Introduction

The NIS2 Directive will come into effect on October 17 across the EU. However, its exact implementation and specific requirements will vary from country to country, as each EU member state implements the directive according to its existing needs, legislature, and digital infrastructure.

In Sweden, the proposal is for NIS2 to enter into force on January 1st 2025, and a new SOU defines the cybersecurity rules that Swedish operators and entities will have to comply with. The full SOU, which you can download here, is over 500 pages long, but we have summarised the key parts that the public sector needs to know below.

NIS2 in Sweden: Breaking down SOU 2024:18

Before we review the specific details of SOU 2024:18 and how they will impact public sector entities, a quick recap of NIS2 and the associated CER Directive will be useful.

NIS2 and CER Main Requirements

Amongst other requirements, the NIS2 Directive requires that all critical societal, government, and digital services:

  • Implement higher information security standards.

  • Implement a higher cybersecurity level on all fronts.

  • Ensure participation of management/leadership in cybersecurity work and practices.

  • Conduct comprehensive risk analyses and incident reports.

Furthermore, critical public entities must also meet the standards of the CER Directive regarding digital resilience, meaning that all critical entities must be able to maintain activity and ensure availability of services in case of disturbances or attacks.

Sectors affected by NIS2 in Sweden

In Sweden, the NIS2 Directive increases the number of affected sectors from the 7 sectors covered by the original NIS Directive to the following 18 sectors:

  • Energy

  • Transportation

  • Banking operations

  • Financial market infrastructure

  • Healthcare

  • Drinking water

  • Sewage

  • Digital infrastructure

  • Management of ICT services (business to business)

  • Public Administration

  • Space Administration and Exploration

  • Postal and courier services

  • Waste disposal

  • Manufacturing, production and distribution of chemicals

  • Production, processing and distribution of food

  • Manufacturing (medical products, computers, electronics and optics, electrical appliances, other machinery, motor vehicles, trailers, and other means of transport)

  • Digital suppliers

  • Research

In other words, although the NIS2 and CER directives also target parts of the private sector (mainly manufacturers), in Sweden, the majority of the sectors affected belong to the public sector. However, there are some notable potential exemptions (and additions!) that have now been specified in the SOU.

NIS2 Public Sector Exemptions in Sweden

Although the NIS2 Directive affects almost the entire Swedish public sector, exemptions include:

  • The Government (Regeringen)

  • Government Offices (Myndigheter)

  • Government Agencies under the Parliament and the courts

  • Government Agencies involved in security-sensitive activities

  • Regional/Municipal Councils

  • Law Enforcement Agencies

For the time being, this means that the following 20 government entities (of a total of 346) will be exempt:

  • Riksrevisionen

  • Riksdagens ombudsmän

  • Sveriges Riksbank

  • Riksdagsförvaltningen

  • Sveriges Domstolar

  • Regeringskansliet

  • Tullverket

  • Kustbevakningen

  • Rättsmedicinalverket

  • Polismyndigheten

  • Säkerhetspolisen

  • Åklagarmyndigheten

  • Ekobrottsmyndigheten

  • Kriminalvården

  • Brottsförebyggande rådet

  • Försvarsmakten

  • Fortifikationsverket

  • Försvarets materielverk

  • Försvarets radioanstalt

  • Försvarsunderrättelsedomstolen

In other words, all the exceptions are government entities working at the national level. Meanwhile, all regional and municipal entities, even those that touch upon security-sensitive activities, will be subject to the NIS2 Directive.

The logic behind exempting governmental entities that work within security-sensitive operations or law enforcement is that these entities already need to meet a much higher basic security standard than that stipulated by the NIS2 Directive. Furthermore, many of these entities are protected by secrecy laws that conflict with the incident reporting requirements of NIS2.

However, one should not assume this list of exemptions is set in stone, especially for those government entities that do not work with national security or law enforcement as their main area of operation.

MSB has suggested that government entities not working with national security or law enforcement should be covered by NIS2, on the grounds that NIS2 should represent the minimum cybersecurity standard met by the entire public sector, from the national to the local level. This would mean that the authorities under the Parliament, including Sweden's National Bank and the courts, should also be covered by NIS2.

