New Cybersecurity Act: What You Need to Consider Now
As of today, 15 January, Sweden’s new Cybersecurity Act enters into force. The Act is the national implementation of the EU’s NIS2 Directive and introduces stricter requirements for how essential and important entities must work with cybersecurity, risk management, and incident reporting.
For many organisations, this marks the starting point of a more structured and more business-critical approach to security.
In this article, we explain what the Act means in practice, which organisations are affected, what actually changes for executive management and boards — and what organisations should prioritise now that the Act is in place.

Sweden Late to Implement
EU Member States were required to transpose NIS2 into national law by autumn 2024 (the Directive's deadline was 17 October 2024). Sweden is one of several countries that missed that deadline and has received a so-called reasoned opinion from the European Commission, the second formal step in an infringement procedure, which has created uncertainty in the market.
As a result, many organisations have waited for the final legal text and regulations, despite the overall direction of the Directive having been known for a long time. This has postponed important preparations, while the threat landscape has continued to escalate.
However, Sweden is not alone. Several EU countries have been late, while others, such as Finland and Denmark, already have the legislation in place and have progressed further in practical supervision and compliance.
What Does the Act Mean in Practice?
The new Cybersecurity Act makes cybersecurity a clearly regulated management issue. The requirements include, among other things:
- systematic and risk-based information and cybersecurity management
- technical and organisational protective measures
- incident reporting within strict timeframes
- business continuity and recovery capabilities
- management of risks in the supply chain
The Act applies, among others, to regions, municipalities and municipal federations within the public administration sector, as well as a large number of organisations across 18 designated sectors — including energy, transport, banking and finance, healthcare, digital infrastructure, food production, waste management, and parts of the manufacturing industry.
As a general rule, medium-sized and large organisations within these sectors are covered, but smaller entities may also fall within scope if they provide particularly critical services. In addition, many more organisations are affected indirectly through increased security and follow-up requirements from customers and contracting parties.
Increased Responsibility for CEOs and Boards
One of the most significant changes is that responsibility for cybersecurity is clearly elevated to the highest management level. CEOs and boards are not only expected to approve security measures, but also to ensure they are followed up and effective in practice.
In the event of serious deficiencies, administrative fines may amount to up to EUR 10 million or 2% of global annual turnover, whichever is higher, for essential entities, with a lower ceiling for important entities. In certain cases, personal liability may also be considered, including a temporary ban on individuals exercising management functions.
Despite this, awareness of the strengthened management responsibility remains low in many organisations, particularly outside the most heavily regulated sectors.
Incident Reporting – One of the Biggest Shifts
The Act introduces requirements for rapid incident reporting in multiple stages. The Directive sets the pattern: an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. But reporting presupposes actual capability: the ability to detect incidents, assess what is reportable, and act in a structured manner when something occurs.
The purpose extends beyond the individual organisation. Incident reporting enables a shared situational awareness, faster information sharing, and better coordination in the event of major cyber incidents.
Supply Chain Security in Focus
Another key element of the Act is the strengthened requirements for supplier management. Organisations must now take responsibility for cybersecurity risks beyond their own IT environments.
This means, among other things, that:
- critical suppliers must be identified and risk-classified
- security requirements must be clearly defined in contracts
- follow-up and control become ongoing responsibilities
- incidents affecting suppliers must be manageable
For many organisations, this is a more extensive effort than expected — and an area where maturity is often low.
The Risk of Getting Stuck in Compliance
Now that the Act has entered into force, there is a risk of adopting an overly narrow compliance-driven perspective.
The fundamental idea behind NIS2 and the Swedish Cybersecurity Act is not for organisations to simply tick boxes on a checklist, but to increase actual resilience. The requirements themselves are not controversial; the real challenge lies in implementing them in practice.
Organisations also differ significantly in their maturity levels. The Act does not demand perfection from day one, but it does require direction, momentum, and a systematic approach to continuous improvement.
What Should Organisations Do Now?
With the Act now in force, there are several clear priorities:
- Identify whether your organisation is affected — directly or indirectly
- Conduct a gap analysis against the requirements of the Act
- Clarify responsibilities and decision-making structures, particularly at executive and board level
- Ensure the capability for incident handling and reporting
- Map critical suppliers and dependencies
- Treat the work as long-term and continuous – not a one-off project
A Tool, Not a Goal
The new Cybersecurity Act is not a goal in itself, but a tool for strengthening collective resilience in an increasingly digital and interconnected society.
If the Act is used as a framework for taking steps in the right direction – and if collaboration between organisations, sectors and regions increases – NIS2 can become the starting point for a stronger and more robust cybersecurity posture in Sweden.
Expert Insight: Why NIS2 Is About More Than Legal Compliance
Our Head of Cybersecurity, Pernilla Rönn, is interviewed about the new Cybersecurity Act and what NIS2 means in practice in Techtidningen. In the interview, she shares her perspective on why Sweden has been late, the challenges organisations are facing, and why the focus should be on real capability rather than formal compliance.
Need Help Getting NIS2 Right?
Do you need support interpreting the requirements, conducting a gap analysis, or translating the legislation into practical cybersecurity work?
Get in touch with us – we’re happy to help.