Information security for essential services and digital services (NIS)
Companies that supply certain types of digital infrastructure and certain digital services are now subject to new information security requirements following the transposition of the NIS Directive in Swedish law on 1 August 2018.
Today’s digitised society is dependent on functioning network and information systems. A fundamental requirement is that such services are reliable and secure. The EU has decided that the requirements relating to information security are to apply to companies supplying these services within the EU.
In accordance with the regulations, these companies are to work with information security systematically and based on risk, and are to report any incidents to the Swedish Civil Contingencies Agency (MSB). The Swedish Post and Telecom Authority (PTS) is the supervisory authority for digital infrastructure and digital services.
Operators of essential services (OES) in the digital infrastructure sector are according to the Swedish transposition of the NIS Directive required to register with PTS. In addition, OES:s and Digital Service Providers are required to register an incident reporting account with the Swedish CSIRT, MSB. For information on incident reporting we refer to MSB.
MSB has a coordinating role when it comes to NIS in Sweden. This means, among other things, that MSB issues regulations for all sectors subject to the legislation.
Who is subject to the legislation?
Services subject to the NIS Directive are categorised as essential services and digital services.
Several sectors are supplying essential services, such as energy, transport as well as health and medical care. The sector that PTS supervises is digital infrastructure, which includes operators such as DNS service providers and TLD registry for top level domains.
Digital service providers include cloud service providers, online marketplaces and online search engines.
More information on which organisations are concerned can be found on MSB’s website (in Swedish).
Registration as an operator of essential services
Operators that provide any of the service listed below, and that are established in Sweden, are for the purpose of the notational Swedish NIS legislation considered to be operators of essential services (OES).
Essential services for digital infrastructure, where incidents could entail a significant disruption in the provision of the service, refer to:
- administration and management of domain names on the Internet, performed by registration units for top-level domains with more than 250,000 active domains, or
- DNS services in the form of
- an authoritative name server service with more than 25,000 active, connected domain names, or
- a recursive name server service used by more than 100,000 users.
PTS is one of the supervisory authorities for the NIS Directive in Sweden. We are responsible for the supervision of essential services within the digital infrastructure and for digital services. Our supervision involves monitoring the companies’ compliance with the law and with MSB’s regulations. The primary aim is to assess whether the providers meet the requirements for security measures and incident reporting.
PTS is also responsible for providing information and guidance to companies that are subject to the NIS Directive.
PTS is entitled to issue more sector-specific regulations regarding security measures in addition to those set out in MSB’s regulations.
Questions about NIS
If you have general questions about the Swedish implementation of the NIS Directive, please contact MSB via e-mail: firstname.lastname@example.org.
If you are an operator of essential services or a digital service provider affected by the NIS Directive, contact PTS via e-mail at email@example.com, or via telephone at +46 (0)8-678 55 00 (operator) for any specific questions.