NIS2 in Sweden
A guide to NIS2 implementation and compliance in Sweden.
Sweden is updating its national cybersecurity regime to align with the strengthened obligations introduced under the NIS2 Directive. The revised framework expands sector coverage, reinforces executive accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Sweden for SMEs operating in covered sectors.
1. Quick SME Applicability Snapshot in Sweden
Does NIS2 apply to SMEs in Sweden?
Yes — depending on sector and size.
- Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
- Small or micro entities are included only if formally designated or operating in high-criticality sectors.
- Applies to entities established in Sweden and, in certain cases, foreign digital providers serving the Swedish market.
SMEs should assess qualification under Sweden's national cybersecurity framework based on sector classification and statutory thresholds.
2. Overview of NIS2 Implementation in Sweden
Sweden has completed its NIS2 transposition through the Cybersäkerhetslagen (Cybersecurity Act, SFS 2025:1506), adopted by the Riksdag on 10 December 2025 and in force since 15 January 2026. The new statute replaces the prior Information Security Act (2018:1174), and the Cybersäkerhetsförordningen was issued concurrently.
Sweden missed the 17 October 2024 transposition deadline and received an EC reasoned opinion on 7 May 2025, which was resolved following adoption. The Act applies a "whole-entity" approach and a decentralised supervisory model, with MSB (renamed MCF — Myndigheten för civilt försvar, Swedish Civil Defence and Resilience Agency — as of 1 January 2026) acting as national coordinator, EU single point of contact, and national CSIRT, and PTS co-regulating digital sectors alongside sector-specific authorities.
Mandatory management training is a sanctionable obligation, trust service providers must notify within 24 hours (not 72), and entities were required to register by 16 February 2026 (deadline passed); the MSB/MCF notification portal launched on 2 February 2026. All NIS2 obligations have applied from 15 January 2026 with no general grace period.
3. Scope of Application in Sweden
Essential Entities
Entities operating in the sectors of high criticality (Directive Annex I).
Important Entities
Entities operating in the other critical sectors listed in the Directive (Annex II).
Sweden's scope reflects Directive minimum sector categories without confirmed structural expansion.
4. Size Thresholds and SME Applicability in Sweden
The baseline thresholds apply:
- ≥50 employees, and
- ≥€10 million annual turnover or balance sheet total.
Entities meeting both criteria within covered sectors are automatically within scope.
Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.
Swedish authorities retain formal designation powers where systemic risk justifies inclusion.
5. Entity Classification Framework in Sweden
Entities are categorized as:
- Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
- Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.
Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.
Sweden follows the Directive's two-tier supervisory structure.
6. Cybersecurity Risk Management Requirements in Sweden
Sweden's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:
- Risk analysis and system protection
- Incident detection and response
- Business continuity and crisis management
- Supply chain security and supplier risk controls
- Secure acquisition and development of ICT systems
- Access control and identity management
- Encryption and cryptographic safeguards
- Vulnerability management procedures
- Staff cybersecurity training
Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Swedish cybersecurity guidance is encouraged.
7. Management Liability and Governance in Sweden
Management bodies must formally approve cybersecurity risk management measures and oversee implementation.
Under Sweden's framework:
- Boards are accountable for compliance oversight.
- Senior management must ensure sufficient cybersecurity competence. Under the Cybersäkerhetslagen, management training on security measures is a sanctionable obligation — individuals involved in management are required to undergo training in cybersecurity risk-management measures.
- Administrative sanctions may address governance failures.
- Members of management bodies of essential entities may, in certain situations, be subject to a time-limited prohibition on holding management functions as an enforcement measure.
Management liability expectations under NIS2 in Sweden elevate cybersecurity governance to an executive-level responsibility.
8. Incident Reporting Obligations in Sweden
Definition of a Significant Incident
An incident qualifies if it causes:
- Severe operational disruption
- Significant financial loss
- Substantial societal impact
- Cross-border effects
Reporting Timeline
| Reporting Stage | Deadline | Authority |
|---|---|---|
| Early Warning | 24 hours | MSB/MCF (Swedish Civil Defence and Resilience Agency, formerly Swedish Civil Contingencies Agency) |
| Incident Notification | 72 hours | MSB/MCF (Swedish Civil Defence and Resilience Agency, formerly Swedish Civil Contingencies Agency) |
| Final Report | 1 month | MSB/MCF (Swedish Civil Defence and Resilience Agency, formerly Swedish Civil Contingencies Agency) |
Sweden follows the Directive's 24h / 72h / 1-month structure with one national deviation: trust service providers must submit both the early warning and the incident notification within 24 hours. Final reports are submitted within 1 month (or a status report if the incident is ongoing, with the final report due within 1 month of resolution). Reports go to MSB/MCF; as of 1 January 2026 MSB has been renamed MCF but continues to perform the NIS2 coordination and CSIRT functions.
9. Supervisory Authorities and Enforcement Model in Sweden
MSB (Myndigheten för samhällsskydd och beredskap) acts as national coordinator, EU single point of contact, and national CSIRT; renamed MCF (Myndigheten för civilt försvar — Swedish Civil Defence and Resilience Agency) as of 1 January 2026. MSB/MCF is the designated authority for significant incident report intake for most sectors.
Sweden operates a decentralised supervisory model; sector-specific authorities supervise entities in their sectors. PTS (Post- och telestyrelsen — Swedish Post and Telecom Agency) issues regulations and supervises digital infrastructure, digital providers, ICT service management (B2B), space, and postal and courier services. MSB/MCF covers most other sectors; specific sectors may have additional designated supervisory authorities.
