What does the future hold for cyber security cooperation between the UK and the EU?

• United Kingdom
• Europe

• Brexit
• Privacy, data protection and cybersecurity

08-03-2021

Thematic Cooperation on Cyber Security

Less than two of the 1449 pages of the EU-UK Trade and Co-operation Agreement (“TCA”) are devoted to cybersecurity (and then only in the context of a desire to create a framework for co-operation and allow UK limited participation in ENISA and other EU-wide cyber advisory bodies). This is despite Michel Barnier’s remarks in his speech summarising the outcome of the negotiations in respect of the aims of protecting citizens in the Single Market and building a new partnership with the UK (an“entente cordiale” rather than an “entente familiale”).

The cybersecurity provisions of the TCA appear in the section entitled “Thematic Cooperation” and amount only to vague obligations in respect of encouraging regular dialogue and cooperation between the EU and the UK “aimed at promoting and protecting an open, free, stable, peaceful and secure cyberspace based on the application of existing international law and norms for responsible State behaviour and regional cyber-confidence building measures”. This is a weakening of the previous pre-Brexit position – as the UK now sits outside the EU framework, it has no specific obligations to co-operate whilst at the same time losing the benefit of early warning around critical incidents or events that may impact on the stability of the UK’s own critical national infrastructure. Even the obligations to co-operate with the EU Agency for Cybersecurity (“ENISA”) in the TCA are limited to certain activities which make up only a part of ENISA’s regulatory mandate. With a new (more outward looking) administration in the White House, we may see more cooperation between US and UK

Adequacy in respect of Personal Data but not Critical National Infrastructure?

The fact that these provisions do not appear in the part relating to “liberalisation” of digital trade nor in the nonregression level playing field provisions is interesting in itself. Whereas the protection of personal information and data is partially dealt with in the context of what the TCA says about the EU considering an adequacy decision for the UK (under GDPR), in respect of securing critical national infrastructure we are left with this 1 page of general “collaborative” language.

Of course the protection of personal data is important, but so is the security and integrity of our hospitals, ports, airports, railways, waterways, energy sources, financial systems and drinking water.

Divergence or Assimilation? Financial and Telecoms Sectors

The silence of the TCA in other aspects is also relevant. For example, it makes no mention of participation by the UK in  the EU’s proposed digital operational resilience regime: the Digital Operational Resilience Act (or “DORA”). The Act was published in draft by the European Commission to build on existing information and communications technology risk management requirements and to establish a clearer foundation for EU financial regulators over operational resilience, including expanding their remit to bring into scope critical technology service providers, including Cloud providers. Without any mention of this regime in the TCA, there is therefore no attempt to ensure the UK and EU streamline their approaches to ensure the resilience and integrity of financial institutions (despite the best efforts of the Financial Stability Board – the “FSB”). We anticipate that we may see some regulatory arbitrage around digital resilience, as both the EU and UK vie to establish more effective regimes to regulate big tech companies and manage concentration risk (in other words the reliance of financial institutions on an increasingly small number of large Cloud service providers).

Staying with the theme of regulatory divergence, we have already seen the UK Government wanting to follow its own direction of travel in cybersecurity regulation with the publication of the Telecommunications (Security) Bill last year and we can expect to see more of our own UK policy and regime for 5G rollout, particularly with the proposed powers to remove high risk vendors from the 5G network. At the same time the current network and information systems security regulations in both the UK and the EU (based originally on an EU directive) are being reviewed. From the UK side, the UK Government has proposed technical amendments to the UK Network and Information Systems Regulations 2018 but with the aim of ensuring that the regulation remains proportionate and targeted.  From the European side, there were already differences in national implementation of the underlying Directive on Security of Network and Information Systems (Directive (EU) 2016/1148 – the “NIS Directive”) in each of the EU’s Member States, resulting in discrepancies between member states even at the level of which services were within scope. Again, there is going to be a divergence of approach here: the UK’s approach on its review is to seek to reduce the burden of the regulations by ensuring proportionality and a targeted approach, whereas the EU seeks to reduce the areas of divergence between member states and increase the scope of its regulatory reach.

What does the future hold?

Whether the co-operation between the UK and the EU suggested by the TCA will evolve into a more standardised approach to enforcement remains to be seen, but the current signals suggest otherwise. Perhaps the negotiators of the Trade and Cooperation Agreement recognised the difficulties involved in framing a response in a world where risk increases as connectivity increases (whilst at the same time trying to protect the national infrastructure of individual member states) and that a generalised framework of cooperation is perhaps the most practical outcome for now. Or perhaps they simply ran out of time to negotiate anything better.

At a global level, multinational organisations and financial institutions appear to be converging in spite of (and not because of) legislation. Standards (such as the ISO suite, NIST, SOC controls and PCI-DSS) promulgated by international standards-setting and accreditation bodies (and not governments) are commonly the benchmark used to test “what good looks like” in the absence of a consensus.

Cyber security legislation and regulation throughout the world varies significantly depending on the sophistication of the local regulators and government agencies and their ability to stay abreast of the rapidly evolving risk landscape. As such, a technology neutral, risk-based framework, which encourages early reporting of incidents and collaboration between government agencies, remains the best way to manage what is increasingly regarded as a shared risk.