SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling
Critical ICT Services

Not all ICT services are classified as critical. The classification of an ICT service as critical depends on several factors, such as the systemic impact of a failure in providing the ICT services, the reliance of financial entities on those services, the degree of substitutability and other relevant factors. While the definition of ICT service providers in Sweden is broad, the classification of services as critical is specific and based on the potential impact on financial operations and stability.

Cloud Service Providers

Not every cloud service provider will automatically be classified as critical. The criticality of a cloud service provider is assessed based on the same criteria mentioned above. For instance:

• If a cloud service provider supports a significant portion of a financial entity’s operations or hosts critical applications, it may be classified as critical.

• Cloud service providers offering infrastructure as a service (IaaS) or platform as a service (PaaS) that are integral to the financial entity’s operations are more likely to be considered critical than those offering less essential services.

3.3 Key Operational Resilience Obligations

Objectives

The Swedish implementation of DORA is designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions, thereby enhancing their resilience. It also seeks to establish a unified framework for managing ICT risks across the financial sector, standardising risk management practices. By improving incident response, the regulation ensures that financial entities can respond to ICT incidents in a timely and effective manner, minimising their impact. Additionally, the regulation facilitates supervision by enabling effective oversight by regulatory authorities to ensure compliance and resilience.

Key Obligations

Financial entities are required to implement comprehensive ICT risk management frameworks, which include regular risk assessments and mitigation strategies. They must also manage risks associated with ICT service providers, ensuring that contracts include the necessary provisions for resilience and security. Regular testing and monitoring of digital operational resilience are required, including threat-led penetration testing for critical entities. Furthermore, clear governance structures for ICT risk management must be established, with defined roles and responsibilities.

Incident and Reporting Obligations

Financial entities must classify ICT-related incidents based on their impact and severity. Significant incidents must be reported to the Swedish Financial Supervisory Authority within a specified timeframe, typically within 24 to 72 hours, depending on the severity. Reports should include details such as the nature of the incident, its impact, and the measures taken to address it. Entities are also required to conduct a post-incident analysis to identify root causes and implement measures to prevent recurrence. In certain cases, entities may be required to disclose incidents to the public, especially if they have a significant impact on customers or the financial system. It should be noted that entities that carry out operations covered by both DORA and the Protective Security Act must adhere to both in case of incidents, and that the incident reporting under DORA needs to take the obligations under the Protective Security Act into
260 CHAMBERS.COM