Recent actions by the US administration make multilateral cybersecurity coordination between that government and others less certain in the future. What does this mean for boards struggling to get their arms around cybersecurity and compliance risk?

In January, the Trump administration withdrew the US from 66 international organisations. These included three with clear cybersecurity mandates: the Global Forum on Cyber Expertise, Freedom Online Coalition, and European Centre of Excellence for Countering Hybrid Threats.

These groups help coordinate cyber policy, share expertise, and support cross-border incident response. Two were initiatives the US helped establish. Leaving them signals a more inward-facing cybersecurity posture and raises questions about how much international collaboration will continue to underpin cyber governance.

This is not the administration’s first move affecting cyber cooperation. Earlier decisions saw staff reductions at CISA and changes to some of its operational priorities, which inevitably affect its capacity for international engagement.

For businesses operating across the US, UK and Europe, the issue is less about any individual decision and more about what it signals: a gradual shift toward a more fragmented, regionally driven cybersecurity environment.

The Challenge For Coordinated Incident Response

Multilateral frameworks provide the connective tissue for intelligence sharing between national cybersecurity authorities. That infrastructure becomes especially important during large-scale incidents that cross borders.

When crises hit, national CERTs and cybersecurity agencies manage domestic response. But complex cyber incidents often affect multiple jurisdictions simultaneously, requiring coordination at the regional or international level.

Agreements such as the ENISA–CISA cooperation arrangement signed in late 2023 were designed to strengthen transatlantic coordination during major incidents. With the geopolitical environment shifting, the durability of these arrangements is less certain.

Major cyber incidents already strain the response capacity of individual states. Cross-border events rely on cooperation between national authorities and regional institutions.

UK and EU organisations will likely assume a greater share of that coordination role. The EU Cyber Blueprint, adopted last June, enhances crisis coordination at both political and technical levels. ENISA already has a mandate to support and coordinate responses to significant cross-border incidents.

In the UK, the NCSC manages cross-government coordination for major cyber incidents and can work directly with affected organisations on response and communication.

The infrastructure for international cooperation still exists. The question is whether it scales effectively in a more regionally fragmented environment, particularly if US participation in multilateral coordination becomes less central.

Expect Regulatory Divergence

That fragmentation also applies to regulation. US, UK, and EU cyber regulations have never been fully aligned. But as geopolitical priorities diverge, so too may regulatory expectations.

Multilateral forums previously helped smooth those differences by creating spaces for coordination. Without that alignment, regulatory frameworks are likely to drift further apart, particularly around incident disclosure timelines, breach notification thresholds, and what counts as ‘significant.’

The EU has moved furthest toward prescriptive, cross-sectoral mandatory regulation. NIS 2 covers 18 critical sectors and imposes 24-hour early warning and 72-hour incident notification, with fines of up to €10 million or 2% of global turnover.

The US regulatory environment is evolving in a different direction. The Trump administration’s approach is largely deregulatory. The SEC’s cybersecurity disclosure rules face political opposition, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has been delayed, and there is no federal privacy law.

For multinational organisations, the result is a more complicated compliance landscape.

Companies may need to build parallel compliance programmes to cover multiple jurisdictions or accept greater exposure to local enforcement risk. Organisations operating across the US, UK and EU will need to navigate increasingly distinct regulatory expectations.

Supply Chain and Third-Party Risk

Third-party risk management was already an ongoing challenge, but the less that nation-states collaborate on best practices and protections, the more complex it becomes.

The EU Cyber Resilience Act will mandate software bills of materials (SBOMs) for all products with digital elements sold into the EU. The Digital Operational Resilience Act (DORA) adds another layer by giving EU regulators direct oversight of critical ICT providers, including US cloud companies serving EU financial institutions.

The proposed EU Cybersecurity Act 2 goes further, introducing supply chain security frameworks specifically targeting third-country supplier risk.

Meanwhile, the US approach is narrower, applying SBOMs primarily to federal procurement under EO 14028. The UK has no legislative equivalent.

The result is three major markets operating under increasingly different product security expectations.

A US company selling software into Europe faces product-level compliance obligations its domestic regulatory environment does not prepare it for. Without strong international coordination mechanisms, businesses themselves must manage that complexity.

Why This Makes ISO 27001 More Valuable

All of this means that corporate playbooks need updating. The smart money is betting on jurisdiction-agnostic frameworks. ISO 27001 suddenly looks prescient, because it translates across borders. Five controls in the 2022 version specifically address third-party security, reflecting the growing importance of vendor assurance.

Perhaps more importantly, regulators from Singapore to Stockholm recognise it. While it does not replace jurisdiction-specific compliance requirements, it provides a consistent foundation organisations can use to manage security across multiple regulatory environments.

In a fragmented governance landscape, that consistency becomes strategically useful.

A Board-Level Risk, Not Just a Diplomatic One

For boards, the withdrawal from international cyber cooperation frameworks may not represent an immediate operational threat. But it does point to a structural shift in how global cybersecurity governance is evolving.

Cyber cooperation between governments has long helped reduce regulatory divergence, improve crisis coordination and create shared expectations around security practices.

As those mechanisms weaken or evolve, businesses face greater responsibility for maintaining resilience, interoperability and supply chain assurance themselves.

Global cybersecurity does not collapse when one major actor steps back from multilateral engagement. But it does become more complex.

And for organisations operating across the US, UK and Europe, complexity is risk, one that must increasingly be managed within the enterprise rather than assumed to be stabilised by international coordination.