Recommendation of the Council on

the Digital Security of Products

and Services

OECD Legal
Instruments
This document is published under the responsibility of the Secretary-General of the OECD. It reproduces an
OECD Legal Instrument and may contain additional material. The opinions expressed and arguments employed
in the additional material do not necessarily reflect the official views of OECD Member countries.

This document, as well as any data and any map included herein, are without prejudice to the status of or
sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any
territory, city or area.

For access to the official and up­to-date texts of OECD Legal Instruments, as well as other related information,
please consult the Compendium of OECD Legal Instruments at http://legalinstruments.oecd.org.

Please cite this document as:

OECD, Recommendation of the Council on the Digital Security of Products and Services, OECD/LEGAL/0481

Series: OECD Legal Instruments

Photo credit: © Zenzen/Shutterstock

© OECD 2024

This document is provided free of charge. It may be reproduced and distributed free of charge without requiring any further permissions, as long as it is not altered in
any way. It may not be sold.

This document is available in the two OECD official languages (English and French). It may be translated into other languages, as long as the translation is labelled
"unofficial translation" and includes the following disclaimer: "This translation has been prepared by [NAME OF TRANSLATION AUTHOR] for informational purpose
only and its accuracy cannot be guaranteed by the OECD. The only official versions are the English and French texts available on the OECD website
http://legalinstruments.oecd.org"
 OECD/LEGAL/0481 3
_____________________________________________________________________________________________

Background Information

The Recommendation on the Digital Security of Products and Services was adopted by the OECD
Council on 26 September 2022 on the proposal of the Committee on Digital Economy Policy (CDEP)
and launched at the CDEP Ministerial meeting on 14 December 2022. The Recommendation aims to
assist Adherents in devising or updating digital security strategies and policies to strengthen digital
security without inhibiting economic and social prosperity.

OECD work on Digital Security

The OECD has been a pioneer in the area of digital security and has continuously updated its
approach over the last 30 years. In 1992, the Council adopted the first international legal instrument
on this issue, the Recommendation concerning Guidelines on Security of Information Systems
(“Security Guidelines”) [OECD/LEGAL/0271], which included high-level principles on how to approach
security as a condition for realising the economic and social potential of Information and
Communication Technologies (ICTs). Ten years later, the 2002 “Recommendation concerning
Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security”
[OECD/LEGAL/0312] updated the Security Guidelines to take into account the emergence of the
Internet. In 2015, the 2002 Security Guidelines were replaced by the Recommendation on Digital
Security Risk Management for Economic and Social Prosperity [OECD/LEGAL/0415] (“2015
Recommendation”), which emphasised the economic and social perspectives rather than only the
technical nature of digital security risk.

Since 1992, the OECD has also broadened its expertise and digital security policy standards. The
twice-updated high-level digital security principles have been used as a foundation to develop
additional Recommendations. In 1997, the OECD Council adopted the Recommendation concerning
Guidelines on Cryptography Policy [OECD/LEGAL/0289] (Cryptography Guidelines”) to promote the
use of cryptography without unduly jeopardising public safety, law enforcement, and national security.
In 2007, the Council adopted the Recommendation on Electronic Authentication
[OECD/LEGAL/0353]. In 2008, it adopted the Recommendation on the Protection of Critical
Information Infrastructures [OECD/LEGAL/0361], updated in 2019 to become the Recommendation
on Digital Security of Critical Activities [OECD/LEGAL/0456] (“2019 Recommendation”). The 2019
Recommendation provides guidance on how to implement the 2015 Recommendation to maintain the
continuity, resilience and safety of critical activities such as financial, telecommunication, energy
distribution and health care services, without inhibiting the benefits of digital transformation.
Furthermore, the 2015 Recommendation included a new section offering guidance on national digital
security strategies.

