The government has asked cyber security stakeholders for input on the UK’s future approach to security certification after Brexit, setting out a proposal under which the UK would remain closely aligned with European Union (EU) policy in this area.
The EU’s Cyber Security Act, which gives the EU cyber security agency Enisa a permanent mandate and a central role in certification, came into force on 27 June 2019. As an EU regulation it applies directly in the UK for as long as the UK remains a member state, but after Brexit, currently scheduled for 31 October 2019, the UK will no longer be bound by it.
The goal of the EU legislation – which, like much European law, was heavily influenced and steered by the UK at all stages of its development – is to harmonise the security certification schemes operated across the bloc, strengthening the Digital Single Market and increasing trust for users of ICT products, services and processes.
It rests on the principle that the Digital Single Market can thrive only if there is general trust that digital processes, products and services provide a defined level of security. The act does not itself introduce operational certification schemes; it creates a framework under which European certification schemes can be drawn up, with certificates issued under a scheme in one member state recognised in all of them. Certification under the framework is voluntary unless other EU or national law makes it mandatory.
“The UK is committed to maintaining a close relationship with the EU on cyber security following our departure from the EU, and will seek to cooperate on approaches to cyber security certification with the EU,” said the government in its call to action.
“The EU recognises in the Cyber Security Act that supply chains are global and that the introduction of certification schemes should seek to reduce market fragmentation. The regulation therefore makes provision for mutual recognition arrangements on specific schemes to be agreed with third countries, with cyber security certification schemes implemented under the framework specifying conditions for such agreements.
“It is the UK’s understanding that such arrangements would mean that there is provision within the act for the UK and the EU to mutually recognise one another’s cyber security certification schemes, meaning that UK-issued certificates would serve the same purpose in EU markets as EU-issued certificates, and vice versa.”
To this end, the government wants to open negotiations with Brussels on establishing mutual recognition arrangements for security certification on that basis, where reasonable.
Since the EU framework provides for stakeholder consultation when schemes are drawn up, the government has proposed that the UK consult in the same way. The process will be led by the Department for Digital, Culture, Media and Sport (DCMS), alongside any other relevant departments.
It set out four key principles for deciding whether the UK should engage with a given EU certification scheme. First, the relevant authorities and the National Cyber Security Centre (NCSC) must assess the scheme as contributing to improvements in cyber security in the UK; second, there must be a clear need or demand from UK consumers of certified processes, products or services for the UK to engage in the scheme; third, there must be an economic benefit to UK businesses; and finally, the scheme must be open and transparent.
Martin Smith, conference chair of the Cyber Security Connect UK Forum, and chair and founder of the Security Awareness Special Interest Group (Sasig), called on stakeholders to take the opportunity to reinforce the importance of retaining high security standards after Brexit.
“As the data economy and IoT [internet of things] continues to thrive, we must ensure that the general public have trust in the products, services and processes that businesses and government agencies provide,” said Smith.
“It is paramount that the level of cyber security remains robust enough to ensure that our digital economy continues to function safely and securely. I would encourage all cyber security professionals to bring the key issues to the attention of the government.”
The DCMS consultation will close on 8 October 2019.