Cybersecurity 2025

SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling

• The Accounting Act (Bokföringslagen (1999:1078)) contains provisions on the secure handling and storage of financial data, which is crucial for cybersecurity in financial reporting.
• The Camera Surveillance Act (Kamerabevakningslagen (2018:1200)) regulates camera surveillance, balancing security needs with privacy rights, and ensuring that surveillance systems are secure against unauthorised access.
• The Protective Security Act (Säkerhetsskyddslagen (2018:585)) and the Protective Security Regulation (Säkerhetsskyddsförordningen (2021:955)) focus on protective security, and require organisations to protect information that concerns security-sensitive activities from cyber threats, thus playing an important role in the broader cybersecurity framework.
• The Information Security for Critical and Digital Services Act (Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster) and the Information Security for Critical and Digital Services Regulation (Förordning (2018:1175) om informationssäkerhet för samhällsviktiga och digitala tjänster) transpose Directive of the European Parliament and of the Council (2016/1148) of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. The act and the regulation impose obligations on operators of essential services and digital service providers to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. See 2 Critical Infrastructure Cybersecurity.
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), sets the standard for data protection and privacy in the EU, and requires organisations to implement robust security measures to protect personal data. The Data Protection Act containing supplementary provisions to the GDPR (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) complements the GDPR by providing additional national rules for data protection in Sweden, ensuring comprehensive data security. See 6.1 Cybersecurity and Data Protection.
• The Patient Data Act (Patientdatalag (2008:355)) and the Patient Data Regulation (Patientdataförordning (2008:360)) complement the GDPR and include regulations for handling personal data in the healthcare sector.
• Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA) aims to enhance digital operational resilience within the financial sector by setting uniform requirements across the EU. See 3 Financial Sector Operational Resilience Regulation.
• Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (“Cybersecurity Act”) establishes the European Union Agency for Cybersecurity (ENISA) and a framework for cybersecurity certification of ICT products, see 5.1 Key Cybersecurity Certification Legislation.

CHAMBERS.COM
