Cybersecurity 2025

SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling

(b) transport;
(c) banking;
(d) financial market infrastructure;
(e) healthcare;
(f) drinking water supply and distribution; or
(g) digital infrastructure;
• the provision of such service depends on network and information systems; and
• an incident would cause a significant disruption in the provision of the service.

Digital Service Providers
Digital service providers exist in both the private and public sectors. A digital service provider is defined as an entity that:
• has its main establishment in Sweden;
• has an annual turnover exceeding EUR10 million; and
• has 50 or more employees.

2.2 Critical Infrastructure Cybersecurity Requirements

Obligations for Operators of Essential Services
An operator of essential services shall:
• conduct systematic and risk-based information security work concerning the network and information systems used to deliver the essential services;
• conduct a risk analysis that will serve as the basis for selecting security measures;
• implement appropriate and proportionate technical and organisational measures to manage risks threatening the security of the network and information systems used to provide the essential services; and
• take appropriate measures to prevent and minimise the impact of incidents affecting the network and information systems used to provide the essential services.

Obligations for Providers of Digital Services
A provider of digital services shall:
• implement the technical and organisational measures considered appropriate and proportionate to address risks threatening the security of the networks and information systems used in the provision of digital services within the European Union; such measures should ensure a level of security in the network and information systems that is appropriate to the risk; and
• take measures to prevent and minimise the impact of incidents affecting the network and information systems used; these measures should aim at ensuring the continuity of services.

2.3 Incident Response and Notification Obligations

Notification Requirements
Operators of essential services and providers of digital services are required to report any incidents that occur. This contributes to creating a comprehensive view of the incident situation, enables warnings to others, and facilitates any necessary co-ordinated efforts.

Reports are submitted to the Swedish Civil Contingencies Agency, which has a co-ordinating role under the Information Security for Critical and Digital Services Act and forwards the reports to the respective supervisory authority. The Swedish Civil Contingencies Agency has issued regulations and general advice on incident reporting for providers of essential services.

The Swedish Post and Telecom Authority is the supervisory authority for providers of digital services.
