The so-called NIS Directive[1] has been updated through the NIS2 Directive[2], which is set to be applied no later than October 18, 2024. The update aims to enhance the overall cybersecurity level of the EU and entails tightened requirements for actors in both the private and public sectors.  Further developments of the implementation of the NIS2 Directive in SwedenOn 14 December, 2022, the European Parliament and the Council adopted the NIS2 Directive, which constitutes an EU-wide legislation on cybersecurity. As a result of the adoption of the NIS2 Directive, the Swedish government appointed a special investigator with the task to suggest necessary implementation measures in Swedish law. On 5 March, 2023, the special investigator published an interim report[3] containing suggestions on implementation measures. In accordance with the interim report, such measures would mainly be incorporated through a new Swedish Cyber Security Act (the “Act”). The Act is proposed to enter into force on 1 January, 2025.[4] Which actors will be subject to the new Swedish Cyber Security Act?There are two essential differences between the current legislation in Sweden implementing the NIS1 Directive[5], and the proposed new Swedish Cyber Security Act implementing the NIS2 Directive. Firstly, the Act would apply to a larger number of operators. Operators within sectors covered by the Act would be expanded from 7 to 18 (sectors such as energy, transport, health, financial market infrastructure and digital infrastructure would be included among these new sectors). Secondly, the requirements in the Act would apply to the entire operations of such actors, not only to their essential and digital ser­vices.[6] All private operators of a certain size or specifically identified ones and public operators carrying out activities in any of the envisaged 18 sectors would be required to comply with the new provisions under the Act. With regard to private operators, the Act’s provisions would only apply to such operators which employs at least 50 people or have a minimum global annual turnover of EUR 10 million. As a result, the Act  many small businesses would be excluded. However, certain specifically identified individual operators would be subject to the provisions in the Act regardless of size (e.g. operators providing public electronic communications net­works).[7] What requirements will be stipulated in the new Swedish Cyber Security Act?The proposed Act contains several obligations which operators covered by the Act would be subject to[8]:An operator would have to register with its supervisory authority and provide information such as its identity, contact details and activities. The information would be used by the authority to classify the operators as essential or important, and register them. A separate register for cross-border operators would also be implemented. The operator would have to undertake risk management measures to protect network and information systems and its physical environments against incidents. Such measures should be based on a risk analysis, be proportional to the risk and be subject to evaluation. The operator would be required to carry out systematic, risk-based information security work, require its management to undergo training and offer training to employees. Operators would be obliged to report significant incidents to the Swedish Civil Contingencies Agency in its capacity as Computer Security Incident Response Team (CSIRT) within a specified timeframe. This means that an operator would have to report a warning to the CSIRT within 24 hours of having become aware of a significant incident. Moreover, an incident report would have to be submitted within 72 hours, and a final report within one month. What sanctions may be imposed in case of infringements of the Act?Depending on which provision has been violated, the supervisory authority’s enforcement measures consist of measures such as issuing of orders (which may be combined with a financial penalty) or administrative fines. The administrative fines may be set at no less than SEK 5 000 and no more than SEK 10 000 000.[9] Furthermore, sanctions may also be imposed on natural persons as the possibility of imposing prohibitions on persons with management responsibilities to perform management functions, is introduced in the interim report. What are the next steps?The interim report will now be circulated for formal consultation. Thereafter, the Swedish government will proceed with the preparation the new Act which is, as mentioned above, expected to enter into force on 1 January, 2025. However, until then, it will be uncertain exactly how the Act will be designed. In the meantime, organisations will benefit from reviewing the proposed scope of the Act and analyse whether their operations would be subject to its provisions and what this potentially means. In any case, the NIS2 Directive can be expected to entail major changes for both actors already covered by the NIS1 Directive and for previously unaffected actors, and not least - also for the representatives of all actors concerned. CMS Wistrand will follow the upcoming development. Please do not hesitate to contact us if you have any questions about how your business may be affected.  [1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU). 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive).[3] Nya regler om cybersäkerhet, SOU 2024:18.[4] Nya regler om cybersäkerhet, SOU 2024:18, p. 23 and 31.[5] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.[6] Nya regler om cybersäkerhet, SOU 2024:18, p. 24.[7] Nya regler om cybersäkerhet, SOU 2024:18, p. 25.[8] Nya regler om cybersäkerhet, SOU 2024:18, p. 26.[9] Nya regler om cybersäkerhet, SOU 2024:18, p. 28.

The decision to become a part of CMS, one of the world’s largest law firms, was made to future-proof our position as one of Sweden’s leading law firms and to expand internationally. CMS’s unique structure ensures that CMS Wistrand can continue to be an independent, locally rooted firm for Swedish clients while benefiting from CMS’s global expertise and net­work.‘’Ef­fect­ive and well-structured teams across borders are crucial in today’s legal landscape. It creates value for clients by reducing friction in deliveries and expediting the processes of acquiring legal services’’, says Maria Kosteska Fäger­quist.‘’Sig­ni­fic­ant time and cost savings are achieved for our clients by leveraging unique legal expertise across borders, sectors and practice areas, working in structured teams with common values and focus’’. We now have the opportunity to further drive the innovation necessary to shape the legal services of the fu­ture.‘’Be­ing future-facing means proactively anticipating challenges and driving innovation. Now, we position ourselves to deliver solutions that shape the industry and help our clients confidently navigate the changing landscape’’, says Fredrik Råsberg, Chairman of the Board in Stock­holm.‘’But our commitment doesn’t end with innovation. Successfully steering the ESG agenda with a focus on climate change and social responsibility is of great importance for companies now and in the future, and as a law firm, we have a responsibility to help our clients navigate in the right dir­ec­tion.’’It was announced back in November 2023 that Wistrand would become a part of CMS. For CMS, entering the Swedish market was cru­cial.“De­vel­op­ing a strong Nordic platform is important as our clients expect us to support them in major business hubs around the world,” says Pierre-Sé­bas­tien Thill, CMS Chairman. “We already have CMS Kluge offices in Bergen, Oslo and Stavanger. Now with CMS Wistrand, we can offer clients deep local expertise in Sweden, combined with our global reach.”