Two years of the Tallinn Mechanism: Continuous cooperation counters cyber threats

Ukraine faces dozens, if not hundreds, of cyberattacks every day. According to the State Cyber Incident Response Team of Ukraine (CERT-UA), more than 5,600 cyber incidents have been identified this year as of early December. This annual figure has more than doubled since 2023, when there were 2,541 incidents. The actual figures are likely even higher. 

A secure cyberspace is one of Ukraine's priorities, as it is necessary to keep the government and other public services functioning. Over the past 2 years, Estonia and 12 other partner countries have used the Tallinn Mechanism to strengthen Ukraine's civilian cyber defence capabilities. In 2025, partner countries have mobilised €60.9 million to strengthen Ukraine's civilian cyber capabilities. 

As a country, Estonia has contributed at least €500,000 each year to the Tallinn Mechanism's budget and plans to continue doing so. Estonia has also organised cyber exercises for Ukrainian cybersecurity specialists. 

With ESTDEV’s support, five cyber exercises have been conducted in Ukraine since December 2024, training more than 570 Ukrainian cyber experts. Participants in these exercises come primarily from government institutions, as well as from universities and other public-sector organisations. The last exercise of the year took place in early December 2025 in Kyiv. 

Cyber exercises are the foundation for robust cybersecurity measures 

ESTDEV has developed a broad network of partners, with whom it has successfully implemented digitalisation and cybersecurity projects in Ukraine, including cyber exercises. 

According to Nataliia Tkachuk, the head of the Cybersecurity and Information Security Service of Ukraine's National Security and Defense Council, cyber exercises are precisely the kind of practical measure needed by Ukraine, especially during what is currently one of the country’s most challenging years. 

One of the most critical aspects of the exercises, in addition to developing technical skills, is practicing cooperation. "It is important to understand that participants in these exercises are not only learning the technical side, but also cooperation and communication, both within their own teams and between teams. In responding to cyber threats, good teamwork and mutual understanding are essential," said Andres Ääremaa, ESTDEV’s programme manager for e-Governance and Cybersecurity. 

Although a cyber exercise is generally a two-day drill after which participants return to their everyday work, the skills gained and refined during the exercises do not remain confined to the exercise environment. Both technical and broader skills stay with the participants, and their impact is lasting. 

Cyber exercises will continue in 2026, as six exercises have already been planned in cooperation between ESTDEV, the Estonian e-Governance Academy (eGA), the Estonian cyber company CybExer Technologies, and Ukraine's National Cybersecurity Coordination Center. By the end of this series, nearly 500 additional cybersecurity specialists will have had the opportunity to enhance their skills. 

According to Ääremaa, a cyber exercise is not a static product; rather, its content changes and evolves continuously in line with current attack vectors and the threat landscape. 

"Next year, we will definitely try to involve different sectors in the exercises and are also considering sector-specific exercises, where we would focus on one particular sector, such as energy. We also hope, in addition to Ukrainian teams, to involve international teams, which would further develop cooperation and the exchange of expertise," Ääremaa said. 

Estonia’s clear role as a coordinator of international cyber cooperation 

In the international cyber domain, Estonia is a visible and well-known actor. "We have long been an advocate in this field, and we are seen as a country whose competence can be trusted," said Toomas Tirs, ESTDEV's representative in Ukraine. 

One of the most visible signs of trust is that others want to join and fund Estonia's projects. For example, this summer ESTDEV and the Swedish International Development Cooperation Agency (Sida) signed a €12.2 million agreement to implement activities under the Tallinn Mechanism. 

According to Tirs, the Tallinn Mechanism is a good example of how effective donor coordination should work. The countries that have joined share a common desire to do something more for Ukraine. "It is a transparent and very concrete way to help Ukraine in a field that is extremely important to the country. Donors can also be confident in the relevance of the projects and avoid duplication, as the projects included have already been selected and prepared by the Ukrainian side," said Tirs. 

This relatively fast and efficient form of cooperation creates substantive value and provides both sides with experience. "The experience and knowledge Ukrainians are gaining from what they are currently seeing in their cyberspace are something that benefits all partners. Within the framework of the Tallinn Mechanism, partnerships are being laid now that will remain in place for a very long time," Tirs said. 

This year marked the opening of the Tallinn Mechanism Project Office (TMPO) in Kyiv, thanks to support from ESTDEV and EU CyberNet. Its main task is to serve as a bridge between international donors, implementing partners, Ukrainian counterparts and beneficiaries, and the private sector. It aims to strengthen cooperation between partners and ensure stable, long-term support for Ukraine's digital security. While the TMPO's activities have so far been funded by ESTDEV, the United Kingdom and Italy will take over financing the project office in 2026. 

"The world sees that our experience in countering cyberattacks is unique and highly valuable. The Tallinn Mechanism allows us to receive support while also contributing our knowledge and best practices to strengthen our collective security. I believe that Ukraine will begin to play a key role in shaping a new 'digital coalition' in Europe, together with trusted partners, to protect our shared democratic cyberspace," said Olesya Danylchenko, the head of the Tallinn Mechanism Project Office. 

The Tallinn Mechanism was established in 2023 in Tallinn to coordinate international support for strengthening Ukraine's cybersecurity and cyber resilience. In addition to Ukraine, the Tallinn Mechanism's members include Estonia, Finland, Norway, the Netherlands, Canada, Italy, Poland, France, Sweden, Germany, Denmark, the United States, and the United Kingdom. Mechanism observers are NATO, the European Union and the World Bank.