
Locked Shields 2026 Makes the Case for Cyber Resilience Built on Drills and Shared Norms, Not Compliance Mandates

Estonia's CCDCOE closed the world's largest live-fire cyber exercise on April 24 — a model of capability-building and legal norms that complements, and outpaces, regulation-by-checklist.

Locked Shields 2026 by the Numbers (People of Internet Research): 4,000+ defenders mobilised; 41 participating nations; ~8,000 simulated real-time attacks; 16 multinational blue teams.


When NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) closed Locked Shields 2026 in Tallinn on April 24, the headline figures were record-setting. More than 4,000 participants from 41 nations, organised into 16 multinational "blue teams," defended simulated critical infrastructure against roughly 8,000 real-time cyberattacks over two days. A team co-led by Latvia's National Guard Cyber Defence Unit and Singapore's Digital and Intelligence Service finished first, ahead of a German-Austrian-Luxembourgish-Swiss coalition and a French-Swedish pairing.

The scoreboard is the least interesting part. What makes Locked Shields a tech-policy story rather than a purely military one is the model it embodies — and the contrast that model draws with the compliance-first direction cyber regulation has taken elsewhere.

A drill run like a country in crisis

Locked Shields is not a capture-the-flag hacking contest. It is a strategic simulation. According to the CCDCOE, the 2026 scenario centred on the fictional state of Berylia, thrown into crisis after a rival, Crimsonia, began building artificial islands to expand its exclusive economic zone in defiance of a UN ruling. Teams had to keep power grids, 5G networks, satellite links and battle-management systems running under sustained attack — while simultaneously handling strategic communications, digital forensics, international-law questions and national-level decision-making.

That last cluster is the point. Locked Shields deliberately puts legal advisers and media strategists on the same team as network defenders, because in a real crisis the hard problems are rarely only technical. Estonian Defence Minister Hanno Pevkur framed this year's edition around crisis management and the protection of the systems a society actually depends on — a framing that treats cyber defence as a whole-of-government discipline rather than an IT department's problem.

Capability plus norms — Estonia's export

The CCDCOE, established in Tallinn in 2008 after the 2007 cyberattacks on Estonia, has run Locked Shields annually since 2010. But the centre's most influential output is not an exercise at all: it is the Tallinn Manual, the leading scholarly restatement of how existing international law applies to cyber operations. The 2.0 edition appeared in 2017, and a five-year Tallinn Manual 3.0 revision launched in 2021 to track evolving state practice.

Taken together, the exercise and the manual describe a distinctive theory of cyber resilience: build operational capability through realistic practice, and anchor it in shared, voluntary legal norms rather than a single binding code. It is a bottom-up, interoperable, standards-driven approach — and it is precisely the kind of model an open-internet, pro-innovation publication should want to see succeed.

The case for harder rules — and its limits

The strongest argument against leaning on exercises and non-binding manuals is straightforward and serious. Voluntary readiness is unevenly distributed; critical-infrastructure operators routinely under-invest in security because the costs of a breach fall partly on third parties. That market failure is exactly why the EU enacted the NIS2 Directive (Directive (EU) 2022/2555) and the Cyber Resilience Act (Regulation (EU) 2024/2847), which impose binding security obligations, incident-reporting timelines and, in NIS2's case, personal liability for senior management. Mandates create a floor that no amount of goodwill guarantees.

That case deserves to be taken on its own terms. But it also defines the limit of what regulation can do. A directive can compel an operator to file a risk assessment; it cannot manufacture the muscle memory, cross-border coordination and institutional trust that a French air-defence team and a Singaporean intelligence unit need to fight off a live intrusion together at 3 a.m. Those are built through repetition, not paperwork — and they are exactly what Locked Shields produces. The proportionate position is not to choose between the two. It is to recognise that mandates set the minimum, while exercises and shared norms raise the ceiling. Regulation that drifts toward box-ticking — voluminous reporting that consumes the very security teams it is meant to strengthen — gets that balance backwards.

The open, partner-inclusive advantage

The most under-appreciated feature of Locked Shields is who gets to play. Singapore — not a NATO member — co-led the top-scoring team. The exercise runs on platforms and telemetry contributed by private technology vendors. Partner nations, industry and academia sit inside the same scenario as alliance militaries. This multi-stakeholder openness is not a courtesy; it is the source of the model's adaptability. Threats do not respect the boundaries of a regulatory bloc, and neither should the institutions that train against them.

Contrast that with regimes whose instinct is to localise and wall off — data-residency mandates, fragmented certification schemes, and cyber rules that vary so much jurisdiction to jurisdiction that compliance, not security, becomes the full-time job. Estonia's bet is the opposite: that resilience scales through interoperability and trust, not through fences.

The takeaway

Locked Shields 2026 will be remembered for its scale and for an unusually strong showing from smaller and non-NATO states. Its more durable lesson is about method. The countries that weather the next decade of cyber conflict will be the ones that invested in people, in repeated realistic practice, and in shared rules of the road — not the ones that mistook a thick compliance binder for a defended network. Regulators chasing cyber resilience through ever-denser mandates could learn something from a war game run in the Estonian woods.

Sources & Citations

  1. CCDCOE — Locked Shields 2026 united 41 nations
  2. CCDCOE — Locked Shields 2026 kicks off (scenario, ~8,000 attacks)
  3. Singapore MINDEF — DIS concludes Locked Shields 2026
  4. SecurityWeek — Locked Shields 2026: 41 Nations Strengthen Cyber Resilience
  5. CCDCOE — Locked Shields 2026 united the power of 41 nations