SWEDEN Trends and Developments Contributed by: John Neway Herrman, Erik Ålander, Dahae Roland and Agne Lindberg, Advokatfirman Delphi AB
provision was added to the Public Access to Information and Secrecy Act (2009:400) (Offentlighets- och sekretesslagen, or OSL), aiming to create better conditions for public authorities to outsource or co-ordinate their IT operations and to strengthen the protection of data when outsourcing IT operations. However, the regulatory framework is relatively complex and, in many respects, difficult to interpret. For example, outsourcing is not allowed unless it cannot be deemed inappropriate (this rather peculiar language used by the legislator implies that “not inappropriate” is not equivalent to “appropriate”). Whether outsourcing is considered inappropriate or not depends on an overall assessment of the relevant circumstances. These include the sensitivity of the data disclosed, the applicable contractual terms, the supplier’s ability to protect the data, where the data is processed geographically, and the existence of subcontractors, etc.

Swedish implementation of the NIS2 and CER Directives

The NIS2 Directive, effective as of 17 October 2024, introduces enhanced security requirements for essential and important services. The directive brings significant changes, with a broader scope and more detailed security requirements than its predecessor, the NIS1 Directive. Many operators in critical sectors may need substantial resources to comply, particularly when renegotiating agreements to align with the new regulatory requirements. The directive’s broadened scope, which includes the first tier of the supply chain, means that many companies not directly subject to the regulation will still be impacted.

Although no government bill for incorporating the NIS2 Directive into Swedish law had been published as of February 2025, it is expected to be introduced during the first half of the year and implemented through the proposed Swedish Cybersecurity Act (Cybersäkerhetslagen).

Closely related to the NIS2 Directive is the Critical Entities Resilience (CER) Directive. The CER Directive complements the NIS2 Directive’s focus on cybersecurity by addressing broader physical and operational risks to critical entities. The directive aims to strengthen the resilience of critical infrastructure in sectors essential to society, such as energy, transport and healthcare. However, as the CER Directive is being implemented together with the NIS2 Directive, the Swedish implementation of the CER Directive is likewise facing significant delays.

In general, cybersecurity in Sweden faces significant challenges due to the inherent vulnerabilities of digital solutions. Although often regarded as an IT issue for individual organisations to address, recent legislative initiatives – primarily driven by the EU – seek to enhance protection for operators in critical sectors. The regulatory landscape remains dynamic, with ongoing negotiations and legal uncertainties influencing the adoption and implementation of cybersecurity measures. Future and recent EU initiatives, such as the Cyber Resilience Act which came into force on 10 December 2024, are expected to further shape this evolving field.

Swedish organisations generally demonstrate a strong commitment to complying with cybersecurity laws and maintaining high standards. However, greater focus is needed on the contractual implications of regulatory demands, particularly regarding the cascading of requirements to suppliers. These aspects frequently involve complex negotiations around risk allocation.

Given the growing complexity of regulations and the increasing obligations stemming from