Cybersecurity as legal risk: Sweden's NIS 2 playbook

by Sofie Axelsson

Sweden’s implementation of NIS2 introduces an enterprise-wide cybersecurity obligation combined with a proportional, risk-based compliance framework. 

After some delay, Sweden is now implementing the NIS 2 Directive (Network and Information Systems Directive 2, 2022/2555) through the new Cybersecurity Act (SFS 2025:1506), which enters into force on 15 January 2026. The NIS 2 Directive aims to harmonise cybersecurity requirements across the EU and significantly broadens the scope of regulated entities and sectors. For a general overview of the Directive and its objectives, see Navigating the NIS 2 Directive – key changes and compliance strategies. Sweden’s approach can also be contrasted with recent Nordic developments, such as Norway’s Digital Security Act, discussed in Norway’s Digital Security Act now in effect.

While the Swedish Act largely follows the structure of the Directive, the national implementation contains choices that go beyond the Directive’s minimum requirements and will be of practical importance for affected companies.

Entire entities covered – not only essential services

One key takeaway from the Swedish implementation is that covered entities must comply with the Act across the entire organisation, not only in relation to the specific activities or systems considered “essential” under the Directive. This approach exceeds what is strictly required by NIS 2 and was one of the most debated aspects during the legislative process. Several industry stakeholders argued that this constituted over-implementation and risked disproportionate effects, particularly for larger and more complex organisations.

The legislator nevertheless concluded that effective information security requires an integrated, organisation-wide approach, as network and information systems are typically interconnected across business functions. In practice, this means that, for example, a producer of drinking water must ensure that HR, finance and internal IT systems comply with the Act, in addition to the operational systems directly linked to water production.

Proportionality and ten minimum security measures

At the same time, the legislator emphasises proportionality. Entities must adopt appropriate and proportionate technical, operational and organisational measures, based on an all-hazards risk assessment. The law sets out ten minimum areas that the measures must address, including risk analysis strategies, incident handling, business continuity and crisis management, supply chain security, secure system development and maintenance, effectiveness testing, cyber hygiene and training, use of cryptography, personnel security and access control, and, where relevant, secure authentication and communications.

For companies new to the NIS framework, this list provides a concrete starting point for compliance work, while still allowing flexibility to tailor measures to the entity’s size, risk exposure and role in society.

Sanctions: administrative fines and prohibitions

Finally, Sweden has opted for an enforcement model based on administrative measures rather than criminal sanctions. While NIS 2 leaves it to Member States to decide whether sanctions should be criminal or administrative, the Swedish legislator chose administrative fines combined with supervisory measures such as injunctions, reprimands and, in serious cases, prohibitions on holding management positions.

The possibility of imposing such prohibitions is described as a central element of the Directive’s enforcement system, but also as a highly intrusive measure that should be reserved for serious breaches. For affected companies, this underlines the importance of early compliance efforts and active involvement from senior management.
