UK Government consults on EU cybersecurity certification

The Government is seeking input on its future relationship with the EU on cybersecurity.

Background: The EU Cybersecurity Act entered into force on 27 June 2019. It is a Regulation which, among other provisions, establishes a cybersecurity certification framework led by the European cybersecurity agency ENISA. Under the framework, EU-wide cybersecurity certification schemes will be developed and implemented in the future, though they will not replace national schemes.

What happens in the UK? With the country poised to leave the European Union, the UK Government is now exploring ways to cooperate on approaches to cybersecurity certification with the EU. The UK will therefore seek to enter into negotiations with the EU on mutual recognition arrangements, subject to agreement with the EU. To this end, this week the Government has published a ‘Call For Views’ on its proposed approach to the future relationship with the EU on cybersecurity, and on the implementation of an EU certification scheme. It proposes a test on four principles: that the scheme contributes to better cybersecurity in the UK; that it meets a consumer need; that it provides economic advantage to UK businesses; and that it must be open and transparent. The Government’s initial stance is that, should the UK not develop a mutual recognition approach for a specific EU scheme, this will not necessarily preclude UK companies from gaining EU certification via an EU member state. This will depend on the conditions set out within each individual scheme.

Next steps: The consultation is open until 8 October 2019. Respondents are invited to share their views on the Government’s approach, along with any supporting evidence.