Cybersecurity 2025

SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling

4. Cyber-Resilience 4.1 Cyber-Resilience Legislation The EU Cyber Resilience Act

sible for, among other things, establishing and implementing the procedures necessary for the assessment, designation, and notification of conformity assessment bodies; and • make any other proposals, including legisla - tive proposals, that are necessary or other - wise deemed appropriate to complement the Cyber Resilience Act. The inquiry chair has to present its proposals in a report no later than 15 December 2025. 4.2 Key Obligations Under Legislation Scope of Application The Cyber Resilience Act applies to “products with digital elements” whose purpose or use involves a logical or physical data connection to a device or network. The Cyber Resilience Act covers a wide range of software and hardware products that connect, either directly or indirectly, to other devices or networks. This includes smart home devices, wearable technology, internet-connected toys, and industrial Internet of Things (IoT) devices. Non-commercial open-source software prod - ucts are not covered by the Cyber Resilience Act. The Cyber Resilience Act targets manufac - turers, producers, and importers, requiring them to ensure that their products are safe to use, resilient to cyber threats, and that their security features are properly disclosed. Objectives The Cyber Resilience Act establishes compul - sory cybersecurity standards for products with digital components available in the EU market.

On 10 December 2024, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (“Cyber Resilience Act”) entered into force. Implementation Timeline Although the Cyber Resilience Act took effect on 10 December 2024, its full implementation is phased across three key dates: The main obligations introduced by the Cyber Resilience Act will apply from 11 December 2027, with the exception of Article 14 which will apply from 11 September 2026 and Chapter IV (Articles 35-51) which will apply from 11 June 2026. The Inquiry Stage On 28 November 2024, the Swedish government appointed an inquiry chair who will analyse the need for and propose measures and supplemen - tary legislative provisions necessary to adapt Swedish law to the Cyber Resilience Act. The work consists, inter alia, of identifying which provisions in Swedish legislation are affected by the Cyber Resilience Act and analysing whether they need to be repealed or amended, or if new provisions are needed as a result of the Cyber Resilience Act. The investigator will, in particular: • propose which existing authority or authori - ties should be designated as the national market surveillance authority; • propose which existing authority should be designated as the notifying authority respon -

262 CHAMBERS.COM

Powered by