Cybersecurity · Sweden
Sweden enacted the Cybersäkerhetslagen (SFS 2025:1506) on 10 December 2025, with effect from 15 January 2026, transposing EU NIS2 and replacing the 2018 Information Security Act. The law extends mandatory risk-management and incident-reporting obligations across 18 sectors to both essential and important entities, with 24-hour initial breach notification duties. A National Cybersecurity Strategy 2025-2029, published February 2026, underpins a whole-of-society 'total defense' approach.
Sweden missed the EU's 17 October 2024 deadline for transposing NIS2; the European Commission opened infringement proceedings and issued a reasoned opinion on 7 May 2025. The Riksdag adopted Cybersäkerhetslagen (SFS 2025:1506) on 10 December 2025 and it entered into force on 15 January 2026, formally completing transposition.
The Act covers entities in 18 sectors (up from 7 under the prior law), including energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Thresholds: at least 50 employees or EUR 10 million annual turnover/balance sheet; nearly all public-sector bodies are captured regardless of size.
Covered entities must submit an initial notification to MCF within 24 hours of becoming aware of a significant incident, a full incident report within 72 hours, and a final report within one month. MCF launched a dedicated notification portal on 2 February 2026; entities had until 16 February 2026 to register operations.
MCF (formerly MSB) is the national coordinator and EU single point of contact. Sector-specific authorities—including PTS for telecoms and digital services—exercise supervision in their domains. The NCSC, being reorganised under the signals-intelligence agency FRA, coordinates national cyber threat intelligence; CERT-SE is proposed to transfer to NCSC in 2026.
Administrative fines range from SEK 5,000 to SEK 10,000,000 as a domestic ceiling, with NIS2-aligned maxima of up to EUR 10 million or 2% of global annual turnover for essential entities and EUR 7 million or 1.4% for important entities. Supervisory authorities may also issue injunctions, reprimands, and management-position bans for persistent non-compliance.
The National Cybersecurity Strategy 2025-2029, published February 2026 by the Ministry of Civil Defense, rests on three pillars: systematic cybersecurity work, knowledge and skills development, and incident prevention and management capacity. Public investment of approximately SEK 300-400 million over 2026-2028 supports NCSC, CERT-SE, municipalities and regions under Sweden's 'total defense' concept.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.