A significant step towards a constructive post-Brexit security relationship was taken on 1 May 2021, when the newly negotiated European Union (EU)-United Kingdom (UK) Trade and Cooperation Agreement (TCA) and its complementary Security of Information Agreement (SIA) came into force. On the surface, these agreements represent the launch and successful implementation of a new bilateral security relationship. However, when considering the relatively sparse content of these agreements and recent remarks at the operational level, it is clear that questions remain over what type of future cyber security relationship will emerge. The UK is a global cyber leader and the EU is an important regional hub for cyber security partnerships. The GCSP’s recent analyses, including our recently published Strategic Security Analysis (SSA) paper, ask: How will the EU-UK relationship develop in a future increasingly characterised by cyber security threats and risks?  

The pre-Brexit relationship

Under EU treaties, security remains a national competence, meaning that EU membership should make no difference to state security. Yet, it is evident that as emerging cyber threats have been increasingly placed at the forefront of national security concerns, cyber security has also become increasingly integrated into core EU policy and operations. At the operational level, several EU mechanisms have played important roles in British cyber security. In particular, the UK has both benefitted from and contributed to the forensics, strategy, and operations of EU agencies, including Europol (the EU’s law enforcement agency), the EC3 (the European Cybercrime Centre), ENISA (the EU Agency for Network and Information Security), and CERT-EU (the Computer Emergency Response Team). As a member state, the UK also supported EU policy and transposed EU regulations that have acted as foundational frameworks for national data protection and network and information systems security legislation.

The UK also contributed to EU-level activities and has been regarded as a “strong lead in Europe on tackling cybercrime”. The UK had a noticeable presence in EU activities by providing expertise and staff to EU agencies and through the leadership of Sir Rob Wainwright, director of Europol between 2009 and 2018. Britain also contributed to strategy and policy development, with UK legislation sometimes contributing as a model framework for new EU regulations, and with Sir Julian King acting as the European Commissioner for the Security Union between 2016 and 2019. Despite this, on the 31 January 2020 the UK formally left the EU. While this would not have irreversibly damaged either British or EU-level cyber security (as a national competence), it was expected to reduce “operational effectiveness”, require a reallocation of resources, and add further uncertainty to a range of security and policing areas.

The start of a new relationship? 

A significant step towards a new relationship was taken when the negotiated TCA and complementary SIA entered into force on 1 May 2021. They confirmed the UK will continue to work with the EU in combatting crime by retaining access to critical information databases and exchange platforms, and established a working relationship with Europol (which includes the EC3). The TCA explicitly refers to cooperation with CERT-EU and ENISA, with information exchange being on a “voluntary, timely and reciprocal basis”. It confirms that the UK may participate in a limited number of ENISA activities, but this is “subject to prior approval” and an appropriate financial contribution. The agreements are a step closer to a new cyber security relationship, but provide few details on operational logistics, with day-to-day arrangements still subject to discussions between relevant EU and UK bodies. As Sir Julian King stated, the agreements have “addressed only some of the serious question about future security cooperation … many challenges lie ahead”.

Three future relationship pathways

As we explore further in the SSA paper, three potential pathways for this future relationship are possible, with each pathway presenting both new opportunities and new challenges for cyber security.

1. An autonomous Britain

Firstly, a more digitally autonomous Britain could develop, one where the country “goes its own way” in terms of cyber security policy and operationalisation. This provides the UK with an opportunity to refocus resources and capacities on national security advances, particularly those that had previously lacked EU support. With the new agreements based on “overarching mutual self-interest”, Britain may generate autonomous capabilities that allow for both strengthened national governance over cyber security practices and cooperative support with the EU when this is advantageous to both sides.

However, this model can also pose a challenge if cyber security is considered as a collective risk. As global digitalisation accelerates into the fourth industrial revolution, nations, organisations, and entities are increasingly coming together in support of shared goals in the areas of cyber resilience and digital governance. On the political surface, Brexit undermined this growing drive and necessity to collaborate, as well as a fundamental aspect of cyber security cooperation in this digital age, that of trust.

2. Increased international dependence

Secondly, we could see the UK become increasingly dependent on, and have greater interaction with, other international allies and partners, including NATO, the United Nations and intelligence alliances such as Five Eyes. These wider security alliances could foreseeably act as the UK’s key communication and resource channels in its efforts to achieve foreign policy and security goals, with the cohort of allies also including EU member states.

Nevertheless, a challenge is posed when considering the unique value of regional coordination. With Brexit, the UK has not only lost access to region-specific cooperative platforms, but also the informal networking that occurs within the wider “jigsaw puzzle” of EU architecture. These informal channels of communication can provide secure cross-European exchanges, which can be inherently valuable in time-critical sectors such as cyber security.

3. Replication of bilateral relations

Finally, new bilateral relations secured with relevant EU agencies and states could effectively replicate pre-Brexit cyber security dynamics. With the recent agreements making explicit reference to engagements with Europol, ENISA and CERT-EU, this already demonstrates the potential of this pathway. The UK appears to be aiming for a similar standing to that of Iceland or Norway, both of which have set precedents for non-member state involvement in EU-level bodies.

However, having lost its former leadership and influencing position on the EU level, the UK may be challenged in finding value in its new third-party status. There are also legal, political and practical difficulties to establishing and maintaining these bilateral relations. The SIA itself states that “the Parties shall cooperate as far as reasonably practicable”, implying that if in future Britain diverges from compatible EU cyber standards, cooperation could quickly be termed an impractical option.

With multiple post-Brexit pathways that could still be pursued following the new security agreements, the EU-UK cyber security relationship is still evolving. The most positive outcome would be a relationship in which both the EU and UK contribute to a professional, transparent, and non-political cooperative model that builds on the recent agreements, while remaining open to future flexible support given the unpredictable and complex nature of cyber threats. If the relationship outcome proves operationally successful, it could establish a replicable framework for other non-EU-member entities seeking cyber security relations with the EU.

To explore this topic further please see our latest Strategic Security Analysis paper or join our upcoming virtual course, Meeting the Cyber Security Challenge in November 2021 to discover more cyber security trends.