UK not ready to say goodbye to EU cyber certification

Cyber certification is seen by many as an important tool in raising security standards and increasing public confidence in the digital, and data, economy. The EU's new Cyber Security Act ('the Act'), which entered into force last June, establishes a cyber security certification framework under which EU-wide certification schemes can be developed and implemented in a harmonised way that prevents unnecessary market fragmentation. The UK Government was actively engaged in the development of the Act, and confirmed in its consultation on cyber certification post-Brexit that it wants to stay involved in the process. It stated that the UK is "committed to maintaining a close relationship with the EU on cyber security following [its] departure from the EU, and will seek to cooperate on approaches to cyber security certification with the EU."

The Government's response to this consultation was published just before Christmas. It confirmed that respondents were generally supportive of the Government's approach, which states that:

• the EU recognises the multi-national nature of cyber security (global supply chains etc.) and the Act therefore makes provision for mutual recognition arrangements on specific cyber certification schemes to be agreed with third countries (such as a post-Brexit UK);
• the UK understands that there is provision in the Act for the UK and EU to mutually recognise one another's cyber security certification schemes (so UK issued certificates would be recognised in the EU and vice versa), and the UK will seek to enter into negotiations with the EU where it seems reasonable to do so (subject, obviously, to agreement with the EU); and
• the UK Government, like its EU counterparts, will consult with stakeholders prior to submitting a scheme to the EU, and has set out a number of principles which would be applied when determining its approach to each EU scheme proposal (for example, that the scheme would contribute to better cyber security in the UK and meet a consumer need).

There does seem to be a desire in the UK to align cyber certification schemes with the EU's certification framework, to limit the risk of regulatory divergence (which often results in increased costs and risks for business) and prevent unnecessary market fragmentation. How willing the EU will be to negotiate with the UK may, however, be influenced by the wider Brexit trade negotiations. Also, no certification schemes have yet been established using the Act's new framework and we will therefore need to wait to see how successfully it works in practice.