Editor’s Note: NATO’s members have spent a decade answering the question the 2014 Wales Summit left open: what does it mean, in practice, that international law applies in cyberspace? A new CCDCOE analysis by Agnes Kasper and Karine Veersalu compiles the answers and finds 27 of 32 allies now on the record, individually or through the EU’s November 2024 declaration, with agreement running deeper than the familiar disputes suggest.
For cybersecurity, data privacy, regulatory compliance and eDiscovery professionals, the convergence is directly usable. Thresholds for sovereignty violations and prohibited intervention shape breach-response decisions in cross-border incidents; attribution doctrine turns on evidence handling and documentation; and human rights commitments constrain how states restrict data flows and online services.
Watch two things next: the review of NATO’s cyberspace operations doctrine, AJP-3.20, and whether the alliance converts this documented baseline into a formally agreed common position.
Content Assessment: NATO allies converge on the law of cyber operations
Information - 93%
Insight - 92%
Relevance - 90%
Objectivity - 93%
Authority - 94%
92%
Excellent
A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "NATO allies converge on the law of cyber operations."
Industry News – Cybersecurity Beat
NATO allies converge on the law of cyber operations
ComplexDiscovery Staff
The core rules of international law governing cyber operations have not changed in decades. What has changed is that most NATO members have now gone on the record, individually or collectively, on how those rules apply.
That shift reveals what a new analysis from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) describes as a documented common baseline for the 32-member alliance, assembled from the allies’ own published national and collective positions.
The paper, “International Legal Perspectives on Cyber Operations: A Common Baseline for NATO Allies,” was written by Agnes Kasper, head of the Law Branch at the Tallinn, Estonia-based center, and Karine Veersalu, a former law researcher there. Forthcoming in Issue 44 of the NATO Legal Gazette, the analysis maps where allied views on international law in cyberspace line up, from sovereignty and non-intervention to attribution, countermeasures and the law of armed conflict. The views expressed are the authors’ own, the paper says, not necessarily those of the CCDCOE or NATO.
A turning point in 2024
The authors describe 2024 as a turning point. NATO formally recognized at its 2014 Wales Summit that international law, including international humanitarian law and the UN Charter, applies in cyberspace, but individual allies were slow to explain what that meant in practice. The pace changed as national positions accumulated and, on Nov. 18, 2024, the Council of the European Union adopted a Declaration on a Common Understanding of the Application of International Law to Cyberspace on behalf of the EU and its member states.
The result, as of early 2026: 17 NATO allies have issued individual national positions, according to the paper’s survey built on the CyberLaw Toolkit, a public database maintained by the University of Exeter, the CCDCOE and the Czech Republic’s National Cyber and Information Security Agency. Ten more allies are covered solely through the EU’s common understanding. Only five, Albania, Iceland, Montenegro, North Macedonia and Turkey, have published no position at all. The pipeline keeps moving. Belgium published its national position in 2025 and, according to the analysis, Slovenia followed in 2026 while Estonia has signaled plans to revise its existing position.
The timing is not accidental. At the United Nations, the Open-ended Working Group on ICT security concluded its five-year run in July 2025 and handed off to a new permanent Global Mechanism, with the application of international law among the most contested questions to the end. Against that unsettled global backdrop, the authors wrote, the alliance’s accumulated positions carry unusual weight. Cyber operations are often covert, classified or deniable, and the underlying rules are technology neutral, which makes these written interpretations, in many cases, the only public evidence of how a state reads the law it expects others to follow.
Where the allies already agree
Every published allied position affirms that international law, including the United Nations Charter, applies to state uses of information and communication technologies. No allied position calls for a new treaty regime, and several states say expressly that existing law suffices.
On sovereignty, the paper finds consensus that the principle applies in cyberspace, paired with a well-known split over its legal character. Most allies treat sovereignty as a standalone rule whose violation can trigger state responsibility, while the United Kingdom, with some support from the United States, treats it as a guiding principle rather than a rule that can itself be breached. The practical convergence matters as much as the doctrinal split. Cyber operations causing substantial harmful effects on another state’s territory, such as physical damage, injury, loss or death, would likely be treated by most allies as a breach of sovereignty, while operations with negligible or de minimis effects would not. Everything in between gets a case-by-case assessment weighing what the paper calls scope, scale, impact and severity.
Non-intervention draws similar alignment. A cyber operation crosses the line when it coercively interferes in another state’s protected internal affairs, its domaine réservé. Tampering with electoral processes through cyber means is the example allies cite repeatedly, and the paper reports agreement that election interference attributable to a state can constitute prohibited intervention.
Force, attribution and lawful responses
On the use of force, allied positions uniformly assess effects, not means. A cyber operation falls under the UN Charter’s Article 2(4) prohibition when its consequences are comparable to a conventional use of force, with damaged critical infrastructure and downed aircraft the recurring examples. Many allies would also weigh severe non-physical consequences, including economic harm. Most distinguish a use of force from the graver threshold of an armed attack; the paper identifies the United States as the outlier that declines to separate the two, citing an April 2024 lecture by Richard C. Visek, then serving as acting legal adviser at the U.S. State Department, who acknowledged that many states, though not the United States, distinguish between the thresholds.
