The Government’s chance to strengthen Sweden’s resilience

Read the article in Swedish here.

Russia’s cyberattacks on Ukraine and the attacks on Ukraine’s critical infrastructure are an obvious example of all the vulnerabilities that are built into a civil society. To address the increasing threat, the EU has introduced two new directives which will have a major impact on how public and private sectors undertake their security and preparedness work, and which will come into force on 18 October 2024.

They will apply to NIS2 with requirements for information and cyber security and to CER with requirements for additional security to enable the maintenance of important societal functions. The directives, which together form a fundamental basis for increasing the overall resilience of socially important activities in Sweden and throughout the EU, set far-reaching requirements for protection against both cyber and other types of threats, such as natural disasters and hybrid and terrorist threats.

A large number of organisations in a number of sectors are covered. The directives bring with them a significant increase in ambition, in terms of risk management and binding requirements for safety work as well as supervision of compliance. Large fines will be imposed on those organisations that fail to meet the requirements.

Further examples of sanctions come from the way individuals at the highest management level will be held accountable in the event of their failure to comply with the requirements of the Directives.

Sweden has a new structure for civil preparedness, and a major effort is now needed, based on the two directives, to be ambitious in their application and develop the legislation required to provide comprehensive protection. This is so Sweden can stand stronger and so that we can jointly manage to deal with the new threat scenario.

However, regulatory governance must be balanced with supporting measures in order for the new level of ambition to be realised. Without the support and resources in place, it will be difficult for the thousands of operators affected by the directives to comply with the requirements.

One of Sweden’s challenges is our fragmented administrative model, where there are many public players who are relatively independent. At the same time, Swedish companies today own a large part of our socially important operations and functions. We therefore believe that the Government should implement several measures now to ensure effective implementation to make it easier for those who will be subject to the new directives:

Cohesive framework

The Government should put the directives in a single act, develop a cohesive national strategy or ensure that the work of producing regulations for, among other things, various risk management measures is coherent. The latter would reduce the risk of fragmentation.

Synchronisation with Sweden’s civil preparedness work

To minimise the risk of overlapping processes, the government needs to map the content of the directives to our existing civil preparedness system. We are talking about the division of sectors, the division of responsibilities and roles, as well as established processes such as risk and vulnerability analyses.

Learn from good practice

In order for the regulations from the EU to have the desired effect, those involved need to be given the right conditions to raise their level of security. In Finland, companies that are critical to the maintenance of important societal functions can apply for financial support. We propose that the Swedish government establish a similar fund.

The proposals above lay a solid foundation that will provide stakeholders with better conditions to implement the requirements of the directives. In addition, the proposals will help Sweden increase its chances of creating more cohesive and comprehensive protection so that we can jointly manage all the different risks and threats that may affect us, now and in the future.