SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling
2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

Note that when Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2) is transposed into Swedish law, it will replace the current regulations.

Scope of Application

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS) was implemented in Sweden through the Act on Information Security for Critical and Digital Services and the Regulation on Information Security for Critical and Digital Services. The legislation entered into force on 1 August 2018.

The purpose of the legislation is to enhance the security level of network and information systems for digital services and essential services within certain sectors. Operators covered by the regulatory framework are categorised into:

• operators of essential services, and
• digital service providers.

Operators of Essential Services

Operators of essential services exist in both private and public sectors. An operator of essential services is defined as an entity that:

• provides a service crucial for maintaining critical societal or economic activities within one of the seven sectors listed below:
(a) energy;
Their authority covers all personal data processing activities within Sweden.

• The Patient Data Act and the Patient Data Regulation: The Swedish Authority for Privacy Protection is the supervisory authority that supervises the application of data protection rules by healthcare providers, which means, for example, checking that healthcare providers take security measures to protect patient data.

• DORA: The Swedish Financial Supervisory Authority is the supervisory authority that ensures that financial entities comply with DORA.

• The Cybersecurity Act: ENISA is the key regulator for this regulation. ENISA develops cybersecurity certification frameworks to enhance trust and security in the digital market. Its authority covers ICT products and services across the EU, promoting a common approach to cybersecurity certification.

• The AI Act: The European Commission also oversees this regulation, establishing rules for artificial intelligence systems. The AI Act includes security requirements to ensure AI systems are safe and trustworthy, which are integral to cybersecurity. Its scope covers AI systems and applications throughout the EU.

• The eIDAS Regulation: In Sweden, the Swedish Agency for Digital Government is responsible for implementing this regulation. The Swedish Agency for Digital Government oversees electronic identification and trust services, ensuring secure electronic transactions.