The Swedish NIS2 Implementation – Cybersäkerhetslagen
Cybersäkerhetslagen is Sweden’s implementation of the EU NIS2 Directive and sets new requirements for cybersecurity governance, risk management, and incident handling. This article explains who is in scope, how essential and important entities are classified, and what organisations need to do next under the Swedish NIS2 framework.
The Scope of Cybersäkerhetslagen
NIS2 and its Swedish implementation, Cybersäkerhetslagen, aim to strengthen cybersecurity across the EU. The law applies to both private and public entities operating in designated sectors and covers key areas such as risk management, incident handling, continuity planning, and third-party risk management.
The law is risk-based and proportionate, meaning that requirements are applied based on the nature of the business and the potential impact of an incident. It also follows an all-hazards approach, which means organisations are expected to consider a broad range of risks — not only cyberattacks, but also system failures, supplier disruptions, and other events that could affect the availability or integrity of services.
Cybersäkerhetslagen places strong emphasis on incident management and operational continuity. Organisations are expected to be able to detect, manage, and recover from incidents, as well as to maintain continuity of critical services when disruptions occur. Another important part of the law is third-party and supply chain risk, recognising that cybersecurity risks often arise through suppliers and external service providers.
Unlike earlier regulatory frameworks, Cybersäkerhetslagen focuses on governance and accountability rather than individual technical solutions. The law places clear responsibility at management level, making cybersecurity a matter of decision-making and oversight, not just an IT function. It is based on the understanding that cyber incidents are no longer isolated IT issues, but events that can have wide-ranging effects on society, the economy, and public trust. The law is therefore designed to create structure, visibility, and coordination, both nationally and across the EU.
Essential or important entity – or not in scope at all?
To determine whether an organisation falls within the scope of Cybersäkerhetslagen, and whether it should be classified as an essential or important entity, the assessment must be made in a specific order. If this assessment is done incorrectly, it is easy to draw the wrong conclusions.
Step 1 – Does the organisation operate within a designated sector under NIS2?
Always start by looking at what the organisation actually does. If the organisation does not operate within any of the sectors listed in the annexes to the NIS2 Directive, it is, as a general rule, not subject to Cybersäkerhetslagen. If the organisation does operate in a designated sector, you move on to the next step. In other words, the size of the organisation is irrelevant if the sector is not in scope.
Step 2 – Does the organisation meet the size threshold?
Cybersäkerhetslagen relies on the EU definition of company size. The assessment is made using two alternative routes: number of employees, or a combination of financial thresholds.
A company is considered large if it meets either of the following criteria:
- the company has 250 or more employees, or
- the company has both an annual turnover exceeding EUR 50 million and a balance sheet total exceeding EUR 43 million.
It is sufficient for one of these alternatives to be met for the company to be classified as large. Note that the two financial thresholds are assessed together: exceeding only one of them does not make the company large.
A company is considered medium-sized (or larger) if it meets either of the following criteria:
- the company has 50 or more employees, or
- the company has both an annual turnover exceeding EUR 10 million and a balance sheet total exceeding EUR 10 million.
Here too, the logic is "either–or" between workforce size and the financial criteria, while the two financial thresholds must always be assessed together.
In practice, this means that Cybersäkerhetslagen mainly applies to organisations with at least 50 employees, or that exceed both financial thresholds. Organisations below these thresholds are, as a general rule, not covered, even if they operate within a designated sector (subject to the exceptions in Step 4).
It is important to understand how the size requirement is used in the law. The number of employees and the financial thresholds are not a measure of actual cyber risk or societal impact, but an administrative filter intended to make the regulation proportionate and workable.
Step 3 – Is the entity essential or important?
Once sector and size have been established, the classification depends on which annex the sector belongs to.
Sectors listed in Annex I belong to areas where incidents can typically have broad and systemic impacts.
- Large companies in these sectors are, as a starting point, classified as essential entities.
- Medium-sized companies are normally classified as important entities.
Sectors listed in Annex II belong to sectors where the consequences of incidents are often more limited, but still serious.
- Medium-sized and large companies in these sectors are normally classified as important entities.
Step 4 – Are there exceptions where size does not matter?
Finally, it is necessary to check whether the organisation falls into a category where size is not decisive. Further guidance on when size thresholds do not apply is provided in the regulations issued under Cybersäkerhetslagen, in particular in Myndigheten för civilt försvars föreskrifter om anmälan och identifiering av väsentliga och viktiga verksamhetsutövare.
