The three Ps – why partners, procurement and pivot are the key focuses for cyber policy


The UK and EU face a defining challenge—and opportunity—as they chart their digital economic futures. How can we unlock the full value of transformative technologies like AI, quantum computing, and cloud infrastructure while managing the growing tide of cyber threats?

The answer lies not in choosing between innovation and regulation, but in reimagining cybersecurity policy as a strategic lever for economic growth.

Today, trust in digital systems is a prerequisite for digital transformation. From small businesses to multinational firms, no organization can scale without confidence in the security of its infrastructure.

However, trust doesn’t emerge on its own—it’s built through smart, risk-informed policy. That’s why cybersecurity must be at the center of economic strategy, not an afterthought to it.

Sabeen Malik

VP of Global Government Affairs and Public Policy at Rapid7.

Growing recognition

Across the UK and Europe, there’s growing recognition of this link. For example, the UK’s Cyber Security and Resilience Bill positions cyber readiness as a core part of economic resilience. The EU’s cybersecurity policies also explicitly support digital skills, market development, and cross-border data flows.

But to truly crystalize this moment, a clearer statement of how these policies are being designed to meet the moment is needed from government officials.

I recently attended the RSA Conference in the US and then travelled across both the UK and EU. Speaking with a variety of policymakers in different regions reminded me of the need we have to focus on partnerships, procurement and pivot in our cyber policy frameworks. I call these the “three Ps.”

Partnerships – Getting governments and the private sector on the same side of the table

High profile attacks such as those on the NHS, retailers and TfL over the past year have really brought into focus the impact cyberattacks can have on the wider population, and how fragile our digital systems are.

Cyber threats and how cyber policy can protect AI, cloud systems, and critical infrastructure were among the top concerns in every conversation I had with government stakeholders across the UK and EU.

To deliver cyber policy, however, governments and industry must sit on the same side of the table, working together to reduce systemic risk; cybersecurity cannot be delivered top-down. This means moving beyond passive compliance checklists toward dynamic, data-driven collaboration.

Private sector businesses often possess advanced technological capabilities and gather vast amounts of data through their daily operations, offering invaluable insights into emerging cyber threats.

Government agencies, on the other hand, bring a broader geopolitical and strategic understanding that helps interpret private sector data within the context of national and international security threats.

Bringing the government’s geopolitical context and regulatory levers together with the private sector’s technical capabilities and real-time intelligence creates far more effective policies and faster threat responses.

Governments need to go beyond self-attested best practices and design partnerships that actively analyze the data gathered to identify which behaviors and deterrents actually work within a nation’s unique risk environment.

For small and medium-sized businesses in particular, clear, practical guidance shaped in collaboration is often the difference between resilience and risk exposure.

Some governments are doing better than others in recognizing the ability to translate complex policy goals into actionable, plain-speak directives, but this needs more intentional thought and design.

Procurement – Building success for the future

Economic growth will increasingly depend on digital infrastructure. For example, this year the UK government announced the AI Opportunities Action Plan and a £121 million investment boost for quantum technology. At the core of both announcements was how AI and quantum support the government’s economic mission.

Cybersecurity also plays a foundational role in the creation of resilient economic strategies. However, similar to intelligence sharing between the public and private sectors, the two parties often develop capabilities in silos that don’t work together. This leads to gaps in terms of the capabilities governments need and the solutions available to them on the market.

Cyber policy should guide how governments buy, fund, and signal the technologies they want to see in the market. This essentially means thinking about how the systems you build today will support success tomorrow.

We’re seeing governments improve in this area. The NCSC’s guidance on post-quantum cryptography, for instance, is a great example of future-focused leadership. While we don’t yet know when the "quantum year" will arrive, it’s encouraging to see progress and growing awareness that organizations need to be ready.

However, this alone is not enough. More incentives are needed to signal this as a priority for the private sector. Remember, procurement isn’t just a back-office function—it’s an economic strategy.

Research and Development (R&D) projects are an effective way to encourage collaboration and build momentum, and this is particularly needed in AI.

Britain, for instance, has some of the best universities and R&D centers in the world but loses talent to better-funded AI hubs. Governments have to create a long-term AI skills and R&D strategy that not only develops expertise but retains it.

Pivot! Pivot! Pivot!

In many of my conversations, stakeholders repeatedly used the word “pivot.” I was intrigued as to why this word came up so often. When pressed, I learned that what they really meant was “review.”

This is because not all regulations age well. You just have to look at the growing calls to review the Computer Misuse Act, for example. There’s a growing recognition across the UK and EU that some aspects of tech policy and investment need reviewing.

Some cybersecurity rules, though well-intentioned, may add a compliance burden—which in itself is a risk—without reducing actual cyber or business risk. Software misconfigurations, third-party supply chain risks, and emerging threats are not always addressed by the ever-growing complexity of overlapping regulations and rules designed to manage cyber risk.

This isn’t particularly new—we’ve long debated the balance between regulation and building trusted partnerships. While we want to open new frontiers for investment and innovation, it shouldn’t come at the expense of public trust.

However, this age-old argument is starting to shift. There’s greater recognition that the best way to maintain public trust isn’t necessarily through universal regulations, but through considered trade-offs.

Policymakers must be willing to pivot—reviewing what’s working, sunsetting what isn’t, and designing regulation that is adaptive, risk-based, and innovation-friendly.

The key is balance. Governments have to keep in mind the overall goal of policy: understanding the security of systems, minimizing the impact on resilience, and ensuring long-term economic growth.

Cyber is at the forefront of policy

Although I’ve had many different conversations with decision-makers, what struck me most was that security is no longer an afterthought; it’s now a central focus for governments.

From a private sector standpoint, cybersecurity is no longer a cost of doing business—it’s a condition for doing business. And it’s a competitive advantage waiting to be seized.

If the UK and EU want to continue enabling the next era of digital growth, they must address cybersecurity policies as a suite of policies that enable economic growth, focusing on partnerships and procurement, and having the courage to pivot when necessary.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
