious cyber activity emanating from or through cyber infrastructure on its territory. However, once aware, the State would be expected to respond’.[105] The Czech Republic confirms that ‘factors such as technological and financial resources and overall material capabilities of the State, in the particular circumstances of each case, have to be taken into consideration when evaluating the compliance with the due diligence obligation.’[106] This variability of due diligence also reveals something else: the technological and logistical disparities between developed States and developing States regarding standards of due diligence.

Through its position on the Application of International Law to Cyberspace, the African Union concludes that developing countries face challenges in implementing due diligence measures due to resource constraints and further submits that ‘international cooperation and information sharing, including through Computer Emergency Response Teams’[107] would further enable States to fully uphold the obligation of due diligence. The African Union seems to refer to the mechanisms used by the European Union, some of them briefly addressed through this article. The Legal Framework of the European Union, regulating cybersecurity through its various Regulations and Directives, either directly or indirectly, raises the standards of capacity and capability of its Member States and further enhances compliance with due diligence obligations. Consequently, reporting and notification mechanisms, information sharing, international cooperation, mutual assistance, risk identification, classification of malicious cyber operations and critical infrastructures, and the establishment of national authorities collecting information, all enhance cybersecurity.


* Victor is Senior Assistant Professor at the University of Bucharest. The opinions expressed in this paper are solely the author’s and do not engage the institution he belongs to.

[1] Jonathan Bonnitcha, Robert McCorquodale, The Concept of Due Diligence in the UN Guiding Principles on Business and Human Rights, European Journal of International Law, vol. 28, 2017, p. 902.

[2] Caroline E. Foster, Due Regard for Future Generations? The No Harm Rule and Sovereignty in the Advisory Opinions on Climate Change, Transnational Environmental Law, vol. 13, 2024, p. 589.

[3] Vladyslav Lanovoy, Due Diligence in International Law: A Useful Renaissance or All Things to All People, European Journal of International Law, vol. 20, 2024, p. 1.

[4] International Law Association, Study Group on Due Diligence in International Law, Mandate, www.ila-hq.org/en_GB/documents/mandate-2.

[5] Alabama Claims of the United States of America Against Great Britain, 1872, p. 130, legal.un.org/riaa/cases/vol_XXIX/125-134.

[6] Ibid., p. 129.

[7] Island of Palmas Case (Netherlands, USA), 1928, p. 839, legal.un.org/riaa/cases/vol_ii/829-871.

[8] Trail Smelter Case (United States, Canada), 1938, p. 1965, legal.un.org/riaa/cases/vol_iii/1905-1982.

[9] The Corfu Channel Case (Great Britain v. Albania), Merits, 1949, p. 22, www.icj-cij.org/sites/default/files/case-related/1/001-19490409-JUD-01-00-EN.

[10]  Ibid.

[11] Case Concerning United States Diplomatic and Consular Staff in Tehran (United States of America v. Iran), Merits, 1980, p. 32, www.icj-cij.org/sites/default/files/case-related/64/064-19800524-JUD-01-00-EN.

[12] Ibid., p. 33.

[13] Jan Martin Lemnitzer, Back to the Roots: The Laws of Neutrality and the Future of Due Diligence in Cyberspace, European Journal of International Law, vol. 33, p. 797.

[14] Markus Burgstaller, Giorgio Risso, Due Diligence in International Investment Law, Journal of International Arbitration, vol. 38, pp. 697-922.

[15] Medes Malaihollo, Due Diligence in International Environmental Law and International Human Rights Law: A Comparative Legal Study of the Nationally Determined Contributions under the Paris Agreement and Positive Obligations under the European Convention on Human Rights, Netherlands International Law Review, Volume 68, pp. 121-155.

[16] Marco Longobardo, Due Diligence in International Humanitarian Law, in Heike Krieger, Anne Peters, Leonhard Kreuzer (eds.), Due Diligence in the International Legal Order, Oxford University Press, 2021, pp. 183-199.

[17] Joanna Kulesza, Due Diligence in Cyberspace, in Cross Cultural Interaction: Concepts, Methodologies, Tools and Applications, Information Resources Management Association, 2014, pp. 326-345.

[18] The list of national positions of States accepting that due diligence applies in cyberspace is available from the NATO Cooperative Cyber Defence Centre of Excellence, cyberlaw.ccdcoe.org/wiki/Due_diligence.

