Sweden's Cybersecurity Act (SFS 2025:1506), which implements the NIS2 Directive, entered into force on 15 January 2026. It applies to organisations in 18 designated sectors with at least 50 employees or turnover of at least EUR 10 million. If your business is in scope, you need to register with the supervisory authority, implement risk-management measures, and maintain incident-reporting routines.
Sweden's Cybersecurity Act is now in force, and more Swedish businesses are affected than many expect. For organisations in the right sector and size bracket, NIS2 is not just about policy documents but about registration, risk management, and real incident reporting.
Sweden implemented NIS2 late. The original EU deadline was October 2024, but the Swedish Cybersecurity Act did not enter into force until 15 January 2026 after the European Commission opened infringement proceedings against Sweden. The law is now in force - and affected organisations need to act.
What is NIS2 and why does it matter to Swedish businesses?
NIS2 is the EU's updated cybersecurity directive and replaces the older NIS framework from 2018. Its purpose is to raise resilience in essential and digitally dependent organisations through clearer requirements for risk management, incident reporting, and leadership accountability.
This is not the same as GDPR. GDPR focuses on personal data, while NIS2 focuses on operational security, networks, information systems, and the ability to withstand cyber incidents. That means many Swedish businesses need to comply with both frameworks in parallel.
Which businesses are covered by the Cybersecurity Act?
The law covers organisations in 18 designated sectors. The main rule is that a company is in scope if it operates in the right sector and has at least 50 employees or at least EUR 10 million in turnover or balance sheet total. Some actors are covered regardless of size, such as trust service providers and parts of digital infrastructure.
The Swedish law also applies a clear whole-entity approach. That means the organisation's full IT footprint can be in scope, not just the systems you yourself classify as critical. For Swedish businesses, this is a stricter application than many initially expected.
The 18 sectors are:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing
- Digital providers
- Research
What is required if you are in scope?
The first step is registration with the relevant supervisory authority as soon as possible. After that, you need to show that you work with risk-management measures that are technical, operational, and organisational - not just policies on paper but controls that work in practice.
You also need incident-reporting routines with early detection, rapid escalation, and clear decision paths. Finally, NIS2 increases leadership accountability. Management can be held personally responsible and must receive security training, which makes cybersecurity a board and leadership issue rather than just an IT topic.
What happens if you do not comply?
The sanction model is primarily administrative rather than criminal. Supervisory authorities can issue injunctions, formal remarks, and other corrective requirements when they find gaps in registration, risk management, or incident handling.
For serious or long-running failures, the administrative fines can be substantial. In some situations, restrictions for people in management roles can also become relevant. The message is clear: the law expects active governance and cannot be deferred indefinitely.
How Microsoft 365 and Zero Trust help you meet NIS2 requirements
For many Swedish SMEs, a large part of the technical foundation already exists inside Microsoft 365. MFA and Entra ID strengthen identity protection, Intune gives you device control, and Microsoft Defender adds detection, protection, and monitoring. When these elements are set up inside a Zero Trust model, you move much closer to the risk-based approach NIS2 expects.
That does not mean licences alone create compliance. Configuration, ownership, follow-up, and training are what make the difference. But with the right Microsoft architecture, it becomes possible to combine security, traceability, and practical operations in a way that is realistic even for smaller organisations.
Conclusion
NIS2 is now Swedish law, and the requirements are more operational than many businesses first assumed. For organisations in scope, the next step is to confirm coverage, register, and build a security model that holds up both technically and organisationally.
Frequently asked questions
Does NIS2 apply to all Swedish companies?
No. The law applies to organisations in designated sectors and normally covers entities that meet the size threshold of 50 employees or EUR 10 million in turnover or balance sheet total. Some actor types, such as parts of digital infrastructure and trust service providers, can be in scope even if they are smaller.
What is the difference between NIS2 and GDPR?
GDPR is about how personal data is processed and protected. NIS2 and Sweden's Cybersecurity Act are about protecting networks, systems, operations, and resilience against cyber incidents. Many organisations need to work with both at the same time.
What happens if we do not register?
If you are in scope but fail to register, the supervisory authority can treat that as a compliance failure. That can lead to injunctions, formal remarks, and ultimately administrative fines.
How quickly do we need to report an incident?
Your planning baseline should follow the NIS2 timeline: early warning within 24 hours, incident notification within 72 hours, and a final report within one month unless your supervisory authority specifies otherwise. That is why internal routines need to exist before the first incident happens.
Does Microsoft 365 help us meet NIS2 requirements?
Yes, Microsoft 365 can provide a large part of the technical foundation if it is configured properly. MFA, Entra ID, Intune, Defender, and a clear Zero Trust model support identity protection, device security, logging, and incident handling - but they still need to be paired with governance, training, and leadership accountability.
Ready to take the next step?
Not sure whether your business is in scope or where to begin? Book a free 30-minute review and we will walk through your situation and give you practical next steps.