Sweden
(a) What is the NIS2 implementation status?
On 5 March 2024, the Swedish government published its partial report on the implementation of NIS2 and CER in the Swedish Government Official Reports series, SOU 2024:18 (the “Report”). A supplementary report on CER was published on 18 September 2024. The supplementary report states that it does not propose any obligations beyond those set out in the CER directive (EU 2022/2557).
The legislative process will now move on to the referral stage, in which the Report is referred for consideration to the relevant bodies (e.g. public authorities and special interest groups).
(b) What is the envisaged NIS2 implementation timeline?
The referral stage is set to be finalized by 28 May 2024. Thereafter, the Swedish government will issue a bill to be adopted by the Swedish Parliament (swe: Riksdagen). According to the implementation timeline published by the Swedish Civil Contingencies Agency, NIS2 is expected to take effect in Sweden by summer 2025 at the earliest.
(c) What does the NIS2 mean for other national cybersecurity legislation?
As no government bill has been issued yet, it is not certain how and to what extent national cybersecurity legislation will be affected. However, the Report recommends that the Information Security Act (2018:1174), which is Sweden’s current implementation of the NIS directive, be wholly replaced by a new cybersecurity act in order to accommodate the large number of changes that NIS2 will introduce.
Currently, the Information Security Act does not apply where the Swedish Protective Security Act (2018:585) applies to an organisation, or to part of it. The Report recommends changing this legislative relationship in two main ways. Firstly, where only a part of the business is subject to the Swedish Protective Security Act, the relevant entity should only be exempted from the obligations relating to cybersecurity risk-management measures, cybersecurity training for management and incident reporting (i.e. the main obligations in NIS2). Secondly, such exemptions should only apply to the part of the business that is subject to the Swedish Protective Security Act. Thus, NIS2 would still apply in full to the other parts of the business, provided that no other exemption applies (e.g. for financial institutions that are already covered by equivalent cybersecurity obligations in the Digital Operational Resilience Act).
It remains to be seen, however, to what extent the upcoming government bill will encompass the conclusions of the Report.
(d) Who will be the supervisory authority and how are they preparing the market?
Sweden’s current implementation of the NIS directive introduced the following six supervisory authorities based on the sectors covered by the directive:
- The Swedish Energy Agency (energy);
- Swedish Financial Supervisory Authority (banking and finance market infrastructures);
- The Health and Social Care Inspectorate (health sector);
- The Swedish Food Agency (drinking water supply and distribution);
- The Swedish Post and Telecom Authority (digital infrastructure and digital services); and
- The Swedish Transport Agency (transport).
As NIS2 will increase the number of sectors and entities covered, the Report recommends introducing additional supervisory authorities and expanding the sectors for which existing supervisory authorities are responsible (e.g. the Swedish Post and Telecom Authority should also cover the space sector). The Report recommends introducing the Swedish Medical Products Agency and several county administrative boards as new supervisory authorities covering areas such as pharmaceutical products and public administration. Furthermore, the Report recommends that the Swedish Civil Contingencies Agency continue in its existing role as Sweden’s single point of contact (and CSIRT), responsible for ensuring cross-border cooperation between the supervisory authorities.
(e) What should you be doing/on the lookout for?
Clients are advised to identify as soon as possible whether they will be categorised as an important or an essential entity under NIS2, as this will determine the scope of their obligations once the directive is implemented into national law. In this regard, it should be noted that NIS2 significantly expands the range of relevant sectors and introduces a size threshold (with a few exceptions) that defines which entities will be subject to NIS2.
Clients who anticipate that they will be subject to NIS2, in particular essential entities, should actively prepare for upcoming enforcement by reviewing existing information security and cybersecurity practices and policies to identify possible deviations from the minimum requirements set out in NIS2. Clients should also be on the lookout for possible stricter requirements introduced through national implementation. However, the Report indicates that the committee’s conclusion is that the Swedish government should remain within the framework of the NIS2 directive and thus not introduce stricter requirements. Whether that holds will become evident once the government bill is in place.
Contact
Sara Malmgren E: saramalmgren@eversheds-sutherland.se
Sina Amini E: sinaamini@eversheds-sutherland.se
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.