Cybersecurity Act – the implementation of NIS2 in Sweden
In 2022, the EU adopted a directive on measures for a high common level of cybersecurity within the Union, the NIS2 Directive. The directive has been implemented in Swedish legislation through the Cybersecurity Act and Cybersecurity Ordinance.
Whether your business is covered depends on two criteria, both of which must be met:
- The business must be provided or carried out in Sweden within the energy sector as specified in Annex I of the NIS2 Directive. The energy sector comprises the sub-sectors electricity, district heating or cooling, oil, gas and hydrogen.
- The business must also meet the size requirement.
Requirements
The Cybersecurity Act requires business entities within its scope to:
- register with the regulatory authority
- implement appropriate security measures
- provide management training
- report significant incidents.
As a business you must determine whether you are covered by the Cybersecurity Act and, if so, register with the Swedish Civil Defence and Resilience Agency. The Agency will forward the registration to the Swedish Energy Agency.
The Swedish Energy Agency as regulatory authority
The Swedish Energy Agency is the regulatory authority for the energy sector and supervises compliance with the Cybersecurity Act and the regulations issued under it. The Agency may:
- issue orders
- apply for a ban on holding a management position
- perform security audits or security scans
- impose administrative fines.