Sweden is introducing the Swedish Cybersecurity Act (Cybersäkerhetslagen), the national law that implements the EU NIS2 Directive. It significantly raises cybersecurity requirements for far more organisations than before, and management now carries personal accountability. This article explains what the law means, whether you are in scope, and how to get started.
What is NIS2?
NIS2 (Directive 2022/2555) is the EU directive that raises the common level of cybersecurity. In Sweden it is implemented through the Cybersecurity Act (Cybersäkerhetslagen), with supervision and administrative fines. It expands both who is covered and what is required compared with the earlier NIS rules.
Are you in scope?
The law divides organisations into essential and important entities across many sectors – including energy, transport, banking and finance, health, water, digital infrastructure, ICT service management, public administration, manufacturing, food and waste. As a rule of thumb, medium and larger organisations are covered (from around 50 employees or EUR 10 million turnover), with exceptions both ways. If unsure, make a formal assessment – the organisation is responsible for knowing.
What does the law require?
- Risk-management measures: policies, incident handling, continuity and backup, supply-chain security, encryption, access control and multi-factor authentication, and staff training.
- Incident reporting: early warning within 24 hours, notification within 72 hours, and a final report within one month.
- Management accountability: leadership must approve and oversee the security work, can be held liable, and fines are significant (up to EUR 10 million or 2 percent of global turnover for essential entities).
How to get started
- Determine whether you are in scope and as which type of entity.
- Run a gap analysis against the requirements.
- Build or align an information security management system (ISMS). ISO 27001 is an excellent basis covering much of the requirements.
- Secure the supply chain and establish incident-handling and reporting routines.
- Train your people – the human is the most common entry point. We offer security awareness training via Nimblr.
NIS2 support in Skåne
We help organisations in Skåne determine scope under the Cybersecurity Act (NIS2), run the gap analysis and build a structured security programme – as part of our information security & governance service. Book a free meeting and we will review your situation.
This is an overview, not legal advice. Contact us for an assessment of your specific organisation.

