The NIS2 directive was adopted by the European Parliament in December 2022 and the Swedish Act that implements the directive is expected to enter into force on 1 January 2025. The NIS2 directive constitutes a general outline, and it has been difficult to predict the more detailed application - until now. The draft legislation for the new Cybersecurity Act was presented in March this year. Below is an overview of the new NIS2 inquiry, what it entails and how you can prepare your business in view of the new regulation. If you would like further information or assistance do not hesitate to contact us. Lindahl has extensive expertise in areas of law such as regulatory compliance, information security, IT/Tech and data protection.
The NIS2 directive has stricter requirements for operators and contains provisions for a more far-reaching collaboration within the EU compared with its predecessor, NIS1. The overall aim of the new rules is to achieve a higher level of cybersecurity for the expanded number of sectors that are specified in the legislation.
On 5 March 2024 "The inquiry on implementation of the NIS2 and CER directives" submitted an interim report, "New rules on cybersecurity" (SOU 2024:18), together with the proposal for the new Cybersecurity Act.
It is proposed that the Cybersecurity Act, which replaces the current NIS act, enter into force on 1 January 2025. It entails a number of important changes in the area of information security and cybersecurity.
There are essentially two important differences between current legislation and the new proposal:
- Wider application and number of sectors expanded: The proposal is that the Cybersecurity Act will apply to more actors, with the number of sectors expanded from 7 to 18. Examples of new sectors that will now be included are: waste water, administration of ICT services (between businesses), public administration (which means that almost the entire public sector, including municipalities and regions, is covered), space, postal and courier services, waste management, manufacturing, production and distribution of chemicals and foodstuffs, manufacturing (as a sector in its own right), digital suppliers and research.
- The entire operation is included: The proposal means that the requirements will apply to the entire operation, not just those parts that are regarded as critical to society or that offer digital services. It also introduces a size requirement for private organisations: an operation must employ a minimum of 50 persons or have an annual turnover in excess of 10 million euros to be covered by the Act's requirements. However, the Civil Contingencies Agency (MSB) may also designate smaller but particularly critical operations, which must then also comply with the Act's requirements.
Besides the two new elements above, we would like to briefly highlight a number of other parts of the new proposal.
New classification: It is proposed that both public and private operators come under the new Cybersecurity Act. However, the operations included shall be classified as either essential or important, based on significance and size. In principle, the rules are the same regardless of category; depending on the classification, however, they differ in relation to supervision and sanctions.
Liability of the senior management for the operator's violations: The directive places increased requirements on the management's participation in the organisation's cybersecurity work. The inquiry proposes that the supervisory authority be given the option of applying to a court to prohibit a person with management responsibility at an essential operator from performing management functions. This applies, for example, to board members and chief executive officers. Whereas the other sanctions are targeted at the operator as a legal entity, this sanction is targeted at natural persons and should be viewed as a last resort in order to compel a particular action.
Clear requirements for security measures: Operators must institute appropriate risk management measures and conduct risk assessments to protect their networks and information systems against incidents. The measures must be evaluated, based on a risk assessment and proportionate to the risk. The Act also requires operators to register with a supervisory authority. To ensure uniform application and monitoring of these requirements, supervisory authorities are proposed for each sector, with certain authorities having extended areas of responsibility and new supervisory authorities established to manage the expanded requirements. The requirements will probably not be determined in their entirety until these supervisory authorities have issued detailed provisions, as was the case when the NIS1 directive was implemented in Swedish law.
Further, the operator is required to conduct systematic, risk-based information security work. The operation's management must undergo training courses, and employees must also be offered the requisite training.
Requirement for security in supply chains: The operators' obligation to institute measures also extends to the supply chain. However, each operator is responsible solely for one link in the supply chain, i.e. it needs to institute risk management measures in relation to its direct suppliers and not their sub-suppliers. Requirements will be put in place for cybersecurity to be regulated in supplier agreements, which means that existing and new agreements will need to be reviewed and adapted to these requirements.
Extended requirements for incident reporting: Incident reporting will be compulsory, and this also includes the supply chain. The operator is consequently obliged to report significant incidents to MSB within set time limits. An early warning shall be submitted within 24 hours of the operator becoming aware of the significant incident. An incident report shall subsequently be submitted within 72 hours, and a final report within one month.
Introduction of sanctions: The NIS2 directive contains detailed rules regarding the supervisory authorities' intervention and their capacity to issue penalty fines.
The lowest level of penalty is proposed to be SEK 5,000 (as previously). For the maximum level of penalties, the NIS2 directive sets two different grounds for calculation and amounts, depending on whether the operator is essential or important.
For essential operators, the maximum penalty fine shall be the higher of 10,000,000 euros and 2 per cent of the total global annual turnover during the previous financial year. For important operators, the corresponding maximum shall be the higher of 7,000,000 euros and 1.4 per cent of the total global annual turnover during the previous financial year.
In parallel with the NIS2 directive, the CER directive, which concerns strengthening the resilience of critical operations, is to be implemented in Sweden. The inquiry will submit proposals for such implementation in a final report in September 2024. The CER directive contains some requirements similar to those of the NIS2 directive; however, it covers not only cybersecurity but also other threats, such as natural disasters and terrorism.
According to the CER directive, the member states must identify actors that provide critical public services within selected sectors (energy, transport, banking, financial market infrastructure, health and medical care, drinking water, waste water, digital infrastructure, public administration, space, as well as production, processing and distribution of food). Further, the directive obliges such actors to institute measures to strengthen their resilience and to report incidents. The directive also contains provisions regarding supervision and sanctions. In other words, the CER directive contains requirements similar to those of the NIS2 directive, but their application is coordinated: where they overlap, the NIS2 directive applies as long as the CER directive does not set more far-reaching requirements.
Finally, it can also be mentioned that many organisations will come under both the Protective Security Act (2018:585) and the Cybersecurity Act. In that case, the point of departure is that only a limited number of provisions in the Cybersecurity Act, namely those pertaining to notification and reporting obligations, apply to the parts of the operation that are covered by the Protective Security Act.
We recommend that all organisations start work immediately on compliance with the NIS2 directive and the new Cybersecurity Act. Organisations that are unsure of whether their operations are covered by the Act need to conduct an analysis, including an assessment of which parts of the operation (if any) are affected by the Protective Security Act. Organisations that have already conducted this analysis need to initiate a risk assessment to establish which IT services are critical for the operation.
Finally, it should be stated that the above is only an overall summary of certain issues relating to the NIS2 directive and the proposal for a new Cybersecurity Act. This article consequently does not constitute legal advice in an individual case.