Sweden's Cybersecurity Act (2025:1506): NIS2 Is Now Law
By Dritan Saliovski
The Cybersecurity Act (Cybersäkerhetslag, SFS 2025:1506) entered into force on 15 January 2026, transposing the EU NIS2 Directive into Swedish law and superseding the previous NIS regime, the Act on Information Security for Essential and Digital Services (SFS 2018:1174). The law establishes entity-wide obligations across 18 designated sectors, with explicit management accountability requirements and fines reaching €10 million or 2% of global annual turnover.
Key Takeaways
- Sweden's Cybersecurity Act (SFS 2025:1506) entered into force on 15 January 2026, shifting from branch-level to entity-wide scope across 18 designated sectors
- In-scope threshold: 50+ employees, or annual turnover and balance sheet total exceeding €10 million; trust service providers and sole providers of essential services are covered regardless of size
- Essential operators face fines up to €10M or 2% of global annual turnover; important operators face up to €7M or 1.4%
- Explicit management accountability requirements: board members and CEOs must approve cybersecurity risk management measures, supervise their implementation, and complete specific cybersecurity training, with potential sanctions against individual managers under supervisory authority processes
- ISO 27001:2022 certification covers a significant portion of the Act's control requirements, with key gaps in incident reporting, governance, and scope
What's New vs the Previous NIS Regime
For deal teams, compliance officers, and boards assessing exposure under the Cybersecurity Act, the relevant question is not what NIS2 says in Brussels, but what changed operationally in Sweden on 15 January 2026.
- Branch-level scope replaced by entity-wide scope. The previous NIS Act applied only to the specific operational branch that triggered the regulation. The Cybersecurity Act applies to the entire legal entity. If any part of your operations falls within a designated sector, all network and information systems across the organization are in scope, including HR, finance, and internal IT.
- OES/DSP categories replaced by essential and important entities. The previous classification of operators of essential services (OES) and digital service providers (DSP) is replaced by a two-tier classification. Essential operators face proactive supervision and higher penalty ceilings. Important operators face reactive supervision triggered by evidence of non-compliance.
- Limited supervision replaced by active enforcement powers. Supervisory authorities now have explicit powers to conduct security audits, on-site inspections, and compliance checks without requiring a triggering incident. Essential entities can expect scheduled and unannounced reviews.
- Implicit management oversight replaced by explicit accountability requirements. The previous framework contained no direct obligations for board-level involvement. The Cybersecurity Act creates explicit accountability: board members and CEOs must approve cybersecurity risk management measures, oversee implementation, and complete specific cybersecurity training. Failure creates a direct line to individual management sanctions.
- Vague incident reporting replaced by structured timelines. The previous NIS regime required incident reporting without a defined multi-stage structure. The Cybersecurity Act mandates a 24-hour early warning, a 72-hour full notification, and a one-month final report, with specific content requirements at each stage.
From Branch-Level to Entity-Wide Scope
The previous NIS Act covered 7 sectors and applied only to the specific operational branch within an organization that triggered the regulation. The Cybersecurity Act inverts that logic entirely. If any part of your operations falls within a designated sector, the entire entity must comply, including HR systems, finance platforms, and internal IT infrastructure alongside the operational systems directly linked to the regulated service.
Entity-wide scope is the single biggest structural change. A drinking water producer must now ensure its payroll, finance, and internal IT systems meet the same security standards as its operational water production systems. Network and information systems are interconnected across business functions, and the law reflects that reality.
Sweden chose a decentralized supervisory model. Oversight is expected to be distributed across sector-specific regulators (PTS for digital infrastructure and electronic communications, Finansinspektionen for banking and financial market infrastructure, Transportstyrelsen for transport, Energimyndigheten for energy, IVO and Socialstyrelsen for healthcare), coordinated nationally by MCF (formerly MSB). Your supervisory relationship depends on what your organization does.
