Cybersecurity 2025

SWEDEN Trends and Developments Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling

verksamhetsutövare) as described in the Swedish government’s official report 2024:64. The government has not yet proposed a bill, but it is expected to do so in the spring of 2025. Once transposed, there will be an increase in cybersecurity requirements, and other related measures, for critical entities in Sweden as the Directive replaces the previous Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, which was more limited in scope.

The CER applies to critical entities providing services in the following sectors:

• energy;
• transport;
• banking;
• financial market infrastructure;
• health;
• drinking water;
• waste water;
• digital infrastructure;
• public administration;
• space; and
• production, processing and distribution of food.

Each EU member state must list all essential services within each sector and conduct a risk assessment based on the list. Following the risk assessment, each EU member state will determine which entities are considered critical entities within each sector.

For an entity to be considered a critical entity in Sweden, the following is required:

• the entity must provide an essential service;

• the entity must operate in Sweden and have its critical infrastructure in Sweden; and
• an incident affecting the entity must significantly disrupt its ability to deliver its essential services or impact other essential services within the sectors covered by the law.

Once identified, a critical entity must perform a critical entity risk assessment. The assessment aims to identify any relevant risks associated with the delivery of the essential service and consider interdependencies with other sectors covered by the law. Based on the risk assessment, the critical entities must implement appropriate and proportionate technical, security and organisational measures to ensure resilience. These measures include preventing incidents, ensuring physical protection, mitigating the consequences of incidents, and recovering from them. Further, a critical entity must also report incidents that cause or may cause significant disruption to the competent authority without undue delay.

CRA Act

The Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (CRA) was adopted in the EU on 10 December 2024 and will enter into full force on 11 December 2027. However, certain parts of the CRA will enter into force during 2026.

The objective of the CRA is to strengthen EU cybersecurity and ensure cyber resilience by establishing a legal framework for essential cybersecurity requirements for digital elements in the EU. This will be implemented through restrictions on the development of secure products with digital elements to ensure that prod -
