Swedish Goverement report provides further details for NIS implementation

2017-05-03

Swedish Goverment investigation clarifies implementation details for the Network and Information System Security (NIS)applicability, supervision and fines

Albin Zuccato Nationell Affärsområdeschef

Swedish Government report provides further details for NIS implementation

Yesterday, the Swedish government published its preparatory investigation (http://www.regeringen.se/498cec/contentassets/9330610dab214a40a23730d2ef75d274/informationssakerhet-for-samhallsviktiga-och-digitala-tjanster-sou-201736) for the introduction of the EU Network and Information Security (NIS) directive. The NIS directive requires that all suppliers of critical national infrastructure ensure the security of their information systems and networks.

The current suggestion is that all companies that provide services which are critical for the Swedish society shall be subject to NIS and the associated national legislation. As a base to define which organizations are concerned, MSB (Myndigheten för samhällsskydd och beredskap) will maintain an inventory of relevant services that qualify an organization. For those services the crisis and impact assessments, which each municipality and county (län) has to conduct, will define specifically which organizations are concerned.

MSB is central for the NIS as it is tasked with coordination and execution. Specifically, MSB will provide a CSIRT (Computer Security Incident Response Team) for incident reporting as the NIS requires that all security incident information shall be collected and distributed. In respect to audits and continuous supervision the current approach suggests that the sector-specific supervision authorities (e.g. Finansinspektionen for financial sector, Transportstyrelsen for transport …) will be responsible for execution.

In case of violations the supervision authorities have the right to prescribe corrective actions to the relevant party. Meaning that the supervision authorities will have the right to require the implementation of specific security controls (including incident reporting). Furthermore, the supervision authorities will be responsible to issue fines. The fines shall proportional and dissuasive. For Sweden the recommendation is that the fines range from 5000 SEK to 10 Million SEK. As an argument a relation to usual corporate fines (företagsbot) is provided which implies that if those increase so the NIS fines will.

Sweden intents that the laws implementing the NIS shall enter into force already 10.5.2018. This means even earlier then the data protection regulation.