Reporting Requirements¶
After a cyber incident, you may have legal obligations to report to authorities, regulators, and affected individuals. This guide covers Swedish and EU requirements.
Quick Reference: Who to Notify¶
| What Happened | Notify | Timeframe |
|---|---|---|
| Personal data breach | IMY | 72 hours |
| Significant cyber incident | CERT-SE | ASAP |
| Criminal activity | Police | ASAP |
| NIS2 significant incident | MSB + Sector authority | 24h early warning, 72h report |
| Insurance claim | Your insurer | Per policy terms |
Personal Data Breaches (GDPR)¶
When Notification Is Required¶
Under GDPR Article 33, you must notify the supervisory authority of a personal data breach unless it's unlikely to result in a risk to individuals' rights and freedoms.
Always notify if: - Sensitive data (health, political, religious, sexual orientation) - Financial data (bank accounts, credit cards) - Identity documents (personnummer, passport) - Credentials that could enable identity theft - Large number of individuals affected
IMY (Swedish Data Protection Authority)¶
Website: imy.se
Report online: imy.se/verksamhet/dataskydd/anmala-personuppgiftsincident
Phone: +46 8 657 61 00
Email: imy@imy.se
What to Report¶
- Nature of the personal data breach
- Categories and approximate number of data subjects
- Categories and approximate number of records
- Name and contact details of DPO or contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach
72-Hour Rule¶
You must notify within 72 hours of becoming "aware" of the breach. If you can't provide all information within 72 hours, you may provide it in phases.
"Awareness" means: When you have reasonable certainty that a security incident has occurred that has led to personal data being compromised.
When to Notify Affected Individuals¶
If the breach is likely to result in high risk to individuals' rights and freedoms, you must also notify the affected individuals directly (GDPR Article 34).
Exceptions: - You've implemented encryption/measures making data unintelligible - You've taken subsequent measures eliminating high risk - It would involve disproportionate effort (use public communication instead)
CERT-SE (Swedish National CERT)¶
When to Report¶
Report significant cyber incidents, especially: - Attacks affecting critical infrastructure - Incidents with national security implications - Widespread attacks affecting multiple organizations - Sophisticated attacks (APT, nation-state) - Novel attack techniques
Contact Information¶
Website: cert.se
24/7 Hotline: +46 10 240 40 40
Email: cert@cert.se
PGP Key: Available on their website
What CERT-SE Does¶
- Coordination with other affected organizations
- Threat intelligence sharing
- Technical guidance
- Liaison with international CERTs
- They do NOT provide hands-on incident response for SMEs
Police Reporting¶
When to Report¶
Report to police when: - You've suffered financial loss - Criminal activity is evident - You may pursue prosecution - Required for insurance claims - Ransomware/extortion involved
How to Report¶
Online: polisen.se/anmal
Phone: 114 14
Emergency: 112
What to Prepare¶
- Timeline of events
- Evidence collected
- Financial impact
- Suspected attack method
- Any communications with attackers
NIS2 Directive Requirements¶
The NIS2 Directive (effective 2024) has stricter requirements for essential and important entities.
Who Is Covered¶
- Energy, transport, banking, financial market infrastructure
- Health, drinking water, wastewater
- Digital infrastructure, public administration
- Space, postal services, waste management
- Manufacturing, food, chemicals
- Digital providers (online marketplaces, search engines, social networks)
Reporting Timelines¶
| Type | Timeframe | Content |
|---|---|---|
| Early warning | 24 hours | Initial notification that incident occurred |
| Incident notification | 72 hours | Assessment of severity, impact, IOCs |
| Intermediate report | On request | Status updates |
| Final report | 1 month | Root cause, mitigation, cross-border impact |
Report To¶
MSB: msb.se - General coordination
Sector-specific authority: Depends on your sector
Insurance Notification¶
When to Notify¶
Check your cyber insurance policy for: - Notification timeframe (often 24-72 hours) - Who to contact - What information is required - Pre-approval requirements for response firms
What Insurers Typically Need¶
- Date and time incident discovered
- Nature of the incident
- Systems and data affected
- Containment actions taken
- Estimated impact
- Police report number
Sector-Specific Requirements¶
Financial Services¶
- Finansinspektionen: Significant operational incidents
- DORA regulation (from 2025): ICT-related incidents
Healthcare¶
- IVO: Patient safety incidents
- IMY: Personal data breaches
Critical Infrastructure¶
- MSB: Sector-specific requirements
- Shorter notification timelines
Documentation Requirements¶
Keep records of: - What happened and when - When you became aware - Actions taken to contain and investigate - What you reported and to whom - Decisions made and rationale - Timeline of all notifications
Notification Template¶
INCIDENT NOTIFICATION
Organization: ________________
Contact Person: ________________
Phone: ________________
Email: ________________
Incident Type: ________________
Date/Time Discovered: ________________
Date/Time Occurred (if known): ________________
Description:
[Brief description of what happened]
Systems Affected:
[List affected systems]
Data Affected:
[Types and approximate quantity]
Actions Taken:
[Containment and response measures]
Estimated Impact:
[Business and individual impact]
External Support Engaged:
[Forensics, legal, etc.]
Common Mistakes¶
- ❌ Missing 72-hour deadline
- ❌ Not documenting when you became "aware"
- ❌ Incomplete initial notification
- ❌ Forgetting to notify individuals when required
- ❌ Not preserving evidence before reporting
- ❌ Inconsistent information across reports
Guides & Resources¶
IMY Breach Notification Guidance¶
- Website: imy.se
EDPB Breach Notification Guidelines¶
- PDF: edpb.europa.eu
MSB NIS2 Information¶
- Website: msb.se
When in doubt, report. Authorities prefer early notification even with incomplete information over late or no notification.
Last updated: 2026-01