NIS2 Implementation in the EU
Sweden (Europe)

Firm
Advokatfirman Vinge KB

Contributors
Lisa Bourghardt

Status of the legislative process
Enacted

Status of the NIS2 Implementation Act
On 11 December, the Swedish government adopted a new Cybersecurity Act (Sw. cybersäkerhetslag) implementing NIS2, replacing the prior NIS Act, and decided on a new cybersecurity regulation (Sw. cybersäkerhetsförordning). All legislative amendments came into force on 15 January 2026. Sweden's implementation of the NIS2 Directive through a new Cybersecurity Act consolidates the core requirements of the directive, including the scope, risk-based security measures, incident reporting, supervision, and sanctions.

Significant deviations of the National Implementation Act from the NIS2 Directive, if any
- Sweden’s Cybersecurity Act is substantively aligned with the NIS2 Directive, with no material deviations. The Swedish choices in the Cybersecurity Act mainly introduce clarifications rather than departures. Examples include:
  - Terminology refinement: The Swedish Cybersecurity Act generally mirrors the NIS2 Article 6 definitions but replaces “entity” with the Swedish term operator (Sw. verksamhetsutövare), on the ground that it is a more established concept in Sweden.
  - Scope clarification (entire operator once in scope): The NIS2 Directive leaves this assessment open to interpretation. In Sweden, once the criteria are met, the Swedish Cybersecurity Act applies to the operator’s organization as a whole to avoid perimeter gaps. The Swedish government reads the NIS2 Directive as supporting this interpretation.
  - Administrative sanctions rather than criminal penalties: Leveraging NIS2’s flexibility, Sweden opts for administrative enforcement rather than criminal penalties, citing effectiveness against legal persons and alignment with enforcement aims.

Date of entry into force of the Implementation Act
- The Swedish Cybersecurity Act and related legislative amendments entered into force on 15 January 2026.
- The repealed Swedish NIS-law framework continues to apply only for infringements that occurred before that date.