Will the new NIS2-framework affect my company?

On 16 January 2023, the new NIS2-Directive entered into force, and the new rules will be incorporated into Swedish law in October 2024. The evaluation of the existing NIS Directive – incorporated through the Swedish Act (2018:1174) on Information Security for Essential and Digital Services (the “NIS-Act”) – shows that progress has been made in increasing the EU level of cyber resilience, but also revealed inherent shortcomings that hinder the effective management of existing and emerging cybersecurity challenges. The fundamental purpose of the NIS2-Directive is to extend the legal framework for actions to counter the increased cybersecurity threat in the EU.

Under the NIS-Act, providers of essential and digital services are subject to certain security and reporting requirements. In the preamble of the underlying NIS-Directive, it is stated that one reason for this distinction between essential services and digital services is that the degree of risk is higher in practice for the former, which is why the security requirements for suppliers of the latter should be lower. In the NIS2-Directive, this distinction has been abolished as it is now considered obsolete and does not reflect the importance of these sectors and services for societal and economic activities in the EU internal market. Instead, two main roles in the new Directive are essential and important entities. We set out the definitions of these terms in the next section. 

The NIS2-Directive includes the following important news:

(i) Relevant entities are now automatically covered by the rules. It is no longer a prerequisite for Member States to identify them. According to the preamble of the NIS2-Directive, the purpose of this amendment is to eliminate the large differences between Member States’ fulfilment of the obligation to identify the entities concerned, thereby ensuring legal certainty with regards to cybersecurity risk-management measures and reporting obligations of all relevant entities.

(ii) The regulatory framework now covers a larger number of sectors and entities. For example, the digital infrastructure sector now includes providers of data center services and content delivery networks. Further, providers of trust services, public electronic communications networks and publicly available electronic communications services are now covered. There is also a new sector for ICT service management (business-to-business). ICT service is defined as a service consisting fully or mainly in the transmission, storage, retrieval or processing of information by means of network and information systems. In this sector, managed service and managed security service providers are covered. Under the NIS2-directive, these service providers are defined as follows:

"Managed service provider" means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.

"Managed security service provider" means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk-management.

However, a prerequisite for the above-mentioned entities to be subject to the obligations under the NIS2-Directive is that they qualify as essential or important entities (explained below).

(iii) The regulatory framework now sets out a list of minimum requirements regarding which cybersecurity risk-management measures that essential and important entities must take. The contents of these minimum requirements are considered below.

(iv) Supervisory authorities now have the power to impose significantly higher administrative fines for non-compliance with the rules. For example, the maximum amount is increased from SEK 10 million (under the NIS-Act) to the equivalent of EUR 10 million or 2% of total global annual turnover in the previous financial year (whichever is higher) for essential entities.

Two main roles: Essential and important entities

The obligations laid down in the Directive for undertakings mainly cover essential and important entities. These terms are defined by factors such as sector, size of the entity, and the type of product or service that the entity provides.

For example, in the digital infrastructure sector, essential entities refers to providers of cloud computing services, data center services, public electronic communications networks and publicly available electronic communications services, provided that the entity is also of a size that falls within, or exceeds, the thresholds for medium-sized enterprises under European Commission Recommendation (2003/361/EC). This requires that the entity shall employ at least 50 persons and have an annual turnover and/or balance sheet total exceeding EUR 10 million per year.

Important entities refers to, for example, those entities in relevant sectors but which, when applying the above size thresholds, are of smaller size than medium-sized enterprises.

Cybersecurity risk-management measures

The NIS2-Directive provides a list of minimum requirements for cybersecurity risk-management measures to be taken by essential and important entities in order to protect network and information systems and their physical environment from incidents. Incident means "an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems". The list of minimum requirements provides, inter alia, for risk-management measures in the form of:

(i) policies on risk analysis and information system security incident management;
(ii) business continuity; and
(iii) policies and procedures regarding the use of cryptography.

However, essential and important entities are required to take all technical, operational, and organisational measures that are proportionate and appropriate to the risk in the specific case.

The Directive requires essential and important entities to report significant incidents. In doing so, an incident shall be considered significant if it meets either of the following two criteria:

(i) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or

(ii) it affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Significant incidents should be reported to the Swedish Computer Security Incident Response Team (CSIRT), which is currently the Swedish Civil Contingency Agency.

In short, an ongoing significant incident must be reported to the CSIRT within 24 hours and completed with a final report within one month. The final report must, in principle, contain:

(i) a detailed description of the incident, including its severity and impact;
(ii) the type of threat or root cause that is likely to have triggered the incident; and
(iii) applied and ongoing mitigation measures.

The NIS2-Directive provides that competent supervisory authorities shall be empowered to take a variety of supervisory measures to ensure compliance with the rules, including the issuing of warnings and various forms of binding orders. In the event of a breach of the rules on cybersecurity risk-management measures and reporting, administrative fines may also be imposed. For essential entities, administrative fines may be imposed at a maximum of EUR 10 million or 2% of total global annual turnover in the previous financial year (whichever is higher). For important entities, a limit of EUR 7 million or 1.4% of total global annual turnover in the previous financial year applies accordingly.