The new cybersecurity act comes into force today, making Sweden the 19th Member State to implement the NIS2 Directive
Today, the 15 January 2026, the new cybersecurity act will be enacted in Sweden, thereby incorporating the NIS2 Directive into Swedish legislation. The act imposes stricter requirements on cybersecurity, risk management, and incident reporting for businesses in eighteen sectors, including energy, transport, banking, digital infrastructure, and public administration. Additionally, management participation in the organisation’s cybersecurity work will be increased.
The cybersecurity act requires entities to register. According to the Swedish Civil Defence and Resilience Agency (MCF), the registration portal will not open until the end of January or beginning of February 2026 at the earliest.
Sweden will be the 19th Member State to implement the Directive, but eight Member States still remain. Implementation of the NIS2 Directive has varied significantly between EU Member States, which may cause difficulties for operators with activities in several Member States.
For queries, please contact Anders Bergsten, Victoria Nordenberg or Jockum Hildén.
