Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 27 December 2024

Yes.

☒   general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒   reasonable security controls

☒   encryption

Encryption is considered by the GDPR as an example of what can constitute an appropriate technical and organizational measure. According to the Swedish Post and Telecom Authority's binding regulation PTSFS 2014:1, art. 9, the following applies when data is processed when providing an electronic communication service: If the data is transferred over the internet, encryption is a requirement. This does not apply if the transfer is made to the user himself or to another party to whom the user has agreed that the data may be transferred.

Encryption is also a requirement for the processing of patient data in accordance with the regulations of the Swedish National Board of Health and Welfare.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 27 December 2024

☒   health regulatory requirements

☒  financial services requirements

☒   telecommunication requirements

☒   providers of critical infrastructure

☐   digital or connected (IoT) products

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

☐   data privacy

☐   securities or public company

☐   health

☐   financial services

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 27 December 2024

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controllers/Owners have to notify:

Last review date: 27 December 2024

☒   data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it

☐   cybersecurity authorities

  • In the new interim report on new cybersecurity regulations announced by Swedish authorities, it is proposed that the notification of “significant incidents” should, for efficiency reasons, be made directly to the CSIRT unit. This unit should promptly make the information in incident reports available to supervisory authorities. An incident is considered significant according to Article 23.3 if:

    (a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;

    (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

  • The report also states that it will be the responsibility of the Swedish Civil Contingencies Agency (MSB) to specify in regulations the detailed meaning of a significant incident.

☐   affected individuals

  • in accordance with Article 34 of the GDPR: "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
    • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; or
    • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize.

☒   other

There shall be public communication or similar measure whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects) if the communication to the data subject would involve disproportionate effort. The GDPR does not stipulate a precise timeline for such public communication.

Processors/Agents have to notify:

Last review date: 27 December 2024

☒   controller/owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • without undue delay after becoming aware of it

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 27 December 2024

Yes.

☒  cybersecurity authorities

☒   health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒   telecommunication requirements

☒   providers of critical infrastructure

☒   other

Details regarding the identified data security breach notification requirements

Additional requirements to report incidents for ECS providers

Integrity incidents

An integrity incident is an event that leads to the unintentional or unauthorized destruction, loss or modification of, or unauthorized disclosure of or unauthorized access to, any personal data that is processed in connection with the provision of a publicly available electronic communication service.

A breach must be reported to the supervisory authority PTS without undue delay. According to Article 2 (2) EU Regulation 611/2013, the authorities have to be informed within 24 hours after detection of the breach.

If the breach can be assumed to have had a negative effect on the individual user whose personal data has been processed, or if the supervisory authority requests it, then "notification to the subscriber or individual shall be made without undue delay after the detection of the personal data breach", in accordance with Article 3 (3) EU Regulation 611/2013.

The supervisory authority or a court of law can issue a prohibitory injunction against the service provider if it does not comply with the provision to report a data breach. Such a prohibitory injunction can be combined with a fine.

Disruptions or interruptions of a significant scale

In addition, where there is a disruption or interruption of a significant scale, PTS shall be notified the day after the disruption or interruption has been solved and no later than three days after qualifying as an incident that should be notified.

The initial report shall be provided the day after the disruption has been solved, but no later than three days after the disruption/interruption qualified as being mandatory to report. A follow-up report shall be provided as soon as possible. The supervisory authority may, if it is in the public interest, order the ECS provider to inform the public about the disruption or interruption.

Providers of essential services and providers of digital services

The breach notification requirement to the competent authority stipulated in sections 18 and 19 of the Swedish Act on Information Security for essential services and digital services applies (i) to operators of essential services and digital service providers and (ii) to breaches that substantially affect the continuity of essential or digital services.

A data breach occurs when an event has a negative effect on the security of a network or an information system. When a service provider does not comply with the breach notification requirement, then the supervisory agency shall issue an administrative fine.

The fine cannot be less than EUR 500 or exceed EUR 1,000. The individual must not be notified.

Incidents shall be reported to the Swedish Civil Contingencies Agency.

The first notification shall be made within six hours from when the incident has been identified as being mandatory to report. Follow-up reports shall then be made within 24 hours and within four weeks.

NIS 2 directive implementation in Sweden

As stated above, the Swedish government has, through an inquiry, presented its proposal for the Swedish implementation of the NIS 2 Directive, with the proposed date of entry into force set to 1 January 2025. However, following delays in the legislative procedure, the new regulation in Sweden will most likely not enter into force until summer 2025. The proposed changes include, inter alia, requirements for notification obligations, risk management measures, and incident reporting for the operators covered by the regulation. According to the Swedish Government Official Reports, the number of operators that will be covered by the new regulation is expected to increase significantly compared to those currently covered.

The Swedish government will be given authority to decide which government agencies will be tasked with the supervision of the new regulation. It is currently unclear whether the Swedish Civil Contingencies Agency (MSB), which is currently the coordinating supervisory authority under the NIS Directive, will continue in that role after the implementation of the NIS 2 Directive. According to the Swedish Government Official Report, the upcoming decision should be based on the existing regulatory framework. The inquiry therefore concludes that a supervisory authority should be appointed for each sector, following the pattern currently in place in Sweden, during the implementation of the NIS 2 Directive. The inquiry further suggests that an existing supervisory authority should be assigned oversight responsibility for any new sector included in the NIS 2 Directive. Ultimately, as outlined, the decision will rest with the Swedish government once the law comes into effect.