
Estonia's Locked Shields and CyCon Show Why Cyber Defense Scales Through Exercises and Legal Clarity, Not New Mandates

CCDCOE's 2026 live-fire drill and its CyCon conference make the case for capacity-building and clarifying existing law over rushed binding rules.

[Infographic: Tallinn's Cyber-Defense Spring, by the Numbers (People of Internet Research · Estonia). Panels: 41 nations in Locked Shields; 4,000+ cyber defenders mobilized; 4 → 41 nations participating since the 2010 debut; ~800 CyCon 2026 participants.]

Within five weeks this spring, the small Estonian capital of Tallinn ran two of the most consequential events in the Western cyber-defense calendar. On 24 April, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) closed Locked Shields 2026, the world's largest live-fire cyber exercise, having mobilized more than 4,000 defenders from 41 nations into 16 multinational teams. Then, from 26–29 May, the same Centre convened the 18th International Conference on Cyber Conflict (CyCon) under the theme "Securing Tomorrow," drawing roughly 800 experts from 50 countries.

Taken together, the two events are more than a calendar coincidence. They represent a distinct theory of how liberal democracies should defend a contested digital domain: build muscle through repeated, realistic practice; clarify how existing law applies before reaching for new instruments; and treat the private sector and academia as partners rather than regulated subjects. For a publication that favors proportionate, evidence-based regulation, that model deserves attention precisely because it is working.

What Locked Shields actually tested

Locked Shields is not a tabletop. According to CCDCOE, the 2026 edition tasked Blue Teams with defending simulated national infrastructure under sustained real-time attack across three days, with joint teams from Latvia–Singapore, the Germany–Austria–Luxembourg–Switzerland bloc, and France–Sweden ranking highest. NATO's SHAPE reported that the defended systems included 5G infrastructure, satellite management systems, power grids, and electronic voting — the exact targets where a real adversary's intrusion would cascade into physical and democratic harm. The exercise has grown from four nations and 60 people at its 2010 debut to 41 nations and thousands of operators today, per SecurityWeek's reporting.

The steelman for a heavier regulatory hand here is genuine. Critical-infrastructure operators face attackers backed by state resources; voluntary best-practice guidance has repeatedly failed to close known gaps, and the EU's NIS2 Directive exists precisely because patchy national rules left gaps that adversaries exploited. If a power grid or 5G core is a systemic dependency, the argument goes, society cannot leave its hardening to the operator's discretion.

That case is real — but Locked Shields illustrates the limit of mandates. The hardest problem the exercise surfaces is not whether operators should be secure; it is whether their teams can coordinate, triage, and make legal calls under fire and across borders in hours. No statute produces that capability. Repetition does. A proportionate regime sets outcome-based duties — incident reporting, baseline resilience — and then invests the larger share of public effort in the drills, shared threat intelligence, and interoperability that actually move the needle. The 41-nation turnout is evidence that voluntary, capability-first cooperation can scale without a treaty compelling it.

CyCon's quieter contribution: law that fits the technology

CyCon's value is legal and conceptual. The conference's signature output is not a press release but the Tallinn Manual project — the CCDCOE-facilitated, expert-led restatement of how international law already applies to cyber operations. The original Manual (2013) addressed force and armed conflict; Tallinn Manual 2.0 (2017) extended to peacetime operations below that threshold; and a 3.0 update, led again by Professor Michael Schmitt, is underway to track evolving state practice.

This is the proportionate path made concrete. Rather than negotiating a brittle new cyber treaty — a years-long process that risks locking in rules obsolete on arrival — the Tallinn approach asks how sovereignty, due diligence, and the law of armed conflict map onto cyberspace as it actually operates. It is non-binding, which critics fairly note limits its force; states can and do contest specific rules. But its influence on government legal advisers has been substantial precisely because it clarifies rather than commands, leaving democratic legislatures to adopt what they choose.

CyCon 2026's headline theme reinforced the point. NATO Assistant Secretary General for Cyber Defence Jean-Charles Ellermann-Kingombe urged the field, per Baltic Times reporting, to "stop thinking of AI purely as a threat to manage and start treating it as a force multiplier to leverage." That is the correct instinct for regulators tempted to pre-emptively constrain AI in security tooling: the same agentic systems that worry defenders are also the ones that will let understaffed security teams keep pace. Welcoming addresses from Estonian President Alar Karis and Czech President Petr Pavel, alongside Ukrainian and US officials, underscored that this is a coalition position, not an Estonian eccentricity.

The Estonian template

Estonia earned this convening role the hard way: the 2007 distributed denial-of-service attacks that knocked out banks and government services were a founding trauma that produced CCDCOE in 2008. Nearly two decades on, the country's response was not to wall off its famously digital state but to double down on resilience, alliance, and legal clarity — building a model of pro-innovation security that the rest of NATO now rehearses annually.

The lesson for policymakers elsewhere is to resist the reflex that every cyber risk demands a new prohibition. Where binding rules are warranted — reporting duties, baseline standards for systemic operators — they should be outcome-focused and proportionate. The larger investment belongs where Tallinn has put it: in the exercises that build capability, the institutions that share intelligence, and the patient legal work that fits enduring principles to fast-moving technology. "Securing Tomorrow," it turns out, looks less like a rulebook and more like a rehearsal.

Sources & Citations

  1. CCDCOE — Locked Shields 2026 united 41 nations
  2. CCDCOE — The Tallinn Manual project
  3. SecurityWeek — Locked Shields 2026: 41 Nations Strengthen Cyber Resilience
  4. Baltic Times — Global Cyber Experts at CyCon 2026
  5. NATO SHAPE / GlobalSecurity — Cyber Defenders tested at Locked Shields 2026