Contributed By Mannheimer Swartling
Sweden’s approach to cybersecurity regulation is characterised by a diverse array of legal frameworks tailored to the specific needs and risks of each sector. Historically, this sectoral approach has allowed for targeted cybersecurity measures that address the unique challenges faced by different industries.
In response to the deteriorating global security landscape and increasing digitalisation, Sweden has initiated several new measures to strengthen its cybersecurity posture and take a more comprehensive approach to cybersecurity. A key development is the formulation of a strategy that addresses the country’s foreign and security policy in relation to cyber and digital issues. The main focus of Sweden’s cybersecurity strategy and efforts is to prevent cyberattacks and build resilience against them. This includes protecting critical infrastructure and sensitive information while ensuring that the country can recover and adapt quickly in the face of cyber threats. By improving resilience, Sweden aims to maintain the integrity and security of its digital environment, thereby safeguarding its national interests and the well-being of its citizens.
Overall, Sweden aims to address transnational cyber threats more effectively and improve its overall resilience through regulation and by working with international partners, particularly within the European Union and NATO, with a focus on protecting national interests and promoting global security.
Note that when Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2) is transposed into Swedish law, it will replace the current regulations.
Scope of Application
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS) was implemented in Sweden through the Act on Information Security for Critical and Digital Services and the Regulation on Information Security for Critical and Digital Services. The legislation entered into force on 1 August 2018. The purpose of the legislation is to enhance the security level of network and information systems for digital services and essential services within certain sectors. Operators covered by the regulatory framework are categorised into:
Operators of Essential Services
Operators of essential services exist in both private and public sectors. An operator of essential services is defined as an entity that:
Digital Service Providers
Digital service providers exist in both private and public sectors. A digital service provider is defined as an entity that:
Obligations for Operators of Essential Services
An operator of essential services shall:
Obligations for Providers of Digital Services
A provider of digital services shall:
Notification Requirements
Operators of essential services and providers of digital services are required to report any incidents that occur. This contributes to creating a comprehensive view of the incident situation, enables warnings to others, and facilitates any necessary co-ordinated efforts.
Reports are submitted to the Swedish Civil Contingencies Agency, which has a co-ordinating role under the Act on Information Security for Critical and Digital Services and forwards the reports to the relevant supervisory authority. The Swedish Civil Contingencies Agency has issued regulations and general advice on incident reporting for providers of essential services.
The Swedish Post and Telecom Authority is the supervisory authority for providers of digital services.
The following authorities are, for the specified sectors, the supervisory authority for operators of essential services:
CERT-SE is Sweden’s national CSIRT (Computer Security Incident Response Team), tasked with supporting society in managing and preventing IT incidents. CERT-SE is part of the Swedish Civil Contingencies Agency, which helps integrate its efforts into the broader national security framework.
CERT-SE’s responsibilities include providing assistance and guidance to the public sector, private companies and organisations in handling cybersecurity threats and incidents. It aims to enhance the overall cybersecurity posture by offering expertise, co-ordinating responses to incidents and promoting best practices for IT security.
In Sweden, the scope of financial sector operational resilience regulation is primarily governed by DORA. This regulation applies to a wide range of financial entities, including (but not limited to) banks, credit institutions, payment institutions, insurance companies and alternative investment fund managers. DORA aims to enhance digital operational resilience by setting uniform requirements across the EU. It is directly applicable in Sweden, although national legislation is required to complement it. The regulation excludes certain small entities and those covered by specific exemptions.
Contractual Requirements
Under the framework of DORA, contractual requirements for ICT service providers include clear terms on service levels, security measures, data protection, incident management, and termination rights. Contracts must also include provisions for audit rights and access to information necessary for the financial institution to comply with its regulatory obligations under DORA.
ICT Service Providers
In Sweden, under the framework of DORA, “ICT service providers” are defined broadly to encompass entities that offer information and communication technology services to financial institutions. These include a wide range of services such as cloud computing, data analytics, software development, and cybersecurity services. The definition is intended to cover any third-party service that could impact the operational resilience of financial entities.
Critical ICT Services
Not all ICT services are classified as critical. The classification of an ICT service as critical depends on several factors, such as the systemic impact of a failure in providing the ICT services, the reliance of financial entities, the degree of substitutability and other relevant factors. While the definition of ICT service providers in Sweden is broad, the classification of services as critical is specific and based on the potential impact on financial operations and stability.
Cloud Service Providers
Not every cloud service provider will automatically be classified as critical. The criticality of a cloud service provider is assessed based on the same criteria mentioned above. For instance:
Objectives
The Swedish implementation of DORA is designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions, thereby enhancing their resilience. It also seeks to establish a unified framework for managing ICT risks across the financial sector, standardising risk management practices. By improving incident response, the regulation ensures that financial entities can respond to ICT incidents in a timely and effective manner, minimising their impact. Additionally, the regulation facilitates supervision by enabling effective oversight by regulatory authorities to ensure compliance and resilience.