[19] Christina Rupp, Navigating the EU Cybersecurity Policy Ecosystem: A Comprehensive Overview of Legislation, Policies and Actors, Interface, 2024, www.interface-eu.org/publications/navigating-the-eu-cybersecurity-policy-ecosystem.

[20] EuroSmart White Paper, EU Cybersecurity Regulatory Landscape, 2024, www.eurosmart.com/eu-cybersecurity-regulatory-framework/.

[21] Yirong Sun, The Future of Due Diligence in Cyberspace, NYU Journal of International Law and Politics, vol. 54, 2022, p. 754.

[22] Nicolas Angelet, Due Diligence in International Law: From Environmental and Economic Law to Migrant Protection, Verfassungsblog, 30 July 1994, verfassungsblog.de/due-diligence-in-international-law/.

[23] Alice Ollino, Due Diligence Obligations in International Law, Cambridge University Press, 2022, p. 3.

[24] Joanna Kulesza, Human Rights Due Diligence, William and Mary Bill of Rights Journal, vol. 30, 2021, p. 265; Carmen Achimescu, Maria Bebec, Is it necessary to review social networks responsibility in the context of COVID pandemic, in Gergely Gosztonyi, Elena Lazăr (eds.), Media Regulation during the COVID-19 Pandemic: A Study from Central and Eastern Europe, Cambridge Ethics International Press, 2023, p. 108.

[25] Alice Ollino, Due Diligence Obligations in International Law, Cambridge University Press, 2022, p. 252; Carmen Achimescu, Dragoș Costescu, Gouvernance d’Internet à la lumière de la CEDH, in Philippe Achilleas, Willy Mikalef (eds.), TIC, Innovation et Droit international, Pedone, 2017.

[26] Eric Talbot Jensen, Sean Watts, A Cyber Duty of Due Diligence: Gentle Civilizer or Crude Destabilizer?, Texas Law Review, vol. 95, p. 1576.

[27] Eric Talbot Jensen, Sean Watts, Cyber Due Diligence, Oklahoma Law Review, Vol. 73, 2021, p. 676.

[28] Joanna Kulesza, Human Rights Due Diligence, William and Mary Bill of Rights Journal, vol. 30, issue 30, p. 265.

[29] Marco Longobardo, The Relevance of the Concept of Due Diligence for International Humanitarian Law, Wisconsin International Law Journal, 2020, p. 47.

[30] Federica Violi, The Function of the Triad ‘Territory’, ‘Jurisdiction’ and ‘Control’, in Due Diligence Obligations, in Heike Krieger, Anne Peters, Leonhard Kreuzer (eds.), Due Diligence in the International Legal Order, Oxford University Press, 2021, p. 75.

[31] Alice Ollino, Due Diligence Obligations in International Law, Cambridge University Press, 2022, p. 7. 

[32] International Cyber Law in Practice: Interactive Toolkit, ‘Due Diligence’, cyberlaw.ccdcoe.org/wiki/Due_diligence.

[33] Ibid.

[34] Michael Schmitt, Liis Vihul, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge University Press, 2017, p. 30.

[35] Antonio Coco, Talita de Souza Dias, Cyber Due Diligence: A Patchwork of Protective Obligations in International Law, European Journal of International Law, Vol. 32, 2021, p. 773.

[36] Corfu Channel Case (Great Britain v. Albania), Judgment of 9 April 1949, ICJ Reports 1949, p. 22.

[37] Michael Schmitt, Liis Vihul, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge University Press, 2017.

[38] Federica Violi, The Function of the Triad ‘Territory’, ‘Jurisdiction’ and ‘Control’, in Due Diligence Obligations, in Heike Krieger, Anne Peters, Leonhard Kreuzer (eds.), Due Diligence in the International Legal Order, Oxford University Press, 2021, p. 75.

[39] Michael Schmitt, Liis Vihul, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge University Press, 2017, pp. 32-33.

[40] Samantha Besson, Due Diligence and Extraterritorial Human Rights Obligations – Mind the Gap!, European Society of International Law Reflections, vol. 9, issue 1, 2020, p. 7.

[41] Cedric Ryngaert, Extraterritorial Enforcement Jurisdiction in Cyberspace: Normative Shifts, German Law Journal, vol. 24, issue 3, p. 548.

