Special Edition – Data Privacy Report: Sweden’s Cybersecurity Act
News Coverage – Data, Privacy and Information Security
Dear readers,
Welcome to a special edition of our Data Privacy Report. On 12 June 2025, the Government of Sweden referred a proposed new Cybersecurity Act and other legislative amendments to the Council on Legislation – an important step in the implementation of the EU’s NIS2 Directive into Swedish law. The new Cybersecurity Act is proposed to enter into force on 15 January 2026.
In this special edition, we summarise some of the more important changes in the Government of Sweden’s referral to the Council on Legislation, compared to the previous government inquiry (SOU 2024:18). The focus of this overview is on what may particularly affect operators – both public and private – and what measures may need to be taken prior to the entry into force of the Cybersecurity Act. Finally, we report on the next steps in the Swedish legislative work.
Please note that the contents of this special edition of the Data Privacy Report do not constitute an exhaustive overview of the proposed Cybersecurity Act or its differences from the previous government inquiry’s proposal.
The purpose of the Data Privacy Report is to provide you with the latest and most relevant news in the field of data, privacy and information security.
You are welcome to subscribe to our newsletter for regular news updates by signing up here.
We wish you a continued great week!
Kind regards,
Caroline and the team
General overview of the proposed Cybersecurity Act
The new Cybersecurity Act aims to implement the NIS2 Directive, adopted by the EU at the end of 2022, into Swedish law. The Cybersecurity Act is proposed to cover both public and private operators in certain designated sectors and broadly includes, among other things:
- A notification obligation to the competent authority
- Requirements to report significant incidents and provide information to service recipients
- Requirements to implement security measures to protect network and information systems
The referral includes several changes compared to the government inquiry’s proposal (SOU 2024:18). Among other things, the following is proposed:
- Proposed entry into force: 15 January 2026.
- Name change: The Act is now proposed to be called the Cybersecurity Act (formerly: The Act on Cyber Security).
- Clarified purpose: The purpose of the Cybersecurity Act is clarified as achieving a high level of cybersecurity in society.
- Updated and new definitions: Several definitions have been revised, such as the definition of security measures (previously referred to by the government inquiry as risk-management measures), private operator, incident and cyber threats. Additional definitions have also been introduced in the proposed legislative text, such as that of a medium-sized company.
However, it is important to note that many details – such as which authorities will be assigned supervisory responsibilities – have not yet been determined and will instead be regulated through future regulations and provisions. Unlike the previous government inquiry, the referral also does not include a proposal for a regulation to the proposed Cybersecurity Act.
Scope
The Cybersecurity Act is proposed to apply to the entire operations of any actor falling within its scope. These actors are referred to as operators and are categorized as either private or public operators.
In the referral’s proposed Cybersecurity Act, the following points are particularly noteworthy:
- Government agencies: Unlike the previous government inquiry, which proposed that all government agencies (with some exceptions) should be covered by the Cybersecurity Act, the Government now proposes that only those government agencies with the power to make decisions affecting natural or legal persons – and their rights in relation to the cross-border movement of people, goods, services, or capital – should fall within the scope of the Cybersecurity Act.
As an example, the Government states that it, along with government agencies reporting to the Swedish Parliament (Sw. Riksdag), will be exempt from the Cybersecurity Act. Additionally, the Government Offices, Swedish missions abroad (Sw. utlandsmyndigheter) and the committee system (Sw. kommittéväsendet), as well as judicial bodies such as courts and tribunals exercising judicial functions, will also be exempt. However, contrary to the government inquiry’s proposal, the Government believes that the Judicial Proposals Board (Sw. Domarnämnden) and the National Legal Aid Authority (Sw. Rättshjälpsmyndigheten) should not be exempt from the Cybersecurity Act.
- Municipal associations: Contrary to the government inquiry’s proposal, the referral proposes that municipal associations (Sw. kommunalförbund) should fall within the scope of the Cybersecurity Act, while the council (Sw. fullmäktige) and the executive board (Sw. förbundsdirektion) are exempt.
- Operators of specific importance to society: An operator that does not meet the size threshold – and would therefore not normally fall under the Cybersecurity Act – may still fall within the scope if it is deemed to be critical due to its specific importance at national or regional level.
In the referral to the Council on Legislation, the Government clarifies – unlike the government inquiry – that it should be required that the operator is the sole provider in Sweden of a service that is essential for maintaining critical social or economic activities. The criteria for this are proposed to be established through regulations and provisions.
Cirio’s comment: Operators who previously conducted an assessment based on SOU 2024:18 should now reconsider it in light of the changes introduced in the referral regarding the scope of the Cybersecurity Act. Please note, however, that further changes may be introduced in the Government’s bill (see “Next steps” below).
Notification
According to the proposed Cybersecurity Act, all operators shall register with the authority designated by the Government. The relevant authority is not specified in the proposed legislative text but will be determined in the forthcoming regulation, as will the content of the notification itself.
The legislative text states that a notification shall be made as soon as possible, which in the referral is clarified to mean:
- Operators already in existence shall submit a notification upon the Cybersecurity Act’s entry into force.
- New operators starting operations that fall within the scope of the Cybersecurity Act shall submit a notification at the time operations commence.
- Existing operators whose operations evolve in such a way that the operator falls within the scope of the Cybersecurity Act, shall submit a notification in connection with this.
