Find out how our expertise can be of benefit to your organisation in navigating the complexities of AI law and regulation

1. Which laws are applicable regarding advertising of medicines and medical devices? 1.1. Medicines Provisions concerning advertising of medicines are stipulated in the Medicinal Products Act (2015:315)...

The so-called NIS Directive[1] has been updated through the NIS2 Directive[2], which is set to be applied no later than October 18, 2024. The update aims to enhance the overall cybersecurity level of the EU and entails tightened requirements for actors in both the private and public sectors.  Further developments of the implementation of the NIS2 Directive in SwedenOn 14 December, 2022, the European Parliament and the Council adopted the NIS2 Directive, which constitutes an EU-wide legislation on cybersecurity. As a result of the adoption of the NIS2 Directive, the Swedish government appointed a special investigator with the task to suggest necessary implementation measures in Swedish law. On 5 March, 2023, the special investigator published an interim report[3] containing suggestions on implementation measures. In accordance with the interim report, such measures would mainly be incorporated through a new Swedish Cyber Security Act (the “Act”). The Act is proposed to enter into force on 1 January, 2025.[4] Which actors will be subject to the new Swedish Cyber Security Act?There are two essential differences between the current legislation in Sweden implementing the NIS1 Directive[5], and the proposed new Swedish Cyber Security Act implementing the NIS2 Directive. Firstly, the Act would apply to a larger number of operators. Operators within sectors covered by the Act would be expanded from 7 to 18 (sectors such as energy, transport, health, financial market infrastructure and digital infrastructure would be included among these new sectors). Secondly, the requirements in the Act would apply to the entire operations of such actors, not only to their essential and digital ser­vices.[6] All private operators of a certain size or specifically identified ones and public operators carrying out activities in any of the envisaged 18 sectors would be required to comply with the new provisions under the Act. With regard to private operators, the Act’s provisions would only apply to such operators which employs at least 50 people or have a minimum global annual turnover of EUR 10 million. As a result, the Act  many small businesses would be excluded. However, certain specifically identified individual operators would be subject to the provisions in the Act regardless of size (e.g. operators providing public electronic communications networks).[7] What requirements will be stipulated in the new Swedish Cyber Security Act?The proposed Act contains several obligations which operators covered by the Act would be subject to[8]:An operator would have to register with its supervisory authority and provide information such as its identity, contact details and activities. The information would be used by the authority to classify the operators as essential or important, and register them. A separate register for cross-border operators would also be implemented. The operator would have to undertake risk management measures to protect network and information systems and its physical environments against incidents. Such measures should be based on a risk analysis, be proportional to the risk and be subject to evaluation. The operator would be required to carry out systematic, risk-based information security work, require its management to undergo training and offer training to employees. Operators would be obliged to report significant incidents to the Swedish Civil Contingencies Agency in its capacity as Computer Security Incident Response Team (CSIRT) within a specified timeframe. This means that an operator would have to report a warning to the CSIRT within 24 hours of having become aware of a significant incident. Moreover, an incident report would have to be submitted within 72 hours, and a final report within one month. What sanctions may be imposed in case of infringements of the Act?Depending on which provision has been violated, the supervisory authority’s enforcement measures consist of measures such as issuing of orders (which may be combined with a financial penalty) or administrative fines. The administrative fines may be set at no less than SEK 5 000 and no more than SEK 10 000 000.[9] Furthermore, sanctions may also be imposed on natural persons as the possibility of imposing prohibitions on persons with management responsibilities to perform management functions, is introduced in the interim report. What are the next steps?The interim report will now be circulated for formal consultation. Thereafter, the Swedish government will proceed with the preparation the new Act which is, as mentioned above, expected to enter into force on 1 January, 2025. However, until then, it will be uncertain exactly how the Act will be designed. In the meantime, organisations will benefit from reviewing the proposed scope of the Act and analyse whether their operations would be subject to its provisions and what this potentially means. In any case, the NIS2 Directive can be expected to entail major changes for both actors already covered by the NIS1 Directive and for previously unaffected actors, and not least - also for the representatives of all actors concerned. CMS Wistrand will follow the upcoming development. Please do not hesitate to contact us if you have any questions about how your business may be affected.  [1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU). 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive).[3] Nya regler om cybersäkerhet, SOU 2024:18.[4] Nya regler om cybersäkerhet, SOU 2024:18, p. 23 and 31.[5] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.[6] Nya regler om cybersäkerhet, SOU 2024:18, p. 24.[7] Nya regler om cybersäkerhet, SOU 2024:18, p. 25.[8] Nya regler om cybersäkerhet, SOU 2024:18, p. 26.[9] Nya regler om cybersäkerhet, SOU 2024:18, p. 28.

Beslutet att bli en del av CMS, en av världens största advokatbyråer, togs för att framtidssäkra positionen som en av Sveriges ledande advokatbyråer och för att växa internationellt. CMS unika struktur säkerställer att CMS Wistrand kan fortsätta vara en självständig, starkt lokalt förankrad byrå för de svenska kunderna och samtidigt dra nytta av CMS:s globala expertis och nät­verk. ''Ef­fek­ti­va och väl­struk­tu­re­ra­de team över gränserna är av största vikt i dagens juridiska landskap. Det skapar värde för klienterna genom att minska friktionen i leveranser och påskynda processerna att köpa juridiska tjänster'', säger Maria Kosteska Fägerquist, sty­rel­se­ord­fö­ran­de i Gö­te­borg“Be­ty­dan­de tids- och kost­nads­be­spa­ring­ar uppnås för våra klienter genom att de kan dra nytta av unik juridisk kompetens över gränser, sektorer och praktikområden, som arbetar i strukturerade team med gemensamma värderingar och fokus."Inom CMS har vi möjligheten att ytterligare driva den innovation som är nödvändig för att forma framtidens juridiska tjänster.“Att vara framåtblickande innebär att proaktivt förutse utmaningar och driva innovation. Nu positionerar vi oss för att leverera lösningar som formar branschen och hjälper våra klienter att självsäkert navigera i det föränderliga landskapet”, säger Fredrik Råsberg, sty­rel­se­ord­fö­ran­de i Stock­holm. “Men vårt engagemang slutar inte med innovation. Att framgångsrikt styra ESG-agendan med fokus på kli­mat­för­änd­ring­ar och socialt ansvar är av stor betydelse för företag nu och framöver och som advokatbyrå har vi ett ansvar att hjälpa våra klienter att navigera rätt.''Nyheten om att Wistrand skulle bli en del av CMS publicerades för första gången i november 2023. För CMS var insteget i Sverige viktigt. "Att utveckla en stark nordisk plattform är viktigt eftersom våra klienter förväntar sig att vi ska stödja dem i stora affärsnav runt om i världen", säger Pi­er­re-Sé­basti­en Thill, CMS-ordförande. ”Vi har redan CMS Kluge-kontor i Bergen, Oslo och Stavanger. Nu med CMS Wistrand kan vi erbjuda våra kunder bred lokal expertis i Sverige, kombinerat med vår globala räckvidd.”