New Cybersecurity Act - implementation of the NIS2 directive in Swedish law
On 15 January 2026, the new Cybersecurity Act will enter into force - triggering an immediate notification obligation for all operators covered by the Swedish implementation of the NIS2 Directive. All affected organisations must notify the relevant supervisory authority as soon as the law comes into force, making the need to quickly clarify whether they are covered, and what information must be provided, a pressing issue. Below we summarise the main features of the proposed legislation and what organisations need to start preparing now. For more information or assistance, please do not hesitate to contact us.
The NIS2 Directive was adopted by the European Parliament in December 2022. The Swedish Government submitted the bill 'Strong Protection for Network and Information Systems – a New Cybersecurity Act' (Prop. 2025/26:28) on 9 October 2025. The Cybersecurity Act, which replaces the current NIS Act, is proposed to enter into force on 15 January 2026 and entails several important changes in the field of information security and cybersecurity.
The NIS2 Directive tightens the requirements for operators and contains provisions on more extensive cooperation within the EU compared to its predecessor NIS1. The overall purpose of the new rules is to achieve higher cybersecurity for an expanded number of sectors.
There are primarily two changes that organisations need to address immediately:
Broader application and expansion of sectors: The Cybersecurity Act is proposed to cover more actors. The number of sectors is expanded from 7 to 18. Examples of new sectors now covered include: wastewater; management of ICT services (business-to-business); public administration (which means that almost the entire public sector, including municipalities and regions, is covered); space; postal and courier services; waste management; manufacturing, production and distribution of chemicals and food; manufacturing; digital providers; and research.
The entire business is covered: The proposal means that the requirements will apply to the entire business, not just the parts considered to be of vital importance to society or offering digital services. A size threshold is also introduced for private operators: a business must employ at least 50 people or have an annual turnover exceeding 10 million euros to be covered by the requirements of the Act. However, smaller but particularly critical businesses can also be designated by the supervisory authorities, and must then comply with the requirements of the Act as well.
In addition to the above two new features, we would like to briefly highlight some further elements of the new proposal.
New classification: Both public and private operators are covered by the new Cybersecurity Act. However, the businesses covered are to be classified as either essential or important entities based on significance and size. The rules are essentially the same regardless of category, but supervision and sanctions differ depending on the classification.
Accountability of senior management for the operator's violations: The NIS2 Directive, and thus the Cybersecurity Act, places increased demands on management participation in the organisation's cybersecurity work. The Act authorises supervisory authorities to apply to a court for a person with management responsibility at an essential entity to be prohibited from exercising management functions. This applies, for example, to board members and chief executive officers. Whereas the other sanctions are directed at the operator as a legal entity, this sanction is directed at natural persons and should be seen as a last resort to bring about a particular course of action.
Clear requirements for security measures: Operators must take appropriate risk management measures and carry out risk analyses to protect their networks and information systems against incidents. The measures must be evaluated, based on a risk analysis and proportionate to the risk. To ensure uniform application and monitoring of these requirements, each sector has its own supervisory authority; some existing authorities are given expanded areas of responsibility, and new supervisory authorities are established to handle the expanded requirements. The requirements in their entirety are clarified primarily in detailed regulations issued by these supervisory authorities, as was the case when the NIS1 Directive was implemented in Swedish law.
Furthermore, the operator must conduct systematic and risk-based information security work; the organisation's management must undergo training, and employees must be offered the necessary training.
Requirements for supply chain security: The operators' obligation to take measures also extends to the supply chain. The bill clarifies that work on supply chain security cannot be limited to the direct supplier only; a broader approach is expected. The Government points out that the operator should consider vulnerabilities at sub-suppliers, and in certain cases also be prepared to act on deficiencies relating to further links in the chain. In practice, this means that organisations need to assess and manage risks that may arise even at the next and subsequent links – particularly if these risks are known, highlighted or otherwise relevant to the business's security level. This may result in operators needing to review their supplier agreements, including to ensure that there are requirements for information sharing and that the supplier takes responsibility for its sub-suppliers. The Act does not specify a detailed model for how supply chains are to be controlled or how agreements are to be designed; the requirements must be assessed in each individual case, and it is the operator who bears the responsibility.
Extended requirements for incident reporting: Incident reporting becomes mandatory and this also includes the supply chain. The operator is thus obliged to report significant incidents within certain specified time limits. An early warning must be submitted within 24 hours from when the operator became aware of the significant incident. Thereafter, an incident notification must be made within 72 hours and a final report within one month.
Introduction of sanctions: The NIS2 Directive contains detailed rules regarding supervisory authorities' interventions and their ability to impose administrative fines.
The minimum level of administrative fines is SEK 5,000 (as previously). Regarding the maximum level of administrative fines, the NIS2 Directive establishes two different calculation bases and amounts, based on whether the operator is essential or important.
For essential entities, the maximum amount of the administrative fine shall be the higher of 10,000,000 euros, or 2 per cent of the total global annual turnover in the preceding financial year. For important entities, the corresponding amount shall be the higher of 7,000,000 euros, or 1.4 per cent of the total global annual turnover in the preceding financial year.
The CER Directive
In parallel with the work to implement the NIS2 Directive, the implementation of the CER Directive, which concerns strengthening the resilience of critical entities, is also being prepared. The CER Directive contains partly similar requirements to the NIS2 Directive, but addresses not only cybersecurity but also other threats such as natural disasters and terrorism.
According to the CER Directive, Member States must identify actors that provide essential services within selected sectors (energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration, space and production, processing and distribution of food). Furthermore, the directive prescribes an obligation for such actors to, among other things, take measures to strengthen their resilience and report incidents. The directive also contains provisions on supervision and sanctions. The CER Directive thus contains similar requirements to the NIS2 Directive, but the application is coordinated and in case of overlap, the NIS2 Directive shall apply as long as the CER Directive does not impose more far-reaching requirements.
The inquiry appointed by the Government regarding the CER Directive submitted its final report in September 2024 – Resilience in Essential Services (SOU 2024:26), which has been circulated for consultation and is being further processed within the Government Offices as of November 2025.
Finally, it can also be mentioned that many organisations will be covered by both the Cybersecurity Act and the Protective Security Act (2018:585). The starting point is then that for those parts of the business covered by the Protective Security Act, only a limited number of provisions in the Cybersecurity Act apply (regarding notification and information obligations).
With only weeks left until the new Cybersecurity Act enters into force on 15 January 2026, it is high time for organisations to move from planning to implementation. The work on NIS2 compliance is extensive and requires not only technical measures but also governance, documentation and a review of the entire supply chain.
Organisations that are still uncertain whether they are covered need to immediately carry out a qualified applicability analysis – including how the business is affected by the Protective Security Act. For those who have already started this work, the next step is to carry out an updated risk analysis, map critical services and identify which agreements, processes and systems must be adapted before entry into force.
The general recommendation from MSB (the Swedish Civil Contingencies Agency) is also to start preparing your notification based on the information available, to facilitate the process when the notification obligation becomes mandatory in January 2026. It is therefore crucial that organisations do not wait for regulations or further guidance before taking action. A prepared notification basis and an initial risk assessment will ensure that you are ready when the rules enter into force.
We recommend that organisations immediately begin the following three steps:
Determine whether the business falls within the scope of the Act.
Prepare the information to be submitted in the notification to the supervisory authority.
Identify which internal processes, technical safeguards and agreements need to be updated before 15 January 2026.
Finally, it should be mentioned that the above is only a general summary of certain issues concerning the NIS2 Directive and the new Cybersecurity Act. This article therefore does not constitute legal advice in an individual case.