Following a review of the 2015 Recommendation in 2019-2022, the OECD decided to provide an
updated and more comprehensive package of digital security Recommendations. The adoption of this
Recommendation, along with three other new digital security Recommendations, is the culmination of
30 years of work.

With regard to this particular Recommendation, connected products and services are an increasingly
regular feature of modern life, being adopted in homes, businesses and within infrastructure (such as
smart cities). However, as the interconnected world penetrates more elements of more lives around
the world, it is critical that these connected products and services are designed with security in mind.
Currently, this is not the case, and the rapid growth of these products and services (with basic
vulnerabilities such as default passwords still present in many cases) represents a growing, vulnerable
“attack surface” that could be compromised to cause a range of harms. These harms can include
financial fraud, Distributed Denial of Service (DDOS) attacks, emotional harm or blackmail, physical
damage, or even the loss of human life. As consumers and businesses become increasingly aware of
this risk, trust can be lost, threatening such products and services and the capacity for individuals and
organisations to benefit from them. Ideally, market pressures would ensure that connected products
and services are developed with security in mind, yet a combination of complex (and global) supply
chains and knowledge asymmetries between those who make and buy products often leads to a
misallocation of responsibility for digital security. Many end–users are making uninformed decisions
about the products and services they purchase on the assumption that they are secure simply
because they are for sale.

Process for developing the Recommendation

4 OECD/LEGAL/0481
_____________________________________________________________________________________________

Process for developing the Recommendation

The Recommendation is one of four digital security Recommendations (on Digital Security Risk
Management, National Digital Security Strategies, the Digital Security of Products and Services, and
the Treatment of Digital Security Vulnerabilities) that were developed following the work plan
approved by the CDEP’s Working Party on Security in the Digital Economy (SDE) in 2020. The plan
included several drafting cycles based on text prepared by the Secretariat, circulated to delegations,
and updated according to comments made at SDE and received in writing, including from
Business@OECD as well as the Civil Society Information Society Advisory Council (CSISAC) and the
Internet Technical Advisory Committee (ITAC).

Other OECD bodies and/or their secretariats (in the area of digital economy, consumer policy,
responsible business conduct, infrastructure, SME policies and public governance) were also
consulted, as was an informal and international multi stakeholder group of 90 experts (“informal expert
group”). Overall, the Secretariat received over 650 specific suggestions from governmental and non-
governmental stakeholders.

Scope of the Recommendation

The Recommendation on Digital Security Risk Management contains the nine high-level digital
security principles that underpin this Recommendation. These principles reflect the culture of
promoting digital security to protect activities, people and society without inhibiting benefits and
opportunities from ICT or undermining human rights. Thus the Recommendation on Digital Security
Risk Management plays a special role, as it maps the broader digital security policy space,
encompassing aspects covered by this Recommendation.

This Recommendation includes guidance for Adherents to develop policies in view of realigning
market incentives and empowering stakeholders to enhance the digital security of products and
services. It outlines areas of action for policy makers, and provides guidance on which policy tools can
be effective. It highlights that the digital security of products and services is much more than a
technical issue calling for technical remedies, and rather a key public policy challenge calling for a
whole-of-government approach. It outlines the need for policy makers to take a holistic approach to
the digital security of products and services, to be proactive rather than reactive and to shape the
policy environment for the digital security of products and services with foresight. The
Recommendation outlines suppliers’ “duty of care” throughout their products’ and services’ entire
lifecycles to address externalities and realign market incentives. The Recommendation also highlights
the importance of international co-operation to avoid norm proliferation and inconsistencies across
jurisdictions.

The Recommendation embeds the nine high-level principles in the Recommendation of the Council
on Digital Security Risk Management and a culture of proportionate digital security in products and
services, recognising the current market failure and knowledge asymmetries. It provides guidance for
the development of public policies encouraging all stakeholders to adopt good practice, according to
their role, and for protecting vulnerability researchers from wrongful legal threats and proceedings
(“safe harbour”). It calls for a mix of policy actions, recognising that there is no single and simple
solution to improve the situation. While it is essential to apply existing good practice, it is important to
understand that each vulnerability is different, and that in certain contexts, “the cure can be worse than
the disease”. Furthermore, public policies need to take a broad approach targeting both producers of
code and their supply chain, as well as organisations using these products and vulnerability
researchers. Co-ordination among all stakeholders is paramount in this area.