The allies also agree that the customary law of state responsibility applies wholesale. A state cannot launder wrongful cyber operations through proxies or contractors, and legal attribution, the paper says, is a question of evidence and judgment distinct from technical forensics or political naming-and-shaming. International law imposes no obligation on an attributing state to disclose its evidence, though several allies say transparency serves cooperation.
When a state is wronged, the response ladder is familiar: lawful but unfriendly acts of retorsion such as sanctions or expelling diplomats, countermeasures designed strictly to induce compliance rather than punish, a narrow plea of necessity in the face of grave and imminent peril, and self-defense under Article 51 when a cyber operation’s scale and effects rise to an armed attack. Responses need not be symmetrical. A cyber wrong can draw a non-cyber answer, and vice versa.
Due diligence and human rights remain in motion
Convergence thins in places. All examined positions address due diligence, the expectation that a state not knowingly allow its territory to be used for wrongful cyber acts, as a standard of conduct applicable in the cyber context, drawing on the International Court of Justice’s Corfu Channel formulation and the broader no-harm principle. Most allies regard it as a binding obligation, while the U.K. and U.S. positions conclude it has not yet acquired that status in cyberspace.
Human rights law shows firmer agreement. Obligations apply online as they do offline, with freedom of expression, privacy, assembly and access to information the recurring priorities. States accept that qualified rights may be restricted for legitimate aims, but measures such as internet shutdowns and broad censorship may fail those standards, a point raised by Romania and the United States among others.
The dual-use problem in armed conflict
International humanitarian law (IHL) rounds out the baseline. All examined positions agree IHL fully applies to cyber operations during armed conflict and that its application neither legitimizes conflict nor militarizes cyberspace. A cyber operation qualifies as an attack when it is reasonably expected to cause injury, death, damage or destruction, and the rules of distinction, proportionality and precaution then apply, even where infrastructure is dual-use. Civilians who directly participate in cyber hostilities may lose protection from direct attack for the duration of that participation. Still unsettled: whether data as such can be an object of attack, a question several allies say needs further consideration.
From published positions to operational doctrine
The authors draw two implications. First, allies planning and conducting cyber operations must now account for positions representing 27 of NATO’s 32 members, expressed nationally or collectively through the EU declaration, and NATO’s doctrinal development, including what the paper says is an ongoing review of the Allied Joint Doctrine for Cyberspace Operations (AJP-3.20), should build on those convergences. The current edition dates to 2020, before most national positions existed. Second, the accumulated positions could serve as the foundation for a formally agreed NATO common position, a step the authors call timely. They also flag two cautions: the positions vary in granularity, silence on an issue does not signal agreement, and the findings amount to a snapshot of convergences at the beginning of 2026 in a field that keeps moving.
For legal, security and eDiscovery professionals, the practical takeaways sit closer to home. Counsel advising on cross-border incident response can consult the CyberLaw Toolkit to check how affected states define thresholds for sovereignty violations and intervention before a crisis forces the question. Teams handling attribution should recognize that legal attribution turns on evidence and reasoned assessment, so the disciplines eDiscovery professionals already practice, preservation, provenance and documentation, strengthen governmental judgments and any later legal proceedings alike. And compliance leaders operating in the 10 allied states covered only by the EU declaration should watch for national positions still to come.
If most of the alliance now agrees on the legal baseline for cyber operations, how long before NATO adopts a common position of its own, and how much divergence will remain beneath the agreement when it does?

News sources
- International Legal Perspectives on Cyber Operations: A Common Baseline for NATO Allies (NATO CCDCOE)
- Declaration on a Common Understanding of the Application of International Law to Cyberspace (Council of the European Union)
- Wales Summit Declaration (NATO)
- The OEWG ends and a new UN cybersecurity permanent mechanism is born (Global Partners Digital)
- EU Council approves declaration on international law in cyberspace (JURIST)
- International cyber law: interactive toolkit (CyberLaw Toolkit)
- Handbook on Developing a National Position on International Law and Cyber Activities (University of Exeter)
Assisted by GAI and LLM technologies
Additional reading
- The negotiator was the leak: insider who betrayed ransomware victims gets 70 months
- Why a single Signal recovery key is a preservation problem
- Europe’s critical sectors are maturing, but seven still sit in ENISA’s risk zone
- When the worm targets the assistant: Miasma turns AI coding agents into the trigger
- Glasswing widens: Anthropic puts Mythos inside power, water and hospital operators across more than 15 countries
- Canvas breach moves from disclosure to demand as ShinyHunters sets May 12 deadline
- CISA’s CI Fortify rewrites the disconnection playbook for critical infrastructure
- A 48-month federal benchmark resets the incident-response insider question
- Data collection in occupied territory: A closer read of Cyber Law Toolkit scenario 35
- Cyber Law Toolkit tests surveillance and data collection under occupation
Source: ComplexDiscovery OÜ

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.



























