A similar dynamic could theoretically be harnessed in the cybercrime context through the
imposition of minimum security standards as a condition of market access. However, the political
feasibility of such an approach at the international level remains limited.
NIS2’s requirement for board-level accountability for cybersecurity represents an important
development in the allocation of legal responsibility.
By placing cybersecurity obligations on senior management rather than relegating them to IT
departments, NIS2 seeks to drive cultural change within organisations. It recognises that
cybersecurity is fundamentally a governance issue, not merely a technical issue.
Similar board-level accountability requirements have been adopted in Singapore under the
Cybersecurity Act (2018) and recommended by the UK’s National Cyber Security Centre.
This trend suggests the emergence of a global governance norm (Singapore CSA, 2018).
5.3 Lessons From Developing Nations
The cybercrime legal experience of developing nations deserves careful attention, both because
these countries face distinctive challenges and because they are home to the majority of the
world’s Internet users.
In sub-Saharan Africa, rapid mobile Internet expansion has outpaced the development of legal and
institutional frameworks, creating significant vulnerabilities.
Nigeria’s Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 was one of the first comprehensive
national cybercrime statutes in West Africa and has been cited as a model for the region. However,
enforcement remains limited by resource constraints and corruption (Osula, 2015).
Other regional legislative developments include:
| Country | Legislation | Year | Primary Focus |
|---|---|---|---|
| Nigeria | Cybercrimes Act | 2015 | Comprehensive cybercrime regulation |
| Ghana | Electronic Transactions Act | 2008 | Electronic governance and cyber regulation |
| Kenya | Computer Misuse and Cybercrimes Act | 2018 | Cybercrime prevention and prosecution |
These frameworks reflect broader efforts to build domestic legal capacity across Africa.
In Latin America, Brazil’s Marco Civil da Internet (2014) has attracted international attention as an
innovative framework for Internet governance that balances user rights, network neutrality, and
law enforcement access.
The Brazilian General Data Protection Law (LGPD, 2018), modelled partly on the GDPR, has
similarly advanced the region’s data protection landscape.
However, Brazil has not acceded to the Budapest Convention. The country’s position in the UN
convention negotiations reflects an emphasis on data sovereignty and resistance to investigative
powers that might enable foreign intrusion into domestic networks.
The experience of developing nations highlights a critical point: legal frameworks cannot be
effective without corresponding investment in institutional capacity, judicial training, and
technical infrastructure.
The transfer of legislative models from high-income to low-income countries without
accompanying capacity building risks creating a “law on the books” that has little impact on actual
cybercrime rates.
International organisations including the International Telecommunication Union (ITU), the United
Nations Office on Drugs and Crime (UNODC), and the World Bank have programmes to address this
capacity gap, but their scale remains insufficient relative to the need.
Proposals For Strengthening Legal Frameworks
The first imperative is the systematic modernisation of domestic cybercrime statutes to address
the full range of contemporary and foreseeable cyber threats.
This process should be guided by several principles.
6.1 Legislative Modernisation
First, legislative definitions should be technology-neutral to the greatest extent possible, focusing
on the nature of the harm rather than the specific technology employed.
Where technology-specific provisions are necessary, they should be accompanied by expedited
review mechanisms to ensure timely updating.
Second, statutes should explicitly address AI-enabled offences, including the use of AI for
large-scale fraud, the generation of CSAM, and attacks on AI systems themselves
(Caldwell et al., 2020).
Third, cryptocurrency and virtual asset-related offences require explicit statutory coverage and the
grant of adequate powers to seize and confiscate digital assets.
Cryptocurrency And Virtual Asset-Related Offences
| Offence Type | Description |
|---|---|
| Theft of Virtual Assets | Unauthorised access and theft of digital currencies or crypto wallets. |
| Money Laundering | Use of crypto exchanges to conceal illicit funds. |
| Ransomware Payments | Extortion payments made through cryptocurrencies. |
The Financial Action Task Force (FATF) Travel Rule, requiring virtual asset service providers to
collect and share transaction information, provides a regulatory model that can inform legislative
drafting.
Fourth, offences targeting critical infrastructure require enhanced criminal penalties and parallel
civil regulatory regimes to incentivise private sector security investment.
Fifth, national statutes should include provisions explicitly authorising and regulating the use of
offensive cyber capabilities by law enforcement agencies—a power that many agencies exercise
without clear legal authority (Schmitt, 2017).
6.2 Institutional Capacity Building
Legislative reform without institutional capacity building is insufficient.
Governments must invest substantially in technical expertise, operational capacity, coordination
mechanisms, cybercrime investigation services, and cybercrime prosecution services.
Dedicated cybercrime units with specialised technical skills in digital forensics, network analysis,
and cryptocurrency investigation should be established or strengthened in every jurisdiction.
These units require sustained funding, competitive compensation, and access to state-of-the-art
forensic tools (UNODC, 2023).
Judicial Training And Education
The judiciary and prosecution services require specialised training programmes in digital
evidence, forensic methodologies, and the technical dimensions of cybercrime offences.