18 Sectors: Who Is In Scope
The Act designates sectors across two annexes. Size threshold for most entities: 50+ employees, or annual turnover and balance sheet total exceeding €10 million. Trust service providers and sole providers of essential services are in scope regardless of size.
| Annex I: Highly Critical Sectors | Annex II: Other Critical Sectors |
|---|---|
| Energy | Postal and courier services |
| Transport | Waste management |
| Banking | Chemicals |
| Financial markets | Food production and distribution |
| Healthcare | Manufacturing |
| Drinking water | Digital providers |
| Wastewater | Research |
| Digital infrastructure | |
| ICT service management (B2B) | |
| Public administration | |
| Space | |
State authorities, regions, and municipalities are in scope. Organizations are classified as either essential or important operators, a classification that determines supervision intensity and penalty ceiling.
| | Essential Entities | Important Entities |
|---|---|---|
| Sectors | Annex I (highly critical); under NIS2 Art. 3 this covers Annex I entities above the medium-size ceiling, with medium-sized Annex I entities classed as important | Annex II (other critical), plus medium-sized Annex I entities |
| Supervision type | Proactive: scheduled and unannounced audits at any time | Reactive: triggered by evidence of non-compliance |
| Fine ceiling | €10M or 2% of global annual turnover, whichever is higher | €7M or 1.4% of global annual turnover, whichever is higher |
| Incident reporting | 24h / 72h / 1-month structured timeline | 24h / 72h / 1-month structured timeline |
Ten Minimum Obligations and Incident Reporting
The Act mandates proportionate measures across ten minimum security areas, based on an all-hazards risk assessment:
| # | Obligation Area | Scope |
|---|---|---|
| 1 | Risk analysis and information system security policies | Documented threat and vulnerability assessments |
| 2 | Incident handling | Detection, classification, containment, and response |
| 3 | Business continuity | Backup, disaster recovery, and crisis management |
| 4 | Supply chain security | Supplier contracts and third-party risk assessments |
| 5 | Secure development and maintenance | Security in procurement, development, and change management |
| 6 | Effectiveness testing | Penetration testing, audits, and control validation |
| 7 | Cyber hygiene and training | Employee awareness programmes and patch management |
| 8 | Cryptography and encryption | Data-at-rest and data-in-transit encryption policies |
| 9 | Personnel security and access control | Vetting, access rights management, and need-to-know |
| 10 | Authentication and communication | MFA and secure communication channel requirements |
Incident reporting follows a mandatory multi-stage timeline for significant incidents. The one-month final report is counted from the 72-hour notification, and trust service providers face a shortened 24-hour deadline for the notification stage.
| Stage | Deadline | Required content |
|---|---|---|
| Early warning | 24 hours after becoming aware | Notify MCF or sector supervisor; indicate whether the incident is suspected to be unlawful or malicious, and whether it could have cross-border impact |
| Full notification | 72 hours after becoming aware (24 hours for trust service providers) | Update the early warning; initial assessment of severity and impact; indicators of compromise where available |
| Final report | 1 month after the full notification | Detailed description, root cause or threat type, applied and ongoing mitigation measures, and cross-border impact assessment |
What Existing Frameworks Cover and What They Miss
Organizations already certified against ISO 27001:2022 are not starting from zero. ISO 27001:2022 covers a significant portion of the Act's control requirements, with targeted gaps in incident reporting, governance, and scope. DORA-compliant financial entities have additional coverage across overlapping requirements, though neither certification eliminates the need for a structured gap assessment.
