This year’s NATO summit attracted notice for two reasons: allies pledged to boost defence spending to 5% of GDP by 2035 and issued an unprecedently brief summit declaration – just 427 words, a far cry from the 10,000-word tomes of previous years.
For members of the cyber community, the Hague Summit Declaration was also noticeable for something else: this year was the first since 2006 when the word ‘cyber’ was not included in the public statement.
The absence of evidence is not evidence of absence
This omission, however, does not mean the cyber agenda has become less important to the alliance. On the contrary, cyber efforts are well-rooted and integral parts of the NATO ecosystem, with multiple projects currently being implemented.
The North Atlantic Council has recently made a flurry of cyber-related statements. In May, the council condemned a ‘malicious cyber campaign’ against the Czech Republic, mentioning that this ally had ‘attributed the responsibility to the People’s Republic of China, specifically APT31’. This language toward China was unprecedented.
NATO does not define China as a threat in the same way it describes Russia, but the language used in the May statement is just as strong as earlier condemnations of Russian activity. Such statements require consensus and show where NATO allies have found common ground in cyberspace. This demonstrates that the perception of China in cyber defence has shifted significantly, a change that can be traced back to the publication of the NATO 2022 Strategic Concept.
A North Atlantic Council statement on malicious Russian activities published in July is also novel: It is the first council condemnation of continuous cyber activities, not merely an expression of solidarity in response a concrete cyber attribution made by a NATO ally. Additionally, this is the first council cyber statement to mention the European Union. The EU issued its own statement on this matter, on the same day and mentioning NATO in return; it is obvious that both organisations are searching for common ground when it comes to the cyber threat landscape.
Of course, NATO’s cyber involvement goes deeper than simply releasing statements. At the 2023 Vilnius Summit, it launched the Virtual Cyber Incident Support Capability (VCISC), a mechanism for mutual assistance in the event of serious cyber incidents. The VCISC links allies requesting support with counterparts offering mostly technical support. In April, the Czech Republic organised an exercise to practice readiness and provision of mutual support between allies in case of serious cyber incidents through the VCISC mechanism.
The NATO Integrated Cyber Defence Centre, a key initiative to enhance the network protection, increase situational awareness, and implement cyberspace as an operational domain, was approved in 2024. Implementation is ongoing – establishing a new platform in this complex international environment, merging civilian and military personnel from multiple bodies and locations, is no easy task. Once implemented, this major project will provide a much-needed boost to civil-military cooperation.
Finally, defence ties between NATO and its four Indo-Pacific partners (Australia, Japan, South Korea and the New Zealand, known as IP4) have been strengthening for years; the alliance has just recently expanded its defence industry collaboration with IP4. These increasing partnerships are apparent in cyber defence as well, with South Korea hosting this year’s Cyber Champions Summit, an annual event that brings together cyber officials from NATO and IP4 partners to discuss common agendas and threats. In the face of ongoing malicious Chinese cyber activities targeting allies (see cases in Belgium, the Netherlands, the United Kingdom, the United States, the Czech Republic, and Canada), one could actually expect deeper and wider engagement.
It is clear that although the Hague declaration omitted the alliance’s cyber defence agenda, public cyber collaboration has continued and grown since previous summits – and that’s just based on what is public. There are likely other classified and secret projects in the works.
Defence spending remastered
While the Hague summit did not have a direct cyber agenda, the defence spending agreement could have major implications for cyber. NATO allies agreed to allocate at least 3.5% of GDP annually to ‘core defence requirements’ and 1.5% of GDP annually to indirect defence requirements, including protection of critical infrastructure, network defence, civil preparedness and resilience, innovation, and strengthening the defence industrial base. This increase, up from the previous 2% pledge, provides new possibilities for allies to rethink and expand their cybersecurity investments, especially by tapping into the indirect defence funds.
Of course, some cyber spending already falls within the 3.5% core defence category. Military budgets for cyber commands, security of military networks, and conducting military cyber operations should remain unchanged or increase.
National cybersecurity authorities can use this moment to re-evaluate their needs, strengthen national cyber postures, and articulate demands for increased financial resources. Amidst ever-growing cyber threats, widening attack surfaces, and increasing geopolitical tensions, dedicating financial support to strengthen the allied cyber posture is an obvious benefit to all involved.
And so, with the Hague summit concluded, it is now time for NATO allies to spend this summer reconsidering their approaches to defence spending under the new 5% target and come up with concrete proposals, hopefully including support for strengthened cybersecurity and cyber defence.
Disclaimer: The views expressed in this article are those of the authors and do not reflect the official policy or position of the National Cyber and Information Security Agency or the Czech Government, respectively.
Related Posts
Hooked! #7: I love a parade (but what does it mean?)
18 September 2025
Another year of Binding Hook!
23 December 2025
NATO must ‘contingency campaign’ in cyberspace
16 December 2025