Key Obligations
Financial entities are required to implement comprehensive ICT risk management frameworks, which include regular risk assessments and mitigation strategies. They must also manage risks associated with ICT service providers, ensuring that contracts include necessary provisions for resilience and security. Regular testing and monitoring of digital operational resilience are required, including threat-led penetration testing for critical entities. Furthermore, clear governance structures for ICT risk management must be established, with defined roles and responsibilities.
Incident and Reporting Obligations
Financial entities must classify ICT-related incidents based on their impact and severity. Significant incidents must be reported to the Swedish Financial Supervisory Authority within a specified timeframe, typically within 24 to 72 hours, depending on the severity. Reports should include details such as the nature of the incident, its impact, and the measures taken to address it. Entities are also required to conduct a post-incident analysis to identify root causes and implement measures to prevent recurrence. In certain cases, entities may be required to disclose incidents to the public, especially if they have a significant impact on customers or the financial system. It should be noted that entities that carry out operations covered by both DORA and the Protective Security Act must adhere to both in case of incidents, and that the incident reporting under DORA needs to take the obligations under the Protective Security Act into consideration (which may curb the ability of an entity to report certain information under DORA).
Enforcement in Regard to Critical ICT Service Providers
The supervision of critical ICT service providers is to be carried out at Union level by the Lead Overseer. One of the three European Supervisory Authorities (European Banking Authority, European Securities and Markets Authority or European Insurance and Occupational Pensions Authority) is to be designated as Lead Overseer for each of the critical third-party service providers. In order to fulfil its tasks under DORA, the Lead Overseer may, inter alia, conduct general investigations and inspections. Within three months of the conclusion of an investigation or an inspection, the Lead Overseer shall adopt recommendations addressed to the critical third-party provider.
The Lead Overseer can impose a periodic penalty payment on critical ICT service providers. Decisions on periodic penalty payments taken by the Lead Overseer are therefore to be enforceable under the Swedish Enforcement Code (Utsökningsbalken (1981:774)) in the same way as a Swedish judgment that has acquired legal force. The Swedish Enforcement Authority (Kronofogden) is the Swedish authority that will be responsible for the practical enforcement, and its decisions can be appealed to the Swedish courts.
Enforcement in Regard to Financial Entities
In regard to financial entities, the enforcement of operational resilience obligations is carried out by the Swedish Financial Supervisory Authority. The authority has the power to conduct inspections, request information, and impose sanctions or corrective measures on financial institutions and critical ICT service providers that fail to comply with operational resilience requirements. This includes fines, orders to cease certain activities, or other regulatory actions to ensure compliance.
There is no applicable information in this jurisdiction.
In Sweden, DORA mandates threat-led penetration testing (TLPT) for financial entities. These tests must be conducted every three years, or more frequently if required by the competent authority. The tests simulate cyber-attacks in order to identify vulnerabilities in an organisation’s ICT infrastructure.
Internal testers may be used, subject to specific approval and conflict-of-interest requirements, but every third test must be carried out by an external party. The Swedish authorities, primarily the Swedish Financial Supervisory Authority and the Swedish Central Bank, share responsibility for the TLPT process. The Swedish Financial Supervisory Authority determines which entities must undergo testing and how often, while the Swedish Central Bank co-ordinates and monitors the tests, ensuring compliance and certifying that the tests meet the required standards. After completing the tests, entities must submit results and corrective action plans and receive certification. This certification facilitates mutual recognition of tests across EU member states.
The EU Cyber Resilience Act
On 10 December 2024, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (“Cyber Resilience Act”) entered into force.
Implementation Timeline
Although the Cyber Resilience Act took effect on 10 December 2024, its full implementation is phased across three key dates: the main obligations introduced by the Cyber Resilience Act will apply from 11 December 2027, with the exception of Article 14, which will apply from 11 September 2026, and Chapter IV (Articles 35-51), which will apply from 11 June 2026.
The Inquiry Stage
On 28 November 2024, the Swedish government appointed an inquiry chair to analyse the need for, and propose, the measures and supplementary legislative provisions necessary to adapt Swedish law to the Cyber Resilience Act.
The work consists, inter alia, of identifying which provisions in Swedish legislation are affected by the Cyber Resilience Act and analysing whether they need to be repealed or amended, or if new provisions are needed as a result of the Cyber Resilience Act.
The investigator will, in particular:
The inquiry chair has to present its proposals in a report no later than 15 December 2025.
Scope of Application
The Cyber Resilience Act applies to “products with digital elements” whose purpose or use involves a logical or physical data connection to a device or network.
