Sweden


(a) What is the NIS2 implementation status?

Sweden has fully implemented the NIS2 Directive through the adoption of the Cybersecurity Act (Cybersäkerhetslagen, SFS 2025:1506). The Swedish Parliament adopted the Cybersecurity Act in December 2025. The Act entered into force on 15 January 2026, replacing the previous NIS1-based framework. The scope corresponds to NIS2 sectors (Chapter 1, Section 4), with providers of public electronic communications networks or publicly available electronic communications services recognised as trusted services. The Swedish Civil Contingencies Agency (MSB) is designated as CSIRT and coordinates oversight across sectoral and regional authorities.

Substantive obligations under the Act include: risk‑management and security measures, multi‑stage incident reporting, and enhanced management accountability. Importantly, the incident‑reporting obligations apply from 15 January 2026, regardless of whether an entity has already completed its formal registration.

(b) What is the envisaged NIS2 implementation timeline?

Sweden has introduced an active self‑identification and registration regime for entities falling within the scope of NIS2. The national registration portal opened on 2 February 2026.

From that date, entities subject to NIS2 are required to register with the relevant competent authority. There is no single fixed calendar deadline for registration; instead, in‑scope entities are expected to register without undue delay once the registration obligation becomes applicable to them.

Registration is separate from substantive compliance obligations. Even entities that have not yet completed their registration are nevertheless required to comply with the applicable incident‑reporting and cybersecurity risk‑management obligations, which have applied since 15 January 2026.

(c) What does the NIS2 Directive mean for other national cybersecurity legislation?

The Cyber Security Act has replaced the Information Security Act (2018:1174), which implemented the NIS Directive in Sweden. The new Cyber Security Act has a much wider scope that will encompass operators within a larger set of sectors than the current legislation, mirroring the difference between NIS and NIS 2.

In the Cyber Security Act, entities that are completely exempted include (i) governmental authorities that primarily carry out activities under the PSA or law enforcement activities, (ii) entities that solely provide services to such government authorities, and (iii) entities that solely carry out activities under the PSA. In cases where only a part of the business or operations consists of activities as described in (i)-(iii), that part is exempted only from some of the main obligations under NIS2 and the Cyber Security Act (e.g., relating to cyber security measures, cyber security training for management, and incident reporting) while remaining subject to the notification requirement and, where relevant, the obligation to appoint a representative. For other parts of the business or operations, the Cyber Security Act will apply in full, provided that no other exemption applies (e.g., financial institutions that are already covered by equivalent cybersecurity obligations in the Digital Operational Resilience Act (Regulation (EU) 2022/2554)).

It should also be noted that the CER Directive (Directive 2022/2557 on the resilience of critical entities) will be implemented in Sweden through upcoming legislation.

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authorities for each sector are appointed in the Cyber Security Ordinance:

| Sector | Supervisory Authority |
| --- | --- |
| Energy | Swedish Energy Agency (Swe: Energimyndigheten) |
| Transport | Swedish Transport Agency (Swe: Transportstyrelsen) |
| Banking | Swedish Financial Supervisory Authority (Swe: Finansinspektionen) |
| Financial market infrastructure | Swedish Financial Supervisory Authority (Swe: Finansinspektionen) |
| Health (caregivers) | The Health and Social Care Inspectorate (Swe: Inspektionen för vård och omsorg) |
| Health (others) | Swedish Medical Products Agency (Swe: Läkemedelsverket) |
| Drinking water | Swedish Food Agency (Swe: Livsmedelsverket) |
| Waste water | Swedish Food Agency (Swe: Livsmedelsverket) |
| Digital infrastructure | Swedish Post and Telecom Authority (Swe: Post- och telestyrelsen) |
| ICT services (B2B) | Swedish Post and Telecom Authority (Swe: Post- och telestyrelsen) |
| Public administration (excluding counties) | County Administrative Boards of six counties (Norrbotten, Skåne, Stockholm, Västra Götaland, Örebro and Östergötland’s counties) |
| Space | Swedish Post and Telecom Authority (Swe: Post- och telestyrelsen) |
| Postal and courier services | Swedish Post and Telecom Authority (Swe: Post- och telestyrelsen) |
| Waste management | County Administrative Boards of six counties (Norrbotten, Skåne, Stockholm, Västra Götaland, Örebro and Östergötland’s counties) |
| Manufacture, production and distribution of chemicals | County Administrative Boards of six counties (Norrbotten, Skåne, Stockholm, Västra Götaland, Örebro and Östergötland’s counties) |
| Production, processing and distribution of food | Swedish Food Agency (Swe: Livsmedelsverket) |
| Manufacturing | Swedish Transport Agency (Swe: Transportstyrelsen); Swedish Medical Products Agency (Swe: Läkemedelsverket); County Administrative Boards of six counties (Norrbotten, Skåne, Stockholm, Västra Götaland, Örebro and Östergötland’s counties) |
| Digital Providers | Swedish Post and Telecom Authority (Swe: Post- och telestyrelsen) |
| Research | County Administrative Boards of six counties (Norrbotten, Skåne, Stockholm, Västra Götaland, Örebro and Östergötland’s counties) |
| Counties | Swedish Post and Telecom Authority (Swe: Post- och telestyrelsen) |
| Operator that offers domain name registration services | Swedish Post and Telecom Authority (Swe: Post- och telestyrelsen) |
| Private education providers with a license to award degrees according to the Act concerning authority to award certain qualifications (1993:792) | County Administrative Boards of six counties (Norrbotten, Skåne, Stockholm, Västra Götaland, Örebro and Östergötland’s counties) |
| Certain authorities set out in Ordinance (2022:524) on the Emergency Preparedness of Government Agencies | County Administrative Boards of six counties (Norrbotten, Skåne, Stockholm, Västra Götaland, Örebro and Östergötland’s counties) |

It is expected that sector-specific regulations and guidelines will be issued by these supervisory authorities.

MSB will continue in its current role as Sweden’s single point of contact responsible for ensuring cross-border cooperation between the supervisory authorities and as Sweden’s computer security incident response team (CSIRT).

(e) What should you be doing/on the lookout for?

Clients are advised to identify as soon as possible whether they are within scope of the Cyber Security Act. In this regard, it should be noted that the scope of relevant sectors is expanded compared to the soon to be obsolete Information Security Act.

Clients are further recommended to document the assessment, and if the legislation is applicable, ensure that notification is made without delay, and no later than 16 February 2026.

Clients who are subject to the Cyber Security Act must comply with the information security and cybersecurity requirements that follow from the applicable regulations, and document that compliance properly to accommodate possible audits by the relevant supervisory authorities. In addition, we recommend that clients review existing and forthcoming information published on www.mcf.se and by the respective supervisory authorities for each sector.

Contact

Sara Malmgren E: saramalmgren@eversheds-sutherland.se

Matilda Frykman Krans E: matildafrykmankrans@eversheds-sutherland.se


© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
