September 23, 2019

The EU Cyber Security Act entered into force on 27 June 2019. The Act establishes a cyber security certification framework under which EU-wide cyber security certification schemes will be developed and implemented in future.

The Government says that it is “committed to maintaining a close relationship with the EU on cyber security following our departure from the EU, and will seek to cooperate on approaches to cyber security certification with the EU”.

The Government understands that there is provision under the EU Cyber Security Act for the EU and the UK (as a third country after Brexit) to mutually recognise one another’s cyber security certification schemes, meaning that UK issued certificates would serve the same purpose in EU markets as EU issued certificates and vice versa.

The UK will therefore seek to enter into negotiations with the EU on mutual recognition arrangements under the terms set out by those schemes, where it seems reasonable to do so and subject to agreement with the EU.

The Government wants to work with experts and industry on the potential for entering into such arrangements for future certification schemes, as and when they are proposed, through stakeholder consultation groups that will consider each scheme on a sector-by-sector basis.

The Government proposes that the UK would look to ensure that the following principles are applied when determining its approach to each EU scheme proposal:

• the EU scheme proposal would contribute to better cyber security in the UK: the proposal to introduce any EU cyber security certification must be assessed by the relevant UK Government authority and the NCSC to be in the interests of improved cyber security;
• the EU scheme proposal meets a consumer need: there is a clear demand from UK consumers of the certified product, service or process for the UK to engage in the scheme;
• the EU scheme proposal provides economic advantage to UK business: the UK will hold the interests of UK business paramount. The Government will work to ensure that a cost benefit analysis shows an evidence based economic benefit to UK business; and
• the EU scheme proposal must be open and transparent: open and transparent approaches are an essential way of improving global cyber security. The UK will only engage where it believes this to be the case.

It is the understanding of the UK Government that even if the UK does not engage or develop a mutual recognition approach for a specific EU scheme, this will not necessarily preclude UK companies from gaining EU certification for their products or services via an EU Member State. This will depend on the conditions set out within each individual scheme.

The Government is seeking views on this proposed approach together with any supporting evidence. The deadline for response is 8 October 2019. For further information and details on how to respond, click here.