Between 13 and 24 April 2026, roughly 4,000 cyber operators from 41 nations gathered in Bucharest's University Politehnica library for Locked Shields 2026, the NATO Cooperative Cyber Defence Centre of Excellence's (CCDCOE) flagship live-fire exercise. According to the CCDCOE's after-action communique, sixteen multinational Blue Teams defended a fictional country's networks against approximately 8,000 real-time cyberattacks while juggling legal, strategic-communications and crisis-management injects. Ukraine — still on a wartime footing more than four years into Russia's full-scale invasion — participated as part of a joint team with Romania and Moldova.
That composition is the most interesting policy fact of the drill. The Romanian Ministry of National Defence confirmed that its team "participated in a joint format, together with experts from Ukraine and the Republic of Moldova," framing the arrangement as a deliberate exercise in Black Sea regional cooperation. Janes, citing CCDCOE, reported that the joint team trained against attacks on 5G communications networks, satellite management systems, power grids, electronic voting infrastructure, air-defence and battle-management systems — the same target surface that Russian and Russia-aligned operators have struck inside Ukraine since 2022.
A Battlefield-Tested Partner Inside NATO's Range
Ukraine's formal place in CCDCOE is not new. Tallinn raised the Ukrainian flag outside the Centre's headquarters in 2023, formally welcoming Kyiv as a Contributing Participant alongside Iceland, Ireland and Japan. What Locked Shields 2026 demonstrates is the operational consequence of that membership: Ukrainian defenders who have spent the last four years repelling live wiper, ransomware and APT campaigns now sit on the same Blue Team as Romanian and Moldovan counterparts whose grids and election systems sit one or two hops from the same adversary.
The State Service of Special Communications and Information Protection (SSSCIP) has documented why that experience is valuable. SSSCIP's H2-2024 incident report found roughly a 48 percent rise in registered cyber incidents over H1-2024, with attacks on defence-sector targets more than doubling from 111 (H2-2023) to 276 (H1-2024). Few NATO members can match that volume of in-contact learning. Embedding those operators in a 16-team multinational exercise pushes lessons that are normally locked inside Kyiv's SOCs into the muscle memory of allied teams.
What the Exercise Actually Trained Against
CCDCOE Director Mart Noorma told reporters that this year's scenarios deliberately leaned into AI-driven attacks and disinformation injects. The exercise included APT-grade intrusions, defacements and influence operations layered on top of conventional network defence — a fair reflection of how Russian and Belarusian operators have actually behaved against Ukrainian targets. Defending an e-voting environment matters less because anyone will deploy one tomorrow and more because the architecture (identity, transport, ballot integrity, audit log) mirrors banking, registry and benefits systems that real states do run.
Top honours went to a Latvia-Singapore coalition, with a Germany-Austria-Luxembourg-Switzerland team second and a France-Sweden pairing third. The Ukraine-Romania-Moldova team did not place on the podium; what matters for policy is participation in the doctrine pipeline, not the scoreboard.
The Steelman for Mandates — and Why Operational Cooperation Beats Them
There is a serious case for the EU and member-state approach of tightening rules around critical-infrastructure cybersecurity. The NIS2 Directive's expanded sectoral scope, the Cyber Resilience Act's product-security baseline and Ukraine's own draft Cyber Forces statute share a common assumption: voluntary maturity is uneven, attackers move faster than markets, and a regulatory floor — incident reporting, supply-chain due diligence, certified components — is the only way to lift the laggards. The empirical case is not weak. When unpatched VPNs and exposed RDP keep showing up as initial-access vectors, "let the market sort it" is a hard position to defend.
But Locked Shields 2026 is a useful reminder that paper compliance is not the same as capability. The defenders who actually moved Ukraine's grid back online in December 2023, or who blunted last year's wave of GRU-linked intrusions on telecoms, did not do it because a directive told them to file a report within 72 hours. They did it because they had drilled against real adversaries with allies. A proportionate policy posture would prioritise the cheaper, lighter-touch interventions that produce that kind of operator: funded exchange programmes, classified intel sharing with civilian CERTs, certified ranges accessible to private-sector defenders, and joint-team slots like the one Romania extended to Ukraine and Moldova this month.
The risk of over-correcting toward mandates is twofold. First, scarce defender attention gets diverted from threat-hunting to paperwork — a tax that falls hardest on small operators and SMEs. Second, "cyber resilience" too often becomes a flag of convenience for content controls, mandatory backdoors or data-localisation rules that have nothing to do with hardening a substation. Ukraine has so far resisted that drift; its draft Cyber Forces bill, which the Verkhovna Rada backed in first reading on 9 October 2025, is narrowly framed around military cyber operations and NATO interoperability rather than peacetime surveillance authority.
What to Watch
The second reading of Ukraine's Cyber Forces law, the next SSSCIP semi-annual report, and CCDCOE's published lessons-learned from Locked Shields 2026 will together signal whether allied cyber policy is genuinely consolidating around operator-led resilience — or sliding back into the comfort of mandates that look decisive on paper but do not, by themselves, defend a grid.