Brexit v. EU: A Cybersecurity Perspective

The rather surprising outcome of the UK referendum today has emotions running high: shock, glee, anger, fear. But perhaps the predominant feeling is uncertainty. After 43 years of inclusion, the UK is the first country to decide to leave the European Union definitively. As such, the blowout for the British government, the private sector and the population as a whole is as yet unknown. Many believe the departure will have negative repercussions, and a great deal will depend on the UK’s ability to negotiate new terms and conditions on numerous subjects with the EU and other countries around the world.

More specifically for cybersecurity, what does this mean for the upcoming GDPR and NIS Directive which will be formalized over the next few years? Currently, all EU laws still apply in the UK; at least over the course of the next two years as the UK untangles itself from the Union. However, the UK will need to determine not only whether they will (unilaterally) implement similar legislation in the future, but also decide whether to retroactively repeal or keep all past EU legislation adopted to date. This includes a fair few instruments.

The EU's first forays into addressing information security were with the directives on e-Commerce and Data Protection in the early 2000s. The EU Directive on Data Retention followed in 2006.  These three directives lay down the framework for securing information services and data stored using electronic communications systems. Specifically regarding cybercrime, the EU proposed a Council Framework Decision in 2005 on attacks against information systems which was later implemented as Directive on Attacks against Information Systems, adopted in August 2013.  The UK has adapted all of these in some shape or form into national legislation.

The UK will have to rule on the continued applicability of these instruments, as well as how they will address the incoming GDPR and NIS Directive.  It is likely that the UK will not substantially alter existing legislation, as this may potentially jeopardize how UK organizations deal with clients and customers not just in Britain but in the rest of the EU. Going forward, both the GDPR and the NIS Directive state that operators and data controllers will be covered by the legislative requirements if they operate within EU markets and involve EU citizens. Seeing the high level of trade that the open market has brought in the UK in the past 4 decades, many UK organizations will need to comply if they want to continue trading and operating in EU markets. The UK will likely adopt national legislation in line with both instruments.  

In addition to legislation, the UK will need to review its role within EU law enforcement and information security agencies notably the European Police Office (Europol) and the European Union Agency for Network and Information Security (ENISA). The Union has bolstered efforts recent years with the publication of the EU Cyber Security Strategy and the creation of the European Cybercrime Centre (EC3) within Europol in 2013. EC3 has become the focal point in the EU’s fight against cybercrime, supporting member states and EU institutions in building operational and analytical capacity for investigations and cooperation with international partners.  The UK’s involvement in these institutions will again depend on the country’s ability to negotiate favorable terms regarding its role. Organized online criminal activities are undeniably best tackled from a cooperative, supra-national perspective, and the UK’s isolation that may result from Brexit would be an unwelcome development in the fight against cybercrime.  Further to this, new cybersecurity information and asset sharing structures will need to be put in place between the EU and the UK.

It is likely that the UK will continue in a similar direction as the rest of the EU with regards to cybersecurity and cybercrime. However, there may be a dampening impact on the country with regards to the skills pool. The tech industry, and cybersecurity notably, is experiencing a painful shortage of professionals. By opting out of the single market, and free movement of people, the UK’s labor pool will shrink considerably. Again, the outcome of negotiations with the EU as to the single market will largely determine the availability of an EU-wide labor pool. However, current uncertainty may drive cybersecurity firms to relocate in other EU countries in the meantime. While the UK government has placed significant investments in the cybersecurity startup scene in the past few years, it is also uncertain whether this funding will continue to be allocated to EU and UK firms indiscriminately as it has in the past. Much as the UK Annual Cybersecurity Challenge is reserved for British participants only, it would be unfortunate, and detrimental to the cybersecurity industry in the long run, for the UK to take a similar direction with these currently highly successful investment projects.   

The stakes are high for the UK overall. As regards cybersecurity policy and law, the UK will likely align with the EU vision going forward. Cybersecurity is too important, and cybercrime too pervasive, for the UK to take an isolationist approach to the matter. It is highly possible that Brexit may have a negative impact on the UK cybersecurity industry however in the short term, pending successful negotiations for favorable market conditions with the EU.