NIS2 Sweden: New Cybersecurity Act, Authorities & Key Requirements
Understand how Sweden is implementing the NIS2 Directive (EU) 2022/2555 through the new Cybersecurity Act (Cybersäkerhetslagen), which entities are in scope, how supervision and incident handling will work, and what steps you should take now to get ready before the law applies.
Introduction: NIS2 Directive & the Swedish context
NIS2 strengthens cybersecurity requirements across the EU and significantly widens the range of entities in scope. In Sweden, NIS2 will be implemented through a new Cybersecurity Act (Cybersäkerhetslagen), replacing the current NIS Act on information security for essential and digital services (2018:1174). The new law is planned to apply from 15 January 2026 and will cover both public and private operators across 18 sectors.
If you operate in Sweden (or provide services targeting Swedish users), you should assess whether you qualify as a väsentlig (essential) or viktig (important) entity under NIS2, and map which Swedish supervisory authority will oversee you.
NIS2 Directive implementation in Sweden
Sweden is implementing NIS2 through a new framework law commonly referred to as the Cybersecurity Act (Cybersäkerhetslagen). The legislative package is based on the inquiry SOU 2024:18 – Nya regler om cybersäkerhet and the government bill “Ett stärkt skydd för nätverks- och informationssystem – en ny cybersäkerhetslag”. The new act will replace the existing NIS Act (2018:1174).
Status
NIS2 transposition is in its final phase. The Cybersecurity Act is planned to enter into force on 15 January 2026, with the current NIS Act being repealed at the same time.
Core legislation
The Cybersecurity Act implements NIS2 and aligns with the EU CER Directive. It sets horizontal rules, with detailed obligations and supervision assigned to sectoral authorities.
Registration
Under NIS2, each in-scope operator must self-identify and notify the relevant authority of its activity. MSB will provide an online registration/notification portal once the Cybersecurity Act applies. Until then, organisations can use MSB’s self-assessment tools to determine whether they are in scope.
| Area | Swedish note |
|---|---|
| Existing NIS rules | The current NIS Act (2018:1174) on information security for essential and digital services remains in force until the Cybersecurity Act starts to apply. NIS2 already influences how current obligations are interpreted. |
| Public sector | The new framework will cover most state authorities and a wide range of regions and municipalities, as “public administration” is its own sector under NIS2. Certain high-level bodies (e.g. parliament, government, courts) are expected to be excluded or covered by other security regulations. |
| Link with CER | Sweden is coordinating NIS2 with the CER Directive to ensure coherent requirements for critical entities (e.g. energy, transport, banking, health). Some operators may be in scope of both regimes. |
NIS2 Sweden: what you need to know about compliance & certification
Sweden will use the NIS2 model with two main categories: väsentliga (essential) and viktiga (important) entities, largely based on sector and size, with some entities designated regardless of size.
Scope criteria
- Operate in one of the sectors listed in Annex I or II of NIS2 (energy, transport, health, water, digital infrastructure, public administration, etc.).
- Meet the NIS2 size thresholds (typically medium-sized enterprises and above: 50+ employees, or turnover/balance sheet total of at least EUR 10 million). Larger groups (250+ employees or higher revenues) will often be treated as essential entities.
- Established in Sweden or providing NIS2-relevant services on Swedish territory. Smaller operators can still be included if they are particularly critical or part of key supply chains.
Obligations
- Documented risk management and security policies for networks and information systems (IT and OT).
- Formal incident management and reporting processes, including strict timeframes for serious incidents.
- Business continuity and crisis management (BCP/DR plans, exercises).
- Supply-chain security and contractual requirements for key ICT and cloud providers.
- Secure development, change management and vulnerability handling for systems and software.
- Governance: board and executive management will have explicit responsibilities for cybersecurity oversight and must ensure adequate training.
Standards & certification
The Cybersecurity Act does not mandate a single standard but encourages alignment with frameworks such as ISO/IEC 27001, NIST CSF 2.0 and sector-specific standards (e.g. IEC 62443 for industrial control systems). Many Swedish authorities reference ISO 27001 as a practical way to structure compliance.
National NIS2 timeline & key dates (Sweden)
The key date is 15 January 2026: the Cybersecurity Act is planned to start applying, and the current NIS Act (2018:1174) is repealed at the same time. Until then, the NIS Act remains in force.
Sector-specific requirements (Sweden)
- Energy: electricity, district heating/cooling, oil, gas and hydrogen suppliers will be in scope, with Energimyndigheten as the main supervisory authority. Additional sector-specific guidance and checklists are being published for energy operators.
- Public administration: many state agencies, regions and municipalities will be covered as a dedicated NIS2 sector. For public entities, obligations under the Cybersecurity Act will apply alongside other security and continuity regulations.
- Digital infrastructure & ICT service providers: cloud, data centre services, content delivery networks, managed security services and managed IT services are explicitly targeted by NIS2 and will be important focus areas for Swedish supervisors.
- Health, food, water and transport: hospitals, laboratories, drinking water suppliers, food producers, and transport operators may be designated as essential or important entities depending on size and criticality.
- Supply chain: suppliers that are not directly in scope may still need to meet heightened security expectations via contracts if they serve NIS2-covered operators.
Penalties for non-compliance
The Cybersecurity Act introduces administrative fines for serious breaches of NIS2 obligations. For private companies, fines can reach up to approximately EUR 10 million or a percentage of global annual turnover (in line with NIS2 ceilings). For public organisations, the law will set caps in Swedish kronor, with discussions around maximum levels in the range of several million SEK.
Supervisory authorities will also be able to issue binding instructions, require corrective measures, and in some cases impose recurring penalty payments (vite) if serious deficiencies are not addressed.
How to prepare for NIS2 in Sweden
- Clarify whether you are in scope: check your sector, size, and role in critical services. Use Swedish authorities’ self-assessment tools (e.g. from MSB and Energimyndigheten) to identify whether you are an essential or important entity.
- Map your supervisory authority: determine whether MSB, PTS, Energimyndigheten or another sectoral regulator will oversee you under the Cybersecurity Act.
- Perform a gap analysis: compare current controls against NIS2 requirements (governance, risk management, incident handling, business continuity, supply-chain security, training, etc.).
- Strengthen governance: ensure the board and executive management understand their NIS2 responsibilities, receive training, and have regular reporting on cyber risks and compliance status.
- Update policies and technical measures: align your ISMS (e.g. ISO 27001) with NIS2, covering both IT and OT environments and the full lifecycle of systems.
- Prepare for registration: collect the information you will need when MSB’s NIS2 registration portal goes live (legal entity data, sectors, services, contact points, cross-border dependencies).
- Build incident readiness: define clear criteria and workflows for reporting serious incidents, including 24/7 escalation paths and coordination with CERT-SE and your sector authority.
- Document and keep evidence: retain records of risk assessments, security measures, exercises, supplier reviews, and training – this documentation will be crucial in supervisory audits.
