Navigating NIS 2 in Sweden: what companies need to know

Contacts

Eleonora Pavliouk

Senior Associate
Sweden

I am a senior associate in the Finance & Financial Regulation Group in Stockholm. My passion lies in fintech, innovation, financial regulation, data protection and AI, as well as combining my knowledge in these areas to provide high quality cross-sector advice to our clients.

Mårten Lindberg

Partner
Sweden

I am a partner in our Media, Entertainment & Sports and Technology & Communications teams, and I lead the firm's Technology Transactions and Digital Rights & Assets practices in Sweden.

Background

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (“NISD2”), which came into force in January 2023, is changing the cybersecurity landscape across the EU. In Sweden, on 11 December 2025, the government adopted a new Cybersecurity Act (2025:1506) (Swedish: Cybersäkerhetslagen) (“Act”) implementing NISD2. The Act substantially broadens the scope of covered entities, raises the bar for security measures and incident reporting, and equips Swedish authorities with stronger supervisory and enforcement tools.

Swedish implementation

The Act

The Act is a new piece of legislation and will repeal the current Act (2018:1174) on information security for essential and digital services, which transposed the first NIS directive. The Act introduces the requirements of NISD2 in Sweden, formalising, among other things, which entity types are covered and what their obligations are.

Cybersecurity Regulation

The Act is supplemented by the Swedish Cybersecurity Regulation which, among other things, designates the supervisory authorities as well as which authorities are mandated to issue regulations setting out details supplementing the Act.

Regulations issued by authorities

In addition to the Act and the Cybersecurity Regulation, designated authorities shall issue their own regulations (“Regulations”) clarifying the requirements, establishing certain criteria or making other clarifications, as prescribed by the Act. Such Regulations include Regulations on notification and identification, Regulations on security measures and training, and Regulations on incident reporting and information obligations.

The Regulations are to be issued primarily by the Swedish Civil Contingencies Agency (Swedish: Myndigheten för samhällsskydd och beredskap) (“MSB”) and the Swedish Post and Telecom Agency (Swedish: Post- och telestyrelsen) (“PTS”).

Who is in scope?

The Act applies to activities within the following 18 designated sectors:

Highly critical sectors: Energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, business-to-business ICT service management, public administration and space.

Other critical sectors: Postal and courier services; waste management; manufacturing, production and distribution of chemicals; production, processing and distribution of food; digital suppliers; research; and manufacturing.

An operator that carries out operations within any of the designated sectors is covered by the Act if its size corresponds to or exceeds that of a medium-sized enterprise, i.e. at least 50 employees or a balance sheet total and annual turnover exceeding EUR 10,000,000. Operations within the above-mentioned sectors may be covered by the Act even if they do not meet the size requirement, for example if the operator is the only provider of a service in Sweden that is essential for maintaining critical societal or economic activities. In addition, under certain circumstances, state authorities, regions and municipalities are covered by the Act.

The Act covers the entity in its entire operations (in other words, not just the branch of activity covered by one of the sectors designated above).

Certain types of entities are covered by the Act’s provisions regardless of their size, e.g. providers of public electronic communications networks or services offered in Sweden, TLD registries, DNS service providers, domain registration services and trust service providers.

What does it mean for entities subject to the Act?

Given that the Act enters into force in less than one month (on 15 January 2026), entities subject to the Act should be preparing by taking the following measures, among others.

  • Prepare to notify the MSB that your business is subject to the Act. Registration must be made with the MSB immediately upon the Act entering into force.
  • Implement technical, operational and organisational measures to protect the network and information systems that the entity uses for its operations or to provide its services, and the physical environment of those systems, against incidents. Such security measures include strategies for risk analysis, the security of network and information systems and security in the supply chain. This requires, inter alia, a gap analysis of what is currently in place and what needs to be done to achieve the necessary level of security measures. Drawing up and/or updating internal governance documentation and supplier agreements may be necessary following the gap analysis.
  • The Act requires that individuals involved in the management undergo training in security measures. The training shall ensure that management has sufficient competence to be able to identify risks and assess which security measures should be taken.
  • The Act sets out requirements for significant incident reporting, meaning that an entity shall have routines for incident handling, training of employees in incident handling, and reporting readiness. The MSB has been designated as the authority for the intake of significant incident reports. An obliged entity shall inform the MSB of an incident as soon as possible, but no later than 24 hours after becoming aware of it. An incident report must be filed with the authority no later than 72 hours from becoming aware of it, with the exception of trust service providers, who must report no later than 24 hours. A final report shall be submitted to the authority no later than one month after the incident, unless the incident is still ongoing. In the latter case, a status report shall be submitted instead, and a final report shall be submitted within one month after the incident has been finally handled. The Act also contains information obligations towards the recipients of services: in the case of a significant incident, service recipients must be informed how the incident impacts service provision, whilst in the case of a significant cyber threat, recipients must be informed about appropriate protective counter-measures to undertake.
  • The Act sets out penalty provisions that are quite substantial. The authorities’ toolbox includes issuing remarks, orders (e.g. an obligation to publish information) and administrative fines. The penalty fees will depend on the classification of the operations. For entities classified as significant, the penalty fee may be determined as the higher of 2 percent of the total global annual turnover of the immediately preceding financial year or an amount in SEK corresponding to EUR 10,000,000. For entities classified as important, the sanction fee may be determined as the higher of 1.4 percent of the total global annual turnover of the immediately preceding financial year or an amount in SEK corresponding to EUR 7,000,000.

What happens next?

The Act and Cybersecurity Regulation shall apply from 15 January 2026. The MSB’s Regulations on notification and identification are expected to enter into force on 15 January 2026 or shortly thereafter. The remaining Regulations are expected to come into force gradually starting from 15 January 2026.