OECD Policy Framework on Digital Security

The Framework has been developed by the OECD Secretariat with the aim of bringing together in a
coherent narrative the various aspects covered in digital security Recommendations.
 OECD/LEGAL/0481 5
_____________________________________________________________________________________________

The Framework primarily targets policy makers and is presented in a user-friendly format. It makes
references to and introduces the digital security Recommendations. It also helps identify linkages with
other OECD legal instruments such as the Recommendation concerning Guidelines Governing the
Protection of Privacy and Transborder Flows of Personal Data [OECD/LEGAL/0188], work carried
out in CDEP, other OECD committees, and beyond the OECD, as appropriate.

The Framework provides a modular approach that can scale with the potential future addition of digital
security Recommendations, as appropriate, but may also be amended as necessary to ensure
coherence with new developments.

Next steps

CDEP, through the SDE, serves as a forum for exchanging information on digital security to identify
good practice in coordination with other international organisations and fora. These discussions take
place in the SDE and other dedicated events under the umbrella of the Global Forum on Digital
Security for Prosperity. The aim of these conversations is to foster dialogue among stakeholders and
support the exchange of experience among Adherents, thus supporting the implementation of good
practices. In addition, analytical work that supports the implementation of the Recommendation will be
determined as part of the Programme of Work and Budget and focus on priority areas identified by
Members.

The COVID-19 crisis highlighted our dependence on certain critical activities, as well as the growing
digitalisation of their operators, which increases their exposure to digital security risk. For instance,
many hospitals have been the target of digital security attacks such as Distributed Denial-of-Service
(DDoS) or ransomware. In fact, the pandemic has been a stress test for the digital security risk
management practices of many of our critical infrastructures. This Recommendation provides
governments with timely guidance on strengthening the digital security of such critical activities without
undermining the benefits of digital transformation. For further information please consult: Dealing with
digital security risk during the Coronavirus (COVID-19) crisis (oecd.org)

For further information on OECD digital security work, please consult

https://www.oecd.org/digital/ieconomy/digital-security/.
Contact information: digitalsecurity@oecd.org.
6 OECD/LEGAL/0481
_____________________________________________________________________________________________

THE COUNCIL,

HAVING REGARD to Article 5 b) of the Convention on the Organisation for Economic Co-operation and
Development of 14 December 1960;

HAVING REGARD to the Recommendation of the Council on Digital Security Risk Management (Digital
Security Recommendation) [OECD/LEGAL/0479]; the Recommendation of the Council on National Digital
Security Strategies [OECD/LEGAL/0480]; the Recommendation of the Council on Digital Security of
Critical Activities [OECD/LEGAL/0456]; the Recommendation of the Council on the Treatment of Digital
Security Vulnerabilities [OECD/LEGAL/0482], the Recommendation of the Council concerning Guidelines
for Cryptography Policy [OECD/LEGAL/0289], and the Recommendation on Electronic Authentication
[OECD/LEGAL/0353], which form with the present Recommendation a comprehensive set of international
standards on digital security featured in the OECD Policy Framework on Digital Security
[C(2022)145/ADD1];

HAVING REGARD to the standards developed by the OECD in the area of privacy and transborder flows
of personal data, internet and internet policy making, digital economy, innovation, growth and social
prosperity, artificial intelligence, public procurement, regulatory governance to harness innovation;

RECALLING that while digital security risk cannot be entirely eliminated, it can be managed and reduced
to a level that is acceptable to stakeholders and to society as a whole, and that there is a variety of
contexts of use for products and services, levels of risk appetite and digital security maturity as well as
available resources amongst stakeholders;

