Cybersecurity 2025

SWEDEN Trends and Developments Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling

tive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. The directive aims to harmonise and strengthen cybersecurity in the Union. It sets out requirements for technical, operational and organisational measures to manage risks that threaten the security of network and information systems. These measures should include risk analysis, business continuity measures, supply chain security measures and personnel security measures. The measures should be based on an overall risk perspective and risk analysis and be proportionate to the risk. They should be evaluated and include specific elements, including supply chain security. Supply chain security covers security aspects relating to the links between each operator and its direct suppliers or service providers. This means that each operator must take risk management measures in relation to its suppliers and is therefore responsible for its direct suppliers.

In addition, NIS2 requires policies and procedures to assess the effectiveness of cybersecurity risk management measures and to address any deficiencies. NIS2 also requires senior management to monitor the implementation of risk management measures.

In the event of an incident that has a significant impact on an entity’s ability to provide its services, the directive requires the entity to notify the competent authority of the incident. If deemed appropriate, service recipients should also be informed of the incident. An incident is considered significant if it causes, or has the potential to cause, severe operational disruption to services, results in financial losses for the entity, or has, or could have, an impact on other natural or legal persons by causing considerable damage.

As proposed in the Swedish government’s official report 2024:18, NIS2 will be implemented in Sweden through the Swedish Cybersecurity Act (cybersäkerhetslagen) (the “Swedish Cybersecurity Act”) and the Swedish Cybersecurity Regulation (förordning om cybersäkerhet), which will replace the current Act on Information Security for Critical and Digital Services (lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster) and the Regulation on Information Security for Critical and Digital Services (förordning (2018:1175) om informationssäkerhet för samhällsviktiga och digitala tjänster). The government has not yet proposed a bill, but it is expected to do so in the spring of 2025. As NIS2 should have been implemented in the member states by 18 October 2024, and Sweden is already behind, it is expected that the time between the bill being passed and it coming into force will be short.

Once the Act comes into force, clarifying regulations will be issued by the designated authorities and only then will the detailed requirements for affected entities be clear. It has not yet been decided which authorities will be responsible for the regulations.

CER

To enhance the EU’s resilience in critical infrastructure, the EU has adopted a directive aimed at ensuring that essential services can effectively prevent, withstand, and manage disruptions or interruptions in their operations. The CER is proposed to be transposed in Sweden through the Critical Operators Resilience Act (lag om motståndskraft hos kritiska verksamhetsutövare) and the Critical Operators Resilience Regulation (förordning om motståndskraft hos kritiska
