A new cyber security law – The Swedish approach to the NIS 2 Directive

Cyber security has become a hot topic in recent years, both in terms of news coverage on cyber-attacks and of increasing regulatory demands from the EU. Last week the committee report from the Swedish government on the transposition of the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS 2”) was published, which proposes a new Swedish cyber security act. In this article we summarize the key take aways of the Swedish implementation of NIS 2.

Background

The first NIS Directive was implemented in Sweden through the Act on Information Security for Critical and Digital Services.[1] When compared to its predecessor, NIS 2 strengthens the security requirements for risk management, specifies reporting obligations and establishes stricter supervisory measures and potential sanctions in relation to targeted entities. NIS 2 also covers many more entities in identified sectors. About a year ago, the Swedish government decided on a mandate for a committee of inquiry to examine what adaptations of Swedish law are necessary for the implementation of NIS 2, which must be transposed in Member States by 17 October 2024. The committee report (the “Report”) has now been published which includes among other things a proposal for adoption of a new Swedish cyber security act, proposed to enter into force on 1 January 2025 (which is past the NIS 2 deadline).[2] These are the key take aways of the Report.

1. New and extended definition of the scope

In comparison with the first NIS Directive, under which Member States are responsible for identifying the entities covered by the regulation, NIS 2 instead establishes a harmonised criteria for the scope of the Directive.[3] This criterion requires that all entities of a certain size and belonging to a sector identified in NIS 2 are within its scope. Included sectors are inter alia energy, financial market infrastructures, healthcare, digital infrastructure, information and communication technology service management, space, waste management, chemicals, and food. Smaller entities within the identified sectors are usually exempt, but may in some cases still be covered if they e.g. play a key role in society or provide public electronic communications networks.

The current regime in Sweden is based on the principle that the entity itself is responsible for determining whether it is covered by the applicable criteria and, if so, for notifying the supervisory authority. Under the proposed Swedish act, this regime will continue to apply. Such notification is required to include certain information and should be submitted to the supervisory authority by 17 January 2025.

2. Minimum requirements for security measures

NIS 2 strengthens and specifies the obligations on entities in terms of risk management measures in relation to the security of network and information systems. According to the proposed Swedish implementation entities must take technical, operational, and organisational measures based on a risk analysis considering proportionality. The Swedish provision includes a list on specific measures to be taken which generally are aligned with the minimum requirements on actions introduced in NIS 2, such as solutions for authentication, continuity management, strategies for the use of encryption, and security in the acquisition of network and information systems. According to the Report detailed requirements for risk management measures will be issued by the relevant supervisory authority. The Swedish proposal further includes a requirement for entities to conduct systematic and risk-based information security work, in line with the prior Swedish Act but does not follow directly from NIS 2.

3. Third party and supply management

The minimum requirements on security measures stated in NIS 2 include requirements for supply chain security, including security aspects related to the relationships between each entity and its direct suppliers or service providers. It is recognised as important to manage risks stemming from an entity’s relationship with its suppliers, such as providers of data storage and processing services or providers of managed security services and software editors. In the recitals to NIS 2 entities are invited to consider the overall quality and resilience of products and services and are encouraged to incorporate cybersecurity risk management measures into contracts with their suppliers.[4] In the proposed Swedish act, this requirement has been interpreted to mean that each entity only needs to take action in relation to its supplier and is thus only responsible for one link in the supply chain.

According to the Report, more detailed provisions on this will be specified in further Swedish regulations. Covered entities should therefore inter alia ensure that sufficient risk management and control provisions are included in their supplier contracts.

4. Specification of incident reporting

The NIS 2 Directive requires Member States to ensure that entities report incidents with significant impact, e.g. in relation to the provision of their services, to the competent national authority (in Sweden such authority is the Swedish Civil Contingencies Agency). Incidents with significant impact is in the Report interpreted as a very broad concept. Reporting should take place at various points after an incident has occurred. Within 24 hours of becoming aware of the significant incident, an early warning should be submitted, and within 72 hours an incident notification should be submitted. At last, a final report with more detailed information should be provided within one month of the first incident notification being submitted. NIS 2 furthermore provides that recipients of the services must be notified of significant incidents without undue delay, while the Swedish proposed regulation has set a timeframe of 72 hours for this notification. Reporting obligations also follow in relation to significant cyber threats.

5. Enhanced responsibilities for the executive team

NIS 2 sets out detailed requirements for certain enforcement powers to be exercised by the supervisory authorities and for sanctions to be imposed. Generally, the potential sanctions under NIS 2 are significantly more powerful than under the previous regulations. The provisions differ in relation to the classification of the entity, whether it is considered essential or important, and include both proactive and reactive measures. Regarding the structure of supervision in Sweden, the proposal states that a supervisory authority should be appointed for each sector, as opposed to centralising supervisory responsibilities in a central authority. Thus, it is important that each entity knows which authority is linked to the entity’s sector. The Swedish Civil Contingencies Agency will continue to have an overarching responsibility in relation to the regulation.

The NIS 2 Directive further establishes a minimum list of administrative sanctions. In the Swedish proposal sanctions may be imposed for breaches of, inter alia, obligations relating to notification of the entity, risk management measures and incident reporting. NIS 2 provides for several measures that have no direct equivalent in Swedish law. In the case of essential entities, the NIS 2 Directive requires, among other things, the possibility, if other measures prove ineffective, to temporarily suspend a certification or authorisation for the entity’s activities and to temporarily prohibit members of the entity’s management from exercising management functions. The Swedish proposed act does not include the possibility of temporary suspension of an essential entity’s authorisation or certification. It is however proposed to introduce a possibility for the supervisory authority to request the court to prohibit a person in charge of the management of an essential entity from exercising management functions there. Furthermore, significant financial sanctions are proposed to be introduced. For essential entities, the maximum amount of the administrative fine shall be the higher of EUR 10 000 000 or 2 % of the total worldwide annual turnover in the preceding financial year. For important entities, the corresponding amount shall be the higher of EUR 7 000 000 or 1.4 % of the total worldwide annual turnover in the preceding financial year.

All that remains in the legislative process is for the bill to be published, after the committee report has been circulated for consultation, and later voted on in the Swedish parliament. The committee of inquiry proposes that the new legislation should enter into force on 1 January 2025.  However, entities that are expected to be affected by NIS 2 should already start preparing to meet the new requirements.

[1] See Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union and Sw. lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster.

[2] See SOU 2024:18 Nya regler om cybersäkerhet.

[3] Article 2 in NIS 2.

[4] See recital 85 in NIS 2.