Sweden
(a) What is the NIS2 implementation status?
The Swedish Cyber Security Act (Swe: Cybersäkerhetslagen) was adopted on 11 December 2025, and the Cyber Security Ordinance (Swe: Cybersäkerhetsförordningen) was issued on the same date.
(b) What is the envisaged NIS2 implementation timeline?
The Cyber Security Act and the Cyber Security Ordinance will enter into force on 15 January 2026. Additional regulations will be issued by supervisory authorities, likely on or after that date. The Swedish Civil Contingencies Agency (Swe: Myndigheten för samhällsskydd och beredskap, “MSB”) will be renamed as of 1 January 2026 to the Swedish Civil Defence and Resilience Agency (Swe: Myndigheten för civilt försvar). MSB will act as CSIRT for Sweden. Entities subject to the Cyber Security Act shall notify MSB thereof from the date the legislation takes effect, i.e. 15 January 2026. However, MSB has stated that a website for notification will be published in connection with the entry into force of the Act and that notification shall be made as soon as possible once the website is in place (tentatively in January or February of 2026). The envisaged regulations are expected to clarify certain aspects of the Cyber Security Act (e.g., notification requirements, cyber security measures, and the classification of incidents).
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Cyber Security Act will replace the Information Security Act (2018:1174), which is the current implementation of the NIS Directive in Sweden. The new Cyber Security Act has a much wider scope that will encompass operators within a larger set of sectors than the current legislation, mirroring the difference between NIS and NIS 2. According to the still-applicable Information Security Act, businesses and operations, or parts thereof, that are subject to the Swedish Protective Security Act (2018:585) (“PSA”) are completely exempted from the application of the Information Security Act. In the new upcoming legislation, entities that are completely exempted include (i) governmental authorities that primarily carry out activities under the PSA or law enforcement activities, (ii) entities that solely provide services to such government authorities, and (iii) entities that solely carry out activities under the PSA. In cases where only a part of the business or operations consists of activities as described in (i)-(iii), that part is exempted only from some of the main obligations under NIS2 and the Cyber Security Act (e.g., relating to cyber security measures, cyber security training for management, and incident reporting) while remaining subject to the notification requirement and, where relevant, the obligation to appoint a representative. For other parts of the business or operations, the Cyber Security Act will apply in full, provided that no other exemption applies (e.g., financial institutions that are already covered by equivalent cybersecurity obligations in the Digital Operational Resilience Act (Regulation (EU) 2022/2554)). It should also be noted that the CER Directive (Directive 2022/2557 on the resilience of critical entities) will be implemented in Sweden through upcoming legislation.
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authorities for each sector are appointed in the Cyber Security Ordinance.
It is expected that sector-specific regulations and guidelines will be issued by these supervisory authorities. MSB will continue in its current role as Sweden’s single point of contact responsible for ensuring cross-border cooperation between the supervisory authorities and as Sweden’s computer security incident response team (CSIRT).
(e) What should you be doing/on the lookout for?
Clients are advised to identify as soon as possible whether they are within scope of the Cyber Security Act. In this regard, it should be noted that the scope of relevant sectors is expanded compared to the soon-to-be-obsolete Information Security Act. Clients are further recommended to document the assessment and, if the legislation is applicable, prepare for notification on 15 January 2026 (or as soon as technically possible thereafter, subject to the notification website which is under way). Clients who are subject to the Cyber Security Act should actively prepare for upcoming enforcement by reviewing their existing information security and cybersecurity practices and policies against the requirements set forth in the Cyber Security Act. In addition, we recommend that clients keep up to date with new information on the website of their respective supervisory authority/authorities.
Contact
Sara Malmgren E: saramalmgren@eversheds-sutherland.se
Matilda Frykman Krans E: matildafrykmankrans@eversheds-sutherland.se