Both authors write this contribution in a personal capacity. The views expressed herein are their own and do not necessarily reflect the views of their organizations.

Introduction

The Netherlands is preparing to host the NATO Summit taking place on the 24th and 25th of June in The Hague.¹ Like the final ascent of a mountain, the path to the upcoming NATO Summit is steep, with multiple geopolitical disruptions, from Russia’s war against Ukraine, to asymmetric attacks on Allies, to the United States’s shifting geopolitical focus from Europe. Yet the 2025 Summit provides an opportunity to bolster the Netherlands’ position as a dependable ally. With NATO and member states recognizing cyber as a warfighting domain, discussions are increasing about what this means for civil-military cyber collaboration, with a specific focus on improving the ways in which defence forces work with civilian partners to protect critical civilian infrastructure.

The cyber domain is almost completely civilian run. In the Netherlands, the National Cyber Security Centre (NCSC-NL) leads civilian efforts, protecting and safeguarding Dutch networks and information systems. Its mandate includes functioning as a Computer Security Incident Response Team (CSIRT), advising service providers and central government organizations, assisting them, and conducting analyses and technical research.² Within the realm of cybersecurity, the military also has an important but more limited role. In the Netherlands, it conducts cyber operations under its own mandate, guided by constitutional tasks, the Security Service Act, and international law, including the Law of Armed Conflict (LOAC). The authors, operating in both the military and civilian domains, acknowledge the need for civilian and military cooperation but observe a gap in knowledge, mandates, and experience on both sides, undermining effective cyber threat deterrence.

The NATO Summit is an opportunity to improve civil-military trust and collaboration. This article highlights ongoing challenges taking place in the Netherlands and among NATO partners, the current gaps in mandates, and the cultural and conceptual differences between military and government entities. It then highlights steps that can be taken to accelerate technological developments and to enhance cooperation between defence and other instruments of power. Finally, the authors invite readers to regard this contribution as a starting point for further hands-on discussion, and most of all, join the conversation.

Transformation of Cyber as a Warfighting Domain

Cyber has long been considered purely an Information Technology (IT) matter, even in military contexts, where it was primarily considered a supporting tool for traditional domains. However, geopolitical unrest and rapid technological progress have driven NATO’s transformation, as reflected in the concept of Multi-Domain Operations (MDO), where cyber and space are now both recognized as warfighting domains. Across the Alliance, discussions increasingly focus on the question, “What does deterrence mean in the cyber domain?” This question reflects a paradigm shift in which cyber is framed through the traditional lens of war planning and offers both advantage and vulnerability via kinetic and non-kinetic options.

Additionally, the cyber domain’s expansion raises new questions about less visible adversaries and achieving military advantage in this space. These questions present challenges related not only to mandates and legal implications, but also to practical concerns like stakeholder cooperation and teamwork among skilled personnel. Moreover, civilian professionals are often unwilling to be sidelined by military decision makers, who, while skilled in strategy, may lack operational expertise and risk overlooking valuable civilian lessons.

Just as civil-military cooperation is codified with humanitarian organizations in conflict zones, a similar approach is needed with cyber. This requires moving beyond generalities of cyber warfare, which is too broad for meaningful cooperation, as it fails to grasp the complexity of the cybersecurity landscape or the diversity of threats posed by a wide range of actors and capabilities. Instead, a deeper conversation must lead to specific mandates and lines of authority between civil and military organizations, followed by deliberate training and exercises cementing procedures, roles, and crisis responses.

Challenges of Mandates and Authorities: Who is in the lead?

Discussions within the armed forces regarding NATO’s mandate often centre on Article 5 of the Washington Treaty, which mandates a collective response to an armed attack. The narrative is that once this mandate is activated, NATO has a full range of military options at its disposal, relying on a deterrence doctrine built around its strong defence.

However, often overlooked is Article 5’s grounding in international law, particularly Article 51 of the UN Charter, which recognizes the right of a state to self-defence. Little attention is given to NATO’s obligation to report Article 5 actions to the UN Security Council, which has the authority to order a cessation of those actions.³ Consequently, Article 5 is often cited incompletely, leading to the misconception that it alone provides a conduit for the use of force.⁴

A further nuance exists with the concept of an “armed attack” in modern hybrid warfare involving cyber threats. A cyber attack clearly classified as an armed attack would simplify the military defence mandate, including the use of force in the cyber domain. However, this authority still necessitates civilian cooperation, as private and public organizations largely control cyber infrastructure. Thus, purely military operations in cyberspace are non-existent, and questions remain regarding which responsibilities remain in civilian hands, and which actions fall within the military authority. While defence forces, in the authors’ experience, often assume they should take the lead, practical challenges arise. In traditional armed conflict, a legal framework to conduct operations makes the use of force more straightforward. However, the authors are concerned that waiting for a similar cyberspace mandate is unviable, as purely academic discussions and outdated policies are unaffordable luxuries in real-world conflicts, as the war in Ukraine illustrates.

