Globalisation and increasing economic interconnections have brought up new (cyber) challenges in the economic sector. Among cyber attacks that companies may face (e.g. phishing or ransomware), economic cyber espionage is a crucial one, namely the attempt to acquire trade secrets by States or other  companies. All businesses can become the target of economic (cyber) espionage: only in Hungary, around 50% of large companies have claimedto have addressed cyber security issues in the past years. 

In 2021, the Hungarian Foreign Minister highlighted how “cyber attacks […] pos[e] a serious threat to private and corporate users […]”; and in 2021, "cyber crimes have […] cost the global corporate sector USD 6,000 billion“.

How international – and national – law protects against economic cyber espionage?

The picture is rather fragmented.

Firstly, it should be highlighted the lack of detailed public data about cyber incidents in the economic sector. Companies generally do not disclose data about the cyber threats they have been victim of, due to a number of reasons  - e.g. fear of bad reputation or to become (more) vulnerable to hackers. Also at the national level, data and statistics are not comprehensive. In Hungary, for example, we can rely on the website of the National Institute of Cyber ​​Defense (NKI) of the National Security Service. Moreover, we can consult reports and data published by private companies and institutions.

Overall, the lack of clear and comprehensive data is surely an obstacle when it comes to understand how to regulate in the most efficient way this phenomenon.

Moreover, it is also not very clear whether economic (cyber) espionage is considered (un)lawful under international law. While some scholars affirm that economic espionage during peacetime violates international law  - as a form of invasion on the territorial integrity and sovereignty of a state -, others claim that the widespread use of economic espionage during peacetime has rendered it accepted under international law. It is true that, to date, the activity of espionage is not prohibited by any international conventions. In this respect, the Commentary to Rule 32 of the Tallinn Manual 2.0 makes it clear that ‘international law does not prohibit espionage per se’. 

On the other hand, misappropriation of trade secrets has started to be dealt with in the international, regional and national regulations. 

At the international level, the Paris Convention for the Protection of Industrial Property and the Agreement on Trade-Related Aspects of Intellectual Property Rights of the World Trade Organization (TRIPS) can be applied in case of economic cyber espionage. According to article 10bis of the Paris Convention, ‘[…] countries […should] assure […] effective protection against unfair competition […]’, which might also include operations of economic cyber espionage. Also article 39.2 of TRIPS goes in the same direction. 

Also free trade agreements can add some elements to the regulatory framework of economic cyber espionage. For example, article 20.69 of the United States-Mexico-Canada Agreement provides that “each Party shall […] prevent trade secrets […] from being disclosed to, acquired by, or used by others […] in a manner contrary to honest commercial practices”.

However, the existing international legal framework is still rather fragmented and lacks a special regulation on economic (cyber) espionage. 

This is true also when it comes to the European Union (EU): while there is a quite robust regulatory frameworkdealing with cyber security, there is no specific act addressing the issue of economic (cyber) espionage. Provisions on protection of trade secrets are only included in Directive 2016/943, and are started to be included in international economic agreements with third countries, like in the EU and Japan's Economic Partnership Agreement, the Trade and cooperation agreement with UK or the New EU-Mexico Agreement in Principle

At the national level, it is worth recalling that Hungary was one of the first countries in Central Europe to formulate its national cyber security strategy in 2013. Though it is has not adopted an ad hoc regulation on economic cyber espionage, we find several provisions protecting trade secrets in different national regulations: the Civil Code, the Competition Act, the Criminal Code, the Labour Code, the Information Act and the Public Procurement Act. Accordingly, there are no specialised courts dealing with trade secrets violations: depending on the circumstances at hand, civil courts, or criminal courts, or the Hungarian Competition Authority might be competent. 

Hungary has been reported to be particularly vulnerable to economic (cyber) espionage. This has led Hungary to cooperate with other countries, especially with the United States: in 1998, they started a joint initiative to fight organised crime, including cyber crime, in Central and Eastern Europe. 

Apart from bilateral efforts of cooperation, we witness a general lack of regulatory coordination on economic (cyber) espionage at the international, regional and national levels, which makes it difficult to understand which regulation applies in the case at hand (e.g. in Hungary, we should assess whether each case falls in the labour, criminal, civil or administrative sphere of competence). Given the increasing instances of cyber espionage in the economic sector worldwide, it is time that national, EU and international policy makers develop a more coordinated approach in this field.