The Cyber Resilience Act covers a wide range of software and hardware products that connect, either directly or indirectly, to other devices or networks. This includes smart home devices, wearable technology, internet-connected toys, and industrial Internet of Things (IoT) devices. Non-commercial open-source software products are not covered by the Cyber Resilience Act. The Cyber Resilience Act targets manufacturers, producers, and importers, requiring them to ensure that their products are safe to use, resilient to cyber threats, and that their security features are properly disclosed.
Objectives
The Cyber Resilience Act establishes compulsory cybersecurity standards for products with digital components available in the EU market.
Its primary objectives are to:
The Cybersecurity Act
The Cybersecurity Act entered into force on 27 June 2019. The primary goal of the Cybersecurity Act is to enhance protection against cybersecurity threats across the EU. The Cybersecurity Act also enables manufacturers and service providers to use one mutually recognised certificate throughout the EU.
Main Elements
The regulation has two main functions and purposes:
National Cybersecurity Certification Authority
In Sweden, the Swedish Defence Materiel Administration acts as the national cybersecurity certification authority. It is the cybersecurity and certification department at the Swedish Defence Materiel Administration that is responsible for matters related to cybersecurity certification, supervision, collaboration, and external monitoring. The department consists of the Swedish Certification Body for IT Security and the Swedish Cyber Security Certification Authority.
Furthermore, the Swedish Defence Materiel Administration is tasked with overseeing and co-ordinating certification activities at the national level and collaborating with EU entities such as the EU Agency for Network and Information Security and the European Commission. It also serves as Sweden’s representative in the European Cybersecurity Certification Group.
Additionally, the Swedish Defence Materiel Administration is responsible for notifying the EU about accredited bodies and those authorised under the Cybersecurity Act.
GDPR and Swedish Supplementation
The GDPR aims to protect natural persons in relation to the processing of their personal data. In Sweden, the GDPR is supplemented by the Data Protection Act, which contains provisions complementing the GDPR.
Controller Responsibilities and Data Processing Agreements
A legal entity that determines the purposes and means of processing personal data is a controller under the GDPR. While a controller can appoint a processor to process data on its behalf, the ultimate responsibility for compliance remains with the controller. To ensure the processor adheres to GDPR requirements, the parties must enter into a data processing agreement that governs the processing activities and outlines both parties’ obligations and rights.
Protective Measures and Data Subject’s Rights
The GDPR requires controllers to implement appropriate technical and organisational measures to protect the processed personal data from unauthorised access. The appropriate measures should be determined based on the risk of the processing. This may include:
The controller must also inform data subjects about the processing of their personal data and of their rights. The data subject’s rights include:
Data Breach
Entities processing personal data must adhere to the GDPR’s specific provisions regarding personal data breaches. A personal data breach is a security incident resulting in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
If a breach is likely to result in a risk to individuals’ rights and freedoms, the controller must notify the Swedish Authority for Privacy Protection within 72 hours of becoming aware of it.
The notification shall at least include a description of:
If a breach likely poses a high risk to individuals’ rights and freedoms, the data subject should generally be informed. All breaches must be documented by the controller, regardless of risk level.
However, it should be noted that the Data Protection Act stipulates that if an incident that constitutes a personal data breach is to be notified under the Protective Security Act, the notification and information obligations under Articles 33 and 34 of the GDPR shall not be applicable.
The Swedish government has launched an inquiry to evaluate the need for national adjustments in response to the AI Act. The inquiry will recommend necessary legal changes and measures for transparency and oversight, with the final report due by 30 September 2025.
The AI Act, effective from 1 August 2024, establishes a unified framework for AI development and use within the EU. It categorises AI systems based on risk levels, imposing stricter requirements on high-risk applications, such as those in critical infrastructure, healthcare, and law enforcement. For Sweden, this means adapting national regulations to comply with EU standards, ensuring AI systems are human-centred, reliable, and aligned with fundamental rights. This includes mechanisms for oversight and enforcement to maintain high protection levels for health, safety, and fundamental rights.
The AI Act imposes obligations primarily on AI providers, developers, and commercial users to ensure compliance with its standards. Such obligations include:
The Patient Data Act and the Patient Data Regulation
The healthcare sector must systematically address the security of healthcare information management. Cybersecurity in healthcare focuses on safeguarding electronic information and assets against unauthorised access, use, and disclosure.
The Patient Data Act contains explicit provisions to prevent unauthorised dissemination by electronic means of data relating to patients undergoing treatment. It contains the provisions specifically needed for the processing of patient data by healthcare providers in relation to other personal data processing. Otherwise, the provisions of the GDPR apply to the processing of patient data and other personal data by healthcare providers. The Patient Data Act governs several aspects, including:
Mannheimer Swartling
Norrlandsgatan 21
111 43 Stockholm
Sweden
Tel: +46 859 506 000
Fax: +46 859 506 001
felicity.trocme@msa.se
www.mannheimerswartling.se/