Tallinn Manual

Updated May 20, 2026

The leading non-binding expert analysis of how existing international law applies to cyber operations, developed by NATO's CCDCOE in Tallinn.

What It Is

The Tallinn Manual is the leading non-binding expert analysis of how existing international law applies to cyber operations, developed by NATO's CCDCOE in Tallinn, Estonia. The Manual is a series of expert-led restatements applying international law to cyber operations, providing the most influential systematic attempt to clarify how existing rules of international law govern the cyber domain.

The Three Editions

Tallinn Manual 1.0 (2013) focused on cyber operations in jus in bello (the law of conflict conduct) and jus ad bellum (the law of resort to force). The first edition addressed questions like:

  • When does a cyber operation constitute an 'armed attack' triggering self-defense rights under UN Charter Article 51?
  • How do international humanitarian law principles (distinction, proportionality, military necessity) apply to cyber operations during armed conflict?
  • What objects and infrastructure can lawfully be targeted in cyber operations?

Tallinn Manual 2.0 (2017) expanded to peacetime cyber operations and international law more broadly. The second edition addressed:

  • and in cyberspace.
  • Due diligence obligations regarding cyber operations from a state's territory.
  • for cyber operations.
  • Diplomatic law in cyberspace.
  • The law of the sea and air law in cyber contexts.
  • Privacy and human rights in cyber operations.

Tallinn Manual 3.0 is in development at CCDCOE, expected to address recent operational and doctrinal developments including the cyber dimensions of the Ukraine war, AI-enhanced cyber operations, and the growing role of private-sector cyber capabilities.

How the Manual Was Created

The drafting was led by Michael Schmitt with an International Group of Experts including legal scholars and practitioners from many nations. The process took years for each edition:

  • Initial scoping and recruitment of experts.
  • Multiple drafting sessions over 2–3 years.
  • Consultation with state representatives and observers.
  • Final review and consensus-building.
  • Publication with extensive commentary.

The Manual is not a treaty or formal NATO doctrine — it represents the expert group's collective view of how existing law applies. Importantly, the rules are presented with commentary explaining the analysis and noting areas of disagreement among experts.

Why the Manual Matters

The Manual matters for several reasons:

  • Filling a doctrinal vacuum: international law for cyber operations had been developing in piecemeal fashion. The Manual provided the most comprehensive treatment of the field.
  • Influencing : while not binding, the Manual has influenced state legal positions on cyber. Many states' published cyber legal positions reference Tallinn Manual analysis.
  • Shaping international processes: UN Open-Ended Working Groups on cyber, the GGE process, and other diplomatic cyber processes have been informed by Tallinn analysis.
  • Academic and policy basis: legal scholarship, military operational law, and policy analysis all use the Manual as a reference.
  • Litigation and analysis: lawyers analyzing specific cyber incidents (including the SolarWinds, , and various other attributions) routinely cite Manual analysis.

Specific Issues the Manual Addresses

The Manuals address dozens of specific issues, including:

  • Sovereignty in cyberspace: whether a state's sovereignty can be violated by another state's cyber operation, and what kinds of operations cross the line.
  • Non-intervention: whether cyber operations targeting a state's political system, economy, or society constitute prohibited intervention.
  • Due diligence: whether and to what extent a state is responsible for cyber operations conducted from its territory by non-state actors.
  • Countermeasures: when a state may take responsive cyber action against another state.
  • Cyber operations as armed attack: what level of cyber harm triggers Article 51 self-defense.
  • Targeting in armed conflict: how IHL principles apply to selecting cyber targets.
  • Civilian objects in cyberspace: protection of civilian critical infrastructure.
  • Civilian participants in cyber operations: combatant status of hackers participating in conflicts.

Critiques and Limitations

The Manual has faced critiques:

  • NATO origin: the Manual was produced under NATO auspices, leading some critics (especially Russia and China) to dismiss it as biased toward Western legal interpretations.
  • State views diverge: as states have published their own legal positions on cyber, some divergence from Tallinn analysis has emerged.
  • Pace of change: cyber operations have evolved rapidly; the Manuals can lag the latest developments.
  • Limited state acceptance: the Manual is influential but not formally endorsed by any state; its analysis remains expert opinion.

Common Misconceptions

The Tallinn Manual is sometimes treated as binding international law. It is not — it is expert analysis of how existing international law applies to cyber. Binding rules come from treaties, customary international law, and other authoritative sources.

Another misconception is that the Manual is purely a NATO product. While CCDCOE is a NATO-accredited center, the International Group of Experts included scholars from many nations, including some non-NATO countries. The Manual reflects a broader expert community than the NATO-only label suggests.

Real-World Examples

The 2017 NotPetya attribution by US and UK governments to Russian military intelligence implicitly relied on Tallinn-Manual-influenced analysis of state responsibility and attribution. The 2018 Five Eyes attribution of WannaCry to North Korea followed similar analytical patterns. The UK government's 2018 published cyber legal position referenced and engaged with Tallinn Manual analysis. The ongoing development of Tallinn Manual 3.0 has been informed by the cyber dimensions of the Ukraine war and is expected to address questions raised by that conflict.

Example

Rule 71 of Tallinn Manual 2.0 states that a state is internationally responsible for cyber operations 'attributable to it' under customary international law — providing the legal basis for the 2024 Five Eyes attributions to China's Volt Typhoon group.

Frequently asked questions

No — it is a non-binding expert restatement, not a treaty or formal doctrine. But it is widely cited and influential.