Mobility of researchers

The mobility of research staff—whether incoming or outgoing—is one of the most visible and valued forms of scientific cooperation. For the individual moving, it means access to new techniques, groups, and networks; for the receiving institution, it is an opportunity to incorporate talent and strengthen its capabilities. In Spain, a significant part of a research career is built precisely by linking these mobility experiences, both within Europe and with third countries.
However, from a research security perspective, mobility involves more than just managing visas or administrative procedures. Every extended stay, every invitation, and every flow of foreign personnel to laboratories and research groups inevitably entails knowledge sharing, access to infrastructure, and the building of trust.
If security aspects are not taken into account, this mobility can become a silent avenue for knowledge transfer, as well as a space where pressures are exerted or attempts are made to recruit talent for purposes that go beyond legitimate scientific cooperation.
The mobility of research staff has two complementary perspectives: when a Spanish institution receives foreign researchers, and when its own staff move to institutions abroad. In both cases, the objective is not to restrict mobility, but to ensure that it develops in an informed and proportionate manner, aligned with the protection of projects, data, and strategic capabilities.
This section focuses on how to incorporate the security dimension into mobility management in a proportionate way: what to have depending on whether you are a researcher, institution or funder, and how to continue moving without leaving your work or that of your environment unprotected.
- Reception of research staff
When a university, public research institution, or technology center in Spain hosts foreign researchers—whether for a short stay, a postdoctoral position, joint doctoral supervision, or a one-off collaboration—it opens the doors of its laboratories, its data, and its internal processes to someone who, by definition, brings with them a different institutional affiliation and a different legal and geopolitical context. From an academic perspective, this is positive: it allows knowledge to circulate and enables research groups in Spain to better connect with the international frontiers of their discipline. But from a research security standpoint, it also means that this person may have access to advanced techniques, information on ongoing projects, or unique infrastructure that could be of interest to others.
In this context, the host institution has a responsibility to consider not only whether the person is a scientifically suitable fit, but also what level of access is granted, what information they truly need to carry out their work, and what minimum safeguards should be in place (e.g., confidentiality agreements, limitations on physical and digital access, and clear documentation of the stay and its objectives). For research teams hosting these individuals, this translates into small changes in practice: thinking before granting “default” access to the entire laboratory, clearly explaining what can and cannot be shared, and knowing who to contact if any concerns arise during the stay. For funders, hosting international staff may, in some cases, require additional conditions on grants or projects, particularly in sensitive areas.
Warning signs
The main risk is that visiting staff may obtain information or capabilities beyond what is necessary for their work. Some warning signs include:
- The visitor requests extensive access to multiple laboratories without clear justification.
- He repeatedly asks very detailed questions about other projects.
- It shows a disproportionate interest in scientific infrastructure or equipment.
- Attempts to access shared systems or folders without prior authorization
- The institution of origin has opaque ties to governments, military companies, or sanctioned entities.
Aspects to consider
When a Spanish institution hosts foreign researchers, the core risk lies in the fact that these individuals gain visibility into the institution's inner workings: what projects are underway, what equipment or infrastructure exists, what data is handled, and what technical capabilities are mastered. This doesn't mean that every visitor is problematic, but rather that it's important to avoid the assumption that "the more access, the better," and instead adopt a more deliberate approach: granting access based on what they truly need to achieve the objectives of their stay.
When assessing the necessary security requirements for receiving research personnel, both the institution and the research group should ask themselves three questions:
- What does this person need to see and access in order to do their job well?
- What information, spaces, and systems should be kept out of their reach because they add risks and are not strictly necessary?
- Who within the institution is responsible for authorizing and reviewing that level of access?
Good practices
- The stay has scientific objectives defined in writing.
- An assessment has been made of whether the group, the projects involved, or the associated infrastructures are sensitive.
- Physical access has been specifically configured for that person.
- Digital access is limited to what you need for work.
- The person has received clear instructions regarding confidentiality and use of data and information.
- There is an identified contact person to handle any questions or incidents during your stay.
A non-EU doctoral student in nanotechnology arrives at a Spanish university for a six-month stay with a leading 2D materials research group. He is given unrestricted access to the laboratory and the group's shared servers. During his stay, he copies detailed synthesis and characterization protocols, as well as photographs of the equipment. Three months later, an institute in his home country publishes an article with identical results, citing a "general" collaboration but without specifically mentioning the Spanish group or acknowledging his access to specific techniques.
- Mobility to institutions abroad
When staff from a Spanish institution travel abroad—for a postdoctoral stay, a research visit, a temporary contract, or a rotation at a company or center in another country—the situation is reversed: the individual carries with them techniques, accumulated knowledge, information about projects, and sometimes remote access to systems or data from their home institution. From the perspective of a scientific career, these experiences are valuable and often necessary; from the perspective of research security, they are times when knowledge generated in Spain is more vulnerable to being observed, copied, or influenced.
The key here is that both the visiting researcher and their home institution clearly understand what they will be taking, what they will have access to, and what boundaries they must respect. Before a mobility period, it's advisable to identify whether the researcher's work is linked to projects with sensitive components, whether they will be collaborating with entities located in high-risk countries or contexts, and what the implications might be of sharing certain technical details without filtering. The institution can establish simple guidelines—such as how to manage remote access to its systems, or what to do if uncomfortable situations or pressures arise during the stay—that allow the researcher to fully benefit from the opportunity without being left unprotected.
Warning signs
When traveling abroad, the main risks can come from inadvertently sharing sensitive information or being subjected to pressure. Some warning signs may include:
- Offer of disproportionate work incentives, conditional on specific information.
- Request for access to data or systems of your Spanish institution.
- Insistence on prematurely publishing joint results
- Pressure to openly criticize your home institution.
Aspects to consider
When staff from a Spanish institution are transferred to another entity abroad, the focus shifts to what the person "carries" and what they might share: technical knowledge, information on ongoing projects, an insider's perspective on their unit's or institution's capabilities, and sometimes remote access to source systems and data. Again, the aim is not to be suspicious of the destination, but to help the relocating staff understand that certain details or practices that don't pose a risk in their usual environment may be interpreted differently in other contexts.
Before undertaking the mobility program, the outgoing person should discuss the following issues with the services of their institution:
- Is the researcher working on sensitive projects? Considering content, partners, funding, dual-use, etc.
- What information and materials will you be taking with you (data, code, internal documentation, presentations)?
- What type of relationship is established with the destination entity (structured collaboration, access to critical infrastructure, possible job continuity, etc.) and what implications would sharing certain information have?
Good practices
From there, the institution can establish simple guidelines: what not to carry on personal devices, how to configure remote access (for example, only to specific repositories or services, using secure channels), and what to do if, during their stay, they are asked for information or access that raises concerns. The goal is for staff to move around with confidence, knowing they have institutional support, and not be forced to make decisions alone in potentially sensitive situations.
- It has been reviewed whether the outgoing person's current work is carried out in sensitive projects or areas.
- It has been agreed what information and materials are taken, and on what media.
- Remote access to the institution's systems is configured securely and limited to what is essential.
- The outgoing person knows the basic guidelines on what type of information not to share.
- A point of contact has been agreed upon at the home institution to ask questions or report worrying situations during the stay.
- Upon returning from the stay, a brief debriefing is conducted with the services of the Spanish institution.
A Spanish researcher in artificial intelligence undertakes a nine-month postdoctoral fellowship at a prestigious university outside the European Union. During her stay, she receives a very attractive job offer, conditional on her sharing access to a dataset repository at her Spanish institution for "joint validation." She shares limited credentials, but these allow the download of 40GB of unpublished training data. The Spanish institution detects the anomalous activity two months later, after the models have already been replicated in a parallel project abroad.