As we summarized last fall, the EU Commission published a new Cybersecurity Communication in September that, among other things, sets out proposals for an EU cybersecurity certification framework as part of an EU “Cybersecurity Act” (see our post here and a more detailed summary here). Just before the holidays, on December 20, 2017, the UK Government published a consultation on these proposals, which the UK Government will use to help develop its position. Key elements of the proposals that the UK Government is consulting on include:
- Harmonizing the existing cybersecurity certification landscape to reduce costs and administrative burdens for companies by establishing a common “European Cybersecurity Certification Framework for ICT products and services.”
- Further specifying and publishing best practices relating to incident reporting and security obligations for some digital service providers under the NIS Directive (see our reports here and here).
- Changes to the tasks and functions of ENISA, including providing ENISA with a strengthened and permanent mandate.
The UK Government also welcomes views from stakeholders on the impact of the proposals with respect to the UK’s exit from the EU. The consultation closes on February 13, 2018. Before then, and by January 20, 2018, the UK Government has been asked by the UK Parliament to clarify issues relating to the proposals, including on issues relating to the “Cybersecurity Act” and cybersecurity certification.