The first Tallinn Cyber Capacity-Building Fellowship Programme has come to an end. Over two weeks, twenty cybersecurity professionals from across the globe met online and in Estonia to learn, exchange experiences, and work together on practical solutions to the challenges they face at home.
What made the Fellowship stand out was its focus on turning knowledge into action. Each participant began by drafting a problem statement based on their national reality. These were then developed into policy briefs, project proposals, and roadmaps that outlined concrete ways forward.
Looked at together, the problem statements revealed a clear pattern. Regardless of their origin, many countries are facing similar challenges: outdated laws, weak governance, shortages of skilled professionals, low digital literacy, and institutions that are unprepared for modern cyber threats. The fellows’ final outputs addressed these issues head-on, and in doing so, reflected both their own national contexts and the lessons they had drawn from Estonia’s digital journey during the online and on-site programme.
Governance, institutions, and regulation
Weak governance and outdated legislation were among the most pressing challenges identified. Fellows observed that in many contexts, political will to drive digital reforms remains fragile, institutions lack clear mandates, and citizens see little communication about the benefits of digitalisation. They proposed to launch a National Strategy 2025–2035, built on three pillars: digital transformation, cybersecurity and personal data protection, and digital sovereignty.
This would mean not just passing laws but building the institutions to carry them out — specialised cybersecurity agencies, empowered data protection authorities, and well-resourced CSIRTs. Fellows stressed that without institutional change, laws alone remain symbolic. Estonia’s own example was central to this discussion.
The fellows noted how Estonia’s long-term investment in secure digital identity, interoperability, and independent oversight bodies has given its digital government both credibility and resilience. For them, this underlined the idea that digital transformation is not only technological but cultural: it requires trust between citizens and the state, and visible benefits that make people part of the change.
Skills and workforce development
The shortage of qualified cybersecurity professionals was identified as a critical bottleneck. Fellows noted that, while the threat landscape is evolving rapidly, education systems and professional pipelines have not kept pace with this evolution. Their project, titled Cyber Resilience for Education and Workforce Development, offered a multi-country initiative that would embed cyber resilience into schools and professional training.
The plan was ambitious: to train 7,000 teachers in the safe and ethical use of digital tools, to integrate cyber resilience into 160 schools, and to establish Cyber Resilience Clubs where students could learn from peers, with a particular focus on empowering girls. At the institutional level, they proposed establishing a Cyber Workforce Development Council and a national Cyber Coordination Platform to align government, industry, and civil society.
Estonian examples strongly shaped these ideas. At the University of Tartu, fellows observed how cybersecurity and AI literacy are already being integrated into higher education curricula. At the same time, visits to the Information System Authority highlighted the importance of coordination among government, academia, and industry. These experiences helped fellows imagine how their own countries could build sustainable pipelines of cyber talent — starting from the classroom and extending into national institutions.
Citizen awareness and protection
The fellows also highlighted the vulnerability of citizens and small businesses to scams, phishing, and online fraud. They noted that while national strategies often focus on critical infrastructure, everyday users receive little protection, despite being the target of cybercriminals.
Their policy brief recommended a National Cybersecurity Awareness and Education Programme. This would combine mass media campaigns with community workshops, school curricula, and partnerships with banks and telecoms to make sure citizens know how to recognise fraud and where to report it. Fellows also proposed creating a central portal for alerts, verified information, and reporting tools — a simple, multilingual, and accessible platform for all. Stronger cybercrime laws, obliging financial institutions to adopt robust fraud prevention measures, were also part of the package.
The fellows had seen in Estonia how awareness campaigns can be practical and close to citizens. They were especially impressed by the role of the Police and Border Guard Board’s web constable Maarja Punak, who interacts directly with communities online, and by the way digital safety is being introduced in schools. These examples demonstrated how awareness-raising efforts could be made both credible and sustainable and how they could help rebuild trust in digital services.
Organisational preparedness
For many organisations, resilience against modern cyber threats is still a work in progress. Fellows noted that ransomware, outdated infrastructure, and weak legal enforcement are undermining public trust. To address this, their roadmap, Strengthening Organisational Preparedness Against Cyber Threats, laid out a phased plan covering the years 2025 to 2030.
The first phase focused on mapping capacities, upgrading obsolete systems, and building leadership awareness. The second phase outlined national incident response frameworks, ransomware playbooks, and cross-border cooperation under the Budapest Convention. The final phase aimed to institutionalise preparedness by embedding it in national strategies, creating continuous training programmes for judges and prosecutors, and establishing annual Cyber Resilience Indexes to track progress.
Here, too, Estonian examples were visible. The fellows cited the role of CR14 and the Estonian Cyber Defence League in testing organisational preparedness through live-fire exercises and simulations. They also drew on discussions with Estonian CERT officials and judicial experts, noting how preparedness depends as much on executive commitment and cross-sector cooperation as it does on technical tools.
From problems to shared solutions
The Fellowship showed how national problems can be reframed as global challenges, and how international cooperation can help translate lessons into solutions. By engaging with ministries, universities, cyber defence units, and industry leaders in Estonia, fellows were able to move from problem statements to actionable proposals rooted in both local realities and global best practices.
The Tallinn Cyber Capacity-Building Fellowship is designed to empower cybersecurity experts from around the world. Its mission is to strengthen practical knowledge and policy skills while building a global network of professionals. Through lectures, study visits, and in-depth discussions, the programme provides a comprehensive view of the cybersecurity ecosystem, highlights EU and Estonian best practices, and equips fellows with the tools to strengthen resilience at home.
Ultimately, the Fellowship contributes to a more inclusive, cooperative, and resilient cyber environment by building capacity where it is needed most. Co-organised by the e-Governance Academy and the Ministry of Foreign Affairs of Estonia, and funded by the European Commission (DG INTPA) under the Tallinn Cyber Diplomacy Summer School project, it marks a new step in how countries learn from one another to face shared challenges in cyberspace.