Updated: 26 December 2020.
The UK and the European Union have finally delivered a deal – which some will see as a bitter end to 2020 or as a ‘Happy Brexmas’. However, what does this mean for cybersecurity? In summary – little is going to happen and it will limit the UK’s influence into the future.
In greater detail: according to a (purportedly) leaked assessment of the deal by the UK, the UK Government asked for nothing. It has also loosely offered forms of voluntary participation as detailed in the UK Government’s summary notes to the deal, available here, with the relevant text below.
In the detailed draft EU-UK ‘Trade and Cooperation Treaty’ (pp. 363 – 364) released 26 December 2020, we found some more details on how cooperation in cybersecurity will work into the future. I will step through each of the different articles in Title II: Cyber Security and offer a brief reflection.
Article CYB.1: Dialogue on cyber issues – Little more than preamble
Article CYB.2: Cooperation on cyber issues – General claims to the openness of cyberspace and third-country capacity to fight cybercrime
Article CYB.3: Cooperation with the Computer Emergency Response Team – European Union – Approval by CERT-EU is required to permit the UK CERT to cooperate – what’s interesting is its generality, covering “general threats and vulnerabilities” and other information sharing.
Article CYB.4: Participation in specific activities of the Cooperation Group established pursuant to Directive (EU) 2016/1148 – The voluntary exchange of best practices and information – crucially only by invitation of the group – with reference to NIS.
Article CYB.5: Cooperation with the EU Agency for Cybersecurity (ENISA) – Very general capacity for working with ENISA, by invitation, but this will require some form of financial contribution to be established by ENISA in the future.
… And that’s it. It is very much a bare-bones cybersecurity framework based on volunteered data and largely on invitation. I cannot see this necessarily being taken up that much – especially with any financial contribution to ENISA. This looks like an invitation to a future UK government with little expectation of participation.
This is not a surprise, as it is likely that institutions such as ENISA (the EU’s cybersecurity agency) provide little perceived additional value to the UK’s own competencies in data compared to that shared with NATO and the Five Eyes. The EU, according to the leaked document, sought to include formal links with ENISA, the NIS Coordination Group, and on CERT-EU and UK CERT Cooperation. It is now confirmed that cybersecurity participation will continue on a voluntary basis.
In summary, in some ways, cybersecurity issues were unlikely to be severely affected, unlike other more contentious data sharing, on criminal datasets for instance. This proves to be the case. So there appears to be limited immediate impact on cybersecurity from this deal.
However, it is likely to limit anything fruitful for the UK in the years to come, and whether voluntary participation will continue will depend on evolving legislation in the two jurisdictions (especially on things like the NIS Directive). The UK as a lone jurisdiction will increasingly be steered by the EU’s movements on cybersecurity and global conditions rather than being at a larger table. Although little will change in the short to medium term (apart from detailed sharing of data – which could impact immediate threats), cybersecurity is rapidly evolving, so the UK’s influence in cybersecurity will be increasingly limited, and this will force the UK into equivalence if it wishes to compete in some areas.