RECALLING that there are often trade-offs between digital security and other elements such as product
and service performance, quality, usability and affordability; and that striking the right balance between
these elements is crucial to reach an optimal level of digital security;

RECALLING that enhancing the digital security of products and services increases privacy and personal
data protection, and that is a key public policy objective to reduce all stakeholders’ exposure to digital
security risk, which is increasing due to digital transformation of the economy and society;

RECOGNISING that products and services are increasingly vulnerable to digital security risk, including
through vulnerabilities in code and misconfigurations, combined with numerous factors including the
increased complexity of technologies and supply chains, as well as capability of threat actors;

RECOGNISING that the likelihood of digital security incidents having negative human safety
consequences is increasing with the development of the Internet of Things (IoT) and cyber-physical
systems, and that some products and services, upon which critical activities or a very large number of
users rely, raise systemic digital security risk;

RECOGNISING that significant information asymmetries, misaligned market incentives, a misperception of

digital security risk and economic externalities limit the ability of stakeholders to optimally manage the
digital security risk of products and services, and often lead to a lack of investment in digital security;

RECOGNISING that enhanced international co-operation to strengthen the digital security of products and
services is essential as their market and supply chains are increasingly global, interconnected and, in
some cases, interdependent.

On the proposal of the Committee on Digital Economy Policy:

I. AGREES that the purpose of this Recommendation is to provide policy guidance on how to
implement the Digital Security Recommendation to enhance the digital security of products that contain
code and can interconnect, and associated services such as cloud and managed services, in order to
strengthen trust in the digital transformation, achieve economic and social prosperity, ensure the delivery
 OECD/LEGAL/0481 7
_____________________________________________________________________________________________

of critical activities such as healthcare, water treatment, energy distribution and elections, and protect
people’s safety;

II. AGREES that, for the purpose of this Recommendation, the following definitions are used:

● Users refers to individuals and organisations that use these products and services. They include
corporate and industrial customers as well as consumers.
● Suppliers refers to supply-side actors involved in the product or service’s supply chain, and that
have a role in developing, providing access to, maintaining or selling the product or service, such
as manufacturers, service providers, providers of components, integrators, intermediaries and
vendors, as well as third-party code owners.
● Code owners refers to suppliers responsible for developing and/or maintaining a layer of code.
Products may include code from different code owners.
● End-of-support (EOS), also known as End-of-life, refers to the stage of the product’s lifecycle
when suppliers cease to issue security updates. It can be misaligned with the EOU.
● End-of-use (EOU) refers to the stage of the product’s lifecycle when end-users cease to use the
product. It can be misaligned with the EOS.

DOMESTIC AND INTERNATIONAL CO-OPERATION

III. RECOMMENDS that Members and non-Members adhering to this Recommendation (hereinafter
the “Adherents”) take measures to intensify co-operation on the digital security of products and services,
including by:

1. At the domestic level:

a. Integrating policies on the digital security of products and services in their national strategies for
digital security and digital transformation.
b. Leveraging the multi-stakeholder digital security community, including suppliers and users, civil
society, academia and the technical experts’ community to develop, implement and improve
policies in this area, for instance through multi-stakeholder consultations.
c. Establishing a whole-of-government approach to enhance the digital security of products and
services, and increasing co-operation between public authorities, in particular those responsible
for digital security, consumer protection, intellectual property, consumer product safety, privacy
and data protection, insurance, as well as sectoral regulators.
d. Fostering digital security capacity building, including for vulnerable users, organisations with
limited resources, such as Small and Medium Enterprises (SMEs), and civil society
organisations, as well as organisations supporting critical activities such as in the healthcare
sector.
e. Encouraging suppliers and users to collaborate, co-ordinate incident response, and share
information on threats, vulnerabilities, and risk related to products and services through CSIRTs,
Product Security Incident Response Team (PSIRT) and Information Sharing and Analysis
Centers (ISACs).

