Current status of implementation

On 2 May 2017 a Swedish Government Official Report, namely SOU 2017:36, regarding the implementation of the NIS Directive was published. This SOU has been circulated for consultation. A government bill is now being drafted which, subsequently, will be submitted to the Parliament for its decision. According to the SOU, the proposed new act and regulation will enter into force on 10 May 2018.

Implementation Act

The implementation acts are: 

  • Act (2018:000) on information security for certain operators of essential services and digital services providers.
  • Ordinance (2018:000) on information security for certain operators of essential services and digital services providers.

Determination of operators of essential services (Art. 5 NIS)

Pursuant to Art. 5 of the NIS Directive, the Swedish Civil Contingencies Agency (MSB) has specified the criteria to identify operators of the following essential services: a) energy, b) transportation, c) banking, d) financial markets infrastructure, e) health care, f) water management and g) digital infrastructure. The report establishes detailed assessment material to assist operators of essential services in deciding whether the NIS Directive is applicable to their service. The government has requested MSB to present a catalogue of the identified criteria in a regulation. In the report MSB states that such a regulation can only be implemented once the final draft of the new legislation is presented. However, MSB does not expect any major changes to the assessment material. The idea is to let the operators/organisations do the assessment themselves on the basis of the guidelines presented.

Reporting obligations

Operators of essential services must immediately report significant disruptions to the Swedish Civil Contingencies Agency. The reporting obligation must not have a negative effect on correcting the disruption. The reporting obligation does not apply to disruptions when operators have a legal obligation to report the disruption to the security police or the national defence.

Providers of digital services must immediately report to the Civil Contingencies Agency any disruptions that have a substantial effect on providing the services.

Sanctions regime

If the relevant authority finds that the supplier does not comply with the act or ordinance, it can instruct the supplier to take action. The instruction can be combined with a penalty fine. Further, the relevant regulatory authority will decide on administrative fines of between 5,000 SEK and 10,000,000 SEK for non-compliance with the security requirements or the incident notification obligation.

Competent authorities

The Swedish Civil Contingencies Agency (MSB) is the appointed national Computer Security Incident Response Team (CSIRT).

The suggested regulatory authorities for the different sectors are as follows:

  • Energy: Swedish Energy Agency
  • Transportation: Swedish Transport Agency
  • Banking: Swedish Financial Supervisory Authority
  • Finance: Swedish Financial Supervisory Authority
  • Health care: Health and Social Care Inspectorate
  • Distribution of drinking water: The National Food Agency
  • Digital infrastructure: Swedish Post and Telecom Authority
  • Digital services: Swedish Post and Telecom Authority

Jurisdictional applications

Operators of essential services are subject to Swedish law when the supplier is located in Sweden.

Providers of digital services are subject to Swedish law when their main establishment is located in Sweden.

Remarks (if any)

More details to follow.

Last reviewed 28.02.2018