Investments in defence and related sectors
What falls under NATO’s 5% standard is laid out in detail in a comprehensive NATO statement. The definition is broad, and includes investment in sectors related to the military and in R&D:
Expenditure for the military component of mixed civilian-military activities is included, but only when the military component can be specifically accounted for or estimated. For example, these include airfields, meteorological services, aids to navigation, joint procurement services, research and development.
Research and development (R&D) costs are included in defence expenditure. R&D costs also include expenditure for those projects that do not successfully lead to production of equipment.
Also investments in cybersecurity
One of NATO’s core tasks is to defend against cyber threats. According to NATO, this involves close cooperation with the private sector:
The private sector is a key player in cyberspace, and technological innovations and expertise from the private sector are crucial to enable NATO and Allies to respond effectively to cyber threats.
In line with the 2023 concept to enhance the contribution of cyber defence to NATO's overall deterrence and defence posture, as endorsed by Allies at the 2023 Vilnius Summit, NATO and its Allies are working to strengthen their engagement with industry and academia through information-sharing, exercises, and training and education.
It is therefore only logical to expect a significant boost in cybersecurity investments in the near future.
Considerations when investing in cybersecurity
This raises several legal and practical issues worth highlighting briefly.
- Clear agreements
Cybersecurity often involves a broad spectrum of services, ranging from network security (SIEM/SOC) to penetration testing, patch management, training, coaching, and more. These services are offered by a wide variety of providers—of varying levels of maturity. Contractually, there is also great variation. While no security provider can guarantee perfection, it is notable that some providers go to great lengths to limit expectations, at times effectively disclaiming core responsibilities. Be mindful of exactly what you are purchasing.
- Raising the bar
If NATO is substantially investing in improved cybersecurity, the rest of the economy can hardly afford to lag behind. What qualifies as “adequate security” is context-dependent. If your peers are enhancing their digital locks, you may have to do the same. Meanwhile, various legislative developments are already raising the bar. Ironically, organisations that fail to keep up with cybersecurity improvements may actually become more exposed—sooner rather than later.
- Monitoring and AI
Robust cybersecurity increasingly involves digital behaviour monitoring. This frequently entails the processing of personal data—including, at times, sensitive data. It is also likely that artificial intelligence (AI) will be deployed to enable swift and decisive action. It is crucial to anticipate and embed such measures in your organisation. This could include the need to carry out a Data Protection Impact Assessment (DPIA) in advance and to address specific requirements from forthcoming AI legislation.
- Innovation
New collaborations are likely to emerge, resulting in the development of new products and services. Research has shown that defence-related investment often accelerates innovation. It is essential to make clear contractual arrangements in advance about intellectual property ownership of any resulting inventions.
- Emergency situations and state secrets
Specifically in collaboration with defence bodies, a stricter confidentiality regime often applies. In some cases, organisations may need to plan ahead for emergency or exceptional situations. This is one reason why contracts in this context require a distinct legal approach.
In conclusion
Do you have questions about the legal aspects of cybersecurity, about cooperating with third parties to drive cyber innovation, or about other issues at the intersection of cyber and law?
We are happy to assist you.