| Requirement | ISO 27001:2022 | DORA | No framework |
|---|---|---|---|
| Risk analysis and incident handling | Covered | Covered | Full build required |
| Business continuity and DR | Covered | Covered | Full build required |
| Supply chain security | Partial | Covered | Full build required |
| 24h / 72h / 1-month incident reporting | Not covered | Partial | Full build required |
| Board-level cybersecurity training | Not covered | Not covered | Full build required |
| Entity-wide ISMS scope (incl. HR, finance) | Partial | Covered | Full build required |
| MFA and encryption policy documentation | Partial | Not covered (NIS2 gap) | Full build required |
| MCF registration | Not covered | Not covered | Full build required |
For DORA-regulated financial entities, the relationship is explicit in the Act: DORA prevails in areas of direct overlap. NIS2 adds obligations where DORA is silent, specifically personnel security and access control (NIS2 Article 21(2)(i)) and MFA and encryption policy documentation (Article 21(2)(h) and (j)). Financial entities must also register separately with MCF and their sector-specific Swedish authority under NIS2, independent of their DORA obligations.
What This Means in Practice
Four immediate actions apply to all in-scope entities: confirm applicability against sector and size thresholds, self-identify and register with MCF, classify the entity as essential or important, and conduct a gap assessment against the ten minimum requirement areas.
If ISO 27001 is in place, the remediation priorities are incident reporting workflow (24h/72h/1-month with assigned roles), board training documentation, and scope extension to HR, finance, and administrative systems beyond the existing ISMS boundary. If DORA compliance is in place, the gaps are narrower but specific: HR security, MFA and encryption policies, entity-wide scope, and MCF registration.
For organizations deploying AI agents within NIS2-regulated environments, agent-specific security considerations extend the Act's ten minimum measures. Our AI agent deployment framework maps agent controls to ISO 27001, NIS2, and DORA obligations. For the broader AI threat landscape that boards should be briefed on, see AI-powered cyber attacks in 2026. For how NIS2 interacts with DORA, the Cyber Resilience Act, and the revised Cybersecurity Act at the vendor governance level, see four frameworks, one vendor.
The full Intelligence Brief covers the complete framework coverage matrix, supervisory authority mapping by sector, and maturity-level action plans for organisations at each stage of readiness.
Download the Sweden Cybersecurity Act Intelligence Brief
Reach out and we'll send the Sweden Cybersecurity Act Intelligence Brief directly to your inbox.
Frequently Asked Questions
What is Sweden's Cybersecurity Act (SFS 2025:1506) and when did it take effect?
Sweden's Cybersecurity Act (Cybersäkerhetslag, SFS 2025:1506) entered into force on 15 January 2026, transposing the EU NIS2 Directive into Swedish law. It replaces the previous Information Security Act (SFS 2018:1174) and establishes entity-wide cybersecurity obligations across 18 designated sectors, with explicit management accountability requirements and fines reaching €10 million.
Which organizations are in scope under Sweden's Cybersecurity Act?
Organizations with 50 or more employees, or annual turnover and balance sheet total exceeding €10 million, operating in any of the 18 designated sectors are in scope. Trust service providers and sole providers of essential services are covered regardless of size. The Act applies to the entire legal entity, not just the operational branch triggering the sector classification.
What are the incident reporting deadlines under the Cybersecurity Act?
The Act mandates a three-stage reporting timeline for significant incidents: an early warning to MCF or the sector supervisor within 24 hours of becoming aware; a full notification with an initial severity and impact assessment within 72 hours; and a final report with root cause analysis, mitigation measures, and cross-border impact assessment within one month of that notification. Trust service providers face a shortened 24-hour deadline for the full notification stage.
Does ISO 27001 certification satisfy the Cybersecurity Act requirements?
ISO 27001:2022 covers a significant portion of the Act's control requirements but leaves specific gaps. The main areas not addressed by ISO 27001 include the structured 24h/72h/1-month incident reporting timeline, board-level cybersecurity training requirements, and entity-wide ISMS scope extension to HR, finance, and administrative systems. A structured gap assessment is still required even for certified organizations.
Sources
- Riksdag - Cybersäkerhetslag SFS 2025:1506
- European Commission - NIS2 Directive
- ISO - ISO/IEC 27001:2022 Information Security Management
- European Commission - Digital Operational Resilience Act (DORA)
- MSB - Swedish Civil Contingencies Agency Cybersecurity Guidance