COUNTRY: SWEDEN

Sweden does not have a national cybersecurity strategy, but one is being developed. There are no laws in Sweden that specifically deal with cybersecurity. Sweden does, however, have a functioning computer emergency response team, CERT-SE, which has jurisdiction over all Swedish networks. Furthermore, the Swedish Civil Contingencies Agency (MSB), which is the national authority in charge of information security, has helped Sweden establish a good reputation on cybersecurity. MSB is the centralised information security entity and has a prominent public presence.
QUESTION | RESPONSE | EXPLANATORY TEXT

LEGAL FOUNDATIONS

1. Is there a national cybersecurity strategy in place?
Response: No
Explanatory text: According to the European Union Agency on Information Security (ENISA) <www.enisa.europa.eu>, Sweden is preparing a cybersecurity strategy. As of August 2014, the expected date of release is unknown. A high-level Strategy for Information Security 2010-2015 has been published, but it does not address specific issues in cybersecurity or set out actions and responses.

2. What year was the national cybersecurity strategy adopted?
Response: –
Explanatory text: –

3. Is there a critical infrastructure protection (CIP) strategy or plan in place?
Response: Yes
Explanatory text: Sweden adopted the National Strategy for the Protection of Vital Societal Functions in 2014. The strategy was produced by the Swedish Civil Contingencies Agency (MSB). <www.msb.se>

4. Is there legislation/policy that requires the establishment of a written information security plan?
Response: Yes
Explanatory text: The Swedish Civil Contingencies Agency’s Regulations on Government Agencies’ Information Security 2009, pursuant to Regulation 2006:942 <riksdagen.se/sv/Dokument-Lagar/Lagar/Svenskforfattningssamling/Forordning-2006942-om-krisb_sfs-2006-942>, compel each government agency to establish an information security policy sufficient for ensuring that agency’s information security.

5. Is there legislation/policy that requires an inventory of “systems” and the classification of data?
Response: Yes
Explanatory text: The Armed Forces Regulation on Security 2203:77 outlines a four-tiered classification system. Under the system, data deemed to be in need of classification are assigned a classification level according to the level of risk involved in disclosing the information.

6. Is there legislation/policy that requires security practices/requirements to be mapped to risk levels?
Response: Yes
Explanatory text: The Public Access to Information and Secrecy Act 2009 sets out security practices for information mapped to the classification level assigned to it. The classification levels are set out in the Armed Forces Regulation on Security 2203:77 and are assigned according to the level of risk involved in disclosing the information.

7. Is there legislation/policy that requires (at least) an annual cybersecurity audit?
Response: No
Explanatory text: The Swedish Civil Contingencies Agency’s Regulations on Government Agencies’ Information Security 2009, pursuant to Regulation 2006:942 <riksdagen.se/sv/Dokument-Lagar/Lagar/Svenskforfattningssamling/Forordning-2006942-om-krisb_sfs-2006-942>, support “regular” review and monitoring of incident response measures. This process is not required to be conducted according to a specific timeframe.

8. Is there legislation/policy that requires a public report on cybersecurity capacity for the government?
Response: No
Explanatory text: There is no legislation or policy in place in Sweden that requires a public report on cybersecurity capacity for the government.

9. Is there legislation/policy that requires each agency to have a chief information officer (CIO) or chief security officer (CSO)?
Response: Yes
Explanatory text: The Swedish Civil Contingencies Agency’s Regulations on Government Agencies’ Information Security 2009, pursuant to Regulation 2006:942 <riksdagen.se/sv/Dokument-Lagar/Lagar/Svenskforfattningssamling/Forordning-2006942-om-krisb_sfs-2006-942>, require each government agency to appoint one or more persons to direct and coordinate measures related to information security.

10. Is there legislation/policy that requires mandatory reporting of cybersecurity incidents?
Response: No
Explanatory text: The Swedish Civil Contingencies Agency (MSB) <www.msb.se> advises government agencies to report cybersecurity incidents; however, such reporting is not mandatory.

11. Does legislation/policy include an appropriate definition for “critical infrastructure protection” (CIP)?
Response: Yes
Explanatory text: The Swedish Civil Contingencies Agency (MSB) <www.msb.se> provides an appropriate definition for “critical infrastructure protection”.
There is a government committee investigating Sweden’s information security legislation and national defence framework that is expected to report in November 2014. <www.regeringen.se/sb/d/108/a/233522>

EU Cybersecurity Dashboard <www.bsa.org/EUcybersecurity>