Editor’s Note: NATO’s members have spent a decade answering the question the 2014 Wales Summit left open: what does it mean, in practice, that international law applies in cyberspace? A new CCDCOE analysis by Agnes Kasper and Karine Veersalu compiles the answers and finds 27 of 32 allies now on the record, individually or through the EU’s November 2024 declaration, with agreement running deeper than the familiar disputes suggest.

For cybersecurity, data privacy, regulatory compliance and eDiscovery professionals, the convergence is directly usable. Thresholds for sovereignty violations and prohibited intervention shape breach-response decisions in cross-border incidents; attribution doctrine turns on evidence handling and documentation; and human rights commitments constrain how states restrict data flows and online services.

Watch two things next: the review of NATO’s cyberspace operations doctrine, AJP-3.20, and whether the alliance converts this documented baseline into a formally agreed common position.


Content Assessment: NATO allies converge on the law of cyber operations

Information - 93%
Insight - 92%
Relevance - 90%
Objectivity - 93%
Authority - 94%

92%

Excellent

A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "NATO allies converge on the law of cyber operations."


Industry News – Cybersecurity Beat

NATO allies converge on the law of cyber operations

ComplexDiscovery Staff

The core rules of international law governing cyber operations have not changed in decades. What has changed is that most NATO members have now gone on the record, individually or collectively, on how those rules apply.

That shift reveals what a new analysis from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) describes as a documented common baseline for the 32-member alliance, assembled from the allies’ own published national and collective positions.

The paper, “International Legal Perspectives on Cyber Operations: A Common Baseline for NATO Allies,” was written by Agnes Kasper, head of the Law Branch at the Tallinn, Estonia-based center, and Karine Veersalu, a former law researcher there. Forthcoming in Issue 44 of the NATO Legal Gazette, the analysis maps where allied views on international law in cyberspace line up, from sovereignty and non-intervention to attribution, countermeasures and the law of armed conflict. The views expressed are the authors’ own, the paper says, not necessarily those of the CCDCOE or NATO.

A turning point in 2024

The authors describe 2024 as a turning point. NATO formally recognized at its 2014 Wales Summit that international law, including international humanitarian law and the UN Charter, applies in cyberspace, but individual allies were slow to explain what that meant in practice. The pace changed as national positions accumulated and, on Nov. 18, 2024, the Council of the European Union adopted a Declaration on a Common Understanding of the Application of International Law to Cyberspace on behalf of the EU and its member states.

The result, as of early 2026: 17 NATO allies have issued individual national positions, according to the paper’s survey built on the CyberLaw Toolkit, a public database maintained by the University of Exeter, the CCDCOE and the Czech Republic’s National Cyber and Information Security Agency. Ten more allies are covered solely through the EU’s common understanding. Only five, Albania, Iceland, Montenegro, North Macedonia and Turkey, have published no position at all. The pipeline keeps moving. Belgium published its national position in 2025 and, according to the analysis, Slovenia followed in 2026 while Estonia has signaled plans to revise its existing position.

The timing is not accidental. At the United Nations, the Open-ended Working Group on ICT security concluded its five-year run in July 2025 and handed off to a new permanent Global Mechanism, with the application of international law among the most contested questions to the end. Against that unsettled global backdrop, the authors wrote, the alliance’s accumulated positions carry unusual weight. Cyber operations are often covert, classified or deniable, and the underlying rules are technology neutral, which makes these written interpretations, in many cases, the only public evidence of how a state reads the law it expects others to follow.



Where the allies already agree

Every published allied position affirms that international law, including the United Nations Charter, applies to state uses of information and communication technologies. No allied position calls for a new treaty regime, and several states say expressly that existing law suffices.

On sovereignty, the paper finds consensus that the principle applies in cyberspace, paired with a well-known split over its legal character. Most allies treat sovereignty as a standalone rule whose violation can trigger state responsibility, while the United Kingdom, with some support from the United States, treats it as a guiding principle rather than a rule that can itself be breached. The practical convergence matters as much as the doctrinal split. Cyber operations causing substantial harmful effects on another state’s territory, such as physical damage, injury, loss or death, would likely be treated by most allies as a breach of sovereignty, while operations with negligible or de minimis effects would not. Everything in between gets a case-by-case assessment weighing what the paper calls scope, scale, impact and severity.

Non-intervention draws similar alignment. A cyber operation crosses the line when it coercively interferes in another state’s protected internal affairs, its domaine réservé. Tampering with electoral processes through cyber means is the example allies cite repeatedly, and the paper reports agreement that election interference attributable to a state can constitute prohibited intervention.

