study

The State of Cyber Confidence-Building Measures

How Governments Implement Multilateral Measures to Create Trust in the Cyber Domain

The State of Cyber Confidence-Building Measures

Author

Programmes

Published by

Interface

December 16, 2025

Download PDF

This project was funded by the German Foundation for Peace Research (DSF).

Executive Summary

Confidence-Building Measures in the Cyber Domain 

In any political domain, building trust in international relations is essential, but in the cyber domain this is particularly true. Cyber interactions carry high risks of misunderstanding and escalation, as the environment is marked by uncertainty, ambiguity, and anonymity. Factors such as the difficulty of attributing incidents, the potential for false-flag operations, and rapid technological change further increase these risks.

These dynamics are intensified by today’s geopolitical climate of rising tensions, strategic competition, and weakening alliances. In such a context, unintended cyber escalation can occur easily, making mechanisms that reduce uncertainty and foster trust all the more important.

Confidence-Building Measures (CBMs) serve this purpose by enhancing transparency, predictability, and dialogue through practical steps such as information-sharing, notification, and cooperation. They are not an end in themselves but a diplomatic tool to prevent escalation and sustain communication, especially in times of mistrust.

Cyber CBMs in Multilateral Organisations

This poses the question: how can confidence be built in a domain defined by ambiguity? Over the past decade, states have sought to answer this question through the negotiation and implementation of cyber CBMs in unilateral, bilateral, and multilateral settings. Among these, CBMs within multilateral organisations have proven especially effective and durable. 

Regional organisations are well positioned to advance cyber CBMs as they account for differing levels of cyber maturity, political priorities, and cultural contexts. Compared to global forums, regional initiatives can offer more targeted solutions among states with shared threat perceptions. Their proximity to national authorities enhances understanding of national perspectives, while their membership – often including both like-minded partners and neighbours with strained relations – provides valuable platforms for dialogue. Building on established regional processes further strengthens their effectiveness. Examples of such regional cyber CBMs include establishing directories of national Points of Contact (PoCs), sharing cybersecurity strategies, exchanging national views on threats or on the application of international law in cyberspace, conducting joint workshops – often with the private sector, which owns and operates much of the ICT infrastructure – building national capacities, or setting up crisis communication mechanisms.

Mapping the State of Implementation

Despite their growing adoption and widely recognised importance, research on how states actually implement multilateral cyber CBMs remains limited – particularly regarding the practical steps taken to translate commitments into action. Comparative assessments across regional organisations are especially scarce. Yet developing comparative insights into how these measures are implemented is critical for enhancing transparency, informing future policymaking, and helping resource-constrained states navigate an increasingly fragmented landscape of cyber initiatives. 

Mapping implementation reveals which measures are actively applied, which rely on implicit actions, and how national, regional and global practices interact. It also helps pinpoint gaps, best practices, and enabling factors that can guide future cyber CBM design and foster cross-regional cooperation. Responding to this gap, this paper systematically maps state practice in multilateral cyber CBM implementation across several organisations:

  • Organization for Security and Co-operation in Europe (OSCE)

  • Organization of American States (OAS)

  • ASEAN Regional Forum (ARF)

  • United Nations (UN)

  • Economic Community of West African States (ECOWAS)

  • Conference on Interaction and Confidence Building Measures in Asia (CICA)

The analysis focuses on those organisations that have explicitly adopted cyber CBMs and assesses the extent to which political commitments have been translated into practice through concrete actions. Implementation is described based on observable state practice, using different levels of progress.

To provide a balanced picture, the analysis takes into account explicit implementation, where actions are directly linked to specific cyber CBMs (e.g., nominating national PoCs), and implicit implementation, where broader national initiatives indirectly support cyber CBM objectives (e.g., developing strategies or capacity-building programmes). Recognising both modes avoids overstating success while still capturing practical contributions that enhance confidence and enable cyber CBM implementation.

Key Takeaways

  • Formulation is easier than implementation: From the outset, the drafting process emphasised finding language that could secure consensus among states, leaving implementation details to later.

  • Capacity-building is foundational: A lot of cyber CBM activities either aim to build up capacities or are connected to capacity-building measures as capacity itself is a prerequisite for successful implementation.

  • CBMs often work best as interconnected systems: Some cyber CBMs have limited utility alone; taken together with other cyber CBMs, they form a coherent framework or lay the groundwork for more substantive cooperation.

  • Explicit deliverables enable measurability: Cyber CBMs asking for concrete outputs (e.g., nomination of PoCs) are easier to monitor, with progress often published by regional secretariats. In contrast, information on other cyber CBMs is not publicly known, or it is more difficult to identify, especially if the implementation is mostly implicit.

  • Dialogue itself is a core outcome: Beyond measurable outputs, the process of engagement, information exchange, and experience-sharing itself fosters trust and confidence. For some cyber CBMs, this is an explicit objective; for others, it emerges as a valuable by-product. 

  • Success should not be measured by explicit outputs alone: Cyber CBMs’ value lies not only in tangible deliverables of individual cyber CBMs but also in the broader framework of communication and trust they create all together, particularly during geopolitical tensions.

  • Implementation is a continuous process: Regions across the world increasingly view cyber CBMs as a valuable diplomatic tool with many committing to their adoption and implementation. However, implementation remains a work in progress – while some measures are being actively applied, others are still at early stages, and much remains to be done. Even well-established CBMs require sustained engagement, political will, and at times more ambitious interpretation to deepen their impact.

  • No one-size-fits-all model: Regional implementation approaches vary regarding how organisations implement cyber CBMs but also to what they prioritise depending on institutional structures, mandates, and resources as well as the broader regional context.

  • Cross-regional exchange enhances progress: Sharing experiences among regions strengthens mutual learning and fosters convergence around foundational cyber CBMs (like PoC directories and national strategy sharing).

Author

Helene Pleil

Helene Pleil

Senior Policy Researcher Cybersecurity Policy and Resilience

hpleil@interface-eu.org

show more