[42] Appendix to the Letter to the Parliament on the International Legal Order in Cyberspace, Minister of Foreign Affairs to the President of the House of Representative, Netherlands, 2019, pp. 4-5, www.government.nl/ministries/ministry-of-foreign-affairs/documents/parliamentary-documents/2019/09/26/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace

[43] Michael N. Schmitt, Liis Vihul, The Application of International Law to Cyberspace: A Comparative Legal Analysis, EU Institute for Security Studies, 2024, p. 22.

[44] Federal Government of Germany, On the Application of International Law in Cyberspace, Position Paper, March 2021, p. 11, www.auswaertiges-amt.de/resource/blob/2446304/32e7b2498e10b74fb17204c54665bdf0/on-the-application-of-international-law-in-cyberspace-data.

[45] Declaration on a Common Understanding of International Law in Cyberspace, as approved by the Council at its meeting held on 18 November 2024, pp. 5-6.

[46] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, eur-lex.europa.eu/eli/reg/2016/679/oj/eng.

[47] Ibid.

[48] Stephan Koloßa, The GDPR’s Extraterritorial Scope: Data Protection in the Context of International Law and Human Rights Law, ZaöRV, vol. 80, 2020, p. 806.

[49] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on Measures for a High Common Level of Cybersecurity across the Union, eur-lex.europa.eu/eli/dir/2022/2555/oj/eng.

[50] Ibid.

[51] Kristian McCann, NIS 2 enters Law: What EU-Operating Enterprises Need to Know, Cybersecurity Magazine, 2024, cybermagazine.com/articles/nis2-enters-law-what-enterprises-need-to-know.

[52] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services, eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2065.

[53] Laureline Lemoine, Mathias Vermeulen, The Extraterritorial Implications of the Digital Services Act, DSA Observatory, 2023, dsa-observatory.eu/2023/11/01/the-extraterritorial-implications-of-the-digital-services-act.

[54] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services, eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2065.

[55] Ibid.

[56] Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on Horizontal Cybersecurity Requirements for Products with Digital Elements (Cyber Resilience Act), eur-lex.europa.eu/eli/reg/2024/2847/oj/eng.

[57] Alex van der Wolk, Michelle Si-Ting Luo, EU Cyber Resilience Act Raises the Cybersecurity Bar for Digital Products, Morrison Foerster, 2024, www.mofo.com/resources/insights/240523-eu-cyber-resilience-act-raises.

[58] Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on Horizontal Cybersecurity Requirements for Products with Digital Elements (Cyber Resilience Act), eur-lex.europa.eu/eli/reg/2024/2847/oj/eng.

[59] Anne-Gabrielle Haie, Maria Avramidou, The EU Cyber Resilience Act has Entered into Force: 10 Things to Know about It, StepTechToe, 2024, www.steptoe.com/en/news-publications/steptechtoe-blog/the-eu-cyber-resilience-act-has-entered-into-force.

[60] Anu Bradford, The Brussels Effect: How the European Union Rules the World, Oxford University Press, 2020, p. iv.

[61] Martin Husovec, Jennifer Urban, Will the DSA have the Brussels Effect?, Verfassungsblog, 2024, verfassungsblog.de/will-the-dsa-have-the-brussels-effect.

[62] Timo Koivurova, Krittika Singh, Due Diligence, in Max Planck Encyclopedia of International Law, 2022.

[63] Alice Ollino, Due Diligence Obligations in International Law, Cambridge University Press, 2022, p. 106.

[64] Göran Lysén, State Responsibility and International Liability of States for Lawful Acts: A Discussion of Principles, Iustus, 1997, p. 55.

[65] Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgment of 26 February 2007, ICJ Reports 2007, p. 220.

[66] Caroline E. Foster, Due Regard for Future Generations? The No Harm Rule and Sovereignty in the Advisory Opinions on Climate Change, Transnational Environmental Law, vol. 13, 2024, pp. 588-609.

[67] Katja Samuel, The Legal Character of Due Diligence: Standards, Obligations, or Both?, Central Asian Yearbook of International Law and International Relations, vol. 1, 2022, p. 18.

[68] Permanent Court of Arbitration, The South China Sea Arbitration (The Republic of the Philippines v. The People’s Republic of China), Case No. 2013-19, Award of 12 July 2016, p. 375, para. 944.

