In an era of heightened geopolitical tension, research security has shot to the top of policy agendas worldwide. Governments and institutions are implementing new measures intended to safeguard sensitive science against threats like espionage, theft, and undue foreign influence.
The Flagship EU Conference on Research Security, held recently in Brussels, underscored the urgency: for the first time, the European Union announced plans to anchor research security in EU law via a forthcoming European Research Area. It also confirmed proposals for a range of new support measures including a European Centre of Expertise, an international collaboration due diligence platform, and a common resilience testing methodology.
Yet amid these proactive steps lurks a critical question: are current research security frameworks genuinely reducing risk, or merely redistributing it across borders? There is growing evidence that without careful coordination, well-intentioned safeguards in one country can simply deflect threats to less-regulated arenas. In its recent note on “Research Security as a Shared Responsibility”, conference co-organiser CESAER noted the need to build resilience in Europe through “collective responsibility and trust.” It emphasised that “making a level playing field across the continent” is essential. But why should the level playing field stop there?
The waterbed effect
Across the world – and even within Europe – research security frameworks vary wildly. This fragmentation is more than just a bureaucratic quirk; it can actively undermine the intention to reduce risk. If one institution or country imposes rigorous security checks, a hostile actor can simply target a more permissive collaborator elsewhere, bypassing the tightest gate by entering through an unlocked side door.
Research managers from across European countries and beyond recently voiced a clear message through the “Stronger Cooperation, Safer Collaboration” project: divergent national approaches are creating duplication, confusion, and vulnerability in research security. Some nations have strict regulatory frameworks; others rely on informal guidelines and self-regulation, and some have yet to implement any framework at all. This disharmony forces collaborating institutions to navigate a patchwork of rules. Crucially, it creates a race to the bottom: “The first to act loses out,” as one research manager put it, meaning institutions that impose tougher controls risk losing collaborations or talent that underpin their institutions impact and financial resilience. Conversely, overly open environments risk becoming safe havens for those trying to evade stricter jurisdictions, leading to longer term losses through knowledge leakage from the same global collaborative projects.
This dynamic has played out in anecdotal reports: one trusted research manager at a research-intensive university in the UK shared that they had experienced a recent case in which a PhD candidate who had unsuccessfully appealed an Academic Technology Approval Scheme (ATAS) refusal told their UK institution not to worry, as they had received an offer from elsewhere in Europe. Colleagues elsewhere in the UK and in Denmark confirmed similar experiences – Denmark and the UK being two countries now taking a firm line on vetting international research ties.
The pattern highlights a potential unintended consequence: was the risk eliminated, or was it shifted to another institution? It raises the question as to whether early inward-facing approaches have inadvertently created a “waterbed effect”: press down on risk in one place, and it pops up elsewhere, undermining the overall goal of a safer global research environment.
Shifting risk to the Global South
The “risk transfer” phenomenon in research security isn’t just a North Atlantic or European problem. It can play out globally, often to the detriment of researchers in the Global South. Many high-income countries (such as the US, UK, Canada, Australia, and some EU states) have ramped up protections for their own institutions. This includes stricter export controls on sensitive technologies, visa vetting of foreign researchers, requirements for disclosure of overseas ties, and due diligence on international partners. But those seeking access to advanced research can respond by targeting less fortified partners in countries where such measures are not yet in place or enforced.
This dynamic means that Global South collaborators sometimes become passive recipients of risk. I spoke with Dr Palesa Natasha Mothapo, Director of Research Support and Management of Nelson Mandela University and an alumnus of the Women Advance Research Security Fellowship, who has led initiatives to engage institutions in South Africa and beyond on research security. She noted that South Africa has a thriving research and innovation ecosystem with highly sensitive research, but discussions on research security remain at a very early stage. Even so, Mothapo noted that institutions in South Africa generally benefit from greater financial security due to national investment and infrastructure and colleagues from elsewhere in the Global South feel even more exposed to the risks.
When working with international funders, institutions are often forced to accept onerous funding terms and conditions set by wealthier partners and conditions which aim to shift responsibility and liability downward. Those terms and conditions have often not been formulated fully considering the local context or capacity. For example, a major research funding agreement from a US or European sponsor might require the African or Asian sub-grantee to comply with strict cybersecurity protocols, international export-controls or vetting of staff. Lacking an equal say in drafting these terms, the partner institution does its best to comply, effectively shouldering the security burden – but it may not have the inhouse experts, resources or infrastructure that its counterparts are able to rely on. But if something goes wrong, who bears the blame or consequences? If our actions only result in shifting the blame but fail to mitigate the likelihood or consequences, they have failed altogether. This inequity can erode trust and perpetuate harm.
To counteract this erosion, changes in terms and conditions need to accompanied by the capacity strengthening, partnership and co-creation that accounts for what each collaborator values and seeks to protect. In the last three years, I have worked with researchers, research managers, innovation professionals and policy makers from over 50 different countries on capacity strengthening in research security. While the contexts vary greatly, there are still commonalities in the challenges we face and significant opportunity for cooperation and knowledge exchange. Raising standards everywhere is not a zero-sum game but creates a more stable, level playing field for all. This is the solution to truly reduce risk globally, instead of shifting it around.
Towards harmonisation and mutual support
If current research security measures risk shifting problems around, what is the remedy? The experts and stakeholders convened in Europe and elsewhere seem to converge on a key principle: harmonisation and capacity-building. Rather than each country acting in isolation (or worse, in competition) on research security, there’s a call for joint action to raise the floor globally and key actions have begun in this direction.
There is also a growing recognition that culture change is as important as policy change. The concept of research security is relatively new in academia’s culture of openness. We need to foster a culture where security is seen not as a hindrance or a nationalist agenda, but as a shared duty to protect the integrity of science. That means those implementing security must do so in a way that is transparent and respects values like academic freedom and open science.
To return to our original question: are we actually reducing risk or just shifting it elsewhere? At present, the answer is: a bit of both. The flurry of research security policies in recent years has plugged many gaps that were previously exploitable. Major economies are certainly harder targets for espionage and IP theft than they were a decade ago, thanks to these efforts.
However, as protections evolve so do threats and tactics and there is little room for complacency. Some of those same efforts have diverted actors to take different approaches, including in some cases exporting the risk to less prepared quarters, or creating new frictions in the research enterprise. A chain is only as strong as its weakest link, and right now the “chain” of global science has some weak links open to exploitation. The good news is that the solution is within reach through international cooperation.
We reduce research security risk only when we reduce it for everyone. If instead we simply push the risk around, it will eventually circle back and hit us from behind. The current trends – increased awareness, dialogue, and alignment – give reason for optimism. The UK government has indicated that international capacity strengthening will form part of their anticipated research security strategy.
The next few years will be critical in translating these insights into practice. If we succeed, we will be on track to celebrate a genuinely safer, more collaborative global research environment – one where risk is tackled collectively, not passed like a hot potato.