Cybersecurity 2025

SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling

The following authorities are, for the specified sectors, the supervisory authority for operators of essential services:
• Swedish Energy Agency: energy;
• Swedish Transport Agency: transport;
• Swedish Financial Supervisory Authority: banking;
• Swedish Financial Supervisory Authority: financial market infrastructure;
• Health and Social Care Inspectorate: healthcare;
• Swedish Food Agency: drinking water supply and distribution; and
• Swedish Post and Telecom Authority: digital infrastructure.

2.4 State Responsibilities and Obligations
CERT-SE is Sweden’s national CSIRT (Computer Security Incident Response Team), tasked with supporting society in managing and preventing IT incidents. CERT-SE is part of the Swedish Civil Contingencies Agency (MSB), which integrates its work into the broader national security framework.

CERT-SE’s responsibilities include providing assistance and guidance to the public sector, private companies and other organisations in handling cybersecurity threats and incidents. It aims to improve the overall cybersecurity posture by offering expertise, co-ordinating incident response and promoting best practices for IT security.

3. Financial Sector Operational Resilience Regulation
3.1 Scope of Financial Sector Operational Resilience Regulation
In Sweden, the scope of financial sector operational resilience regulation is primarily governed by DORA. This regulation applies to a wide range of financial entities, including (but not limited to) banks, credit institutions, payment institutions, insurance companies and alternative investment fund managers. DORA aims to enhance digital operational resilience by setting uniform requirements across the EU. As an EU regulation it is directly applicable in Sweden without transposition, although complementary national legislation is needed for its application. Certain small entities, and entities covered by specific exemptions, fall outside its scope.

3.2 ICT Service Provider Contractual Requirements
Contractual Requirements
Under DORA, contractual requirements for ICT service providers include clear terms on service levels, security measures, data protection, incident management and termination rights. Contracts must also include provisions for audit rights and access to the information the financial entity needs in order to comply with its regulatory obligations under DORA.
ICT Service Providers
In Sweden, under DORA, “ICT service providers” are defined broadly to cover entities that provide information and communication technology services to financial entities. This includes a wide range of services, such as cloud computing, data analytics, software development and cybersecurity services. The definition is intended to cover any third-party service that could affect the operational resilience of financial entities.
