The Tallinn Manual 3.0 is the third edition of a non-binding scholarly study, led by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, that articulates how existing international law governs state behavior in cyberspace. It is being prepared by an international group of legal experts under the direction of Professor Michael N. Schmitt, with input from states through "The Hague Process," a series of consultations that allow government legal advisers to comment on draft rules.
The project follows two earlier editions. The original Tallinn Manual (2013) focused narrowly on cyber operations rising to the level of armed conflict, addressing jus ad bellum and the law of armed conflict. The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2017) expanded the scope dramatically, covering peacetime issues such as sovereignty, due diligence, non-intervention, human rights, diplomatic and consular law, and state responsibility.
Tallinn Manual 3.0 is intended to update and expand 2.0 to reflect roughly a decade of additional state practice, opinio juris statements, and incidents. Drivers for the revision include published national positions on international law in cyberspace by states such as the United States, United Kingdom, France, Germany, the Netherlands, Australia, Japan, Brazil, and others; debates at the UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG); and major incidents such as NotPetya, SolarWinds, and ransomware campaigns against critical infrastructure.
Key contested issues the new edition is expected to address more deeply include whether sovereignty is a standalone primary rule or only a principle, the threshold for prohibited intervention, the application of due diligence, attribution standards, and the regulation of cyber operations below the use-of-force threshold. Like its predecessors, Tallinn Manual 3.0 will not be a treaty and will not bind states, but it is widely cited by governments, courts, and scholars as an influential reference.
Example
In 2021, the NATO CCDCOE announced that work on Tallinn Manual 3.0 had begun, with a planned multi-year drafting cycle involving international legal experts and state consultations through The Hague Process.
Frequently asked questions
No. It is a non-binding academic restatement of how independent experts believe existing international law applies to cyber operations. It does not represent the official position of NATO, the CCDCOE, or any sponsoring state.
Keep learning