Nonprofit organisations have emerged as indispensable actors in the global cybersecurity ecosystem, providing critical public-interest services that protect vulnerable communities, secure digital infrastructure, and enhance cyber resilience across sectors and regions. Despite their growing importance, these organisations face persistent structural challenges that limit their potential impact and sustainability in an increasingly complex threat landscape.

This paper authored by Kayle Giroud (Global Cyber Alliance) and Rayna Stamboliyska (RS Strategy) on behalf of Common Good Cyber was commissioned by the EU Institute for Security Studies and funded by The Global Gateway. It presents a comprehensive analysis of the nonprofit cybersecurity ecosystem, drawing on an extensive dataset of 334 initiatives and in-depth interviews with sector leaders. It examines how these organisations contribute to global cyber resilience, identifies systemic barriers to their effectiveness, and proposes pathways for strengthening their role in multilateral cybersecurity governance frameworks.

Our research reveals that nonprofit organisations make vital contributions across four functional areas:

• Resilience: Developing standards and certification frameworks that strengthen critical infrastructure protection and workforce capabilities.
• Cooperation: Facilitating information sharing and coordinated incident response through trust networks that span national boundaries.
• Stability: Documenting cyber incidents, analysing attack patterns, and advocating for norms that reduce conflict risks in cyberspace.
• Capacity Building: Addressing knowledge and skill gaps through accessible resources and training programs, particularly in underserved regions.

Despite these contributions, our analysis identifies three interconnected challenges that systematically undermine these nonprofits’ effectiveness:

• Technical solution imbalances: While 73% of public interest cybersecurity solutions are community-driven, most target technical audiences with existing capabilities. Yet, only 25% of all these public-interest cybersecurity solutions serve non-technical or under-resourced users, creating significant protection gaps for vulnerable populations.
• Unsustainable funding models: Cybersecurity nonprofits currently spend up to 30% of their budgets on fundraising rather than their core mission. Short-term, project-based funding creates operational instability and drives resources away from addressing long-term security needs.
• Limited policy influence: When possible, participation in global forums like the UN Open-Ended Working Group (UN OEWG) on security of and in the use of information and communications technologies 2021–2025 remains heavily skewed toward Global North organisations, with substantial procedural, political, and resource barriers preventing equitable representation.

The future of cybersecurity governance requires a fundamental shift in how nonprofits are integrated into multilateral frameworks. The proposed UN Cyber Programme of Action (PoA) presents a promising opportunity to establish more inclusive stakeholder participation mechanisms that leverage nonprofit expertise in implementing global cybersecurity norms.

This paper proposes practical policy pathways to elevate nonprofit voices and capabilities in global governance, including streamlined accreditation processes, dedicated funding mechanisms for participation from underrepresented regions, and formal recognition of operational cybersecurity expertise in policy development. It calls for a collaborative approach that positions nonprofits not at the margins, but at the core of efforts to build a secure and resilient digital future.