Cybersecurity regulation in Sweden (2026)

The Swedish Government published a five-year strategy titled 'A New Era of Cybersecurity' with 72 action points and 13 measurable indicators across three pillars: systematic cybersecurity work, competence development, and incident-management capability. FRA/NCSC is tasked with developing a national measurement model to track progress.

Sweden's Cybersäkerhetslagen came into effect, fully implementing the NIS2 Directive roughly 15 months after the EU deadline. The law applies a 'whole-entity' approach across 18 critical sectors, mandates 24-hour initial incident reporting, introduces personal executive liability, and requires entity registration with the competent authority (MCF) by 16 February 2026.

The Swedish Parliament passed the Cybersecurity Act, replacing the 2018 Information Security Act. The law expands covered sectors from 7 to 18, sets minimum security measures on a risk-based footing including supply-chain security and backup obligations, and equips supervisory authorities with strengthened enforcement tools including administrative fines.

The Commission escalated infringement proceedings against Sweden to the 'reasoned opinion' stage — the final step before referral to the EU Court of Justice — after Sweden remained one of the last EU member states without NIS2 implementing legislation, which had been due by 17 October 2024.

Shortly after the 17 October 2024 NIS2 transposition deadline passed, the Commission opened infringement proceedings by issuing letters of formal notice to 23 member states including Sweden, placing Sweden under formal legal obligation to enact implementing legislation or face court referral.

Sweden's formal NATO membership brought binding Alliance cyber-defence obligations and accelerated a government review that found the existing multi-agency NCSC model underperforming, directly triggering the decision to transfer NCSC ownership to the signals intelligence agency FRA — aligning Sweden with the UK (GCHQ), Norway (NSM), and Denmark (FE) models.

An interim government inquiry ('Nya regler om cybersäkerhet', SOU 2024:18) laid out the legislative architecture for NIS2 transposition. Separately, a government review found the NCSC failing to achieve expected results under its multi-agency structure and formally initiated the transfer of NCSC to FRA (Försvarets radioanstalt), Sweden's signals intelligence agency.

The revised EU Network and Information Security Directive entered into force, giving member states until 17 October 2024 to enact national implementing law. NIS2 extended covered sectors from 7 to 18, mandated personal management liability, harmonised incident-reporting timelines (24 h/72 h/one month), and significantly increased maximum supervisory fines.

A supply-chain ransomware attack by REvil against US IT provider Kaseya cascaded through Swedish payment-systems supplier Visma Esscom, disabling checkout tills at roughly 800 Coop stores across Sweden. The incident — at the time the largest ransomware attack ever recorded — exposed Sweden's third-party software supply-chain vulnerability and influenced both the NCSC build-up and subsequent NIS2 implementation debates.

Sweden established the NCSC as a multi-agency collaboration platform between FRA, the Swedish Armed Forces, SÄPO (security police), and MSB, with SEK 440 m allocated for 2021–2025. The centre was tasked with coordinating threat intelligence, incident response, and public–private information-sharing — Sweden's first dedicated national cyber coordination body.

The Government submitted its first dedicated cybersecurity strategy to the Riksdag, covering critical infrastructure protection, cybercrime response, citizen awareness, and international cooperation. MSB was designated the national coordinating authority, establishing the multi-agency governance model and the strategic foundation for all subsequent cybersecurity legislation in Sweden.