3rd Edition of the Guide for developing a National Cybersecurity Strategy

ISBN (Electronic Publication) 978-92-61-42091-8

The NCS Guide 2025

Preface

The Guide to Developing a National Cybersecurity Strategy is one of the most comprehensive overviews of what constitutes a successful cybersecurity strategy. It is the result of a unique, collaborative, and equitable multistakeholder effort.

The Contributors came together with an appreciation of the need to strengthen cooperation and coordination across the international community on cyber capacity-building. The objective of this effort is to support national leaders and policymakers in the development of defensive and proactive responses to cybersecurity risks, in the form of a National Cybersecurity Strategy (NCS), and in thinking strategically about cybersecurity, cyber preparedness, response, and resilience, while building confidence and security in the use of digital technologies.

The Guide was developed through an iterative approach that sought to reach agreement through consensus-building. It is based on existing authoritative resources and aims to facilitate their use by national stakeholders. Wherever possible, the relevant sources and tools used in developing each section of this Guide are listed in the Reference section (available on www.ncsguide.org) to encourage their broader use.

Cybersecurity is a foundational element underpinning the achievement of socio-economic objectives of modern economies. The hope is that this third edition of the Guide to Developing a National Cybersecurity Strategy can continue to serve as a useful tool for all stakeholders involved in the development, implementation, and revision of this type of official document, including national leaders, policymakers, legislators, and regulators with cybersecurity responsibilities. In addition, it might have broader applicability, as the concepts introduced can be applied at the regional or municipal levels, and can also be adapted for industry or used for academic research.

Note to readers on the update

Version 3 of the Guide to Developing a National Cybersecurity Strategy (NCS) updates, refines, and expands upon Version 2, which was published in 2021. Since then, the cybersecurity risk environment, technologies, and policy practices have continued to evolve and grow in complexity. This edition captures key developments in cybersecurity as well as emerging and disruptive technologies that governments should consider in their national strategic planning, while preserving compatibility with prior versions and the Guide’s process-plus-content approach.

This new Version focuses on practical recommendations and ease of use, and includes new material where practice has advanced. However, Version 3 remains fully compatible with Version 2 and preserves the Guide’s balance between process (Lifecycle) and content (Overarching Principles and Focus Areas). Countries that adopted earlier versions can use Version 3 to review and update their national cybersecurity strategies or make incremental improvements, particularly in financing, governance, requirements for critical infrastructure, critical information infrastructure, and essential services (CI/CII/ES), risk management, incident response, legislation, and international engagement.

Major updates and additions include:

  • Lifecycle financing and long-term sustainment: More detailed language emphasizes strategic resource planning and sustainable funding across the full NCS lifecycle (development, implementation, monitoring, review, and renewal). This includes alignment with national budget and public investment cycles, the use of dedicated funding lines, optimization of existing government resources, and external financing (e.g., multilateral development banks (MDBs), international financial institutions (IFIs), donors, technical assistance). Multi-year sustainment, attention to out-year costs and forward-looking budget projections, and fully funded initiatives are stressed. Resources should be defined in terms of money, people, and material.
  • Monitoring, evaluation, and cyclical reviews: Governments are encouraged to incorporate SMART KPIs (Specific, Measurable, Achievable, Relevant, Time-related) into their strategies and action plans, establish clear governance of monitoring and evaluation, and define baseline metrics with scheduled reviews (e.g., mid-term check-ins, 3–5-year renewals) to ensure the strategy remains current with threats, technologies, and national priorities.
  • Technological foresight and adaptability (new principle): This principle underscores horizon scanning and policy agility to anticipate evolving digital risks and adapt to emerging technologies (artificial intelligence (AI), automation, quantum computing, Internet of Things (IoT), 5G/6G, distributed ledger technologies), with mechanisms to translate foresight into strategy and regulation.
  • Governance and accountability: Guidance is strengthened on lead authority roles, whole-of-government and whole-of-society coordination, stakeholder engagement, and advisory mechanisms. It emphasizes intra-governmental and cross-sector coordination, clear assignment of responsibilities and mandates, and integration of governance into action plans.
  • Critical infrastructure, critical information infrastructure, and essential services (CI/CII/ES): Expanded guidance addresses identification, designation, governance, and risk-based requirements for operators. It introduces outcome-focused baselines, tiered expectations, oversight mechanisms, and considerations for cross-border interdependencies and systemic cybersecurity risks (e.g., an incident involving a widely used software provider that leads to the disruption of thousands of its customers, or a failure of a critical financial institution that disrupts an entire financial system, causing broader economic impact).
  • Risk management framework: The updated Guide stresses the importance of having a national approach to assessing and managing cybersecurity risk, including dynamic national and sectoral assessments; a continuously updated national risk register covering critical sectors, services, functions, operators, and assets; adoption of common methodologies aligned with international standards; and feedback loops linking risk insights to policy, investment, and crisis management.
  • Incident response and resilience: This version expands guidance on the role of national response teams (Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), Computer Incident Response Teams (CIRTs)) with sectoral counterparts, Security Operations Centers (SOCs), and Product Security Incident Response Teams (PSIRTs) in national cybersecurity architectures. It also reinforces contingency planning, information-sharing mechanisms (including ISACs/ISAOs), national and international exercises, and severity/impact assessments.
  • Capability, capacity, and awareness: Deeper guidance is provided on national cybersecurity workforce frameworks, education-to-workforce pathways (from early education to advanced programs and apprenticeships), and inclusive strategies to attract and retain talent, including women and underrepresented groups. The Guide also highlights executive and operational training, certification, dedicated career pipelines, and coordinated national awareness campaigns tailored to diverse audiences.
  • Legislation and regulation: The updated Guide presents a holistic approach by mapping policy goals to legal and regulatory instruments. It clarifies mandates and oversight, embeds safeguards in cybercrime and electronic-evidence provisions, and emphasizes proportionality, human rights, due process, and data protection. It also supports legal harmonization and cross-border cooperation.
  • International cooperation: This version strengthens links between domestic priorities and foreign policy. It encourages participation in international law and norms processes, confidence-building measures (CBMs), and standards bodies; promotes practical cooperation through formal and informal networks (including CERT/CSIRT/CIRT communities, law enforcement channels, and multistakeholder platforms); and expands on capacity-building for cyber diplomacy and international engagement.
  • Reference section (available at www.ncsguide.org): This version of the Guide will provide a dynamic Reference Section on its website, enabling simplified access and maintenance to keep references up to date.

This updated Guide is designed as a practical reference for national leaders, policymakers, regulators, industry representatives, civil society, and other parties involved in the development of an NCS. Recognizing the importance of multistakeholder engagement, the Guide’s emphasis on government entities in some sections seeks to highlight where a government entity’s leadership is pivotal to the sustainability of the process. It aims to help countries develop, implement, and sustain an effective NCS in alignment with evolving risks, emerging technologies, and international good practices.

The 2025 Guide in Detail

1. Document Overview

The purpose of this document is to guide national leaders and policymakers in the development, implementation, and revision of a National Cybersecurity Strategy (NCS), and in thinking strategically about cybersecurity, cyber preparedness, and resilience.

2. Introduction

Since their emergence, information and communication technologies (ICTs) and digital services have evolved to become the backbone of modern business, critical services and infrastructure, social networks, and the global economy as a whole.

3. Lifecycle

This Section provides an overview of the phases in the development of a National Cybersecurity Strategy.

4. Overarching Principles

This section presents ten cross-cutting principles, which, when taken together, can help in the development of a forward-looking and holistic National Cybersecurity Strategy.

5. National Cybersecurity Strategy Good Practice

Cybersecurity affects many areas of socio-economic development and is influenced by several factors within the national context. Therefore, this section introduces a set of good-practice elements that can make the Strategy comprehensive and effective, while allowing for tailoring to the national context.

6. Reference Materials

To prepare this Guide, we reviewed existing guides, frameworks, and good practices from around the world. This process allowed us to identify a wide range of resources that can support countries in designing, implementing, and sustaining their national cybersecurity strategies.

7. Acronyms

Joint Foreword

Technology and connectivity are powerful enablers of inclusive and sustainable development. Technological growth, however, brings persistent and evolving cybersecurity challenges. Experience shows that the full potential of digitalization remains out of reach unless its underlying infrastructure and services are secure, resilient, and reliable.

One of the most important steps governments can take as they seek to promote digital transformation while addressing cybersecurity risks is to invest in long-term strategic planning to guide resource allocation, set priorities, and build capacities. Cybersecurity should be integrated into a country’s broader vision and approached strategically and systemically, through iterative cycles of implementation, monitoring, and evaluation. To this end, many countries have gained valuable experience through the development and successive revisions of their national cybersecurity strategies. This accumulated knowledge provides a solid foundation for drawing conclusions and formulating recommendations that can guide countries with less experience or resources in navigating this ever-evolving domain.

