In May 2018, the NIS Directive will begin to apply. The Directive means, inter alia, that six government public authorities will supervise information security at providers of digital services and of services that are of significant importance to society.* The Swedish Civil Contingencies Agency (MSB) has the responsibility for the coordination of the work.
On behalf of the Government, Statskontoret, the Swedish Agency for Public Management, has investigated the financial consequences for the MSB and the public authorities which will receive the responsibility for the oversight. Included in the assignment to Statskontoret is the investigation of whether the oversight of activities should be financed by fees related to the supervision. Irrespective of our assessment concerning this issue, we have also been commissioned to investigate how such a fee might be designed for each sector in the Directive.
The financial consequences vary among the public authorities
Statskontoret has investigated the initial costs for the supervisory authorities, and their ongoing costs, in order to assess the financial consequences for them. Our calculations of the costs are based on the public authorities’ own estimates.
Some examples of factors affecting the initial costs include whether the public authorities need to recruit new expertise, whether they need to implement information efforts, or whether they incur one-off costs in connection with commencing the supervisory authority’s oversight activities. Examples of factors affecting the ongoing costs include the number of agencies/units subject to oversight, the frequency of the supervision, and the practical aspects related to its implementation.
The designated public authorities are of the opinion that it is difficult to assess the financial consequences of the new supervision. The Government has not yet given the public authorities any formal supervisory duties and the number of suppliers that are to be inspected is not yet clear. For most of the public authorities, the oversight of information security is also a new supervisory area.
The public authorities estimate that the initial costs will amount to a total of SEK 17.2 million; however, the variation between the various public authorities is significant. Their total estimate of the ongoing costs approaches SEK 60 million annually. The Health and Social Care Inspectorate’s estimate, some SEK 20 million, is the highest, while Finansinspektionen’s estimate of SEK 3 million is the lowest.
Even though the estimates of the public authorities are preliminary, the calculations rest on a reasonably stable basis. In their calculations, the public authorities have taken into account approximately 75 percent of the total of 29 factors that in Statskontoret’s assessment can have a significant impact on costs.
It is Statskontoret’s opinion that it will take some years before it is possible to calculate the exact costs of the respective supervisory authorities. Therefore, we believe that the Government should impose requirements on the supervisory authorities to report the costs and scope of the supervisory activities, for the next few years at least.
The supervision should be financed with appropriations or grants
Statskontoret does not consider that the oversight pursuant to the NIS Directive should be financed by fees. Our analysis shows that for five of the six public authorities concerned the disadvantages of such a form of financing far outweigh the benefits. There are four reasons in particular that speak against entities subject to oversight paying a fee for the oversight pursuant to the NIS Directive. These are:
- the risk of competitive distortions, i.e. anticompetitive effects
- comparatively high administrative costs
- difficulties in designing oversight of the sectors in a uniform manner
- the difficulty of showing clear counterperformance for the fee.
Statskontoret therefore proposes that the supervision pursuant to the NIS Directive should be financed with appropriations/grants.
Even a fee-financed supervision should have a common design
Although our assessment is that the supervision should be financed by appropriations, our assignment also included suggesting how financing by fees might be designed for each sector in the NIS Directive.
Statskontoret takes the position that if the oversight is financed by fees, the fee system should be formulated in an identical manner within each sector. This would make it easier for the public authorities to continuously exchange their experiences. The entities required to pay for the oversight would also experience it in a similar manner. However, we nevertheless still consider that the charges within each sector should be adjusted according to the respective supervisory authority’s costs, according to the principle of full cost coverage. At the same time, there is reason for the proposed supervisory authorities to strive to be similar to each other, even with regard to the level of the fees.
It is also Statskontoret’s view that a possible fee system should consist of a fixed annual fee that is the same for all entities subject to oversight within each respective sector. It is also our view that it should not be up to the supervisory authorities to decide on the amount of the fees, nor should they be able to freely use the revenue. It is our assessment that such a model best promotes supervision that is uniform, efficient and simple from an administrative perspective.
MSB needs to devote significant resources for the work
MSB’s tasks include being a national contact point, leading a cooperation forum for the supervisory authorities, and representing Sweden in the EU. MSB is to develop a system for receiving and analysing incident reports. The tasks also include preparing regulations for the supervision work, supporting public authorities with oversight methodology and supervisory procedures, and informing the relevant parties about the rules and requirements.
According to MSB, the Authority will need to allocate 10-11 full-time equivalents for its work on the NIS Directive. MSB estimates its total costs of implementation will amount to SEK 14 million per year (inclusive of overhead costs). Statskontoret does not question MSB’s estimate; however, we do note that the financial consequences largely depend upon how MSB chooses to implement the new tasks and responsibilities.
* The report from the special governmental committee of inquiry which forms the basis for the implementation of the NIS Directive (SOU 2017:36) proposes that the following public authorities be given oversight responsibilities: The Swedish Energy Agency (Statens Energimyndighet), Swedish Transport Agency (Transportstyrelsen), Swedish Financial Supervisory Authority (Finansinspektionen), the Health and Social Care Inspectorate (Inspektionen för vård och omsorg), the National Food Agency (Livsmedelsverket) and the Swedish Post and Telecom Agency (Post- och telestyrelsen).