What is the aim?

The aim is to transfer knowledge between countries about how institutions, policies and context influence the development of national cyber security capacity. The host country will share lessons learned, with a view to helping the beneficiary avoid similar mistakes and to augmenting the beneficiary's planning around capacity priorities.

Why do it?

To share institutional and strategic lessons on the development of a country’s national cyber security capacity.

What are typical outputs?

The team responsible for developing national cyber security capacity institutions is challenged to consider how the lessons shared by the host government are relevant to its own capacity.

How is it delivered?

The host government provides access to cyber security and associated institutions within their government and, where relevant, industry sectors to provide a broad understanding of the institutional complexity of the host’s cyber security framework.

How easily can a country do it themselves?

A country could request bilateral engagement with a host government, but this would place the financial burden on the two governments and may lead to a more political rather than working-level engagement.

What good practice guidance is available?

Some governments publish the details of their institutions, frameworks and strategies, but these rarely provide a clear understanding of how the different functions were developed and operate.

  • Timing and need are key to this form of engagement. To be of most benefit to the beneficiary, such an engagement will take place before the implementation of a national strategy, in advance of the setting up of – or proposed changes to – the cyber security institutions and framework of the country.
  • It is vital that the right beneficiaries attend the engagement, particularly those with decision-making authority, so that the lessons learned can be applied effectively.
  • Take program funding restrictions into account when planning the wider engagement, as the host government may wish to coordinate its own social or cultural functions outside of the capacity-building activities.


Travel and subsistence costs for beneficiary attendees, possible costs for venue if host government does not use own premises.


Multiple days of engagements (2-5 days, depending on the number of host government departments visited), plus the planning and preparation time.

Sri Lanka was a phase 1 beneficiary country of EU Cyber Resilience for Development. They had just commenced implementation planning for the delivery of their first national cybersecurity strategy when the program initially engaged. Beneficiaries were keen to learn from the experience of European countries that had more recently gone through the same institutional journey, in particular those which had been willing to consider whole-of-government structures as part of the delivery of the first national cybersecurity strategy.

The study visit concept arose in meetings with the Sri Lankan Minister for Information Technology and Digital Infrastructure, the program delivery team and EU officials. The Minister felt that it would be of value to engage at a strategic level with a country of similar size which had recent lessons to share about cybersecurity capacity development. The program team and EU Officials worked with the government of Portugal to assess the viability and logistics of such an engagement.

The Sri Lankan Minister responsible for the cyber portfolio, accompanied by senior cybersecurity, legal and wider government officials, travelled to Portugal for 5 days including travel time. The Cyber4Dev team deployed supporting experts with experience of direct engagement with Sri Lanka, to provide neutral institutional and programmatic context in addition to translation and logistics support from the UK government. The delegation met with a wide range of Portuguese government departments from ministerial to working level, to share the full spectrum of lessons from their journey of capacity building. Structured engagements set across multiple days enabled the sessions to be host-led initially and then interactive latterly, based on what beneficiaries learnt and the questions which arose. Meeting with such a spectrum of officials in the host meant that peer relationships were formed for continuity of engagement.

The presence of program staff meant the capacity-building team was able to identify, validate and then support follow-on activities which arose from the study visit. These ranged from a technical focus on certain solutions to wider strategic considerations around the proposed structure of Sri Lanka’s new cyber security agency.

Study visits which provide a whole-of-government perspective on cybersecurity capacity are valuable to countries which are early on in their journey. Such engagements aid the understanding of why a country has its particular cybersecurity framework of institutions. This assists beneficiaries in exploring different models and avoiding adopting a model which may not be the right fit in their national context.

Cyber4Dev has made use of other such visits by bringing together groups of beneficiaries to the countries which support the program. For instance, the government of Estonia has hosted working-level delegations to its cybersecurity agencies in order to showcase Estonian cyber capacity and to share lessons learned.