Furthermore, according to the Security Police, there is no reason to exempt authorities that conduct security-sensitive activities or law enforcement, as they should meet this minimal standard and build on it to reach their required level of security and secrecy.

Additional Sector affected by NIS2 in Sweden

A notable additional sector that will fall under NIS2 jurisdiction in Sweden is Education, specifically higher education. The SOU indicates that higher education institutions capable of conferring official degrees must be covered by NIS2 and the new Cyber Security Act.

The reason Sweden is including colleges and universities in the NIS2 framework is that research in Sweden is conducted, for the most part, at state universities and colleges. Very little research happens outside university settings, so in order to protect research, as required by NIS2, universities and colleges must be protected as well.

In Sweden, there are 49 institutions of higher learning that have degree approval. Of these, 24 that conduct scientific and technical research have been found in a recent investigation to not have sufficient information security to protect research data.

The 24 institutions are the following:

  • Mälardalens universitet

  • Malmö universitet

  • Linnéuniversitetet

  • Kungliga Tekniska Högskolan

  • Karlstads universitet

  • Göteborgs universitet

  • Örebro universitet

  • Försvarshögskolan

  • Högskolan Dalarna

  • Högskolan i Borås

  • Högskolan i Halmstad

  • Högskolan Väst

  • Linköpings universitet

  • Lunds universitet

  • Mittuniversitetet

  • Södertörns Högskola

  • Uppsala universitet

  • Blekinge Tekniska Högskola

  • Högskolan i Gävle

  • Högskolan i Skövde

  • Högskolan Kristianstad

  • Luleå Tekniska universitet

  • Stockholms universitet

  • Umeå universitet

All of these institutions will now have to meet the minimal security standards set by NIS2.

Cost of non-compliance for the Public Sector

For all those institutions, organisations, and entities that will be affected by NIS2, the cost of non-compliance is significant. The SOU proposes three levels of financial penalties for different operators depending on how critical they are to the functioning of society and whether they are public or private entities. We will not get into fines for private operators in this article.

For public sector operators, administrative sanction fees will range from a minimum of SEK 5,000 to a maximum of SEK 10,000,000. When determining the size of the administrative sanction fee, the supervisory authority shall take into account the circumstances that follow from Chapter 5, sections 3-5 of the proposed Cyber Security Act, depending on the level of infringement and how critical the operator is for society.

A good way to gauge how critical a public sector operator is: calculate how many people would be impacted by a data breach or service interruption. The more people are affected, the more critical the operator is, and the higher the fine for non-compliance.

Public-Private partnerships for NIS2 implementation in Sweden

The public sector in Sweden is ill-prepared for NIS2. From the governmental to the municipal level, public entities need to implement quite a few features in their security systems and infrastructure in order to meet the minimum security standards set by NIS2. To learn more about exactly what these features are, read our article "Preparing Sweden for the Future: What the Public Sector needs to do to be NIS2 compliant."

The good news is that the public sector is not alone. Sweden has some advanced cybersecurity service and technology providers in the private sector that can help the public sector implement all the necessary upgrades for NIS2.

However, the number of private providers that the public sector can partner with for NIS2 implementation in Sweden is limited, because the public sector must itself meet the supply chain security requirements of NIS2. This means the public sector can only work with private providers of cybersecurity, electronic communications, DNS, or hosting services that meet certain security and information management criteria.

Aside from meeting all the NIS2 requirements, public sector cybersecurity technology partners should also:

  • Have EU service level agreements and be based in the EU. For critical entities, it is better still if they are Sweden-based and fall under Swedish jurisdiction.

  • Conduct systematic and risk-based information security work.

  • Provide the right level of digital redundancy and resilience required of the public sector.

These requirements significantly limit the number of providers the Swedish public sector can work with if it wants to be NIS2 compliant.

Are you a Swedish organization that needs help implementing all the necessary changes for NIS2?

Book a free consultation with our senior experts for a free NIS2 review: