DCMS Publish Call for Views on EU Cybersecurity Act

Friday 13 Sep 2019 @ 08:05
techUK

Call for Views published on the UK's proposed approach to cyber security certification following the UK’s departure from the EU

The Department for Digital, Culture, Media and Sport (DCMS) has published a Call for Views on the UK’s proposed approach to cyber security certification, as currently regulated under the EU Cybersecurity Act, following the UK’s departure from the EU.

Background

The EU Cyber Security Act entered into force on 27th June 2019. It provides the EU Cyber Security Agency (ENISA) with a strengthened and permanent mandate and establishes a cyber security certification framework under which EU-wide cyber security certification schemes will be developed and implemented.

The UK has previously operated a number of assurance schemes involving certification, such as Common Criteria and Commercial Product Assurance, and also participates in two mutual recognition arrangements which are based on Common Criteria, including CCRA and SOG-IS MRA.

The EU Cyber Security Act looks to harmonise those certification schemes operated within the EU. The Act does not introduce directly operational certification schemes but creates a framework which allows voluntary cyber security certification schemes to be established and recognised across the EU.

These certification schemes would attest that the ICT products, services and processes that have been evaluated comply with specified security requirements. Connected and automated cars, electronic medical devices, industrial automation control systems and smart grids are provided as some examples of sectors in which certification is already widely used or is likely to be used in the near future.

The framework requires that each certification scheme:

is designed to achieve a number of security objectives as set out in the Act
may specify one or more assurance levels (basic, substantial, high)
may allow for conformity self-assessment
includes a number of other elements such as: scope, reference to standards, evaluation criteria, conditions for marks or labels, rules concerning vulnerability disclosure, validity period, conditions for mutual recognition with third countries
provides supplementary cybersecurity information as set out in the Act

The UK’s Proposed Approach

The UK is committed to maintaining a close relationship with the EU on cyber security following our departure from the EU and will seek to cooperate on approaches to cyber security certification with the EU.

The EU recognises in the Cyber Security Act that supply chains are global and that the introduction of certification schemes should seek to reduce market fragmentation. The Regulation therefore makes provision for mutual recognition arrangements on specific schemes to be agreed with third countries, with cyber security certification schemes implemented under the framework specifying conditions for such agreements.

It is the UK’s understanding that such arrangements would mean that there is provision within the Act for the UK and the EU to mutually recognise one another’s cyber security certification schemes, meaning that UK issued certificates would serve the same purpose in EU markets as EU issued certificates and vice versa.

The UK will therefore seek to enter into negotiations with the EU on mutual recognition arrangements under the terms set out by those schemes. The UK would look to work with experts and industry on the potential for entering into such arrangements for future certification schemes, as and when they are proposed, through its own stakeholder consultation groups which will consider each scheme on a sector by sector basis.

It is proposed that the UK would look to ensure that the following principles are applied when determining its approach to each EU scheme proposal:

that the proposed EU scheme has been assessed by the relevant UK Government authority and the NCSC to be in the interests of improved cyber security
that it meets a consumer need and there is clear demand from UK consumers of the certified product, service or process for the UK to engage in the scheme
that is provides economic advantage to UK business, with a cost benefit analysis showing an evidence based economic benefit to UK business
that the proposed scheme is open and transparent

It is the understanding of the UK Government that even if the UK does not engage or develop a mutual recognition approach for a specific EU scheme this will not necessarily preclude UK companies from gaining EU certification for their products or services via an EU member state. This will depend on the conditions set out within each individual scheme.

The Government is seeking views on this proposed approach and techUK will be responding on behalf of its members. If you have any views or supporting evidence to this approach, please send them in to Dan Patefield (dan.patefield@techuk.org) by the close of play on Monday 30 September.

Channel website: http://www.techuk.org/

Original article link: https://www.techuk.org/insights/news/item/16020-dcms-publish-call-for-views-on-eu-cybersecurity-act

Share this article

Latest News from
techUK

techUK leads members delegation to the 8th edition of the UK-US SME Dialogue in Belfast

17/04/2024 16:25:00

On 15 and 16 April, techUK organized a members delegation to the 8th edition of the UK-US SME Dialogue in Belfast, Northern Ireland.

techUK announces its first delegation to VivaTech Paris

17/04/2024 13:20:00

techUK is delighted to announce its first-ever delegation to VivaTech on 22-25 May in Paris. VivaTech is France’s biggest technology conference and one of the largest in Europe with over 11,400+ startups and 2600+ investors in attendance covering every tech vertical. The key themes of the conference are AI, Climate Tech, Smart Mobility, Deeptech, Internet & Democracy, the Creative Economy and Gaming & E-Sports. You can see all the sessions here.

AUKUS Trilateral Advanced Capabilities Forum bring industry together for first time

17/04/2024 12:05:00

Four UK trade associations have partnered to form the first Trilateral AUKUS Advanced Capabilities Industry Forum.

The UK's Competition Authority seeks to address concerns in markets for AI Foundation Models

16/04/2024 09:05:00

A summary of the CMA's latest paper on AI Foundation Models (FM), and its plans to help encourage open, fair competition and good consumer outcomes in the FM sector.

UK Government to partner on AI Safety with The Republic of Korea

15/04/2024 14:05:00

The strategic partnership announced recently (12 April 2024), bolsters the UK Government's ambition to be world leader in AI.

UK to partner on AI Safety with The Republic of Korea

12/04/2024 16:20:00

The UK and the Republic of Korea announced today, they are pressing forward with plans for the upcoming wave of global discussions on the safe development of Artificial Intelligence technologies, with the AI Seoul Summit scheduled for May 21st and 22nd, which will take place partially virtually.

As the Data Protection and Digital Information (No. 2) Bill progresses through the Parliament, techUK addresses some of the misconceptions around this legislation

11/04/2024 11:20:00

Concerns have been raised about some of the DPDI Bill’s provisions, some of which stem from misunderstandings of the Bill’s approach and its legislative intent. techUK addresses these misconceptions.

Explaining AUKUS – What is it?

11/04/2024 10:25:00

Announced in September 2021, AUKUS is a trilateral Defence and Security agreement between the United Kingdom, United States and Australia.

Our Ask from the Next Mayor of West Midlands

10/04/2024 10:05:00

As the Mayoral election is approaching, techUK asked the Centre for the New Midlands for their ‘asks’ of the winning candidate.

WIREDGOV