Skip to main content
ImplementedNIS2

NIS2 in Sweden

Sweden transposed NIS2 via the Cybersäkerhetslagen (2024:1247) effective January 2025. NCSC Sweden coordinates, with MSBFS issuing sector-specific binding regulations.

Transposition law
Cybersäkerhetslag (2024:1247) och Cybersäkerhetsförordning (2024:1248)
In force
1 January 2025
Competent authority
NCSC Sweden: National Cyber Security Centre
Max fine (Essential)
SEK 100 million (~€9 million) or 2% of global annual turnover
Max fine (Important)
SEK 70 million (~€6.3 million) or 1.4% of global annual turnover
Full enforcement
January 2025

Key Deadlines

Cybersäkerhetslag in force
1 January 2025
Registration deadline
1 April 2025
Full enforcement
1 January 2025

Competent Authority

NCSC Sweden: National Cyber Security Centre
Coordination; MSBFS and sector regulators are competent authorities
https://www.ncsc.se

Sweden distributes supervision across sector authorities. MSB (Swedish Civil Contingencies Agency) handles broad coordination; MSBFS issues binding regulations per sector. Entities must self-register with their relevant sector authority.

Registration Process

Register via the competent authority for your sector. Most entities use the MSB registration portal at msb.se/nis2. You will need your Swedish organisation number (organisationsnummer) and sector classification.

📊 Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

Key Requirements

  • 1Self-registration with the relevant sector competent authority
  • 2Incident reporting within 24 hours (early warning) and 72 hours (full notification) to NCSC-SE
  • 3Implementation of MSBFS 2024:x security measures (based on NIST CSF and ISO 27001)
  • 4Annual internal audit of cybersecurity measures
  • 5Management accountability: board must receive annual cybersecurity training
  • 6Supply chain risk management programme
  • 7Encryption and key management requirements

National Additions

Sweden explicitly requires that management bodies complete annual cybersecurity training, this goes beyond NIS2 Article 20's general awareness requirement
Swedish water utilities (VA-organisationer) are included regardless of size if they serve over 10,000 consumers
NCSC Sweden publishes a public threat landscape report (Nationell lägesbild) that entities must consider in their risk assessments

FAQ: NIS2 in Sweden

Which Swedish authority is responsible for my sector?
MSB handles most sectors. PTS (Post and Telecom Authority) covers telecom and digital infrastructure. Finansinspektionen covers banking and finance. IVO covers healthcare. Contact MSB (msb.se) if you are uncertain.
Are Swedish fines capped in SEK or EUR?
Swedish fines are defined in SEK: up to SEK 100 million (approximately €9 million) for Essential Entities. The NIS2 Directive's EUR-based caps apply where the SEK amount would exceed them.

Ready to assess your NIS2 compliance?

Use our free tools to check your NIS2 scope and run a gap assessment.

🎯 Scope Checker📊 Gap Assessment