The ICJ Advisory Opinion on Climate Change and Cyber Operations – Part I: General International Law Considerations

by | Jul 6, 2026

Climate change

In July 2025, the International Court of Justice (ICJ) issued its much-anticipated Climate Change advisory opinion. The opinion is worth reviewing for many reasons and raises a host of legal questions that have been addressed in various other fora. As an advisory opinion, the Court’s decision is non-binding and carries no obligatory weight. Nevertheless, as with advisory opinions in the past, this opinion likely “carries major persuasive legal weight.” As another commenter has observed, “Given the legal and moral authority of the Court, the quality and scope of its reasoning, and the scale of participation by States and international organizations in the proceedings, this opinion is sure to inform international litigation, U.N. Conference of Party negotiations (in the context of the U.N. Framework Convention on Climate Change (UNFCCC) and the Paris Agreement), and domestic procedures going forward.”

For the purposes of these posts, I examine the opinion’s potential impact on both general international law and the jus in bello with particular focus on cyber operations. Although there is no direct tie from the advisory opinion to cyber operations, I anticipate that many voices, including some States, will borrow the language and reasoning from the Court in an effort to heighten protections of the environment in military activities, including those in cyberspace. The relevant language and its implications are examined below.

General International Law

Because this opinion dealt with environmental obligations completely outside the context of armed conflict, the most likely doctrinal expansion will occur in the broader international legal framework. Possible impacts of the advisory opinion on those cyber operations include the application of due diligence; a new standard of review; assessment and indicator frameworks; notification and consultation requirements; and discussing erga omnes rights.

Due Diligence

No Cyber Sector Specific Application of Due Diligence

In a 2016 report, the International Law Association concluded that due diligence is an “expansive, sectorally-specific yet overarching concept of increasingly [sic] relevance in international law.” In other words, due diligence is a commonly accepted baseline standard of care that governs the interaction of States, generally including both the environment and cyber activities. However, in certain sectors, such as international environmental law, the principle of due diligence has taken on a much more significant role in governing State interactions. This sector-specific enlargement has not seemed to make its way into cyber operations. As Sean Watts and I have written elsewhere, “As yet, there is apparently no consensus on how the due diligence principle will apply in the sector-specific area of cyber operations.”

This approach is confirmed by the international Group of Experts (IGE) who produced the Tallinn Manual 2.0. The IGE noted that “the due diligence principle has long been reflected in jurisprudence [and] it is a general principle that has been particularised in specialised regimes of international law.” With respect to cyber operations, the IGE “recognized a more limited duty than that which has arguably developed in other sectors, such as international environmental law. The lack of a duty to prevent or even monitor, coupled with a high threshold of harm and an absolute requirement of knowledge, suggests a minimally intrusive notion of due diligence applicable to cyberspace.” (73 Oklahoma Law Review 645, 697 (2021)).

The general nature of the due diligence principle is embraced by the Court in its advisory opinion (paras. 135-38). Elaborating on the standard for the application of due diligence with respect to the environment, the Court reaffirms that the duty of due diligence is an obligation of “conduct and not one of result.” Each State is obligated to “employ all means reasonably available to them, so as to prevent [harm] so far as possible” (para. 135).

Then, referring specifically to the application of due diligence to environmental harm, the Court quotes the Pulp Mills case (p. 79, para. 197) and states that due diligence “entails not only the adoption of appropriate rules and measures, but also a certain level of vigilance in their enforcement and the exercise of administrative control.” From this, the Court concludes that “[a]s concerns climate change, a heightened degree of vigilance and prevention is required” (para. 138).

While the Court was clear here that they were targeting the sector-specific area of environmental harm, this language is exactly the expansion of due diligence that the Tallinn Manual IGE were clear to denounce in cyber operations. Nevertheless, it is easy to see how the Court’s strong embrace of this “heightened degree of vigilance and prevention” could be transplanted in an attempt to expand State responsibility. With the shift to focusing on conduct, such an expansion would require States to monitor their cyber networks and actively attempt to prevent potential cyber harms. This would equate to an increase in State responsibility and potentially open the door for some of the human rights concerns noted by individuals and governments.

A New Standard?

Having established an expanded view of due diligence in relation to climate concerns, the Court then clarifies that the standard under customary and treaty law is “stringent” (paras. 138, 246), meaning “each party has to do its utmost to ensure … [its efforts] represent its highest possible ambition in order to realize” its obligations (para. 246). The Court acknowledges that obligations under due diligence “may vary depending on the circumstances of the State in question and its capacity to influence the salient acts or events” (as discussed below). “There thus exists a link between the concept of due diligence and the principle of common but differentiated responsibilities and respective capabilities in light of different national circumstances” (para. 247).

However, with respect to climate change, the Court argues that each State’s due diligence obligation with an aim of “pursu[ing] domestic mitigation measures” includes “putting in place a national system, including legislation, administrative procedures and an enforcement mechanism, and exercising adequate vigilance to make such a system function effectively” (para. 253). The same “stringent” standard that requires a State to “do its utmost” also applies to this application of due diligence (para. 254).

Arguing that the due diligence obligation under international law must be translated to domestic legal mechanisms, including “administrative procedures and enforcement mechanisms,” would almost certainly undermine the “common but differentiated responsibilities and respective capabilities in light of different national circumstances” in cyber operations. States with limited technological capacity might find this a difficult standard to satisfy. In addition, the Court heightens this responsibility with respect to the private sector. Quoting the International Tribunal for the Law of the Sea (ITLOS), the Court stated that the “obligation of due diligence is particularly relevant in a situation in which the activities in question are mostly carried out by private persons or entities” (para. 252).

Because cyber activities today are principally conducted by private persons or entities, translating this understanding of due diligence to cyber operations would dramatically change current expectations of government intrusion into cyber systems within a State’s territory, including the requirement to “exercise adequate vigilance to make such a system function efficiently, with a view to achieving the intended objective” (para. 281).

After making this point, the Court reiterates that the methods by which a State’s compliance with its due diligence obligation includes the creation of regulatory mitigation mechanisms, adaptation measures, and effective enforcement and monitoring mechanisms to ensure compliance by both public and private operators (para. 282). “Thus, a State may be responsible where, for example, it has failed to exercise due diligence by not taking the necessary regulatory and legislative measures to limit the quantity of emissions caused by private actors under its jurisdiction” (para. 428).

Again, if applied to cyber activities, this would represent a significant expansion of State requirements under its due diligence obligation in cyberspace, particularly in the private sector. Many States have taken a “hands off” approach to limiting aspects of the private sector’s cyber activities, especially outside of civil and political rights. It is unclear whether translating the environmental harm version of due diligence to cyber activities would continue to allow States to do so.

Plausible Indications of Potential Risks

In connection with the ever-increasing capability of technology, the Court also required States to consider the availability of and need to acquire and analyze scientific information. In fact, the Court states that due diligence, “requires States to actively pursue the scientific information necessary for them to assess the probability and seriousness of harm, in conformity with the common but differentiated responsibilities and respective capabilities principle” with the caveat that States which do not have “the capacity to access and properly act on relevant scientific information” will not violate their due diligence obligation (para. 283).

The Court adopts the ITLOS approach to due diligence with respect to environmental harm by endorsing the view that “the implementation of the obligation to prevent harm to the marine environment ‘requires a State with greater capabilities and sufficient resources to do more than a State not so well placed’” (para. 291). While every State must “take all the means at its disposal”, States with less capability and resources will be expected to do less” (para. 291). Nevertheless, the Court states that it “agrees with the conclusion reached by ITLOS that ‘where there are plausible indications of potential risks,’ a State ‘would not meet its obligation of due diligence if it disregarded those risks’ and, in that sense, the ‘precautionary approach is also an integral part of the general obligation of due diligence’ under the duty to prevent significant harm to the environment” (para. 294, citation omitted).

Of course, as with the entirety of the advisory opinion, the Court limits this obligation to environmental harms. But it is easy to see that if this opinion were later applied to cyber operations, the standard of “plausible indications of potential risks” might significantly restrain current cyber operations, both inside and outside of armed conflict. If States were restricted from conducting cyber operations that produced risks which the State was unable to minimize, whether because of technological considerations or otherwise, those limitations would significantly restrain current inter-State cyber activities.