In 2018, to empower and equip national leaders and policymakers with the analytical and conceptual tools needed to craft national cybersecurity strategies, a group of Contributors co-authored the Guide to Developing a National Cybersecurity Strategy (the “Guide”). Building on the positive reception of the first edition, a broader coalition convened to update the Guide and publish its second edition in 2021. 

Both editions of the Guide coincided with a significant rise in the adoption of national cybersecurity strategies worldwide. In 2018, only 76 countries had adopted a formal strategy; by 2021, that number had increased to approximately 127. Today, 136 countries have a national cybersecurity strategy in place, with many now on their second or even third iteration. Throughout this process, the Guide has become a widely recognized resource, an authoritative reference, and a blueprint for national leaders and policymakers.

This third edition sharpens the focus on practical measures to safeguard the national cybersecurity posture, addressing the latest cybersecurity risks, including those driven by emerging technologies, the proliferation of connected devices, and complex supply chains and threats, while offering actionable protections to strengthen resilience in an increasingly dynamic landscape. It places greater emphasis on implementation roadmaps, measurement, and continuous improvement, as well as cross-border cooperation. The objective of the Guide remains to inform strategic thinking and support national leaders and policymakers in the development, implementation, and revision of national cybersecurity strategies and policies, anchored in appropriate legal and operational frameworks. We are confident that this new edition will serve as a valuable tool for all stakeholders with cybersecurity responsibilities. 

As with previous editions, this Guide is the result of a unique, collaborative, and inclusive multistakeholder effort, bringing together organizations working in the field of national cybersecurity strategies, policies, and cyber capacity-building. In 2021, twenty organizations contributed to the second edition. For this third edition, the group has nearly doubled in size: thirty-seven organizations from the public and private sectors, academia, and civil society contributed their knowledge and experience. This edition draws on their collective expertise and references complementary publications and additional resources. 

We express our sincere gratitude to the Contributors involved for their invaluable support and commitment, which have made this project a concrete example of effective multistakeholder collaboration. We encourage continued partnership and look forward to deepening our engagement with governments, regional and international bodies, law enforcement, academia, the private sector, civil society, and United Nations entities to accelerate implementation, and foster strategic dialogue on cybersecurity, cyber capacity-building, and cyber resilience. 

Jointly signed by:

Mr. Holger Zwingmann
Security Transformation Associate Director,
Head of Cyber at Technology Strategy & Advisory
IX EMEA, Accenture

Mr. Álvaro Neira
Partner, Axon Partners Group

Ms. Bernadette Lewis
Secretary General, Commonwealth Telecommunication Organisation

Mr. Virgil Spiridon
Head of Operations, Cybercrime Programme Office of the Council of Europe

Prof. Wallace Chigona
Director, Cybersecurity Capacity Centre for Southern Africa, University of Cape Town, South Africa

Dr. Jovan Kurbalija
Executive Director, DiploFoundation

Mr. Hannes Astok
Chairman of the Management Board, e-Governance Academy

Ms. Liina Areng
Project Director, EU CyberNet

Mr. Roi Yarom
Associate Director, Cybersecurity Policy Specialist, Digital Hub, European Bank for Reconstruction and Development (EBRD)

Mr. Alessandro Ortalda
Founder and Managing Director, Experirē Strategy & Advisory

Mr. Chris Gibson
Executive Director, FIRST

Ambassador Nathalie Chuard
Director, Geneva Centre for Security Sector Governance (DCAF)

Prof. Sadie Creese
Director, Global Cyber Security Capacity Centre

Mr. David van Duren
Director, Global Forum on Cyber Expertise (GFCE) Secretariat

Ms. Lea Kaspar
Executive Director, Global Partners Digital

Ms. Melissa Hathaway
President, Hathaway Global Strategies, LLC

Ms. Paula Acosta
Institutional Capacity of the State Division Chief, IADB

Mr. Tobias Adrian
Financial Counsellor and Director of the IMF’s Monetary and Capital Markets Department.