These regulations clarify additional criteria and categories of entities that may fall within the scope of the law, regardless of organisational size. This applies in particular to:
- parts of digital infrastructure (for example certain cloud or data centre services),
- public administration, and
- organisations that are considered to be of particular importance to the functioning of society, as specified in the applicable regulations.
In these cases, Cybersäkerhetslagen may apply even to organisations that would otherwise fall outside the scope due to their size.
Notification obligations under Cybersäkerhetslagen
Cybersäkerhetslagen has now entered into force, and entities that fall within its scope are therefore subject to a notification obligation. Organisations must notify their activities to the authority designated by the government, which in Sweden is the Swedish Civil Contingencies Agency (Myndigheten för civilt försvar). This registration (notification) is a formal legal requirement and a core element of how the NIS2 framework is implemented in practice.
The notification is submitted via the Swedish Civil Contingencies Agency's digital notification service. The authority has announced that a simplified version of the service will be launched in connection with the entry into force of the regulations on notification and identification. Organisations are expected to submit their notification once this service is available, on February 2, 2026.
When submitting the notification, organisations register their activities in accordance with the NIS2 Directive. This registration includes basic organisational information such as name, registration number, and contact details, as well as information on establishment in Sweden or the appointment of a representative within the EU/EEA. Organisations must also specify which sector or sectors, and any relevant subsectors, they operate in, whether activities are carried out within the EU/EEA, and how they have classified themselves under NIS2, including whether they consider themselves an essential or important entity.
It is important to understand the purpose of this notification obligation. Cybersäkerhetslagen is designed to give the state a coherent and accurate overview of the national cyber-exposed landscape. The notification requirement should therefore not be seen as an additional operational security measure, but as a means of identifying which organisations operate within the regulated sectors and how they are positioned within the NIS2 framework.
How DORA-Regulated Financial Institutions Are Affected
Organisations that are subject to DORA are not automatically outside the scope of Cybersäkerhetslagen. If the organisation meets the size threshold under NIS2 and operates within a designated sector, there is still an obligation to notify under Cybersäkerhetslagen.
In this context, DORA and Cybersäkerhetslagen serve different purposes. DORA regulates how the financial sector must work with cybersecurity in practice, for example through requirements on risk management and incident reporting. The notification obligation under Cybersäkerhetslagen, on the other hand, is intended to allow the state to identify which organisations operate within the relevant sectors and to maintain an overall view of the national cyber landscape.
Notifying under Cybersäkerhetslagen therefore does not mean that new security requirements are introduced for the parts of the business already covered by DORA. Instead, this registration allows the authorities to identify the organisation and maintain an overview of entities operating within the relevant sectors.
Next Steps
With Cybersäkerhetslagen now in force, many organisations will benefit from focusing their next steps on implementation and on the key areas of the law, rather than treating it as a single compliance exercise.
A common starting point is risk management, by confirming that existing risk assessments reflect an all-hazards perspective and that ownership and escalation paths are clear. Incident handling is another priority, where organisations should be confident that significant incidents can be identified, escalated, and managed within expected timeframes.
Organisations will also benefit from reviewing business continuity and resilience, ensuring that critical services can be maintained and recovered during disruptions. Third-party and supplier dependencies often require particular attention, especially where external services are essential to operations and resilience, or where new supplier agreements are being negotiated or renewed.
Finally, anchoring these topics at management level helps ensure that priorities, risk acceptance, and next steps are aligned and proportionate.
Taken together, these actions help organisations move from understanding Cybersäkerhetslagen to working with it in a focused and practical way.
Webinar February 10
In our upcoming webinar, you will receive concrete and practical guidance on what the Cybersecurity Act requires today, which areas should be prioritised, and how to act if an incident occurs. The session focuses on two of the most business-critical requirements: incident management and third-party risk management. The webinar also includes insights, experiences, and key lessons learned from previously completed DORA projects.
Date: February 10, 2026
Time: 10:00-10:45
Language: Swedish
Managing NIS2 from the Top
Advisense helps you avoid common pitfalls and mistakes. Now that the law has entered into force, we guide you through the practical actions required from day one, and if time or resources are limited, we provide comprehensive support throughout the entire process – from analysis and planning to implementation and follow‑up.
We can also offer targeted support in specific areas where interpretation or guidance is needed, such as understanding how DORA and NIS2 overlap and affect your organisation, how to conduct a risk assessment that meets the regulatory requirements, or how to strengthen your continuity management.
With our experience, you gain control over the extensive and complex management of third‑party risks through proven methodologies, industry best practices, and practical tools for robust supplier governance.
For more information please contact: