As you know, the news headlines over the past couple of weeks have been dominated by Brexit: the U.K.’s decision to leave the European Union (EU). But what does Brexit mean for information security in general, and cybersecurity in particular?
From my perspective, it means the forces of innovation and the global digital economy have lost their strongest advocate in the halls of EU institutions. Whether it was the Network and Information Security Directive or the General Data Protection Regulation – both of which are scheduled to take effect in 2018 – the Brits were the most market-based voice, working hard to temper the stronger, more regulatory ‘urges’ of many other EU members on cyber issues. While both of these new pieces of legislation will impose some additional regulations on enterprise networks, they would have been much more complex without the influence of the U.K.
The U.K. voice will also be lost in the implementation stages of these pieces of legislation. On the national security side, the impact may not be as obvious, because national security issues are reserved for individual EU members, not the full EU Commission. However, even in this situation, the U.K. was helpful. For example, when certain EU members proposed regulation of commercial networks that would have impacted national security networks, the U.K. tempered this by urging the Commission to incorporate provisions that would look to international standards when determining minimum security standards.
Brexit will also impact the Transatlantic Trade and Investment Partnership (TTIP). Security and privacy issues haven’t yet been introduced in this pending deal, as the non-regulatory U.S. won’t cede to the regulatory EU, and vice versa. However, the loss of the U.K.’s market-based voice in this discussion might impact the final deal.
Will Brexit lead to an even more regulated approach to cybersecurity from Brussels? For now, there’s no way of knowing. We’ll have to wait and see.