[69] Penelope Ridings, Due Diligence in International Law, Annex II, A/79/10, p. 153, legal.un.org/ilc/reports/2024/english/annex2.pdf.

[70] Katja Samuel, The Legal Character of Due Diligence: Standards, Obligations, or Both?, Central Asian Yearbook of International Law and International Relations, vol. 1, 2022, pp. 18-19.

[71] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence, eur-lex.europa.eu/eli/reg/2024/1689/oj/eng.

[72] Ibid.

[73] Ibid.

[74] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on Measures for a High Common Level of Cybersecurity across the Union, eur-lex.europa.eu/eli/dir/2022/2555/oj/eng.

[75] Ibid.

[76] Ibid.

[77] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, eur-lex.europa.eu/eli/reg/2016/679/oj/eng.

[78] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services, eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2065.

[79] European Commission, Securing the Digital Space: DSA Whistleblower Tool, digital-strategy.ec.europa.eu/en/policies/dsa-whistleblower-tool.

[80] European Union Agency for Cybersecurity, 2024 Report on the State of the Cybersecurity in the Union, www.enisa.europa.eu/publications/2024-report-on-the-state-of-the-cybersecurity-in-the-union.

[81] Ibid.

[82] Heike Krieger, Anne Peters, Due Diligence and Structural Change in the International Legal Order, in Heike Krieger, Anne Peters, Leonhard Kreuzer (Eds.), Due Diligence in the International Legal Order, Oxford University Press, 2020, p. 351.

[83] Antonio Coco, Talita de Souza Dias, Cyber Due Diligence: A Patchwork of Protective Obligations in International Law, European Journal of International Law, Vol. 32, 2021, p. 778.

[84] Ibid., p. 789.

[85] Abhijeet Shrivastava, Rudraksh Lakra, Unpacking Cyber Due Diligence in Practice: Detection, Mitigation and Prevention, Opinio Juris, 20 March 2023, opiniojuris.org/2023/03/20/unpacking-cyber-due-diligence-in-practice-detection-mitigation-and-prevention.

[86] International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts, 2001, legal.un.org/ilc/texts/instruments/english/draft_articles/9_6_2001.pdf.

[87] Penelope Ridings, Due Diligence in International Law, Annex II, A/79/10, p. 153, legal.un.org/ilc/reports/2024/english/annex2.pdf.

[88] International Law Association Study Group on Due Diligence in International Law Working Session, 2016, Johannesburg, www.ila-hq.org/en/documents/working-session-report-johannesburg-2016-19.

[89] The EU’s Cybersecurity Strategy for the Digital Decade, p. 4, digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade-0.

[90] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on Measures for a High Common Level of Cybersecurity across the Union, eur-lex.europa.eu/eli/dir/2022/2555/oj/eng.

[91] Ibid.

[92] Ibid.

[93] Ibid.

[94] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the Resilience of Critical Entities, eur-lex.europa.eu/eli/dir/2022/2557/oj/eng.

[95] Ibid.

[96] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence, eur-lex.europa.eu/eli/reg/2024/1689/oj/eng.

[97] Ibid.

[98] Ibid.

[99] Ibid.

[100] Ibid.

[101] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, eur-lex.europa.eu/eli/reg/2016/679/oj/eng.

[102] Ibid.

[103] European Union Agency for Cybersecurity, 2024 Report on the State of the Cybersecurity in the Union, www.enisa.europa.eu/publications/2024-report-on-the-state-of-the-cybersecurity-in-the-union.

[104] National Position of Switzerland on the Application of International Law to Cyberspace, 2021, cyberlaw.ccdcoe.org/wiki/National_position_of_Switzerland_(2021).

[105] National Position of Canada on the Application of International Law to Cyberspace, 2022, cyberlaw.ccdcoe.org/wiki/National_position_of_Canada_(2022).

[106] National Position of the Czech Republic on the Applicability of International Law to Cyberspace, 2024, cyberlaw.ccdcoe.org/wiki/National_position_of_the_Czech_Republic_(2024).

[107] Common Position of the African Union on the Applicability of International Law to Cyberspace, 2024, cyberlaw.ccdcoe.org/wiki/Common_position_of_the_African_Union_(2024).
