Netnod: Cybersecurity regulation must reflect Internet's distributed architecture
Netnod welcomes the ambition to strengthen Sweden's cybersecurity and the robustness of critical digital infrastructure. However, regulation and supervision must be designed in accordance with the fundamental principles of digitization and the Internet architecture, which include decentralization, technology neutrality, layer separation, and shared responsibility among independent actors.
The proposal's intent that the law apply to an operator's entire operation risks blurring essential boundaries between technical layers, separate operational parts, and responsibilities, which is inconsistent with the distributed nature of the Internet infrastructure. Netnod suggests that the law should instead be tied to the parts of the operation that are actually relevant for the networks, information systems, and services covered by the legislation.
Furthermore, Netnod finds the requirement that operators ensure a supplier meets the requirements to be unrealistic. In a digital context, no single actor typically has full control over the entire supply chain, especially when the customer is significantly smaller than the supplier. Netnod proposes amending the phrasing so that the operator should strive to ensure that the relevant requirements are met in the parts of the supply chain the operator can actually influence, linking the obligation to the possibility of influence while maintaining clear responsibility for risk management.
Finally, Netnod advocates for regulations that are technology-neutral and function-oriented, focusing on verifiable function and actual robustness rather than dictating how operators organize internal processes or mandating specific technical solutions such as the proposed rule on segmentation. Robustness in Internet infrastructure is often achieved through diversity and decentralization, and requirements should only be imposed if they are scientifically proven to always lead to the intended outcome of increased capability.