NIS2 to be implemented into Swedish law by the new Cybersecurity Act
In 2022, the EU adopted the NIS2 Directive, aimed at raising the overall level of cybersecurity across the Union. On 10 December 2025, the Swedish Parliament decided to adopt the Cybersecurity Act (Sw. Cybersäkerhetslag), incorporating NIS2 into Swedish law.
The Cybersecurity Act will enter into force on 15 January 2026 and will replace the Act (2018:1174) on Information Security for Essential and Digital Services, commonly referred to as the NIS Act. The Swedish Parliament has also decided on amendments to other laws relating to electronic communications, top-level domains and confidentiality, as further described in the Swedish government’s Bill 2025/26:28, A Strong Protection for Network and Information Systems – A New Cybersecurity Act.
Overview of the Cybersecurity Act
The Cybersecurity Act consolidates key requirements on security measures, incident reporting and supervision for both public and private operators within designated sectors.
Differences between the NIS Act and the Cybersecurity Act
In the Cybersecurity Act, the scope of application is expanded beyond the sectors covered by the NIS Act to include a total of 18 sectors.
The entities in these 18 sectors are classified as either essential or important entities. This new classification influences, among other things, the scope of supervisory requirements and the level of administrative fines. The classification is based on criteria linked to sector, activities and size. Further designations of which operators are deemed “essential” will be set out in subsidiary regulations issued by the Swedish Civil Contingencies Agency (Sw. Myndigheten för samhällsskydd och beredskap), acting in its capacity as the competent supervisory authority.
In addition, the Cybersecurity Act clarifies and enhances the obligations of operators by introducing requirements for more detailed risk-management measures, multi-stage incident reporting, an explicit duty to provide information in the event of significant cyber threats, and a training requirement for senior management.
Another novelty in the Cybersecurity Act is that the entire entity falls within the scope of the requirements in the act. By contrast, under the NIS Act, only those parts of the operation dedicated to, for example, cybersecurity are subject to the applicable obligations.
Which entities are covered?
The 18 sectors listed in Annexes I and II to NIS2 are included in the Cybersecurity Act. The sectors of high criticality (Annex I) are energy, transport, banking, financial market infrastructure, health, water treatment, digital infrastructure, ICT service management (business-to-business), public administration and space. The other critical sectors (Annex II) are postal and courier services, waste management, the manufacture, production and distribution of chemicals, food, and manufacturing.
Private operators should be aware of NIS2’s size thresholds, which limit the scope mainly to mid-sized or larger entities. The act only applies to entities within the listed sectors with at least 50 employees or an annual turnover and/or balance sheet total of at least EUR 10 million. However, certain operators in these sectors are covered regardless of size, e.g. providers of trust services and designated critical actors within digital infrastructure.
Key obligations under the new Cybersecurity Act
- Registration with the supervisory authority: Operators must register with the supervisory authority and provide information such as identity, contact details and activities. The authority will use this information to classify operators as essential or important.
- Risk management and security measures: Operators must implement risk management measures to protect network and information systems and their physical environments against incidents. These measures should be based on a risk analysis, be proportionate to the risk, and be subject to recurring evaluations.
- Systematic information security work and training: Operators must carry out systematic, risk‑based information security work, implement management training, and offer training to some employees.
- Incident reporting: Operators are obliged to report significant incidents to the Swedish Civil Contingencies Agency, in its capacity as the Computer Security Incident Response Team (CSIRT), within specified timeframes. Providers of trust services must submit an early warning to the CSIRT within 24 hours of becoming aware of a significant incident; other operators must do so within 72 hours. In addition, a final report must be submitted within one month of the early warning.
- Information to service recipients: Beyond reporting to authorities, operators must, in certain cases, inform service recipients (i.e. customers), without undue delay, of any significant incidents likely to affect the provision of services. Recipients affected must also be informed of possible measures to take to limit their exposure.
Sanctions and other enforcement measures
The Cybersecurity Act contains enforcement measures in the form of reprimands, injunctions, decisions on administrative fines and prohibitions on holding management positions.
If the relevant supervisory authority deems a reprimand insufficient to bring an operator into compliance, it may issue any injunction needed to ensure compliance. Such an injunction could, among other things, require an operator to implement security measures, carry out management training and provide information relating to significant incidents and cyber threats. Injunctions may be combined with conditional fines. An operator could also be ordered to publish information regarding its non-compliance.
For breaches of core obligations, operators will be subject to an administrative fine, set at a minimum of SEK 5,000 and a maximum of:
- for essential operators: the higher of 2 per cent of the operator’s total global annual turnover or EUR 10,000,000,
- for important operators: the higher of 1.4 per cent of the operator’s total global annual turnover or EUR 7,000,000, or
- for public operators: SEK 10,000,000.
In cases of serious infringements committed intentionally or through gross negligence, a supervisory authority may also apply for a temporary prohibition on specific persons within the management from holding management functions within the operator concerned. Such a prohibition can only be issued by the general administrative courts and shall apply for a period of at least one and at most three years. A prohibition may also be revoked earlier if it is no longer relevant.
What should organizations do now?
Firstly, operators should use the Cybersecurity Act as a starting point to assess whether they will be in scope, based on sector, size, and any categories that apply regardless of size.
Secondly, if in scope, it is high time to:
- establish or update security measures in line with the minimum requirements,
- plan and institute management training and governance,
- review incident processes to meet reporting and information obligations,
- prepare for registration and the provision of information to the competent authority (once the implementing regulation and detailed rules are in place), and
- review and strengthen the requirements for both direct suppliers and subcontractors, for example by mapping the supply chain, conducting risk assessments, and introducing clear and enforceable contractual obligations (as a starting point, this should cover only direct suppliers).
Lastly, all concerned operators are encouraged to follow the updates from the supervisory authorities regarding forthcoming new regulations.
CMS Wistrand will continue to follow the development of the Cybersecurity Act closely. Please do not hesitate to contact us if you have any questions about how your business may be affected.