It is therefore unwise to wait until a crisis to think about effective cyberspace deterrence. Today, state actors increasingly use hybrid attacks in peacetime, such as cyber and information warfare. Russia’s cyberattacks against Ukraine challenge traditional armed attack notions, yet these operations can cripple nations without physical violence.

It is precisely in this peacetime grey zone where a clear framework is lacking, and without it, cooperation between Defence forces and other instruments of power is lacking.

Military in a Domain Run by Civilians

Unlike physical military operations, cyber operations face multiple constraints. Beyond its own network, the military enters an environment where nearly all infrastructure—networks, IT systems, and cloud services—is publicly owned. Freedom of movement often requires permissions, and civilian owners will prioritize business continuity, privacy laws, and regulatory requirements over military objectives.

NATO is often perceived as a defensive force, with deterrence and defence as core tasks. In conventional warfare, a show of force is an effective means of discouraging adversaries. However, in the cyber domain, this concept is problematic. First, protecting virtual assets is less visual compared to a physical military presence. Second, cyber forces are reluctant to reveal capabilities, as knowledge of exploitable vulnerabilities provides a significant advantage in both offensive and defensive operations. Lastly, NATO has condemned malicious cyber activities aimed at undermining democratic institutions, national security, and society.⁵ The Alliance promotes a free, open, peaceful, and secure cyberspace. Demonstrating destructive cyber capabilities may challenge the moral high ground.

In the cyber warfighting domain, military-led operations require clear rules of engagement to minimize collateral damage. However, limited intelligence and unknown interdependencies may lead to unintended consequences for civilian infrastructure. Effective situational awareness is vital, and civilian collaboration, while challenging, is essential. Additionally, military command structures are hierarchical, whereas civilian organizations span a wide spectrum of public and private stakeholders, some of whom may be unwilling to cooperate. Cyber assets, such as domain names, host IP-addresses, and digital content, may come from diverse sources, some of which are outside of the area of responsibility, reinforcing the need for an integrated cyber defence approach.

Opportunities for Cooperation: Cyber Crisis Management

ISO 22361 defines a crisis as an “abnormal or extraordinary event or situation threatening an organization or community, requiring a strategic, adaptive, and timely response.”^6,7 Traditional crises, such as natural disasters or terrorism, are physical and visible, with clear public perception and hierarchical leadership responses.

Cyber crises differ significantly. In 2024, the European Union Agency for Cyber Security (ENISA) published a guide for managing cyber crises with a set of national best practices.⁸ In the guide, they recognized the varied EU interpretations of cyber crises and recognized that a cyber incident can expand into a cyber crisis within milliseconds. Attribution is difficult, attack origins are remote, and interconnected systems can amplify attacks.

To manage cyberattacks, many countries emphasize information exchange on vulnerabilities and threats. Effective exchange aids early detection, mitigation, or prevention of cyber incidents, increasing resilience and situational awareness. The effectiveness of this exchange depends on the specific needs of each organization. Coordinated responses among diverse entities, including law enforcement, national cybersecurity centres, intelligence agencies, and military units are essential. Military organizations, trained for crises, can contribute to MDO while benefiting from civilian collaboration.

Learning and Training Together

Joint exercises enhance mutual understanding between civilian and military organizations. They help train personnel, refine procedures, improve decision making, and foster information sharing. Exercises in simulated environments, from table-top drills to wargaming and capture-the-flag events, sharpen individual technical skills and boost civil-military understanding.

Similarly, national-level exercises validate cyber crisis response. Many countries conduct such exercises, akin to drills for first responders, and notable examples include NATO’s “Locked Shields” and “Cyber Coalition” from the NATO Collective Cyber Defence Centre of Excellence (CCDCOE), CyberEurope (ENISA), and ISIDOOR (NLD). ISIDOOR, named of the patron saint of the internet (St. Isidore) is a biannual exercise conducted by the government of the Netherlands last held in 2023. In this fourth edition, over 120 organizations managed a fictitious vulnerability, and the exercise demonstrated the benefits of regular exercises.

