Netnod responds to the Swedish implementation of NIS2

On 6 March 2024, Netnod was given the opportunity by the Ministry of Defense to comment on the Swedish implementation of the EU NIS2-directive. Netnod has responded to the request for comments (Fö2024/00496) on the Swedish implementation of NIS2 (SOU 2024:18).

At a high level Netnod has three main concerns with the NIS2 directive and its Swedish implementation in a cybersecurity context. 

1. Neither the EU-directive nor the Swedish implementation present clear and measurable outcomes based on the directive and its accompanying legal framework. It is the opinion of Netnod that all reforms need to be accompanied by a set of objective goals and targets which can be measured after the implementation of the directive.
2. Both the EU-directive and the Swedish implementation focus on an ex-ante regulatory approach which decreases the amount of possible organisational solutions. Netnod is of the opinion that the directive and the implementation should focus on ex-post decrees, and rather manage the complex accountability issues which arise in a digitised world where services are built in layers of functions.
3. Both the EU-directive and the Swedish implementation take an all hazards approach. Netnod is of the opinion that only a subset of actors covered by NIS2 have the competence and the resources to effectively utilise an all hazards approach. Most actors would benefit from being assigned risks and threats to handle and mitigate. An agreed on set of risks and threats would also improve the preconditions for inter- and intra sector training exercises, such as crisis scenarios and civil contingencies.

For further details, please see Netnod’s full response below.

The overall increased focus on cybersecurity in the EU is important and a welcome change, but the implementation does not take into account the way digital services and products are built, maintained and sold