Feed

23/04/2024
On the Pulse webinar series 2024
Welcome to the 2024 On the Pulse webinar series. This webinar series brings you updates on the latest legal and commercial developments in the life sciences & healthcare sector from around the world. Over the coming period, we will be hosting two webinars on:
- Unified Patent Court (UPC) - 23 April
- EU Pharma Package - 18 June
Each webinar will be one hour in length with a 15-minute Q&A session.
23/04/2024
Cyber and Information Security - Update of the NIS Directive
The so-called NIS Directive[1] has been updated through the NIS2 Directive[2], which is set to be applied no later than October 18, 2024. The update aims to enhance the overall cybersecurity level of the EU and entails tightened requirements for actors in both the private and public sectors.

Further developments of the implementation of the NIS2 Directive in Sweden

On 14 December, 2022, the European Parliament and the Council adopted the NIS2 Directive, which constitutes EU-wide legislation on cybersecurity. As a result of the adoption of the NIS2 Directive, the Swedish government appointed a special investigator with the task of suggesting necessary implementation measures in Swedish law. On 5 March, 2023, the special investigator published an interim report[3] containing suggestions on implementation measures. In accordance with the interim report, such measures would mainly be incorporated through a new Swedish Cyber Security Act (the “Act”). The Act is proposed to enter into force on 1 January, 2025.[4]

Which actors will be subject to the new Swedish Cyber Security Act?

There are two essential differences between the current legislation in Sweden implementing the NIS1 Directive[5] and the proposed new Swedish Cyber Security Act implementing the NIS2 Directive. Firstly, the Act would apply to a larger number of operators. The number of sectors covered by the Act would be expanded from 7 to 18 (sectors such as energy, transport, health, financial market infrastructure and digital infrastructure would be included among these new sectors). Secondly, the requirements in the Act would apply to the entire operations of such actors, not only to their essential and digital services.[6] All private operators of a certain size, or specifically identified ones, and public operators carrying out activities in any of the envisaged 18 sectors would be required to comply with the new provisions under the Act.
With regard to private operators, the Act’s provisions would only apply to operators that employ at least 50 people or have a minimum global annual turnover of EUR 10 million. As a result, many small businesses would be excluded from the Act. However, certain specifically identified individual operators would be subject to the provisions in the Act regardless of size (e.g. operators providing public electronic communications networks).[7]

What requirements will be stipulated in the new Swedish Cyber Security Act?

The proposed Act contains several obligations to which operators covered by the Act would be subject[8]:
- An operator would have to register with its supervisory authority and provide information such as its identity, contact details and activities. The information would be used by the authority to classify the operators as essential or important, and register them. A separate register for cross-border operators would also be implemented.
- The operator would have to undertake risk management measures to protect network and information systems and their physical environments against incidents. Such measures should be based on a risk analysis, be proportional to the risk and be subject to evaluation.
- The operator would be required to carry out systematic, risk-based information security work, require its management to undergo training and offer training to employees.
- Operators would be obliged to report significant incidents to the Swedish Civil Contingencies Agency in its capacity as Computer Security Incident Response Team (CSIRT) within a specified timeframe. This means that an operator would have to report a warning to the CSIRT within 24 hours of having become aware of a significant incident. Moreover, an incident report would have to be submitted within 72 hours, and a final report within one month.
What sanctions may be imposed in case of infringements of the Act?

Depending on which provision has been violated, the supervisory authority’s enforcement measures consist of measures such as the issuing of orders (which may be combined with a financial penalty) or administrative fines. The administrative fines may be set at no less than SEK 5 000 and no more than SEK 10 000 000.[9] Furthermore, sanctions may also be imposed on natural persons, as the interim report introduces the possibility of prohibiting persons with management responsibilities from performing management functions.

What are the next steps?

The interim report will now be circulated for formal consultation. Thereafter, the Swedish government will proceed with the preparation of the new Act which is, as mentioned above, expected to enter into force on 1 January, 2025. However, until then, it will be uncertain exactly how the Act will be designed. In the meantime, organisations will benefit from reviewing the proposed scope of the Act and analysing whether their operations would be subject to its provisions and what this potentially means. In any case, the NIS2 Directive can be expected to entail major changes for both actors already covered by the NIS1 Directive and for previously unaffected actors, and not least also for the representatives of all actors concerned. CMS Wistrand will follow the upcoming development. Please do not hesitate to contact us if you have any questions about how your business may be affected.

[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive).
[3] Nya regler om cybersäkerhet, SOU 2024:18.
[4] Nya regler om cybersäkerhet, SOU 2024:18, p. 23 and 31.
[5] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[6] Nya regler om cybersäkerhet, SOU 2024:18, p. 24.
[7] Nya regler om cybersäkerhet, SOU 2024:18, p. 25.
[8] Nya regler om cybersäkerhet, SOU 2024:18, p. 26.
[9] Nya regler om cybersäkerhet, SOU 2024:18, p. 28.
18/04/2024
Transforming the Legal Landscape? The Impact of LLMs
Large Language Models (LLMs) are a branch of artificial intelligence (AI) that can generate human-like text based on deep learning techniques. LLMs are trained on massive amounts of textual data, such...
18/04/2024
Renewable energy in Sweden
1. Brief overview of the renewables sector
Renewable energy sources such as hydropower, wind, solar and biomass are those that are used the most in Sweden. The energy policy in Sweden is to a great...
17/04/2024
CMS data protection update (04/2024)
I. The latest from the data protection authorities and current topics
1. EDPB: Launch of coordinated enforcement on the right of access
The European Data Protection Board (EDPB) selected the right of access...
11/04/2024
Navigating clinical trial disclosures: No reasonable expectation of success...
Recent EPO Board of Appeal decision T 1437/21 adds to a growing number of decisions concerning the patentability of second or further medical use inventions where the prior art relates to a clinical trial...
09/04/2024
CMS European M&A Study 2024: Optimism for M&A amid evolving market trends
The CMS Corporate/M&A Group is pleased to launch the 16th edition of the European M&A Study. It's been a wild ride for mergers and acquisitions (M&A) around the world this year. Yet, despite the turbulence...
09/04/2024
Designs practice update: EU Court of Justice upholds Advocate General’s...
Background
In our previous article (here), we discussed the opinion of Advocate General Capeta in EUIPO v The KaiKai Company Jaeger Wichmann. That opinion was provided following an appeal against the General...
09/04/2024
The sum of parts: Registered design for segments of towers found valid...
Background
TA Towers ApS (“TA Towers”), a company based in Denmark, is the holder of the below registered Community design relating to goods for building materials, specifically, ‘building materials...
08/04/2024
EU Commission enforces obligation to provide correct and complete information...
EU merger control law provides for an obligation of the parties to provide correct and complete information in merger control proceedings. This obligation has a very high relevance for the European Commission...
03/04/2024
EP Case Law in Brief: Long-felt want and inventive step
“Where the invention solves a technical problem which workers in the art have been attempting to solve for a long time, or otherwise fulfils a long-felt need, this may be regarded as an indication of...
02/04/2024
ESMA feedback statement on shortening the EU settlement cycle reveals widespread...
The European Securities and Markets Authority (ESMA) has released a feedback statement summarising comments received from market participants during its consultation on shortening the EU settlement cycle. Under...