Looking ahead: The NATO Summit

The June 2025 NATO Summit in The Hague is an important forum to emphasize the importance of cyber preparedness, interoperability, and teamwork. On both the legislative and policy levels, states will benefit from a shared vocabulary in NATO and EU documents when shaping their cyber strategies. Within the EU, Member states must comply with obligations set out in EU directives and acts. These requirements should align with those established in NATO agreements, and vice versa.

While NATO focuses on collective defence while the EU prioritizes economic cooperation, cyber activities must be harmonized to avoid confusion, particularly during a cyber crisis.

For instance, the Network and Information Security Directive 2 (NIS2) excludes defence and security actors from its scope, arguing that these matters fall under national jurisdiction. However, as Ministries of Defence often manage these systems, the authors advocate including them in national and allied defence missions, increasing threat information sharing, and embracing cyber incident reporting duties.⁹ The EU should assist Member States in implementing these regulations while ensuring NATO alignment. NATO documents, in turn, should reflect this perspective, helping Alliance members’ defence sectors to establish a common understanding of incident-sharing responsibilities.

Implementing such an approach presents challenges, including NATO-imposed restrictions and varying national data-sharing interpretations. Therefore, Member State collaboration should not be limited to crisis response but should also include regular policy peer reviews. Proactive policy comparison and bold data-sharing decisions would enhance collective cyber resilience.

Conclusion

Because civilian actors predominantly operate the cyber domain, civil-military cooperation is essential. Today’s cyber threats remain deliberately below the threshold of armed conflict, requiring new approaches within existing legal frameworks. This challenges international law, as civilian actors—who are supposed to be protected in conflicts—are also the foremost experts in the cyber domain. Similar to how humanitarian organizations establish situational awareness and expertise in conflict zones before military forces arrive, a comparable rapport must be developed within the cyber community.

Continuous cyber threat response improvement requires collaboration between civilian and military entities. The authors emphasize the importance of joint learning efforts. Defence agencies, governments, and industry leaders must adopt a bold approach to information sharing and cooperation to strengthen cyber resilience and effectively combat cyber crises. Because cyber responsibilities span both civil and military sectors, new challenges will emerge. These issues should be addressed rather than avoided. The authors welcome ongoing initiatives and recognize that progress will involve difficulties, mistakes, and public debate, all of which are essential to refining cyber defence strategies.

The authors encourage leadership from all sectors to participate in cyber exercises, contributing their perspectives and expertise. While the cyber domain is complex on both technical and practical levels, exercises provide a controlled environment in which to assess solutions.

For the Netherlands, the NATO Summit in The Hague offers a critical moment to demonstrate leadership in cyber crisis response. Highlighting both the urgency and the potential of civil-military collaboration and reaffirming its role as a key partner in crisis response within the Alliance. Before moving on to the next challenge, the authors propose using the NATO Summit as a catalyst to advance lasting civil-military cooperation in the cyber domain.

Den Haag, [website], 2005, ‘The City of Peace and Justice’, https://denhaag.com/en/tips-for-you/the-city-of-peace-and-justice (accessed 15 May 2025).

European Union, Network and Information Systems Security Act, Article 3.

European Union Agency for Fundamental Rights, Official Journal of the European Union C 303/17, 2007, https://fra.europa.eu/en/eu-charter/article/51-field-application (accessed 15 May 2025).

North Atlantic Treaty Organization, ‘Collective Defence and Article 5’, 2023, https://www.nato.int/cps/en/natohq/topics_110496.htm (accessed 15 May 2025).

North Atlantic Treaty Organization, ‘Statement by the North Atlantic Council concerning malicious cyber activities against Germany and Czechia’, 2024, https://www.nato.int/cps/en/natohq/official_texts_225229.htm#:~:text=We%20strongly%20condemn%20malicious%20cyber,is%20contested%20at%20all%20times. (accessed 15 May 2025).

International Standards Organization, ‘ISO 22361:2022’, [website], 2022, https://www.iso.org/standard/50267.html (accessed 15 May 2025).

Ibid, section 3.2

European Union Agency for Cybersecurity, ‘Best Practices for Cyber Crisis Management’, [website], 2024, https://www.enisa.europa.eu/publications/best-practices-for-cyber-crisis-management (accessed 15 May 2025).

European Commission, ‘NIS2 Directive: new rules on cybersecurity of network and information systems’, [website], 2025, https://digital-strategy.ec.europa.eu/en/policies/nis2-directive (accessed 15 May 2025).