Cyber resilience in Sweden: The impact of NIS2 and DORA

As cyber insurance claims continue to rise in the Nordics, Swedish companies are preparing to navigate new EU regulations that could reshape the landscape of cyber resilience.

Cyber risk remains a key concern for organizations across Europe and the Nordics, regardless of size or industry.

Nordea CEO Frank Vang-Jensen painted a grave picture in a recent interview, referring to attacks as more aggressive, sophisticated, and organized than ever before.

“These aren’t the work of a single actor in a basement somewhere,” he told Swedish business daily Dagens industri.

While Vang-Jensen's comments may have been specific to banks, findings from a 2024 Marsh report on cyber claims show that concerns about cyber resilience extend beyond the finance sector.

According to Marsh’s The changing face of cyber claims in Europe report, cyber claims rose again in 2023, continuing a trend dating back to 2016, with financial institutions accounting for the highest share – 21%, followed by communication, media, and technology (17%); professional services (13%); manufacturing (9%); and healthcare (7%).

“The situation in Sweden largely mirrors what we see across Europe,” says Roman Kovalchuk, Marsh’s Head of Cyber Consulting Nordics.

“Ransomware and extortion are the most frequently reported incidents, followed by data breaches.”

NIS2: Tougher cyber risk management

The increasing burden of cyber threats faced by European companies and consumers hasn’t gone unnoticed by EU policymakers, who have introduced two new pieces of legislation meant to update cybersecurity rules and strengthen cyber resilience.

The first, known as NIS2, updates the original Network and Information Security Directive (NIS), which dates back to 2016. NIS2 came into effect in January 2023 and was transposed into law by all member states by October 2024.

In Sweden, NIS2 has been incorporated into the country’s new cyber security law (2024:18). The government is currently reviewing proposals submitted by a special investigator in September 2024, with final legislation expected in early 2025.

The updates aim to enhance cyber resilience across the EU in light of increased digitalization and a more complex cyber threat landscape.

Companies now face stricter cyber risk management requirements, covering risk assessment, incident management, business continuity, digital supply chain security, and identity management.

NIS2 also expands the directive’s scope to 18 critical sectors, spelling out specific measures required for companies in those sectors and adding the prospect of penalties for non-compliance. Swedish authorities are still determining the exact criteria for which types of businesses will be covered.

“The goal is to have a more harmonized approach to cyber security across the EU and minimize the risk of a cyberattack knocking out critical functions by exploiting vulnerabilities at a specific company or country,” Kovalchuk explains.

“It also means that companies – and their executives – can now be held liable for negligence. And this is a significant change for companies in Sweden and the rest of the EU.”

Sanctions for non-compliance with NIS2 can be both “personal and organizational,” he adds.

Failure to comply can result in financial penalties, as well as the suspension of authorization certificates to conduct certain business activities or a prohibition to perform management functions.

DORA: A ‘step change’ in cyber resilience

In addition to NIS2, companies in the financial sector will also soon have to comply with the Digital Operational Resilience Act (DORA), which entered into force on January 16, 2023, and will apply from January 17, 2025.

DORA aims to create a unified framework for digital resilience in the EU financial sector by requiring stricter measures for ICT risk management, such as annual resilience testing, incident reporting, and third-party risk assessments.

“With 80% of payments in the EU processed electronically and an estimated 200% growth in data stored in the cloud in the next three years, it’s clear that cyber resilience is even more important for the financial sector,” says Kovalchuk.

He says DORA represents a “step change” in digital operational resilience regulations, in particular when it comes to third-party risk and how financial institutions report and manage cyber incidents.

The new regulation applies to a wide range of financial entities covering banking, insurance, financial services, and financial markets. Requirements will be proportionally scaled based on the institution’s size, cyber exposure, and other factors.

“You’d be surprised by how common it is for board members or senior managers at financial institutions to not really grasp the level of cyber risk they face,” he adds.

“DORA helps put digital and cyber risk management high on the agenda through regulations that require leaders to have a tighter grip on operational resilience across their organization.”

The impact in Sweden

As Swedish authorities and lawmakers put the finishing touches on how NIS2 and DORA will be implemented into law, companies need to make sure they stay ahead of the curve.

“Sweden is unique due to a high level of digitalization, which means the potential risks for society may be greater compared to other countries in Europe,” says Kovalchuk.

“Domestic legislation is strong, but adding the NIS2 and DORA regulations is a welcome boost that will hopefully motivate companies that haven’t yet made cyber resilience a priority to take action.”

Examples of concrete steps companies can take include conducting regular risk assessments and implementing technical and organizational measures to prevent, detect, and respond to cyber security incidents.

“It’s not too late to move your organization toward operational compliance,” he adds.

“With proactive measures, companies can mitigate risks before they become incidents, ultimately safeguarding their future in an increasingly digital and interconnected world.”

Want to learn more about how NIS2 and DORA can impact your organization?

Feel free to email Roman Kovalchuk at [email protected] or connect with him on LinkedIn https://www.dhirubhai.net/in/roman-kovalchuk-335b0963/ to continue the discussion and explore these topics further.

Igor van Gemert

CEO focusing on cyber security solutions and business continuity

1 month

Academy.nis2comply.eu: check out the several scenarios in critical infrastructure.