2. At the international level:

a. Taking into account international technical standards when developing national policies on the
digital security of products and services.
8 OECD/LEGAL/0481
_____________________________________________________________________________________________

b. Sharing good practices on national and regional policies and initiatives to enhance the digital
security of products and services.
c. Increasing cross-border co-operation among cybersecurity regulators, sectoral and other relevant
regulators, and international standardisation organisations.
d. Encouraging suppliers and users to collaborate, co-ordinate incident response, and share
information across borders through CSIRTs, PSIRTs and ISACs.
e. Enabling cross-border interoperability of legal frameworks, including for those establishing digital
security requirements for products, services and their suppliers as well as for their certification
and labelling.
f. Fostering digital security capacity building in developing countries.

DUTY OF CARE OF SUPPLIERS

IV. RECOMMENDS that Adherents ensure that suppliers take responsibility for the digital security of
their products and services (“duty of care”), by designing policies which foster:

1. Security-by-design, whereby suppliers integrate digital security at every stage of the product’s
lifecycle, starting from its design (“security development lifecycle”), and in particular:

a. Implement baseline digital security measures, including:

‒ A sufficiently secure update mechanism, access management and authentication
mechanisms;
‒ Vulnerability treatment processes, including co-ordinated vulnerability disclosure and
patching;
b. Define digital security requirements based on the assessment of the digital security risk their
products may pose to their users and third parties, including by:
‒ Developing scenarios of expected use cases and of digital security incidents, based on
threat modelling;
‒ Taking into account the:
▪ variety of user categories, their use contexts, levels of risk appetite, digital security
maturity and available resources;
▪ “state of the art” for digital security, including the international technical standards
that best fit their risk assessment, known attack methods, as well as technical and
economic constraints such as affordability, performance, usability and accessibility;
▪ geopolitical context;
c. Ensure that digital security vulnerabilities in their products and services do not pose
unreasonable risk to their users and third parties, including with respect to physical safety;
d. Integrate privacy impact assessments and privacy-by-design objectives and requirements in the
development process of their products and services;

2. Security-by-default, whereby suppliers take an appropriate level of responsibility for

preconfiguring products and services and managing their digital security, rather than shifting this
responsibility to users, and in particular:

a. Pre-configure and activate security features by default, while allowing users to opt-out to
configure the security features themselves;
 OECD/LEGAL/0481 9
_____________________________________________________________________________________________

b. Provide users with information about preconfigured security settings and clear and simple
instructions for security configuration;
c. Provide users with, at least until the product’s EOS and if possible until the product’s EOU,
security updates which are:
‒ Free of charge;
‒ Distinct from functional updates or upgrades, where possible;
‒ Automatically activated by default, where possible, in particular for critical vulnerabilities,
while enabling users to opt out from automatic updates for example if they need to manage
the potential digital security risk that updates can pose in their use context;
d. Provide users opting out from automatic updates with information and warnings about possible
risk to themselves and third parties;

3. Dynamic treatment and co-ordination of vulnerabilities, whereby suppliers adopt processes

to discover, handle, manage and co-ordinate disclosure and whenever possible directly fix vulnerabilities,
as well as communicate clear information to users about security updates, vulnerabilities, exploits, security
incidents and possible mitigations, as appropriate;