Dr. Cosmas Luckyson Zavazava
Director of the Telecommunication Development Bureau (BDT), International Telecommunication Union

Mr. Cyril Gout
Acting Executive Director of Police Services, INTERPOL

Mr. Khaled Wali
Minister Plenipotentiary, Director ICT Department, League of Arab States

Ms. Kaja Ciglic
Senior Director, Cybersecurity Policy and Diplomacy, Customer Security and Trust, Microsoft

Mr. Tõnis Saar
Director, NATO Cooperative Cyber Defence Centre of Excellence

Dr. Vilius Benetis
Director, NRD Cyber Security

Mr. Guillermo Moncayo
Deputy Executive Secretary in charge, Inter-American Committee against Terrorism (CICTE), Organization of American States (OAS).

Mr. Mauro Miedico
Director, United Nations Counter-Terrorism Centre

Mr. Robert Opp
Chief Digital Officer, United Nations Development Programme

Dr. Robin Geiss
Director, United Nations Institute for Disarmament Research

Mr. Leif Villadsen
Acting Director, United Nations Interregional Crime and Justice Research Institute

Dr. Jingbo Huang
Director, United Nations University Institute in Macau

Ms. Izumi Nakamitsu
Under-Secretary-General and High Representative for Disarmament Affairs, UNODA

Ms. Brigitte Strobel-Shaw
Officer in Charge of the Division of Treaty Affairs, UNODC

Ms. Christine Zhenwei Qiang
Global Director, Digital Transformation, World Bank

Mr. Tal Goldstein
Head of Strategy and Growth, Centre for Cybersecurity, World Economic Forum

Document Overview

The purpose of this document is to guide national leaders and policymakers in the development, implementation, and revision of a National Cybersecurity Strategy (NCS), and in thinking strategically about cybersecurity, cyber preparedness, and resilience.

This Guide aims to provide a useful, flexible, and user-friendly framework to set the context of a country’s socio-economic vision and current national cybersecurity posture and to assist national leaders and policymakers in the development or revision of a Strategy that takes into consideration a country’s specific situation, cultural norms, and societal values, while encouraging the pursuit of secure, resilient, digitally empowered, and connected societies.

Introduction

Since their emergence, information and communication technologies (ICTs) and digital services have evolved to become the backbone of modern business, critical services and infrastructure, social networks, and the global economy as a whole.

As a result, national leaders have launched digital strategies and funded projects to increase internet connectivity and leverage the benefits of digital technologies to stimulate economic growth, enhance productivity and efficiency, improve service delivery and capacity, provide access to business and information, enable e-learning, strengthen workforce skills, and promote good governance. Countries cannot ignore the opportunities associated with greater connectivity and participation in the digital economy.

Lifecycle

This Section provides an overview of the phases in the development of a National Cybersecurity Strategy, which include:

  • Phase I – Initiation
  • Phase II – Stocktaking and Analysis
  • Phase III – Sustainable Funding and Resource Planning
  • Phase IV – Production
  • Phase V – Implementation
  • Phase VI – Monitoring and Evaluation

It also introduces the key entities that should be involved in the development of the Strategy and highlights other relevant stakeholders that can contribute to the process.

Overarching Principles

This section presents ten cross-cutting principles, which, when taken together, can help in the development of a forward-looking and holistic National Cybersecurity Strategy.

These principles are applicable to all key focus areas identified in this document. They should be considered in all steps of the Strategy development process, from the drafting of the Strategy document to its implementation.

National Cybersecurity Strategy Good Practice

Cybersecurity affects many areas of socio-economic development and is influenced by several factors within the national context.

Therefore, this section introduces a set of good-practice elements that can make the Strategy comprehensive and effective, while allowing for tailoring to the national context.

These good-practice elements are grouped into distinct focus areas, overarching themes for a comprehensive NCS. While both the focus areas and the good-practice elements have been put forward here as examples of good practice, it is particularly important that the latter are viewed in the national context, as some may not be relevant to a country’s specific situation. Countries should identify and follow the good-practice elements that support their own objectives and priorities in line with the vision defined in their Strategy (Section 4.1). The order of the individual elements or focus areas below should not be seen as indicating a level of importance or priority.

Reference Materials

To prepare this Guide, the Working Groups reviewed existing international guides, frameworks, and good practices.

This process identified a wide range of resources that can support countries in designing, implementing, and sustaining their national cybersecurity strategies.

The materials listed below bring together these references in a comprehensive catalogue, including web links, so readers can explore the principles, concepts, and approaches discussed throughout the Guide in greater depth and apply them to their own national context. While not exhaustive, this collection offers a strong foundation for policymakers, practitioners, and researchers to build upon, and encourages continued exploration of newly available resources.

Acronyms

Acronyms that are used within this Guide and their definitions.
