Sweden
(a) What is the NIS2 implementation status?
On 12 June 2025, the Swedish Government referred a proposal for implementation of NIS2 to the Swedish Council on Legislation for consultation. The Government has yet to prepare a bill to be presented for, and potentially adopted by, the Swedish Parliament (Swe: Riksdagen).
The proposal that is currently subject to consultation was preceded by a partial report on the implementation of NIS2 and CER (Directive (EU) 2022/2557), published in the Swedish Government Official Reports series on 5 March 2024, SOU 2024:18 (the “Report”), as well as an additional report on the implementation of CER, published on 18 September 2024, SOU 2024:64. In the two reports, it is proposed that the Swedish implementation of NIS2 and CER shall largely correspond to the Directives, although a few exceptions are proposed where obligations go beyond those set out in NIS2.
(b) What is the envisaged NIS2 implementation timeline?
After the consultation procedure, the Swedish Government will prepare a government bill to be presented for, and potentially adopted by, the Swedish Parliament (Swe: Riksdagen).
According to the implementation timeline published by the Swedish Civil Contingencies Agency, the government bill is expected to be presented during the autumn of 2025, and the proposed new act implementing NIS2 is envisaged to take effect in Sweden on 15 January 2026.
(c) What does NIS2 mean for other national cybersecurity legislation?
As no government bill has been issued yet, it is not certain how, and to what extent, national cybersecurity legislation will be affected. However, the Report recommends that the Information Security Act (2018:1174), which is the current implementation of the NIS Directive in Sweden, is wholly replaced by a new Cybersecurity Act in order to accommodate the vast number of changes that NIS2 will introduce.
Currently, the Information Security Act does not apply in situations where the Swedish Protective Security Act (2018:585) applies to an organisation, or to a part thereof. The Report recommends changing this legislative relationship primarily in two ways. Firstly, in cases where only a part of the business is subject to the Swedish Protective Security Act, the relevant entity should only be exempted from the obligations relating to cybersecurity risk-management measures, cybersecurity training for management and incident reporting (i.e., the main obligations in NIS2). Secondly, such exemptions should only apply to the part of the business that is subject to the Swedish Protective Security Act. Thus, NIS2 would still apply in full for the other parts of the business, provided that no other exemption applies (e.g., financial institutions that are already covered by equivalent cybersecurity obligations in the Digital Operational Resilience Act (Regulation (EU) 2022/2554)).
It remains to be seen, however, to what extent the upcoming government bill will encompass the conclusions of the Report.
(d) Who will be the supervisory authority and how are they preparing the market?
Sweden’s current implementation of the NIS Directive introduced the following six supervisory authorities based on the sectors covered by the Directive:
- The Swedish Energy Agency (energy);
- The Swedish Financial Supervisory Authority (banking and financial market infrastructures);
- The Health and Social Care Inspectorate (health sector);
- The Swedish Food Agency (drinking water supply and distribution);
- The Swedish Post and Telecom Authority (digital infrastructure and digital services); and
- The Swedish Transport Agency (transport).
As NIS2 will increase the number of sectors and entities that will be covered, the Report recommends introducing additional supervisory authorities and expanding the sectors that existing supervisory authorities will be responsible for (e.g., the Swedish Post and Telecom Authority should also cover the space sector). The Report recommends introducing the Swedish Medical Products Agency and several county administrative boards as new supervisory authorities, covering areas such as pharmaceutical products and public administration.
Furthermore, the Report recommends that the Swedish Civil Contingencies Agency continues in its previous role as Sweden’s single point of contact responsible for ensuring cross-border cooperation between the supervisory authorities and as Sweden’s computer security incident response team (CSIRT).
(e) What should you be doing/on the lookout for?
Clients are advised to identify as soon as possible whether they may be categorised as either an important or an essential entity under NIS2, as this will determine their scope of obligations once the Directive is implemented into national law. In this regard, it should be noted that NIS2 significantly expands the scope of relevant sectors and introduces a size threshold (with a few exceptions) that defines which entities will be subject to NIS2.
Clients who anticipate that they will be subject to NIS2, in particular essential entities, should actively prepare for upcoming enforcement by reviewing existing information and cybersecurity practices and policies to determine possible deviations from the minimum requirements set forth in NIS2. Clients should also be on the lookout for possible stricter requirements pursuant to national implementation. The Report suggests that the Swedish government should largely maintain the framework of the NIS2 Directive and thus not introduce stricter requirements, with a few exceptions. The extent to which this recommendation is followed will only become evident once the government bill is in place.
Contact
Sara Malmgren E: saramalmgren@eversheds-sutherland.se
Matilda Frykman Krans E: matildafrykmankrans@eversheds-sutherland.se
© Eversheds Sutherland. All rights reserved.