4. Responsible, clear and transparent end-of-support (EOS) policies, whereby suppliers:

a. Maintain the digital security of their products for a reasonable period, corresponding to the
expected length of use of the product;
b. Reduce the gap between the EOS and the EOU, by exploring the following options:
‒ Incentivising end-users to stop using a product when it reaches the EOS, for instance
through notifications, discounted or free upgrades, and support for recycling;
‒ Enabling other stakeholders, including users, the open-source community or another
organisation, to maintain the product after its EOS, where appropriate and possible, for
instance by transferring source code or allowing administrative access for security
updates;
c. State publicly the length of time for which their products will receive security updates and the
rationale for the duration of the support period;
d. Enable stakeholders to maintain their products in case of unexpected events affecting the
products’ EOS, such as the supplier’s bankruptcy, for instance through source code escrow;
e. Monitor, where appropriate, the extent to which their products continue to be used after their EOS
and publish relevant data, while respecting user privacy and personal data protection;
f. Protect personal and other sensitive data associated with the product after its EOU or change of
ownership (e.g. by enabling destruction of the data);

5. Co-operation across the supply chain’s code owners, whereby suppliers identify and co-
operate with other suppliers, code owners, and users including at the technical level, to:

a. Identify all code components and dependency relationships of the product and associated code
owners, for both closed and open-source code;
b. Ensure effective vulnerability treatment across the value chain and the various code components
of their products;
c. Designate a co-ordinator, where appropriate and feasible, to manage the relationships between
code owners. Such co-ordinator may be a supplier such as a PSIRT, a third-party organisation
(e.g. a certification or standard body, industry consortium, or specific organisations), a Computer
Security Incident Response Team (CSIRT) or a governmental agency;
10 OECD/LEGAL/0481
_____________________________________________________________________________________________

6. Assessment of the level of digital security of the product and service, whereby suppliers
may, depending on the contexts of use and assessment of risk:

a. Self-assess the level of digital security of their products and services regularly against a list of
requirements based on international standards;
b. Certify the level of digital security of their products and services through third-party evaluation;

TRANSPARENCY AND INFORMATION SHARING

V. RECOMMENDS that Adherents adopt policies that foster transparency and information sharing
with respect to the digital security of products and services, in order to (i) raise awareness and empower
users to effectively assess digital security risk related to products and services and make informed
decisions on how to use them and (ii) incentivise suppliers to further value and invest in the digital security
of their products and services. To that effect, these policies should incentivise suppliers to:

1. Use independent third-party evaluation such as audits, inspection tests, and certification, and to
communicate the results of these evaluations, for example through labels;

2. Be transparent to all users and stakeholders regarding:

a. The digital security features of their products and services;

b. The processes and policies in place for addressing the digital security of their products and
services (e.g. security-by-design, vulnerability treatment and EOS policy);
c. The risk-profile of their organisation, for instance regarding its digital security risk management
strategy, the location of its headquarters and the impact of applicable law (including possible
extraterritorial effects) on the digital security of their products and services;
d. Digital security incidents affecting them or actors in their supply chain that could present a risk to
their products and services’ users and other stakeholders;

3. Co-operate and share information with public authorities and other stakeholders such as the
digital security community and other code owners and suppliers regarding, where appropriate and
possible:

a. The traceability for the components of their products (e.g. through a bill of materials) and the
lower tiers suppliers that provide these components;
b. The security of their products’ source code, for instance through independent third-party audits,
open-source licensing, or transparency centres;

4. Enable advanced users to access and modify security settings of the products they use;

5. Encourage vulnerability researchers, where appropriate, to test a product or service, and to

examine “telemetry” data, or metadata about usage and access (log information) to detect anomalies,
while respecting personal data protection laws;

VI. RECOMMENDS that Adherents that intend to develop digital security labels for products and
services take into account international standards, as appropriate;
 OECD/LEGAL/0481 11
_____________________________________________________________________________________________

FLEXIBLE POLICIES

VII. RECOMMENDS that Adherents adopt policies to enhance digital security of products and
services that are proportionate to the risk, and that:

1. Take into account the variety of ecosystems and contexts of use, levels of risk appetite and of
digital security maturity as well as stakeholders’ resources;

2. Start with a light-touch approach based on voluntary policy measures, and explore the need for
mandatory measures that are principles-based and outcomes-oriented, as appropriate, including to
enhance the level of digital security for certain products and services, such as those which could affect
safety or critical activities;