Supervisory powers include:
- Requests for documentation and information
- Security audits
- On-site inspections
- Binding compliance instructions
- Participation in EU cybersecurity coordination mechanisms
The enforcement structure aligns with Directive-level cooperation requirements.
10. NIS2 Fines and Sanctions in Sweden
Sweden applies Directive-aligned administrative penalties.
Essential Entities
Up to €10 million or 2% of total global annual turnover (whichever is higher)
Important Entities
Up to €7 million or 1.4% of total global annual turnover (whichever is higher)
Beyond financial penalties, NIS2 enforcement in Sweden may also include:
- Binding remediation orders
- Public identification of non-compliant entities
- Suspension of authorizations or certifications
- Time-limited prohibition on holding management functions (for management body members of essential entities, in certain situations)
11. NIS2 Supply Chain and Vendor Security in Sweden
Entities must manage third-party cybersecurity exposure through:
- Vendor risk assessments
- Contractual security flow-down provisions
- Continuous ICT supplier monitoring
- Concentration risk analysis
- Incident propagation mitigation
Sweden's approach aligns with Directive baseline expectations regarding supplier risk management.
12. Registration and Self-Identification Duties in Sweden
Entities within scope must:
- Register with the relevant sector-specific supervisory authority — MSB/MCF for most sectors, or PTS for digital infrastructure, digital providers, ICT service management (B2B), space, and postal and courier services. Registration should occur as soon as possible from 15 January 2026; the initial registration deadline for in-scope entities was 16 February 2026 (now passed). The MSB/MCF notification portal launched on 2 February 2026.
- Provide corporate identification details
- Disclose sector classification — the supervisory authority uses registration information to classify entities as essential or important
- Maintain updated reporting contacts
The Cybersäkerhetslagen applies a whole-entity approach: if an entity is in scope, compliance applies to its entire IT footprint. Supplementary regulations from MSB/MCF and PTS (covering notification, security measures, training, and incident reporting) have been issued from 15 January 2026, with further regulations expected through Q1 2026.
Self-identification is mandatory. Entities that missed the 16 February 2026 registration deadline should act immediately, as registration is a sanctionable obligation.
13. Interaction With GDPR and Other Laws in Sweden
The General Data Protection Regulation continues to apply concurrently.
Overlap considerations include:
- 72-hour personal data breach notification
- Supervisory authority coordination
14. Cross-Border Applicability
Entities with their main establishment in Sweden are supervised by Swedish authorities for cross-border services.
Foreign digital providers offering services in Sweden may be subject to national obligations depending on establishment structure.
Representation requirements follow Directive standards for non-EU providers serving the Swedish market.
15. Implementation Timeline in Sweden
- Directive adoption: 2022
- National legislative amendments: Cybersäkerhetslagen (SFS 2025:1506) adopted by the Riksdag on 10 December 2025; Cybersäkerhetsförordningen issued concurrently; replaces Act 2018:1174
- Entry into force: 15 January 2026, with supplementary regulations effective from the same date
- Commission notification: EC reasoned opinion issued 7 May 2025; resolved following adoption and entry into force
- Compliance milestone: Registration deadline 16 February 2026 (passed); all obligations apply immediately from 15 January 2026 with no general grace period; MSB/MCF notification portal launched 2 February 2026
Sweden completed its NIS2 transposition on 15 January 2026 after missing the EU deadline. All obligations apply immediately with no grace period. The 16 February 2026 registration deadline has passed — entities not yet registered should act immediately.
16. Key Takeaways for SMEs in Sweden
- Medium-sized entities in covered sectors are automatically within scope. The Cybersäkerhetslagen has been in force since 15 January 2026 and applies a whole-entity approach.
- Small entities may be designated if critical to national or economic stability.
- Board-level governance oversight is mandatory. Management training on security measures is a sanctionable obligation, and essential-entity management body members may face a time-limited prohibition on management functions.
- Incident reporting follows 24h / 72h / 1 month deadlines, with reports submitted to MSB/MCF (or the sector-specific supervisory authority). Trust service providers must submit both the early warning and the incident notification within 24 hours.
- Financial penalties can reach €10 million or 2% of global turnover.
- Vendor risk management is required.
- The 16 February 2026 registration deadline has passed — register immediately with the relevant supervisory authority (MSB/MCF for most sectors; PTS for digital sectors). All obligations apply from 15 January 2026 with no grace period, and supplementary regulations continue to be issued and must be monitored.
FAQ: NIS2 Sweden SME Guide
Does NIS2 apply to small companies in Sweden?
Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.
What are the NIS2 fines in Sweden?
Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.
When does NIS2 take effect in Sweden?
The Cybersäkerhetslagen (Cybersecurity Act, SFS 2025:1506) entered into force on 15 January 2026, completing Sweden's NIS2 transposition. All obligations apply immediately with no general grace period. The registration deadline for entities in scope on entry into force was 16 February 2026 (now passed). Entities not yet registered with their relevant supervisory authority — MSB/MCF for most sectors, or PTS for digital infrastructure, digital providers, ICT service management, space, and postal and courier services — should act immediately.
Who enforces NIS2 in Sweden?
MSB/MCF (the Swedish Civil Defence and Resilience Agency, formerly the Swedish Civil Contingencies Agency) serves as national coordinator, EU single point of contact, and national CSIRT, supervising most sectors. PTS (the Swedish Post and Telecom Agency) co-regulates digital infrastructure, digital providers, ICT service management, space, and postal and courier services. Sweden operates a decentralised supervisory model with additional sector-specific authorities.
Can directors be personally liable under NIS2 in Sweden?
Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.
How does NIS2 differ from GDPR in Sweden?
NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.
What qualifies as a significant incident under NIS2 in Sweden?
An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.