Last week, the Department for Digital, Culture, Media & Sport issued a Call for Views on the certification scheme currently anticipated by Regulation (EU) 2019/881 (the Cybersecurity Act) after Brexit. The closing date for responses has been extended to 15 October 2019. In the issued document, the UK Government proposes to maintain “a close relationship with the EU on cyber security following our departure from the EU, and will seek to cooperate on approaches to cyber security certification with the EU”.
The current legislation under the EU regulation sets out a cyber security framework for ICT products, services and processes. Recital 43 of the preamble to the act outlines the principles behind the activities of ENISA (the European Union Agency for Network and Information Security), including the management of the European Cybersecurity Certification Framework. These principles include “inclusivity, reciprocity and the decision-making autonomy of the Union, without prejudice to the specific character of the security and defence policy of any Member State”. These principles rightly frame extended cooperation in the face of cyber threats as a desirable goal for countries to achieve through mutual recognition.
In contrast, despite the assurance that the UK seeks greater cooperation at the beginning of the proposals in the Call for Views, the proposal goes on to identify four principles in future certification schemes that only partially align with this goal, namely: improved cyber security in the UK, meeting UK consumer need, providing economic advantage to the UK, and transparency.
Even though the certification schemes that are envisaged are said to be voluntary, this is nevertheless going to be of key importance for companies that provide products and services which are within the scope of such certification. It is envisaged that compliant products and services will be able to be labelled as such which, as the public and business become more cyber savvy, may start to influence the market share of companies whose products and services cannot apply those labels through non-compliance. This consultation is therefore likely to be of interest to a wide range of companies offering a wide range of ICT-enabled products and services.
The proposal clearly outlines the strategic importance of cyber security in the digital sector – from emerging technologies such as automated cars to established market realities like the global supply chain, and emphasises the commitment to that, even post-Brexit.