3. Support the development of guidance and technical standards for the digital security of products
and services;

4. Facilitate the application of consumer protection and liability law to products and services, as
appropriate, for example when digital security risk could affect safety;

INNOVATION AND COMPETITION

VIII. RECOMMENDS that Adherents adopt policies to promote innovation as well as research and
development to enhance the digital security of products and services, including by:

1. Ensuring that competitive markets enable optimal customer choice and incentivise suppliers to
innovate for digital security;

2. Developing research programs and supporting innovation ecosystems focused on digital security;

3. Supporting digital security literacy at all levels of the educational system and in particular by
developing specialist programs for digital security in higher education and mainstreaming digital security in
non-technical curricula;

4. Enabling controlled experimentation such as regulatory sandboxes to support innovation where

existing regulation may limit innovation, while also fostering policy learning and adaptation;

5. Integrating digital security requirements in public procurement;

***

IX. CALLS ON stakeholders, in particular suppliers, to disseminate and follow this Recommendation
in their approach to digital security of products and services.

X. INVITES the Secretary-General to disseminate this Recommendation.

XI. INVITES Adherents to disseminate this Recommendation at all levels of government.

XII. INVITES Adherents to the Digital Security Recommendation to take due account of, and adhere
to, this Recommendation.

XIII. INSTRUCTS the Committee on Digital Economy Policy, to

12 OECD/LEGAL/0481
_____________________________________________________________________________________________

a. Serve as a forum for:

i. exchanging information on public policies related to the digital security of products and
services in coordination with other international fora, and
ii. developing analytical work to support the implementation of the Recommendation;
b. Report to the Council on the implementation, dissemination, and continued relevance of this
Recommendation when reporting on the Digital Security Recommendation.
About the OECD
The OECD is a unique forum where governments work together to address the economic, social and
environmental challenges of globalisation. The OECD is also at the forefront of efforts to understand
and to help governments respond to new developments and concerns, such as corporate governance,
the information economy and the challenges of an ageing population. The Organisation provides a
setting where governments can compare policy experiences, seek answers to common problems,
identify good practice and work to co-ordinate domestic and international policies.

The OECD Member countries are: Australia, Austria, Belgium, Canada, Chile, Colombia, Costa Rica,
the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Israel, Italy, Japan, Korea, Latvia, Lithuania, Luxembourg, Mexico, the Netherlands, New Zealand,
Norway, Poland, Portugal, the Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Türkiye, the
United Kingdom and the United States. The European Union takes part in the work of the OECD.

OECD Legal Instruments

Since the creation of the OECD in 1961, more than 500 legal instruments have been developed within
its framework. These include OECD Acts (i.e. the Decisions and Recommendations adopted by the
OECD Council in accordance with the OECD Convention) and other legal instruments developed
within the OECD framework (e.g. Declarations, international agreements).

All substantive OECD legal instruments, whether in force or abrogated, are listed in the online
Compendium of OECD Legal Instruments. They are presented in five categories:

• Decisions are adopted by Council and are legally binding on all Members except those which
abstain at the time of adoption. They set out specific rights and obligations and may contain
monitoring mechanisms.

• Recommendations are adopted by Council and are not legally binding. They represent a
political commitment to the principles they contain and entail an expectation that Adherents will
do their best to implement them.

• Substantive Outcome Documents are adopted by the individual listed Adherents rather than
by an OECD body, as the outcome of a ministerial, high-level or other meeting within the
framework of the Organisation. They usually set general principles or long-term goals and have
a solemn character.

• International Agreements are negotiated and concluded within the framework of the
Organisation. They are legally binding on the Parties.

• Arrangements, Understandings and Others: several other types of substantive legal

instruments have been developed within the OECD framework over time, such as the
Arrangement on Officially Supported Export Credits, the International Understanding on
Maritime Transport Principles and the Development Assistance Committee (DAC)
Recommendations.