Are cybersecurity strategies at risk of losing pace with a changing reality?

How the third edition of the NCS Guide strengthens continuity, governance, and implementation.

By Diplo Team

At the end of last year, a global coalition of 37 organisations concluded more than a year of work to deliver the third edition of the Guide to Developing National Strategy (the NCS Guide). Drawing on inputs from governments, industry, academia, and civil society, the updated Guide responds to a clear reality: many national cybersecurity strategies are struggling to keep pace with today’s threat environment, governance demands, and capacity constraints.

The third edition reflects a shift in how cybersecurity strategies need to be designed, governed, and sustained – particularly for countries facing limited resources, institutional fragmentation, and rapidly evolving digital risks. Throughout the update process, DiploFoundation, as one of the contributors, shared expertise grounded in our long-term work with small and developing countries, where the core challenge is often not drafting a strategy, but keeping it relevant, coordinated, and implementable over time. Below, we outline key insights from this multistakeholder process that informed the update.

Why an update was necessary

Over the past decade, many countries have adopted national cybersecurity strategies. Yet experience has shown that having a strategy is not the same as sustaining one.

Several recurring challenges motivated the update. Many countries experience breaks in policy continuity due to election cycles, institutional reshuffling, or the absence of systematic review mechanisms. Cybersecurity responsibilities are often siloed within defence or security institutions, limiting whole-of-government coordination. Governments also face persistent difficulties in translating strategic objectives into practice, with limited alignment between policy goals, budgeting, implementation, and accountability. These challenges are compounded by rapid technological change, including the growing use of AI-enabled cyber capabilities, which increasingly outpaces traditional policy cycles. At the same time, persistent capacity gaps remain, particularly shortages of skilled personnel across technical, legal, and policy domains.

In a domain as dynamic and multifaceted as cybersecurity, outdated strategies create vulnerabilities. Just as unpatched software exposes systems to risk, static policies weaken national preparedness, especially in areas such as critical infrastructure protection, supply chains, and cross-border cooperation.

The third edition of the NCS Guide responds directly to these realities.

What value the third edition brings, and how

For governments that already have cybersecurity policies in place, the NCS Guide can serve as a strategic benchmark rather than a starting point, and as an aid in assessing whether existing strategies remain fit for purpose. It is also valuable as a tool for strengthening implementation and governance. The updated NCS Guide provides a practical, lifecycle-oriented framework that supports governments not only in drafting strategies but in keeping them relevant, implementable, and resilient over time.

  • Continuity of cybersecurity policy

For small and developing governments, a recurring challenge has been the loss of continuity across cybersecurity policy cycles. Election-driven changes, institutional reshuffling, and the absence of systematic review mechanisms frequently result in strategies that are formally adopted but gradually lose operational relevance. Cybersecurity responsibilities are often concentrated in a single ministry or agency, limiting coordination with other authorities whose mandates are directly affected by cyber risks.

This experience informed the third edition’s stronger emphasis on policy continuity as a governance issue, rather than a procedural one. The updated NCS Guide underscores the importance of sustained policy cycles that go beyond one-off planning. To support monitoring, evaluation, and learning loops as part of the strategy lifecycle, countries need to build mechanisms for periodic review and adjustment of national cybersecurity policies. To be supported over time, cybersecurity initiatives need to be integrated with budgeting and resource planning, rather than being subject to stop-start funding.

By framing continuity as a design requirement, the NCS Guide reflects the reality faced by many governments: sustaining cybersecurity policy over time is often a greater challenge than developing it in the first place. Siloed and transient policies that become obsolete quickly can be avoided by putting forward frameworks that incorporate long-term sustainability, meaningful multi-stakeholder engagement, and global collaboration.

  • Anticipatory approach in cybersecurity policy development

Another insight consistently emerging from Diplo’s engagement with policymakers is that national strategies tend to lag behind technological change. Rapid developments in automation, AI, and cyber supply chains have shortened the window between the emergence of new capabilities and their operational impact. In many countries, policy frameworks remain largely reactive, updating only after incidents occur.

For instance, the first reported AI-orchestrated espionage campaign, disrupted by Anthropic in November 2025, indicates that AI agents can identify vulnerabilities, develop exploitation strategies, and execute intrusion campaigns with minimal human oversight. The WEF Global Cybersecurity Outlook 2026 also predicts that AI will play a decisive role in determining the balance between offense and defense in cyberspace.

This observation shaped the third edition’s stronger focus on anticipatory and adaptive policymaking. The NCS Guide encourages governments to embed technological foresight, horizon scanning, and structured review mechanisms within national strategies, rather than treating emerging risks as exceptional or external to policy planning.

Crucially, the NCS Guide reflects the understanding that anticipatory capacity rarely resides solely within government. Effective foresight depends on sustained engagement with industry, academia, civil society, and the technical community — an approach informed by Diplo’s experience facilitating multistakeholder dialogue in (sometimes) low-trust and resource-constrained environments.

  • Insufficient personnel and a lack of capacities

Across regions, Diplo’s capacity-building work shows that human capacity constraints extend well beyond technical skills shortages. Many governments lack professionals who can act as effective ‘translators’ across cybersecurity, law, public policy, diplomacy, and sector-specific regulation, bridging technical expertise and decision-making across institutions. This challenge is widely recognised: the WEF Global Cybersecurity Outlook 2026 similarly highlights that almost all countries face persistent shortages of professionals across career stages who can operate at the intersection of cybersecurity and broader policy domains.

The NCS Guide therefore encourages governments to promote multidisciplinary education and career mobility to strengthen workforce sustainability. This includes developing joint degree programs, cross-training initiatives, and professional certifications, expanding the talent pool beyond traditional IT backgrounds. This approach also supports more effective governance and decision-making, as cybersecurity policies and operations benefit from professionals who can bridge technical and non-technical perspectives. In reality, such career pathways need to rely on close collaboration with non-state stakeholders to attract and retain talent, especially with the private sector and civil society.

In addition to professional training, the NCS Guide highlights the need to expand cybersecurity education through formal curricula at schools, universities, and technical institutes. It recommends integrating cybersecurity topics into primary and secondary education, embedding them in IT and computer science programs at higher education institutions, and developing dedicated degrees and apprenticeships. This multidisciplinary approach not only increases the overall pool of prospective cybersecurity professionals but also fosters greater understanding of and trust in cybersecurity policy.

Conclusion

Taken together, these elements reflect a clear shift in the third edition of the NCS Guide: national cybersecurity strategies must be treated as living frameworks, not static policy documents. In an environment shaped by rapid technological change, cross-sector dependencies, and persistent capacity constraints, effectiveness depends on continuity, anticipatory governance, and sustained investment in people.

The updated Guide does not prescribe a single model or uniform set of solutions. Instead, it offers a structured reference that helps governments regularly assess whether their strategies remain aligned with evolving risks and institutional realities, and where recalibration is needed. For countries with existing strategies in place, it serves as a reference for recalibration.

The key question, therefore, is not whether a national cybersecurity strategy exists, but whether it can endure, adapt, and be implemented in practice. The third edition of the NCS Guide provides a foundation for that ongoing process, grounded in diverse national experiences and sustained multistakeholder engagement.