The Council of Europe opened the Budapest Convention on Cybercrime for signature, creating a shared legal framework for investigating cybercrime and handling electronic evidence across borders. Even though it is not cable-specific, it helped normalize international cooperation that later became important when governments treated subsea networks as critical infrastructure.
The International Ship and Port Facility Security (ISPS) Code entered into force under the SOLAS treaty, strengthening global maritime security rules. While focused on ships and ports, it reinforced the broader idea that maritime-domain security includes protecting infrastructure and managing risks in international waters.
The United States issued NSPD-54/HSPD-23, which adopted the Comprehensive National Cybersecurity Initiative (CNCI) as national policy. This strengthened federal coordination on cybersecurity and helped drive later expectations for protecting critical infrastructure, including communications systems that depend on undersea cables.
NATO approved its first Policy on Cyber Defence, recognizing cyberattacks as a core security concern for the Alliance. This set the stage for later resilience work, where protecting critical infrastructure—including undersea systems—became part of collective defense planning and cooperation.
The U.S. Department of Homeland Security opened the National Cybersecurity and Communications Integration Center (NCCIC) to coordinate cyber and communications incident response. A centralized 24/7 operational hub supported faster information sharing and response, which is critical when disruptions can cascade across networks that rely on subsea connectivity.
Security researchers identified the Stuxnet worm, which targeted industrial control systems used in physical infrastructure. The incident helped shift security planning toward “cyber-physical” risks—attacks that begin in software but can cause real-world damage—an idea that later informed resilience planning for subsea systems and their landing-station operations.
NIST released the Cybersecurity Framework 1.0 to give critical infrastructure organizations a shared structure for managing cyber risk. Its common “Identify–Protect–Detect–Respond–Recover” model supported more consistent security and resilience planning for systems that connect to, manage, and monitor subsea networks.
The European Union adopted the first NIS Directive (Directive (EU) 2016/1148), requiring many essential service operators to manage cybersecurity risks and report incidents. This was a major policy step linking cybersecurity to continuity of critical services, including the digital services that depend on undersea cable networks.
Cambridge University Press published Tallinn Manual 2.0, summarizing expert views on how international law applies to cyber operations in peacetime and conflict. While not binding law, it influenced policy discussions about state responsibility and responses to cyberattacks that could affect critical infrastructure systems.
The NotPetya malware outbreak began and spread internationally, causing major disruption across multiple sectors. It demonstrated how a destructive cyber incident can ripple through global supply chains and communications dependencies, strengthening the case for resilience planning around “single points of failure,” including subsea connectivity paths.
Explosions damaged multiple Nord Stream pipelines in the Baltic Sea, widely treated by governments as suspected sabotage. The event intensified attention on the vulnerability of undersea energy and communications corridors and accelerated new security and resilience initiatives in Europe and NATO.
The United States published a National Cybersecurity Strategy that emphasizes defending critical infrastructure and shaping market incentives for more secure technology. Although it is broad, it reinforced a policy direction toward stronger baseline expectations and shared responsibility across operators and suppliers that support critical connectivity.
NATO and the European Union launched a task force focused on the resilience of critical infrastructure, including energy, transport, digital infrastructure, and space. This created a standing mechanism for shared situational awareness and coordinated approaches after high-profile undersea incidents.
A sudden pressure drop led Finland and Estonia to shut down the Balticconnector undersea gas pipeline, and a nearby telecommunications cable was also damaged. Investigations treated the damage as external interference, reinforcing the need for better monitoring, faster repair capacity, and cross-border coordination for undersea infrastructure.
NATO Defence Ministers agreed to stand up a Critical Undersea Infrastructure Network, aimed at improving information sharing and situational awareness. It also advanced work to establish a Maritime Centre for the Security of Critical Undersea Infrastructure at NATO Maritime Command, linking military planners and industry operators.
EU rules under the Critical Entities Resilience (CER) Directive began applying after the transposition deadline, requiring Member States to strengthen protection and resilience for essential services against physical and digital risks. This supported a more systematic approach to resilience planning that can include subsea-related dependencies in energy and digital infrastructure.
The European Commission opened infringement procedures against many Member States for failing to fully transpose NIS2 by the deadline. The action underscored that resilience initiatives depend on implementation, not just adoption, especially for critical sectors that rely on cross-border digital links.
The ITU and the International Cable Protection Committee launched an International Advisory Body for Submarine Cable Resilience to promote best practices and faster repair and recovery. This marked a clear “end state” shift for the period: subsea cable resilience became a coordinated, explicitly global policy-and-industry agenda rather than a set of separate national efforts.
Protection and resilience initiatives for critical subsea infrastructure (2000–present)