NIS2 becomes the Cybersecurity Act in Sweden – this is what you need to know
A new interim report delivered to Sweden's Ministry of Defence proposes that the EU's NIS2 directive be transposed into a new Swedish law, the Cybersecurity Act. One of the main open issues is timing: will organisations have enough time to meet the requirements of the new law?
On 5 March 2024, Sweden's minister for civil defence, Carl-Oskar Bohlin, received an interim report titled "New Rules on Cybersecurity" (SOU 2024:18). The report contains proposals for the adjustments to Swedish law needed to implement the EU's NIS2 directive. It suggests the introduction of a new law, the Cybersecurity Act.
“In the serious security policy situation, strengthening information and cybersecurity is a priority area for the government. With NIS2, more sectors are covered by the legislation compared to the current NIS, which will ultimately strengthen Sweden’s resilience,” says Carl-Oskar Bohlin in a comment.
Several differences compared to NIS1
One of the differences from the old NIS1 directive is that the Cybersecurity Act, based on the new NIS2 directive, will apply to a larger number of sectors than the current NIS1-based legislation: 18 sectors compared to today's 7. This includes both private and public organisations.
The Cybersecurity Act will also set out stricter requirements for the organisations, with the goal of achieving a higher level of cybersecurity. Some of the new requirements for organisations in the affected sectors include the following:
- Incident reporting
- Notification obligations
- Risk management measures
Another part of the proposed law is a wider mandate for the supervisory authorities to decide on sanctions, with higher administrative fines if an organisation breaches the rules. The proposal sets three levels of fines, for essential organisations, important organisations and public sector organisations respectively. The highest level, for essential organisations, is up to 10 million euros or 2 percent of total annual turnover, whichever is higher; important organisations face a lower maximum (under NIS2 itself, 7 million euros or 1.4 percent of turnover), and public sector organisations can be fined up to 10 million SEK.
Will organisations have enough time to comply?
The NIS2 directive is set to apply from 18 October 2024. The Cybersecurity Act, however, is proposed to enter into force on 1 January 2025. This raises two questions: Does this give organisations enough time to implement the requirements of the new law? And: Which legislation prevails during the months between the two dates? On the second point, a directive binds the member states rather than organisations directly, so until the Cybersecurity Act replaces it, the current NIS1-based law remains the one in force in Sweden.
Complying fully with the Cybersecurity Act will demand a lot from organisations and is therefore a time-consuming process. An organisation affected by a significant incident is obliged to submit an early warning within 24 hours of becoming aware of the incident, follow up with an incident notification containing an initial assessment within 72 hours, and deliver a final report within one month. Note that the clock starts at awareness, not at the time of the intrusion, so the ability to detect an incident promptly is what makes the deadlines achievable. Quick action is crucial for limiting the impact of cyber incidents, and establishing a process for detecting and responding to incidents in real time is an urgent task for all affected organisations.
Leveraging a Managed Detection and Response (MDR) service for incident handling aligns with NIS2's requirements for swift detection, reporting and response. MDR's continuous monitoring and threat detection capabilities help organisations meet the directive's incident management requirements efficiently. Read more about NTT Security's MDR service here.
It remains to be seen what the final version of the Swedish Cybersecurity Act will contain and whether the recommendations of the interim report will be carried into the legislative proposal, which is expected to be published later this year. One thing is nonetheless clear: to meet the NIS2 directive and stay ahead of the legislative process around the Cybersecurity Act, organisations need to act today.
Reach out to our experts at NTT Security to discuss your compliance needs and discover how our services can support your journey to NIS2 compliance.
Read more about the NIS2 directive and its implications for your organisation here.