The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is an influential expert study published in 2017 by Cambridge University Press, prepared under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. It was produced by an International Group of Experts led by Professor Michael N. Schmitt, with input from legal scholars, practitioners, and peer reviewers from numerous states and international organizations.
The Manual is not a treaty and has no binding legal force. It is a restatement-style work that articulates how the experts believe existing international law — including the UN Charter, customary international law, the law of state responsibility, international humanitarian law, human rights law, and the law of the sea, air, and space — applies to cyber activities by and against states.
Tallinn 2.0 expanded significantly on the original Tallinn Manual (2013), which had focused narrowly on cyber warfare and jus ad bellum/jus in bello questions. The 2017 edition added detailed coverage of peacetime cyber operations, addressing topics such as sovereignty, non-intervention, due diligence, diplomatic and consular law, and countermeasures. It contains 154 numbered "black-letter" rules accompanied by extensive commentary.
Key contributions include:
- Articulating thresholds at which a cyber operation may constitute a use of force (Article 2(4) UN Charter) or an armed attack (Article 51) triggering self-defense.
- Discussing attribution standards and state responsibility for cyber acts by non-state actors.
- Treating cyber infrastructure within a state's territory as subject to that state's sovereignty.
Governments — including the United States, United Kingdom, France, the Netherlands, and Australia — have issued their own statements on international law in cyberspace that sometimes endorse, refine, or diverge from the Manual's positions. It remains the most-cited reference work in the field.
Example
In 2021, France's Ministry of the Armies cited reasoning consistent with the Tallinn Manual 2.0 when articulating its position that a cyber operation breaching French sovereignty could constitute an internationally wrongful act.
Frequently asked questions
No. It is a non-binding academic restatement by an International Group of Experts; it has persuasive value but does not itself create legal obligations.
Keep learning