Ongoing

On 5 March 2024, a Swedish Governmental Official Report entitled ‘New Rules on Cybersecurity’ (SOU 2024:18) was published, which proposed adaptations of Swedish law necessary for the NIS2 Directive and the CER Directive to be implemented in Swedish law. Thereafter, several supplementary Swedish Governmental Official Reports relating to the proposed implementation have been published.

The Reports propose a new Act, the Swedish Cyber Security Act, as well as a supplementary Regulation (the Swedish Cyber Security Regulation).

It was proposed in the Reports that the Act and Regulation was to enter into force on 1 January 2025. However, the Swedish government has not yet published the formal proposal for the Act and it is not likely that the Act will not be implemented before the summer of 2025.”

• Closely modeled on the NIS2 Directive.
• There is some difference in terminology, e.g. that the Act refers to 'operators' rather than 'entities'. However, it is not clear whether such a difference in terminology is intended to have any impact on which organizations the Act will apply to.
• The Swedish Act introduces similar supervision and sanctioning possibilities as those provided for in the NIS2 Directive. However, it is not clear how some of the more specific requirements of the NIS2 Directive, such as the power of competent authorities to suspend certifications, will be implemented in Swedish law.

Unclear, but expected to be summer 2025.