Costa Rica has established itself as a leading country in technological adoption, in combination with a complete commitment to sustainability and the protection of the environment. Information and communications technology services accounted for 49% of the country’s exports (twice the average of OECD countries), placing the Central American country at the forefront of the digital economy.

In recent years, Bosnia and Herzegovina has seen a consistent increase in the rate of Internet absorption along with a continuous extension of broadband access across urban and rural areas. As a potential EU candidate country, Bosnia has recently developed a burgeoning drive to advance the country’s digital and cyber capabilities in line with those of the European Union; ‘smart growth’ is notably included as one of the national priorities under the 2015 Strategic Framework. That said, the institutional, regulatory, and operational framework that would enable the realisation of this ambition is still nascent and the progress in many policy areas is undermined by the complexity of the distribution of powers between the central government and two entities: the Federation of Bosnia and Herzegovina and the Republika Srpska. In 2017, Bosnia formally adopted the Policy of Electronic Communications of Bosnia and Herzegovina 2017-2021, which is largely aligned with the Digital Agenda of Europe [x]. This vision of a Bosnian digital society is a key milestone for the country’s emerging cyber diplomatic apparatus as it clearly identifies the foundational pillars of the country’s ICT ecosystem, which in turn will assist in bringing it into closer alignment with European cyber priorities.

The United States has historically been a strong partner in cyber diplomacy for the EU based on common values (human rights, rule of law), goals (open, stable and secure cyberspace) and interpretation of international law. Cyber diplomacy with the US has also been operationalised in the form of information-sharing and cooperation to tackle cybercrime, cooperation on cyber defence via NATO and cyber capacity building in third countries. Despite differences over certain foreign policy issues, the EU and the US remain close allies in cyberspace.

Costa Rica has played a paramount role in the Organisation of American States as is one of seven American countries that sponsored a resolution within the framework of the OAS as part of a Working Group on Cooperation and Confidence-Building Measures in Cyberspace. The resolution is inspired by the work of the United Nations Group of Governmental Experts and aims at enhancing interstate cooperation, transparency, predictability, and stability in cyberspace.

At the first substantive session of the 2021-2025 UNGGE, recalling its status as a potential candidate of the EU, Bosnia and Herzegovina aligned itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Nevertheless, it has consistently refrained from aligning itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.

The US believes that international law is applicable in cyberspace. As part of the ‘like-minded’ coalition, the US recognises a need to acknowledge the full breadth of relevant international law, including international humanitarian law (IHL), human rights law, customary international law on the responsibilities of states for internationally wrongful acts. The general applicability of IHL in cyberspace is not to be misconstrued as a tacit endorsement of aggression in the cyber domain; instead, it only serves to remind states of the responsibility to respect and protect civilians in the event of armed conflict. 
In the context of multilateral fora, US diplomats have specifically emphasised the applicability of the right to self-defence under Art. 51 of the UN Charter, noting that a State may lawfully take cyber-based or non-cyber-based countermeasures in response to internationally wrongful cyber activities attributable to another State, but only subject to the requirements of the doctrine under international law and the principles of necessity and proportionality.

Costa Rica has a long history of collaborating on cyber issues within the OAS Cyber Security Program, from training to capacity-building for both the public and private sectors. At a 2019 intervention, Costa Rica recognised the leadership carried out by the aforementioned Working Group in coordinating the response to cyber incidents regionally and establishing a cooperative framework of action to cyber threats.
Costa Rican participation in the UN OEWG is guaranteed until 2025. As part of the second substantive session in 2022, Costa Rica confirmed - along with several other countries - that international law is fully applicable to the use of ICT by states [OH1], with a focus on how international humanitarian law and the principles of humanity, necessity, proportionality, and distinction apply in cyberspace.
An interesting approach was taken by Costa Rica during this session, as the Caribbean country emphasised a multi-stakeholder approach to cybersecurity, involving the private sector, civil society, and researchers’ analysis, information, and capacity on threat.

At the first substantive session of the 2021-2025 UNGGE, Bosnia and Herzegovina aligned itself with the EU’s position that the previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus, form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x]. In 2018, however, it voted in favour of Russian-sponsored resolution A/73/27, which launched the Open-Ended Working Group (OEWG) format.

As stated in the 2018 National Security Strategy, the United States views voluntary, non-binding norms of state behaviour during peacetime as essential components of a framework of responsible State behaviour in cyberspace. The US has participated in all iterations of the UN Group of Governmental Experts (UNGGE) as well as the latest Open-Ended Working Group.
In these multilateral fora, US diplomats have typically opposed attempts at shifting to a legally binding status for norms of responsible state behaviour, arguing that such discussions are “premature” and do not represent the best way to address the immediate threats given the fast pace of technological developments. 
The starting basis for any further discussions on the part of the US rests on the current buildup of consensus surrounding the norms identified in the 2015 and 2021 GGE reports. Efforts should be concentrated on the implementation of existing consensus norms, not the creation of entirely new normative concepts (i.e. in relation to harmful hidden functions and specific critical infrastructure sectors).

