5 min read

The Tallinn Manual: A Look at the International Law Governing Cyber Operations

The Tallinn Manual: A Look at the International Law Governing Cyber Operations

Few single events did more to expose the legal vacuum around state-sponsored hacking than the wave of cyberattacks that hit Estonia in the spring of 2007. What followed from that episode has become one of the most influential — and most contested — projects in the field of international cyber law: the Tallinn Manual.

Origins: The 2007 Estonia Attacks

In April 2007, a diplomatic dispute between Estonia and Russia over the relocation of a Soviet-era war memorial, the Bronze Soldier of Tallinn, spiraled into a sustained campaign of distributed denial-of-service (DDoS) attacks against Estonian institutions. Parliament, government ministries, banks, newspapers, and broadcasters all found their websites knocked offline for days. It remains one of the earliest and most widely cited examples of an entire country's digital infrastructure coming under coordinated assault.

Estonia opened a criminal investigation and sought cooperation from Russian authorities under an existing mutual legal assistance treaty, but that request was turned down, with Russian officials arguing the treaty didn't cover the kind of investigative assistance being sought. Suspicion that the attacks were state-sponsored lingered, and no one was ever held internationally accountable. The episode also revealed something more fundamental: there was no clear body of international law addressing what had just happened, or what states were entitled to do about it.

In response, NATO stood up the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn and began building out formal cyber defense policy. Out of that effort came the Tallinn Manual project.

From Tallinn 1.0 to Tallinn 2.0

The first Tallinn Manual, published in 2013, was narrow by design — it addressed the law applicable to cyber operations that rise to the level of armed conflict, drawing on the law of armed conflict and jus ad bellum. It was assembled by an International Group of Experts working under the direction of Michael N. Schmitt, then of the U.S. Naval War College, and drew criticism for leaning heavily on Western, NATO-aligned legal scholars.

The 2017 follow-up, Tallinn Manual 2.0, was a deliberate response to that criticism. The pool of contributing experts widened to include scholars from Thailand, Japan, China, and Belarus, and the manual's scope expanded well beyond armed conflict to cover the much larger universe of everyday, below-the-threshold cyber incidents — espionage, sovereignty disputes, human rights questions, and telecommunications law among them. Running to roughly 650 pages, the manual is organized into four parts: general international law as applied to cyberspace, specialized legal regimes, international peace and security, and the law of armed conflict inherited from the original 2013 text. The manual's authors were explicit that it is meant as a scholarly restatement of existing law as they understood it in 2016 — not a policy recommendation, and not binding on any state.

Sovereignty. The manual takes the position that no state holds sovereignty over the internet as a whole, but that states do retain sovereignty over the cyber infrastructure physically located within their territory — the cables, servers, and systems that make up their "national segment" of cyberspace.

Cyber espionage. Given how routinely states conduct digital surveillance and intelligence-gathering, the manual's drafters examined whether remote cyber espionage could ever cross into a violation of international law. They could not reach consensus on where, if anywhere, that line sits — a reflection of how unsettled this area remains.

Attribution and countermeasures. The manual sets out rules for attributing a cyberattack to a state, making clear that the mere fact an attack originated from or was routed through a country's infrastructure isn't sufficient proof of state responsibility. Building on that, it recognizes that a state injured by an internationally wrongful cyber act may respond with proportionate countermeasures of its own.

Use of force. One of the manual's clearer contributions is extending the customary international law prohibition on the threat or use of force into cyberspace — establishing that a cyber operation can be unlawful even if it never rises to the level of an "armed attack" that would trigger a right of self-defense. To help states sort operations that fall short of an obvious armed attack, the manual lays out a set of factors for evaluating severity, including how immediate, direct, and invasive the effects are, whether they can be measured, and whether military or state involvement is evident. Severity does the most work in this analysis: operations causing physical harm to people or property will generally count as a use of force, minor disruptions generally will not, and everything in between requires a more contextual judgment call.

Protections during armed conflict. The manual also extends traditional protections for prisoners of war into the digital realm — for instance, treating the online publication of humiliating images or information about detainees as a violation of existing Geneva Convention protections, and cautioning against intrusions into detainees' communications or financial and medical records.

Cultural property and digitized data. The drafters considered how the digitization of cultural heritage changes the calculus around wartime destruction of physical artifacts, and flagged the emerging risk of using digitized population records — including ethnic or genetic data — to facilitate atrocities, calling such use clearly unlawful.

Toward Tallinn Manual 3.0

The most significant recent development is the ongoing work on a third edition. The CCDCOE launched the Tallinn Manual 3.0 project in 2021 as a multi-year revision effort, again directed by Michael Schmitt alongside co-general editors Liis Vihul and Marko Milanović. The goal is to update the black-letter rules and commentary of the 2017 edition in light of the substantial body of state practice that has accumulated since — many governments have since published their own formal positions on how international law applies to cyberspace, on topics ranging from sovereignty to whether cyber operations can qualify as "attacks" under humanitarian law. The project has drawn on a structured consultation process with governments, sometimes referred to as the Hague Process, alongside a broader crowdsourced call for expert input.

The project has taken longer than originally planned — Schmitt had once hoped for completion by around 2025 — but as of mid-2026, work is understood to be in its final stages, with a published edition anticipated from Cambridge University Press. Expected areas of significant revision include whether sovereignty functions as a binding rule in its own right or merely a guiding principle (a question on which states like the United Kingdom have taken a notably different position than others), how due diligence and non-intervention obligations apply, and how attribution standards should account for proxy actors and advanced persistent threats.

An Unfinished Debate

Even with a third edition in the pipeline, the core criticism of the Tallinn Manual project hasn't disappeared: it remains a product of an invited group of legal experts rather than a negotiated treaty, and many states outside the NATO orbit have felt their perspectives were underrepresented in earlier editions. Broader participation in Tallinn Manual 3.0 partly addresses that concern, but the manual's non-binding, "restatement" character means it will continue to function as an influential reference rather than settled law. States remain free to disagree with its conclusions — and many, especially over questions like sovereignty and the legality of certain surveillance practices, still do.

What the Tallinn Manual has accomplished, across three editions, is turning an area of near-total legal ambiguity into one where there is at least a well-developed framework for the argument — even if the argument itself is far from over.