This status update describes how the Nordic countries Sweden, Finland, and Denmark are implementing the NIS2 Directive. All three countries have chosen a minimalistic approach, closely following the directive’s baseline requirements without adding significant national-specific obligations. Some details can, however, be specified through secondary legislation at ordinance and agency regulation level.
Denmark and Finland have existing legislation which companies in scope need to comply with. Sweden is expected to have similar legislation in January 2026.
| Country | Status of the implementation |
| --- | --- |
| Denmark | In Denmark, the NIS2 has been implemented in sector-specific regulation for Energy, Telco, and financial services, and for all other industries in a NIS2 framework regulation. The NIS2 Energy Act entered into force on 7 March 2025, and the remaining NIS2 regulation (NIS2 Telco) and the general NIS2 Act entered into force on 1 July 2025. |
| Finland | In Finland, the NIS2 implementing legislation, notably the new Cybersecurity Act (124/2025) (“Finnish Act”), entered into force on 8 April 2025. In the public sector, the NIS2 has been implemented in the Act on Information Management in Public Administration (906/2019). |
| Sweden | In Sweden, the government presented its final bill on 14 October 2025. A vote on the bill is expected in December 2025. According to the current proposed bill, the new Swedish Cybersecurity Act (the “Swedish Act”) will enter into force on 15 January 2026. |
The registration deadlines have passed in Denmark and Finland. In Sweden, the registration needs to be done as soon as possible once the Swedish Act has been passed.
| Country | Registration deadline |
| --- | --- |
| Denmark | In Denmark, the registration deadline was 1 October 2025. Thereafter, entities with changes to report and entities newly in scope have 2 weeks to register following the change or coming into scope. |
| Finland | In Finland, the registration deadline was 8 May 2025. For those entities that were not in scope when the Finnish Act entered into force, the registration must be done within one month after the entity becomes subject to the Finnish Act. Changes to the information must be reported within 2 weeks or 3 months, depending on the information. |
| Sweden | In Sweden, the proposal does not specify a fixed deadline for registration of the entities under the NIS2 framework. Instead, it states only that registration must be completed as soon as possible, which essentially requires entities to be prepared to act promptly once the law takes effect on 15 January 2026. Any changes to registration details must be reported within 14 days. Entities affected by the Swedish Act should closely monitor the legislative process and prepare their registration information in advance. |
In Finland, there are seven sector-specific authorities which supervise the entities and may issue technical orders on certain aspects of the risk management measures and the reporting of incidents and cyber threats within their area of competence.
Denmark implemented a hybrid approach to supervision: apart from the centralised authority, SAMSIK, there are a number of sector-specific regulators, depending on the specific scope/industry under which the entity falls within NIS2.
When the Swedish Act enters into force, the Government will issue a regulation specifying, amongst other things, which authorities will act as supervisory authorities, and which will be mandated to issue secondary legislation where the Swedish Act provides for such a possibility. In September, the Government already issued decisions assigning regulatory tasks to the Swedish Civil Contingency Agency and the Swedish Post and Telecom Authority. The former must be able to issue regulations applicable to all sectors covering:
Similarly, the Government has instructed PTS (the Swedish Post and Telecom Authority) to be able to issue secondary legislation for the telco sector covering security measures and guidance on what constitutes a significant incident as well as further information on the information obligations regarding significant incidents and significant cyber threats.
Both authorities are working on the new regulations, with consultations expected in late 2025 or early 2026. Following entry into force of the Swedish Act and ordinance, the issued secondary legislation will replace the existing NIS regulations.
Entities must implement appropriate and proportionate technical, operational and organisational measures to protect their networks, systems and physical environment. These measures must follow an all-risk approach and cover at minimum the measures required by the NIS2.
In Finland, entities had to have the risk management approach in place by 8 July 2025. For those entities that were not in scope of the Finnish Act when it entered into force, the risk management approach must be in place within 3 months after the entity becomes subject to the Finnish Act. No such grace period is provided in Denmark or Sweden. This might mean that in Sweden, entities must be compliant with all obligations once the Swedish Act enters into force on 15 January 2026. In Denmark, entities must already have been compliant since 1 July 2025.
In all three Nordic countries, the deadlines for incident notifications are broadly speaking in line with the deadlines in the directive. One exception is Sweden, where providers of trusted services must submit the follow-up notification earlier than required by the NIS2, already within 24 hours from awareness of an incident.
Supervisory authorities can order remediation, impose administrative fines, or issue remarks; maximum fines mirror NIS2. In Finland, administrative fines cannot be imposed on entities of public administration. In Sweden, it is possible to impose administrative fines on both private and public entities; management body members of essential entities may in certain situations be subject to a prohibition limited in time on holding management functions. In Denmark it is not possible to impose administrative fines, but any sanctions must follow the regular processes under the public prosecution authority. In Denmark, the management body personal liability has not been included as part of the transposition.
In Finland, the entities should ensure that they have registered with the relevant supervisory authority and have the risk management approach in place, as well as have the reporting workflows set up to be able to meet the tight reporting deadlines.
Denmark is at a similar stage to Finland, as a member state that has fully implemented the directive. Full compliance with all measures is required already now.
In Sweden, entities that may fall within the scope of the Swedish Act should:
For more information on cybersecurity, visit our Cybersecurity Hub (Cybersecurity - Bird & Bird) and our NIS2 Tracker (NISD 2 Tracker - Bird & Bird).