In 2016, Costa Rican Cybersecurity Incident Response Team (CSIRT) joined CAMP, an international alliance that serves as a platform for the members to enhance their cybersecurity capacity.
Costa Rica is also collaborating with Israel on cyber issues and digital transformation in an effort that has the potential to streamline innovation in the public sector, transforming public services and institutions and positioning Costa Rica as a regional benchmark in cybersecurity.
On a national scale, Costa Rica launched a digital transformation strategy for the public sector in 2018 and is now working to create a strategy for the implementation of Artificial Intelligence. The initiative seeks to promote the use of digital technologies and access to scientific knowledge, innovation, technology, and telecommunications for social and productive transformation.
Having suffered a cyber attack in 2022, Costa Rica is now positioning cybersecurity as a top national priority, and the Ministry of Science, Innovation, Technology and Telecommunications is beginning to implement various actions to detect, respond and correct cyber intrusions, build faster and more robust response protocols, and train individuals in skilled threat detection.

The country has no overarching cybersecurity strategy. Elements of strategic contemplation over cybersecurity can be found within the Criminal Code, which criminalises critical infrastructure damage (including that of information systems) as an act of terrorism. The 2015-2020 Strategy for Prevention and Combating Terrorism reiterates an objective laid out in earlier documents regarding the setup of a dedicated national CERT that will develop and implement monitoring and response mechanisms vis-a-vis the misuse of the Internet for terrorist purposes. Bosnia and Herzegovina has been exploring potential avenues of cooperation with NATO, especially in relation to common solutions to security challenges in the area of cyber defence [x], while Bosnian scientists have also participated in the NATO SPS Programme. Finally, as a member state of the OSCE, Bosnia and Herzegovina is required to implement the OSCE’s 16 Confidence Building Measures (CBMs) as adopted by the OSCE Permanent Council.

The March 2021 Interim National Security Strategic Guidance states that “[the US] will make cybersecurity a top priority, strengthening our capability, readiness, and resilience in cyberspace.” Following the recommendations of the 2020 Solarium Commission, the US government has adopted the concept of ‘layered resilience’ and is gradually rolling out a comprehensive arsenal of resilience measures across a variety of domains. 
The US has been active in engaging in strategically-minded capacity building with partners; US capacity building in Africa with organisations such as the African Union and SADC, for instance, have been largely motivated by Washington’s wish to promote an open, secure, and democratic model for Internet governance across the African continent. 
In relation to cyber defence, there have been several joint operations and military exercises, both bilaterally (e.g. between the US Cyber Command and the Montenegrin military) and under the auspices of NATO. Recent regional engagement efforts such as the dialogues in the context of the tripartite AUKUS coalition and the Structured Quadrilateral Security Dialogue (the eponymous Quad) also heavily feature references to collaborative cyber-capacity building. In multilateral fora, the US has also welcomed the inclusion of confidence-building measures in the GGE reports and noted that, in order for CBMs to be useful, they need to be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis.

Costa Rica is one of the few Latin American countries to have signed the Budapest Convention on Cybercrime, along with the First and Second Protocol (this one was signed in 2022 but yet to be ratified), and is at the forefront of cybercrime legislation in the region.
National legislation on cybercrime is fully compliant with the Convention and is contained in the Law on Intervention of Telecommunications and the Law of Computer Crimes and Related Crimes. It includes penalties for committing cybercrimes in the country. Additionally, legislative regulations were introduced to govern the use of social networks and other electronic means.
Their Cybersecurity Policy from 2017 was updated in 2021 with the creation of the CSIRT, the implementation of cybersecurity protocols across public institutions and the establishment of partnerships with strategic actors, mainly in the private sector.

Bosnia and Herzegovina is a party to the Budapest Convention on Cybercrime, officially acceding in 2006. As of 2019, however, domestic legislation at the state level had only been partially harmonised with Budapest provisions [x]. The country voted against the Russian-sponsored UN resolution that launched the institutional procedure for a new legal instrument on international cybercrime cooperation. Bosnian law enforcement regularly cooperates with Europol and is due to open negotiations for a cooperation agreement with Eurojust [x].

The US is a signatory and an early proponent of the Budapest Convention. A big part of American cyber diplomatic activity has, in fact, been focused on promoting the Budapest regime as the global model of cybercrime governance. In 2019, the US firmly opposed the Russian-sponsored resolution calling for an alternative legal instrument to the Convention; following the passing of the resolution, however, the US has agreed to participate in the Ad Hoc Committee established under UNGA resolution 74/247 despite the fact that the “surprise text” within the May 2021 resolution was seen as an effort to “circumvent dialogue” and undermine the “balanced, inclusive, consensus-based process” sought by the US. 
On a multilateral level, the US is also a party to the UN Convention against Transnational Organised Crime (UNTOC) and the Inter-American Convention on Mutual Legal Assistance of the Organisation of American States (OAS) and is a member of Interpol. 
Bilaterally, the US has completed an agreement with the UK under the CLOUD Act that facilitates cross-border data sharing directly between US companies and the British government; the US is trying to expand this type of bilateral engagement, currently negotiating a similar agreement with Australia.