Sweden
Yes, please see some of the Swedish laws and regulations that we would like to refer to in this context (as mentioned above, the regulatory landscape is rather fragmented):
1. The Protective Security Act (2018:585) (Sw. säkerhetsskyddslag (2018:585)), which enters into force on April 1, 2019 and then replaces the act currently in force (the Protective Security Act (1996:627) (Sw. säkerhetsskyddslag (1996:627))). The Protective Security Act (2018:585) (the “PSA”) will apply to both the public and the private sector, i.e. to any legal or natural person who operates (i) an activity of importance to the security of Sweden or (ii) an activity covered by an international obligation of Sweden in terms of protective security (together referred to as security sensitive operations (Sw. “säkerhetskänslig verksamhet”)). Such operations may for instance include the supply of electricity, air traffic, electronic communications and postal services.
The PSA aims to prevent espionage, sabotage, terrorism and other crimes against national security. In terms of IT security standards, the PSA inter alia covers obligations to
• conduct security analysis
• conduct security measures in order to protect sensitive information and information systems
The PSA is complemented by the Protective Security Regulation (2018:658) (the “PSR”), which covers additional and more detailed requirements concerning information security, such as
• security requirements before going live with a new information system
• security measures
• reporting (qualified) incidents
Supervision is divided between different entities. For instance, supervision over authorities is divided between the Swedish Security Service (Sw. Säkerhetspolisen) and the Swedish Armed Forces (Sw. Försvarsmakten). The supervisory authorities in turn have the right to further set out more detailed requirements based on the obligations set out in the PSA and the PSR (such requirements and instructions exist today based on the Protective Security Act (1996:627) currently in force).
2. Regulation (2015:1052) (Sw. förordning (2015:1052) om krisberedskap och bevakningsansvariga myndigheters åtgärder vid höjd beredskap) covers certain aspects of information security applying to governmental authorities, with requirements concerning for instance
• security measures
• reporting (serious) incidents to the Swedish Civil Contingencies Agency (Sw. Myndigheten för samhällsskydd och beredskap)
Each authority is responsible for implementing security measures. The Swedish Civil Contingencies Agency has issued guidelines concerning risk analysis (MSBFS 2016:7), incident reports (MSBFS 2016:1) and (general) governance and procedures for sound IT operations, referring to for instance ISO standards (MSBFS 2016:1).
A similar approach to the one described above applies to municipalities and counties.
3. The Security of Network and Information Systems Act (2018:1176) (Sw. lag (2018:1176) om informationssäkerhet för samhällsviktiga och digitala tjänster) is the Swedish implementation of the NIS directive. The Swedish implementation stays close to the content and scope of the directive.
The sectors covered are energy, transport, drinking water, banking, financial market infrastructures, healthcare, digital infrastructure and key digital service providers. The act furthermore contains obligations corresponding to those in the NIS directive, i.e. concerning cooperation at a national and European level, incident reporting obligations, and obligations to conduct risk analysis and implement security measures. The act is complemented by Regulation (2018:1175) (Sw. förordning (2018:1175) om informationssäkerhet för samhällsviktiga och digitala tjänster) and the further instructions set out by the sector-specific supervisory authorities (see below).
Supervision is divided between different governmental authorities, depending on the sector. For instance, the Swedish Transport Agency (Sw. Transportstyrelsen) is responsible for the supervision of entities within the transport sector, the Swedish Financial Supervisory Authority (Sw. Finansinspektionen) is responsible for the supervision of entities within the banking and finance sector, and the Health and Social Care Inspectorate (Sw. Inspektionen för vård och omsorg) is responsible for the supervision of entities within the healthcare and social care sector, and so on. The Swedish Civil Contingencies Agency (Sw. Myndigheten för samhällsskydd och beredskap) maintains a central role for coordination at a national and European level.