SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling
consideration (which may curb the ability of an entity to report certain information under DORA).

3.4 Operational Resilience Enforcement

Enforcement in Regard to Critical ICT Service Providers

The supervision of critical ICT third-party service providers is carried out at Union level by the Lead Overseer. One of the three European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority or the European Insurance and Occupational Pensions Authority) is designated as Lead Overseer for each critical ICT third-party service provider. In order to fulfil its tasks under DORA, the Lead Overseer may, inter alia, conduct general investigations and inspections. Within three months of the conclusion of an investigation or an inspection, the Lead Overseer shall adopt recommendations addressed to the critical ICT third-party service provider.

The Lead Overseer can impose a periodic penalty payment on a critical ICT third-party service provider. Decisions on periodic penalty payments taken by the Lead Overseer should therefore be enforceable under the Swedish Enforcement Code (Utsökningsbalken (1981:774)) in the same way as a Swedish judgment that has acquired legal force. The Swedish Enforcement Authority (Kronofogden) is the authority responsible for the practical enforcement, and its decisions can be appealed to the Swedish courts.

Enforcement in Regard to Financial Entities

In regard to financial entities, the enforcement of operational resilience obligations is carried out by the Swedish Financial Supervisory Authority (Finansinspektionen). The authority has the power to conduct inspections, request information, and impose sanctions or corrective measures on financial entities that fail to comply with operational resilience requirements. This includes fines, orders to cease certain activities, or other regulatory actions to ensure compliance.

3.5 International Data Transfers

There is no applicable information in this jurisdiction.

3.6 Threat-Led Penetration Testing

In Sweden, DORA mandates threat-led penetration testing (TLPT) for the financial entities identified for that purpose. These tests must be conducted at least every three years, or more frequently if required by the competent authority. The tests simulate realistic cyber-attacks against the live production systems that support the entity's critical or important functions, in order to identify vulnerabilities in its ICT infrastructure. External testers must be used at least every third test; internal testers can be used for the other tests but require specific approval and must meet independence and conflict-of-interest requirements.

The Swedish authorities, primarily the Swedish Financial Supervisory Authority and the Swedish Central Bank (Riksbanken), share responsibilities for the TLPT process. The Swedish Financial Supervisory Authority determines which entities must undergo testing and the frequency of tests, while the Swedish Central Bank co-ordinates and monitors the tests, ensuring compliance and confirming that the tests meet the required standards. After completing a test, the entity must submit a summary of the findings and a remediation plan, and receives an attestation confirming that the test was performed in accordance with the requirements. This attestation facilitates mutual recognition of the test by competent authorities across EU member states.