Force, attribution and lawful responses

On the use of force, allied positions uniformly assess effects, not means. A cyber operation falls under the UN Charter’s Article 2(4) prohibition when its consequences are comparable to a conventional use of force, with damaged critical infrastructure and downed aircraft the recurring examples. Many allies would also weigh severe non-physical consequences, including economic harm. Most distinguish a use of force from the graver threshold of an armed attack; the paper identifies the United States as the outlier that declines to separate the two, citing an April 2024 lecture by Richard C. Visek, then serving as acting legal adviser at the U.S. State Department, who acknowledged that many states, though not the United States, distinguish between the thresholds.

The allies also agree that the customary law of state responsibility applies wholesale. A state cannot launder wrongful cyber operations through proxies or contractors, and legal attribution, the paper says, is a question of evidence and judgment distinct from technical forensics or political naming-and-shaming. International law imposes no obligation on an attributing state to disclose its evidence, though several allies say transparency serves cooperation.

When a state is wronged, the response ladder is familiar: lawful but unfriendly acts of retorsion such as sanctions or expelling diplomats, countermeasures designed strictly to induce compliance rather than punish, a narrow plea of necessity in the face of grave and imminent peril, and self-defense under Article 51 when a cyber operation’s scale and effects rise to an armed attack. Responses need not be symmetrical. A cyber wrong can draw a non-cyber answer, and vice versa.

Due diligence and human rights remain in motion

Convergence thins in places. All examined positions address due diligence, the expectation that a state not knowingly allow its territory to be used for wrongful cyber acts, as a standard of conduct applicable in the cyber context, drawing on the International Court of Justice’s Corfu Channel formulation and the broader no-harm principle. Most allies regard it as a binding obligation, while the U.K. and U.S. positions conclude it has not yet acquired that status in cyberspace.

Human rights law shows firmer agreement. Obligations apply online as they do offline, with freedom of expression, privacy, assembly and access to information the recurring priorities. States accept that qualified rights may be restricted for legitimate aims, but measures such as internet shutdowns and broad censorship may fail those standards, a point raised by Romania and the United States among others.

The dual-use problem in armed conflict

International humanitarian law (IHL) rounds out the baseline. All examined positions agree IHL fully applies to cyber operations during armed conflict and that its application neither legitimizes conflict nor militarizes cyberspace. A cyber operation qualifies as an attack when it is reasonably expected to cause injury, death, damage or destruction, and the rules of distinction, proportionality and precaution then apply, even where infrastructure is dual-use. Civilians who directly participate in cyber hostilities may lose protection from direct attack for the duration of that participation. Still unsettled: whether data as such can be an object of attack, a question several allies say needs further consideration.

From published positions to operational doctrine

The authors draw two implications. First, allies planning and conducting cyber operations must now account for positions representing 27 of NATO’s 32 members, expressed nationally or collectively through the EU declaration, and NATO’s doctrinal development, including what the paper says is an ongoing review of the Allied Joint Doctrine for Cyberspace Operations (AJP-3.20), should build on those convergences. The current edition dates to 2020, before most national positions existed. Second, the accumulated positions could serve as the foundation for a formally agreed NATO common position, a step the authors call timely. They also flag two cautions: the positions vary in granularity, silence on an issue does not signal agreement, and the findings amount to a snapshot of convergences at the beginning of 2026 in a field that keeps moving.

For legal, security and eDiscovery professionals, the practical takeaways sit closer to home. Counsel advising on cross-border incident response can consult the CyberLaw Toolkit to check how affected states define thresholds for sovereignty violations and intervention before a crisis forces the question. Teams handling attribution should recognize that legal attribution turns on evidence and reasoned assessment, so the disciplines eDiscovery professionals already practice, preservation, provenance and documentation, strengthen governmental judgments and any later legal proceedings alike. And compliance leaders operating in the 10 allied states covered only by the EU declaration should watch for national positions still to come.

If most of the alliance now agrees on the legal baseline for cyber operations, how long before NATO adopts a common position of its own, and how much divergence will remain beneath the agreement when it does?



News sources



Assisted by GAI and LLM technologies

Additional reading

Source: ComplexDiscovery OÜ

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is an independent digital publication and research organization based in Tallinn, Estonia. ComplexDiscovery covers cybersecurity, data privacy, regulatory compliance, and eDiscovery, with reporting that connects legal and business technology developments—including high-growth startup trends—to international business, policy, and global security dynamics. Focusing on technology and risk issues shaped by cross-border regulation and geopolitical complexity, ComplexDiscovery delivers editorial coverage, original analysis, and curated briefings for a global audience of legal, compliance, security, and technology professionals. Learn more at ComplexDiscovery.com.

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Gemini, Grammarly, Midjourney, and Perplexity, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).