Eighteen Years and 39 Nations
On May 14, 2026 — exactly 18 years after the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) opened its doors in Tallinn — three more flags were raised outside its headquarters. Albania, Finland, and Sweden formally acceded to the Centre in a flag-raising ceremony, lifting total membership to 39 nations and making CCDCOE the largest NATO-accredited Centre of Excellence by member count. The timing was deliberate: the Centre was founded on that same date in 2008, and accession on its anniversary was a signal that the institution has grown into something its founders could not have fully anticipated.
Three Accessions, Three Stories
Each new member arrived by a different path, and together they illustrate the range of threats that now drive nations toward collective cyber governance.
Albania's case is the most visceral. In July and September 2022, Albanian government systems were hit by cyberattacks the United States and Albania attributed to Iranian state actors — assessed as retaliation for Albania hosting the Mujahideen-e-Khalq, an exiled Iranian opposition group. NATO's North Atlantic Council formally condemned the attacks on September 8, 2022, calling them "designed to destabilise and harm the security of an Ally, and disrupt the daily lives of citizens." Albania subsequently severed diplomatic relations with Tehran. That episode — one of the clearest-cut instances of a NATO member's national digital infrastructure being comprehensively assaulted by a state adversary — turned abstract doctrine into urgent necessity. Albanian Ambassador Mimoza Halimi pledged at the accession ceremony that Albania would "contribute actively to the Centre's work in research, training, exercises, and the development of best practices." That is not a diplomatic courtesy; it is a commitment grounded in operational experience.
Finland and Sweden took a different route. Both joined NATO following Russia's full-scale invasion of Ukraine in February 2022 — Finland in April 2023, Sweden in March 2024. Both brought mature cyber traditions: Finland has embedded national cyber resilience within its longstanding total-defence doctrine; Sweden's armed forces maintain dedicated cyber units. CCDCOE accession is the logical complement to their NATO memberships, enabling both nations to contribute to and draw from the Centre's doctrine development and exercise cycles from inside the alliance's formal structures.
What the Centre Actually Produces
Sceptics of multilateral cyber forums argue, not unreasonably, that interoperability commitments often remain on paper — committees convene, doctrine is drafted, and real incident response stays siloed within national agencies. That critique has real purchase when applied to some international bodies. CCDCOE provides a meaningful rebuttal.
The Centre runs Locked Shields, the world's largest live-fire cyber defence exercise. In April 2026, over 4,000 participants from 41 nations defended simulated critical infrastructure — air defence systems, e-voting platforms, military command networks — against coordinated adversarial attacks conducted in real time. Sixteen multinational teams competed; France-Sweden, Latvia-Singapore, and Germany-Austria-Luxembourg-Switzerland ranked at the top. Compare that with Locked Shields' first edition in 2010, which involved just four nations and 60 participants. The sixteen-year growth curve is itself an argument for the model. These are not tabletop exercises: participants operate under genuine technical pressure, and the operational lessons flow directly back into national cyber strategies.
Beyond exercises, CCDCOE produced the Tallinn Manuals — the most authoritative non-binding analysis of how international law applies to cyber operations. Tallinn Manual 2.0 (2017) codified 154 "black-letter" rules governing state behaviour in cyberspace short of armed conflict. A third edition is under development to address AI-driven operations and hybrid warfare scenarios. These texts shape how governments construct legal arguments, design national cyber legislation, and communicate red lines to adversaries — outputs generated through expert consensus rather than top-down mandate.
Why Near Full-Alliance Coverage Matters
CCDCOE opened in 2008 with seven founding nations: Estonia, Germany, Italy, Latvia, Lithuania, Slovakia, and Spain. Reaching 39 members means the Centre is now close to representing every NATO ally. That breadth is strategically significant. Ambiguity about whether a major cyberattack triggers Article 5, which agency leads the response, or how allies share intelligence in real time is itself an exploitable vulnerability. Adversaries probe these seams. Shared exercises and shared legal doctrine narrow them. The more nations that train together under CCDCOE-developed standards, the faster and more predictable collective responses become — and the less attractive ambiguous attacks become for adversaries calculating the cost-benefit.
Estonian Defence Minister Hanno Pevkur put it succinctly at the accession ceremony: "The Centre provides an excellent platform for the exchange of cyber domain expertise and know-how in an increasingly dynamic security environment."
The Architecture Worth Defending
For the broader technology policy debate, CCDCOE's 18-year trajectory illustrates the value of proportionate international intervention in cyberspace. The Centre does not dictate industrial standards, mandate product architectures, or impose liability regimes on technology companies. It builds capacity, develops non-binding norms, and runs joint exercises. Member states retain sovereignty over their domestic cyber agencies and legal frameworks.
This architecture delivers more durable security than heavy regulatory mandates alone. Centralised compliance requirements — whether on encryption standards, mandatory vulnerability disclosure timelines, or prescribed security configurations — tend to fragment at enforcement, reward paper compliance over genuine hardening, and generate chilling effects that slow legitimate innovation without commensurate security gains. Capacity-building and norm-development, coordinated through an institution with 18 years of operational credibility, can achieve what mandates cannot: genuine doctrinal alignment, tested in real exercises, between sovereign states that have chosen to participate.
CCDCOE Director Tõnis Saar captured the Centre's institutional purpose after Locked Shields 2026: "The key now is to take the lessons identified from the exercise and translate them into real-world readiness." After 18 years and 39 members, the institution has earned the standing to make that commitment mean something. The flags raised in Tallinn on May 14 are evidence of it.