Cybersecurity, Foreign Investment, and the Evolving Meaning of Full Protection and Security
DOI: https://doi.org/10.69971/lra.3.2.2025.155
Keywords: cybersecurity, foreign investment, full protection and security, investment law, due diligence
Abstract
Foreign investors increasingly rely on digitally mediated assets and operations, like data centres, cloud services, and industrial control systems, that are situated within or controlled by host states. The law governing the obligations of host states to prevent and respond to cyber incidents affecting those investments remains uneven and fragmented. The current study examines whether, and in what manner, the classical investment law standard of full protection and security (FPS) can be interpreted to encompass a positive duty of cyber due diligence. Drawing on treaty practice, arbitral jurisprudence, and general public international law on state responsibility, it traces the conceptual and doctrinal routes through which cyber risks may be characterized as security risks to an investment and brought within the ambit of FPS. The research provides an ordered understanding of cyber due diligence, built around three core dimensions, namely regulatory preparedness, operational readiness, and remedial responsiveness. Regulatory preparedness is the existence of reasonably up-to-date legal frameworks on cybersecurity and breach notification; operational readiness is the institutional capacity and technical and organizational measures in critical infrastructure; and remedial responsiveness is the incident handling, cooperation with affected investors, and transparency in the aftermath of an attack. These dimensions are tested against hypothetical but realistic scenarios, including ransomware attacks on industrial facilities and systemic data exfiltration from state-licensed data centers, to explore how arbitral tribunals approach questions of causation, attribution, and contributory fault in cyber-related FPS claims. Recognizing a digital variant of FPS need not transform host states into insurers against all cyber harm. Properly framed as an obligation of conduct, cyber due diligence clarifies the standard of reasonableness in circumstances where regulatory indifference or institutional inaction can significantly magnify transboundary harm. The article concludes with drafting suggestions for next-generation investment treaties that seek to integrate cyber due diligence into FPS and related clauses while preserving the regulatory autonomy required for evolving cybersecurity policy.
Copyright (c) 2025 Authors

This work is licensed under a Creative Commons Attribution 4.0 International License.