The CER Directive – Another piece in the EU cybersecurity puzzle

EU cybersecurity legislation sometimes feels like a never-ending puzzle, a complex picture with several missing pieces. There is a lot of legislation in the pipeline in this area, with the NIS2 and CER Directives, for example, approaching. But fear not, puzzle enthusiasts, the Swedish government has taken action! As a first step in implementing the NIS2 and CER Directives, the government published a partial interim report on the implementation earlier this year (on 5 March 2024, to be precise).[1] The report suggested, among other things, the creation of a new Swedish Cybersecurity Act in order to transpose the renowned NIS2 Directive into Swedish law. However, as is often the case with cybersecurity regulation, a critical piece of the puzzle was missing: the slightly less famous cousin of the NIS2 Directive, the CER Directive. The proposal for a Swedish implementation of the CER Directive was not included in the partial report but was instead postponed until September 2024. Nonetheless, the day has now come when the government delivers the missing piece of the puzzle. On Wednesday last week,[2] the government's final report was published, including the proposal for implementing the CER Directive into Swedish law.[3] In this article, we aim to shed as much light as possible on the most recent puzzle piece by providing a brief overview of the CER Directive and its proposed Swedish implementation.

What is the CER Directive about?

The purpose of the CER Directive is to ensure that services which are essential for the maintenance of vital societal functions or economic activities can be provided in an unobstructed manner within the EU internal market. In plainer language, the CER Directive contains requirements similar to those of the NIS2 Directive, but unlike the NIS2 Directive, the CER Directive is built on the premise that resilience should not be limited to cybersecurity but must also extend to physical threats such as terrorist attacks, sabotage, and natural disasters. According to the proposal, the CER Directive will be introduced into Swedish law through a new Swedish Act on Resilience of Critical Entities (hereinafter the "Act"). As if to highlight the fact that the proposed legislation is indeed a puzzle, the Act does not apply to matters already regulated by the Swedish Cybersecurity Act (i.e., the proposed Swedish implementation of the NIS2 Directive). Still, the two are closely related, as the Act by and large covers the same entities as the Cybersecurity Act.

Who is covered?

The Act will apply to private and public entities that provide essential services identified in the Annex to the CER Directive. The sectors included in the Annex are energy, transport, banking, financial market infrastructure, healthcare, wastewater, drinking water, digital infrastructure, public administration, space, and production, processing, and distribution of food. Falling within a listed sector is not enough on its own: the CER Directive also requires that the entity has been actively identified as "critical" by the relevant supervisory authority. In Sweden, the supervisory authority for each sector will independently decide which entities are to be covered by the Act. Such decisions shall be based upon the national risk assessment, and three criteria must all be fulfilled for an entity to be identified as critical under the Act: the entity (i) provides one or more essential services within a sector listed in the Annex, (ii) has critical infrastructure located in Sweden, and (iii) an incident, as defined in the Act, would have a significant disruptive effect on the provision of the essential service.

What are identified critical entities obligated to do?

When an entity has received notification that it has been identified as a critical entity, it must carry out a comprehensive risk assessment. The risk assessment must consider all relevant risks that could lead to an incident. Based on the risk assessment, the critical entity shall take technical, security, and organisational measures to ensure its robustness and resilience. The measures taken should be clearly described in a resilience plan and could, for example, include appropriate physical protection of facilities and infrastructure; prevention of, response to, mitigation of, and recovery from incidents; and management of personnel security. Critical entities must immediately report any incident that could significantly disrupt the provision of essential services to the Swedish Civil Contingencies Agency (Swe: Myndigheten för samhällsskydd och beredskap, MSB). Furthermore, the CER Directive introduces an obligation for critical entities to carry out background checks when hiring new staff and consultants for certain positions.

What about sanctions?

The Swedish implementation of the CER Directive proposes that the supervisory authorities may intervene in the form of injunctions, financial penalties, and reprimands. The financial penalties will be the same as for entities covered by the proposed Swedish Cybersecurity Act. In other words, the penalty for a private critical entity will be set between SEK 5,000 and whichever is higher of (1) two percent of the entity's global annual turnover for the preceding financial year, or (2) EUR 10,000,000. For public critical entities, the penalty will be set between SEK 5,000 and SEK 10,000,000.

Concluding remarks

The NIS2 Directive aims to improve cybersecurity in the sectors it covers and focuses on ensuring a common minimum standard of cyber protection in order to protect the covered entities from cyberattacks. But as ever, digital protection is only one piece of the puzzle. The CER Directive expands that focus to cover the physical dimension as well and thus adds an essential piece to the ever-expanding legislative puzzle.

By the summer of 2026, the Swedish supervisory authorities will have had to identify the critical entities in the sectors listed in the Annex to the CER Directive that are to be covered by the Act. It is proposed that the Swedish Act on Resilience of Critical Entities will enter into force on 1 August 2025. We remain sceptical that the Swedish Cybersecurity Act will enter into force on 1 January 2025 as proposed, and our best guess is that the two acts will enter into force alongside each other on 1 August 2025.

As the legislative landscape, the puzzle if you will, continues to evolve and expand, it becomes harder and harder for businesses to navigate the intricacies and interplay between the different legislative obligations they must adhere to. If you and your organisation are in need of guidance, assistance or just somebody to bounce ideas off, our expert lawyers here at Synch are experienced in cybersecurity legislation and happy to assist in whatever capacity is needed, so don't hesitate to contact us.


[1] SOU 2024:18 - Nya regler om cybersäkerhet (New rules on cybersecurity).
[2] 18 September 2024.
[3] SOU 2024:64 - Motståndskraft i samhällsviktiga tjänster (Resilience in essential services).