Cybersäkerhetslagen (Swedish Cybersecurity Act - NIS2)
Key Governance and Risk Management Requirements for Organizations
From 15 January 2026, Sweden’s Cybersäkerhetslagen enters into force, implementing the NIS2 Directive into Swedish law. This marks a significant shift in how cybersecurity and operational resilience are expected to be governed across Swedish organisations.
Cybersäkerhetslagen is not a technical regulation aimed solely at IT or security teams. It is a governance framework that places responsibility firmly at executive and board level. The focus is on how organisations manage risk, make decisions, document accountability, and ensure resilience over time.
For many organisations, this requires a fundamental change in how cybersecurity and digital risk are approached.
Scope and Applicability in Sweden
The Swedish Cybersecurity Act applies to organisations operating in sectors considered critical or important for society. These include, among others, energy and utilities, transport and logistics, digital infrastructure and cloud services, telecommunications, financial services, healthcare and life sciences, water and waste management, and certain public services.
Private-sector organisations are generally in scope when they operate in a covered sector and meet the criteria for medium-sized or larger enterprises under EU definitions. In certain cases, organisations may fall within scope regardless of size due to the nature or criticality of the services they provide.
Organisations covered by the Act are classified as either Essential or Important entities. This classification affects supervisory approach and the level of potential administrative sanctions.
Governance and Risk Management Expectations
At the heart of Cybersäkerhetslagen is the requirement to implement appropriate and proportionate cybersecurity measures based on risk. This requires organisations to work systematically with risk management, rather than relying on static controls or informal practices.
Risk management is expected to cover information systems and networks, business processes, data and digital assets, supplier and third-party dependencies, and business continuity considerations. Risk assessments should be conducted on a defined cadence and revisited whenever material changes occur, such as new systems, cloud migrations, AI-enabled tools, changes in suppliers, or significant incidents.
What matters is not the volume of documentation, but the ability to demonstrate how risks are identified, assessed, mitigated, and reviewed over time. Everything should be properly documented, stored in a structured way, and traceable over time. Spreadsheets and email-based assessments are hard to sustain at this level of accountability. Organisations should use structured governance processes supported by systems that provide controlled documentation, clear ownership, and audit trails.
Incident Reporting and Oversight
Cybersäkerhetslagen introduces strict expectations around incident readiness and reporting. Organisations must be able to identify and assess significant cybersecurity incidents and report them within defined timeframes.
Under the Swedish framework, significant incidents are reported to the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB), which hosts the national CSIRT function (CERT-SE), while supervision is carried out by the relevant sector authority.
Reporting timelines follow the NIS2 model set out in the Directive: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification. Meeting these deadlines requires predefined procedures, clear internal escalation paths, and well-rehearsed incident response processes.
Executive and Board Accountability
A defining feature of Cybersäkerhetslagen is the explicit responsibility placed on senior management and boards. Cybersecurity is no longer something that can be fully delegated to technical functions.
Management bodies are expected to approve cybersecurity strategies, define risk tolerance, allocate resources, and oversee implementation and effectiveness. They must also ensure that decision-making and incident handling are properly documented.
This represents a clear move toward governance-driven cybersecurity, where leadership involvement and oversight are essential.
Registration and Ongoing Compliance
Organisations in scope must register with their competent supervisory authority once the Act enters into force. Registration includes information about the entity, its sector, covered services, and designated contact points for incident reporting. This information must be kept up to date as organisational circumstances change.
Compliance under Cybersäkerhetslagen is continuous. Organisations are expected to maintain monitoring, logging, vulnerability management, regular testing, supplier oversight, and periodic reviews of controls and governance structures. Alignment with recognised frameworks such as ISO/IEC 27001 or NIST CSF is widely regarded as good practice.
Sanctions and Financial Exposure
The Act provides for significant administrative sanctions where obligations are not met. For essential entities, maximum sanctions may reach the higher of 2% of total worldwide annual turnover or €10 million (expressed in SEK under the Swedish Act). For important entities, the ceiling is the higher of 1.4% of total worldwide annual turnover or €7 million. Separate limits apply to public entities.
These sanction levels reinforce that failures in governance and risk management are treated seriously under the Swedish framework.
ART25 Consulting Perspective
From a governance professional’s perspective, the most important shift introduced by Cybersäkerhetslagen is practical rather than theoretical. Organisations must be able to explain, in a clear and structured way, how they work with risks and controls, how risk assessment cycles are run, and how decisions are documented and reviewed. Governance today is about being able to show how things work in practice, not just that policies exist.
This becomes even more critical when viewed alongside the EU AI Act, which applies in stages from February 2025 and becomes applicable to most remaining obligations from 2 August 2026. Together, these frameworks make it clear that cybersecurity, AI risk, resilience, and accountability cannot be managed in isolation from one another. Organisations need governance structures that support documented decision-making, traceable accountability, and ongoing training and awareness across the business. Those that invest early in structured, system-supported governance will be better prepared not only to comply, but to operate confidently as regulatory expectations continue to evolve.
Final Thoughts
Cybersäkerhetslagen establishes a new baseline for cybersecurity governance in Sweden. It moves expectations beyond technical controls toward accountability, structure, and resilience at organisational level.
Organisations that take a proactive, governance-driven approach will be best positioned to meet regulatory requirements and to navigate an increasingly complex digital risk landscape.