Sweden

Law on information security for social and digital services (SFS 2018:1174)
Background:
The law transposes the Directive on security of network and information systems (the NIS Directive, an EU-wide legislation on cybersecurity) into national law.
Purpose and area of application:
The purpose is to achieve a high level of security in networks and information systems used (i) by operators of essential services to provide such services in the following sectors: energy, transport, banking, financial market infrastructure, healthcare, supply and distribution of drinking water, and digital infrastructure, and (ii) by digital service providers.
Obligations (operators of essential services):
• Conduct systematic and risk-based information security work on the networks and information systems used to provide the services.
• Make a risk analysis that will serve as a basis for selecting security measures. The analysis must include an action plan. The analysis shall be documented and updated annually.
• Take appropriate and proportionate technical and organizational measures to address risks that threaten the security of networks and information systems used to provide the services.
• Take appropriate measures to prevent and minimize the effects of incidents affecting networks and information systems used for providing the services. The measures shall aim at ensuring continuity of the services.
• Make a notification to the Swedish Civil Contingencies Agency (Sw: Myndigheten för samhällsskydd och beredskap) (“MSB”) stating whether the supplier provides a service in two or more member states in the EU.
• Report incidents that have a significant impact on the continuity of the social services without undue delay to MSB.
Obligations (digital service providers):
• Take the technical and organizational measures deemed appropriate and proportionate to deal with risks that threaten the security of networks and information systems used for providing the digital services within the European Union.
• Take action to prevent and minimize the effects of incidents affecting networks and information systems used. The obligation applies only in relation to the effects of such incidents on digital services offered by the supplier within the European Union. The measures shall aim at ensuring continuity of the services.
• Report incidents that have a significant impact on the provision of a digital service offered within the European Union without undue delay to MSB.
Obligations to cooperate with the authorities:
Supervised entities shall, upon the supervisory authority’s request, provide the information required for the supervision.
Regulation on information security for social and digital services (SFS 2018:1175)
Background:
The regulation supplements the Law on information security for social and digital services (SFS 2018:1174).
Standards and specifications:
When designing security measures, operators of essential services and digital service providers should take into consideration European and internationally accepted standards (as set out in article 2.1 of Regulation (EU) No 1025/2012) and specifications (as set out in article 2.4 of Regulation (EU) No 1025/2012).
Freedom of Press Act (1949:105), Public Access and Secrecy Act (2009:400) and Public Access and Secrecy Regulation (2009:641)
Background:
The Freedom of Press Act, which has constitutional status, recognizes the fundamental principle of public access to official records. However, certain official records containing sensitive information, such as information related to national security and sensitive personal data, are subject to secrecy. The Public Access and Secrecy Act specifies which information and official records are subject to secrecy.
Purpose and area of application:
The purpose of the Public Access and Secrecy Act is to regulate the secrecy and confidentiality obligations of (i) public authorities and (ii) other legal entities under the decisive legal influence of a municipality or county, concerning personal and business data, including trade secrets.
Obligations:
The Public Access and Secrecy Act regulates secrecy for the protection of public interests, individuals’ personal or economic circumstances, and secrecy in certain official organs (e.g. courts, parliament, government, etc.).
According to chapter 18 section 8 of the Public Access and Secrecy Act, secrecy applies to information about security or surveillance measures if revealing the information would counteract the purpose of the measure, and the measure relates to, for example: facilities, premises, manufacture, storage, transport of money or other transportation of valuables; storage of weapons, ammunition, explosives or radioactive substances; telecommunications or systems for automated processing of information; civil aviation or shipping; land transport of dangerous goods; or harbor protection.

Provided By:
Johanna Linder, Sara Andersson, Elin Holm, Pierre Olsson, and Isak Åberg: Advokatfirman Cederquist KB