Key Points

• The United Kingdom (UK) officially exited the European Union (EU) on 31 January 2020, nearly four years after a polarising Brexit referendum. Following extended negotiations on future relations, two key agreements entered into force on 1 May 2021 containing sections on trade, cooperation, and security, with the latter including cyber security.
• These new agreements are a positive step towards a new cooperative model, but questions remain over what type of relationship the EU and UK will have in reality when it comes to cyber security.
• Three potential pathways for this future relationship are possible, with each pathway presenting both new opportunities and new challenges for cyber security. These pathways are as follows:
• a completely autonomous UK, which would encourage home-grown national security advances, but would discount the view of cyber security as a collective concern;
• increased international dependence for the UK, which would facilitate greater collaboration with the wider cyber community, but would not acknowledge the unique value of regional coordination; and
• the replication of the pre-Brexit EU-UK partnership through the establishment of new bilateral relations that will preserve the security relationship, but demote Britain’s former leadership status within EU agencies and initiatives to that of a third party.
• The most positive outcome would be a relationship in which both the EU and UK contribute to a professional, transparent and non-political cooperative model that would build on the recent agreements, while remaining open to flexible support in the future given the unpredictable and complex nature of cyber threats.
• If the relationship outcome proves operationally successful, it could be a potential model for non-EU-member entities also seeking cyber security cooperation with the EU.