Cirio’s comment: The requirement for already established operators to register immediately upon the Cybersecurity Act’s entry into force means that affected operators should begin preparing for the notification well in advance of 15 January 2026. It is also important that operators who are not yet – but may potentially become – subject to the Cybersecurity Act establish routines to ensure continuous monitoring of whether any new or evolving operations or activities would bring them within the scope of the Cybersecurity Act. If so, a notification shall be carried out accordingly and without delay.
Security measures
The proposed Cybersecurity Act imposes requirements on operators to implement various security measures (referred to in the government inquiry as risk-management measures). In the referral, several amendments and clarifications are proposed to ensure that the Cybersecurity Act more closely aligns with the structure of the NIS2 Directive. Notably:
- The requirement to implement security measures applies to the network and information systems used by an operator for its operations or for providing its services.
- The security measures shall be based on an all-hazards approach, meaning that operators should aim to assess all risks to the systems being protected and analyse all potential causes of those risks materialising.
- The security measures shall be both appropriate and proportionate.
- The minimum requirements for security measures, listed in Chapter 2, Section 3 of the proposed Cybersecurity Act, have been updated to more closely reflect the structure of the NIS2 Directive. Among other things, a new first paragraph has been added, stating that operators have an obligation to have policies on risk analysis and information system security.
- Provisions promoting the use of European and international standards, as well as technical specifications relevant to the security of network and information systems, are proposed to be issued at a lower regulatory level than the Act itself.
- The government inquiry’s proposal to include a regulation on systematic and risk-based information security management has been entirely excluded, as the Government considers that it would have entailed a double regulation in light of the proposed security measures (see above).
Cirio’s comment: Since several key regulations will be issued through regulations or lower-level provisions, operators should continuously monitor legal developments to ensure that such regulations are identified and implemented in a timely manner.
Incident reporting and information to service recipients
Choice of authority for reporting significant incidents
The Cybersecurity Act proposes that significant incidents shall be reported to the authority designated by the Government, within specific timeframes. It is not yet clear whether this will continue to be Sweden’s computer security incident response team (“CSIRT”), or whether the responsibility may be transferred to another authority. A clarification is expected in the forthcoming regulation to the proposed Cybersecurity Act.
Under the current framework, the Swedish Civil Contingencies Agency (“MSB”) is Sweden’s CSIRT. However, it should be noted that the Government has tasked a special investigator with examining how responsibilities for information and cybersecurity could be transferred from MSB to the National Defence Radio Establishment (“FRA”). This may result in a change to the designated CSIRT. The investigation is due to be presented by 1 July 2025.
Timeframes for reporting significant incidents
The definition of significant incidents is proposed to be further specified in regulations and lower-level provisions. However, the proposed Cybersecurity Act outlines the following timeframes:
- Initial notification (previously referred to as a warning) shall be submitted as soon as possible, but no later than 24 hours after the operator becomes aware of the incident.
- Incident report shall also be submitted as soon as possible. Trust service providers shall report no later than 24 hours, while all other operators shall report no later than 72 hours after becoming aware of the incident.
- A final report – or a progress report if the incident is still ongoing (followed by a final report within one month after the incident has been resolved) – shall be submitted no later than one month after the incident report.
In contrast to the government inquiry, the referral emphasises that these timeframes are outer time limits – meaning that significant incidents shall always be reported as quickly as possible.
Information to service recipients
In addition to reporting significant incidents to the competent authority, operators may also need to inform the recipients of their services if the significant incident is likely to adversely affect the provision of services.
However, the referral differs from the government inquiry in that:
- There will be no requirement to inform service recipients at the same time as the incident report is made (see above). Instead, the proposed Cybersecurity Act states that information must be provided as soon as possible.
- Operators will be allowed to conduct a suitability assessment before informing service recipients, which may result in only certain recipients being notified of the significant incident.
Cirio’s comment: The wording in the proposed Cybersecurity Act stating that information provision and incident reporting must be carried out “as soon as possible” leaves room for interpretation. Even if reports are submitted within the specified outer time limits, there is a risk that they may still be considered late. To ensure compliance with the proposed Cybersecurity Act, operators should establish clear internal routines and procedures for incident reporting and information provision, including defined responsibilities and technical support to enable prompt handling.
Supervision and enforcement
The proposed Cybersecurity Act also contains provisions on supervision and enforcement measures for operators who fail to comply with the Act’s requirements. Supervision will be carried out by authorities designated by the Government and will include both regular inspections and the possibility to intervene in cases of non-compliance.
Some notable changes compared to the government inquiry are:
- The referral proposes that the costs of a targeted security audit carried out by an independent body should not be charged to the operator, unlike what was proposed in the government inquiry.
- For important operators, supervisory measures may only be taken when there is reason to believe that the Cybersecurity Act, associated regulations, or legal acts adopted under the NIS2 Directive are not being complied with. This is a lower threshold than that proposed in the government inquiry, which required a “justified reason to believe”.
- The referral proposes that the legislation should clearly state that a temporary prohibition from exercising managerial functions within an entity may only be imposed on individuals within essential operators.
Next steps
The Government’s referral has now been submitted to the Council on Legislation, which will review the Government’s proposal for a Cybersecurity Act. Following this review, the Government is expected to submit a bill to the Swedish Parliament, which will then vote on the proposal. If a majority in the Swedish Parliament votes in favour of the proposal, the new legislation will be enacted and published in the Swedish Code of Statutes (Sw. Svensk författningssamling, SFS).
Given that the Swedish Parliament is in summer recess until 9 September, it is likely that a vote on the proposed Cybersecurity Act will take place in early autumn.
Read more here (press release from the Ministry of Defence, Swedish) and here (referral from the Ministry of Defence, Swedish).