Notification and Consultation

The Court embraces the Environmental Impact Assessment and a notification and consultation requirement as key aspects of environmental due diligence. “This obligation exists where planned activities within the jurisdiction or control of a State create a risk of significant harm, and notification and consultation is necessary to determine the appropriate measures to prevent that risk (see Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v. Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v. Costa Rica), Judgment, I.C.J. Reports 2015 (II), p. 706, para. 104) (para. 299). In other words, as States contemplate environmental activities that create a “risk” of significant harm, the State must notify potential victim States and conduct consultations.

Applying this standard to the cyber context would likely affect much of the cyber espionage and other more provocative cyber activities that consistently occur between States. Recent use of cyber activities to facilitate the capture of Maduro by U.S. forces or the insertion of the STUXNET malware into Iranian nuclear production facilities would likely be prohibited under this standard.

Erga Omnes Rights

Toward the end of the advisory opinion, the Court discusses erga omnes rights: rights owed by every State to the entire international community. The Court states that “In this context, the Court considers that each injured State may separately invoke the responsibility of every State which has committed an internationally wrongful act resulting in damage to the climate system and other parts of the environment. And where several States are responsible for the same internationally wrongful act, the responsibility of each State may be invoked in relation to that act” (para. 431).

The Court continues, “In light of the foregoing, the Court concludes that while the causal link between the wrongful actions or omissions of a State and the harm arising from climate change is more tenuous than in the case of local sources of pollution, this does not mean that the identification of a causal link is impossible in the climate change context; it merely means that the causal link must be established in each case through an in concreto assessment” (paras. 438). The Court concludes on this point by arguing that “States’ obligations pertaining to the protection of the climate system and other parts of the environment from anthropogenic GHG emissions, in particular the obligation to prevent significant transboundary harm under customary international law, are obligations erga omnes” (para. 440). “It follows that responsibility for breaches of such obligations, such as climate change mitigation obligations, may be invoked by any State when such obligations arise under customary international law. When such obligations arise under the climate change treaties, all parties to the treaty may invoke such responsibility, since every party is deemed to have a legal interest in the protection of these obligations” (para. 442).

The Court limits its application of these erga omnes rights to “the protection of global environmental commons like the atmosphere and the high seas” (para. 440). However, there have already been a chorus of calls to treat cyberspace as a man-made digital commons (see here, here, here, and here) because of its importance for international commerce, finance, and security. If such treatment were to give rise to erga omnes rights for cyber harms, that would represent a significant change in the application of State responsibility for cyber harms, particularly when coupled with an expanded view of due diligence. Each cyber activity that resulted in harm in violation of the expanded due diligence principle would give rise to a claim for reparations from any and all States, whether or not they had experienced any direct harm.

Concluding Cautions in General International Law

As I have tried to make clear above, the Court made no attempts to apply the sector-specific due diligence principle in international environmental harm to peacetime cyber activities. In fact, it was clear to cabin its advisory opinion to the applicable questions asked of it. Nevertheless, it was also a unanimous opinion. The clarity with which the Court viewed this expanded version of due diligence is notable. And the Court’s view reflects exactly the kinds of restraints many may want to see in cyber operations.

Infusing the cyber sector with these rules and applications would force States to take on much greater responsibility to monitor and prevent cyber harms and bring with it responsibility for failing to do so. The requirements to apply these standards to the “particularly relevant” actions of private entities would significantly add to the legal obligations of States. Eased limitations for a lack of capability put technologically limited States at even greater risk for legal responsibility, and the duties and responsibilities associated with “plausible indications of potential risks” would alter current State practice.

The requirement of notification and consultation, combined with the transition of cyberspace to a “global commons” and an accompanying erga omnes right for reparations, would significantly alter the current global approach to cyber operations. So, while the ICJ advisory opinion on climate change creates no current cause for alarm, it raises deep potential concerns, particularly as it creates a pathway to expand the due diligence obligation into the cyber sector.

***

Eric Talbot Jensen is a Professor of Law at Brigham Young University.

The views expressed are those of the author, and do not necessarily reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published. Authorship does not indicate affiliation with Articles of War, the Lieber Institute, or the United States Military Academy West Point.

 

 

 

 

 

 

 

Photo credit: Akshat Sharma, Unsplash