Proposal For New Cybersecurity Act – Implementation Of The NIS2 Directive In Swedish Law – Security



The NIS2 directive was adopted by the European Parliament in
December 2022 and the Swedish Act that implements the directive is
expected to enter into force on 1 January 2025. The NIS2 directive
constitutes a general outline, and it has been difficult to predict
the more detailed application – until now. The draft legislation
for the new Cybersecurity Act was presented in March this year.
Below is an overview of the new NIS2 inquiry, what it entails and
how you can prepare your business in view of the new regulation. If
you would like further information or assistance do not hesitate to
contact us. Lindahl has extensive expertise in areas of law such as
regulatory compliance, information security, IT/Tech and data
protection.

The NIS2 directive has stricter requirements for operators and
contains provisions for a more far-reaching collaboration within
the EU compared with its predecessor, NIS1. The overall aim of the
new rules is to achieve a higher level of cybersecurity for the
expanded number of sectors that are specified in the
legislation.

On 5 March 2024 "The inquiry on implementation of the NIS2
and CER directives" submitted an interim report, New rules
on cybersecurity (SOU 2024:18), together with the proposal
for the new Cybersecurity Act.

It is proposed that the Cybersecurity Act, which replaces the
current NIS act, enters into force on 1 January 2025, and it
entails a number of important changes in the area of information
security and cybersecurity.

There are essentially two important differences between current
legislation and the new proposal:

  1. Wider application and number of sectors
    expanded: 
    The proposal is that the Cybersecurity Act
    will apply to more actors, with the number of sectors expanded from
    7 to 18. Examples of sectors that are new compared with the current
    NIS act are: waste water, management of ICT services
    (business-to-business), public administration (which means that
    almost the entire public sector, including municipalities and
    regions, is covered), space, postal and courier services, waste
    management, manufacture, production and distribution of chemicals,
    production, processing and distribution of food, manufacturing,
    digital providers and research.

  2. The entire operation is included:  The
    proposal means that the requirements will apply to the entire
    operation, not just those parts that are regarded as critical to
    society or that offer digital services. It also introduces a size
    threshold for private organisations: an operation must employ at
    least 50 persons or have an annual turnover in excess of
    10 million Euros to be covered by the Act's requirements.
    However, the Civil Contingencies Agency (MSB) can also designate
    smaller but particularly critical operations, which then have to
    comply with the Act's requirements as well.

Besides the two new elements above, we would like to briefly
highlight a number of other parts of the new proposal.

New classification:  It is proposed that
both public and private operators come under the new Cybersecurity
Act. However, the operations included shall be classified either as
essential or important based on significance and size. In
principle, the rules are the same regardless of category, however,
depending on classification, they differ in relation to supervision
and sanctions.

Liability of the senior management for the
operator's violations: 
The directive places
increased requirements on the management's participation in the
organisation's cybersecurity work. The inquiry proposes that the
supervisory authority be given the option of applying to a court
for an order prohibiting a person with management responsibility at
an essential operator from performing management functions. This
applies, for example, to board members and chief executive
officers. The other sanctions in the proposal are targeted at the
operator as a legal entity; this sanction is instead targeted at
natural persons and should be viewed as a last resort, to be used
when other measures have failed to make the operator take the
required action.

Clear requirements for security measures: 
Operators must institute appropriate risk management measures and
conduct risk assessments to protect their networks and information
systems against incidents. The measures must be based on a risk
assessment, be evaluated regularly and be proportionate to the
risk. Further, operators are required to register with a
supervisory authority. To ensure uniform application and monitoring
of these requirements, supervisory authorities are proposed for
each sector, with certain existing authorities given extended areas
of responsibility and new supervisory authorities established to
handle the expanded scope. The requirements will probably not be
settled in their entirety until these supervisory authorities have
issued detailed provisions, as was the case when the NIS1 directive
was implemented in Swedish law.

Further, the operator is required to conduct systematic,
risk-based information security work. The operation's management
must undergo training, and employees must also be offered the
training they need.

Requirement for security in supply
chains: 
The operator's obligation to institute
measures also extends to the supply chain. However, each operator
is responsible only for its own link in the chain, i.e. it needs to
institute risk management measures in relation to its direct
suppliers, not their sub-suppliers. Cybersecurity will be required
to be regulated in supplier agreements, which means that both
existing and new agreements will need to be reviewed and adapted to
these requirements.

Extended requirements for incident
reporting: 
Incident reporting will be compulsory, and this also covers
incidents originating in the supply chain. The operator is
consequently obliged to report significant incidents to MSB within
set time limits: an early warning within 24 hours of the operator
becoming aware of the significant incident, an incident report
within 72 hours, and a final report within one month.

Introduction of sanctions: The NIS2
directive contains detailed rules regarding the supervisory
authorities’ intervention and their capacity to issue penalty
fines.

The lowest level of penalty is proposed to be SEK 5,000 (as
previously). For the maximum level of penalties, the NIS2
directive sets two different bases for calculation and amounts,
depending on whether the operator is essential or important.

For essential operators, the maximum penalty fine shall be the
higher of 10,000,000 Euros or 2 per cent of the total global annual
turnover in the previous financial year. For important operators,
the corresponding amounts are the higher of 7,000,000 Euros or
1.4 per cent of the total global annual turnover in the previous
financial year.

In parallel with the NIS2 directive, the CER directive, which
concerns strengthening the resilience of critical entities, is to
be transposed into Swedish law. The inquiry will submit proposals
for that transposition in a final report in September 2024. The CER
directive contains some requirements similar to those of the NIS2
directive, but it covers not only cybersecurity but also other
threats such as natural disasters and terrorism.

According to the CER directive, the member states must identify
actors that provide critical public services within selected
sectors (energy, transport, banking, financial market
infrastructure, health and medical care, drinking water, waste
water, digital infrastructure, public administration, space, as
well as production, processing and distribution of food). Further,
the directive obliges such actors to institute measures to
strengthen their resilience and to report incidents. It also
contains provisions on supervision and sanctions. In other words,
the CER directive contains requirements similar to those of the
NIS2 directive, but the application of the two is coordinated:
where they overlap, the NIS2 directive applies unless the CER
directive sets more far-reaching requirements.

It should also be mentioned that many organisations will
come under both the Protective Security Act (2018:585) and the
Cybersecurity Act. In that case, the point of departure is that
only a limited number of provisions in the Cybersecurity Act apply
to the parts of the operation that are covered by the Protective
Security Act, namely those concerning notification and reporting
obligations.

We recommend that all organisations start work immediately on
compliance with the NIS2 directive and the new Cybersecurity Act.
Organisations that are unsure whether their operations are covered
by the Act need to conduct an analysis, including an assessment of
which parts of the operation (if any) are covered by the Protective
Security Act. Organisations that have already conducted this
analysis need to initiate a risk assessment to establish which IT
services are critical for the operation.

Finally, it should be stated that the above is only an overall
summary of certain issues relating to the NIS2 directive and the
proposal for a new Cybersecurity Act. This article consequently
does not constitute legal advice in an individual case.
