NIS2 and the Swedish Regulation Jungle

Sweden’s NIS2 framework is fragmented. The main obligations are set out in legislation, but the detailed requirements are spread across several layers: the Swedish Cybersecurity Act, the Swedish Cybersecurity Ordinance, public authority regulations, directly applicable EU rules and sector-specific guidance. The relevant supervisory authority also depends on the sector in which the entity operates.

Legal framework

Sweden has implemented NIS2 through the Cybersecurity Act (2025:1506) and the Cybersecurity Ordinance (2025:1507). These instruments set the main legal framework. They determine which entities are in scope, establish the core cybersecurity obligations and allocate supervisory responsibility between authorities.

However, the detailed rules are split across different instruments. An entity must therefore identify:

  • whether it falls within the Swedish Cybersecurity Act;
  • which NIS2 sector it belongs to;
  • which authority supervises that sector;
  • which binding regulations apply; and
  • whether sector-specific guidance has been issued by the relevant supervisory authority.

Regulation jungle

The regulations, which set out the more detailed rules, are where things become more difficult to navigate. The Swedish Civil Defence and Resilience Agency (MCF) has issued binding regulations on notification and identification of essential and important entities, MCFFS 2026:1. These rules entered into force on 2 February 2026. MCF has also issued regulations on incident reporting and information obligations, MCFFS 2026:8, which enter into force on 1 July 2026. MCF is also currently consulting on two draft regulations: one concerning security measures and management training, and one concerning security audits and security scanning.

At the same time, the Swedish government has amended the Cybersecurity Ordinance (SFS 2026:623), with the result that several central NIS2 functions and regulation-making mandates are transferred from MCF to the Swedish National Defence Radio Establishment (FRA) as of 1 July 2026. Under the amended Cybersecurity Ordinance, FRA becomes the single point of contact, the CSIRT and the cyber crisis management authority. FRA will also receive several regulation-making powers that are central to NIS2 in Sweden.

On top of this, the Swedish Post and Telecom Authority (PTS) has a mandate to issue regulations for the five sectors that it supervises. These sectors are:

  • digital infrastructure;
  • ICT service management, business-to-business;
  • postal and courier services;
  • space; and
  • digital providers.

For entities that fall only within PTS’s five sectors, MCF’s regulations on security measures and incident reporting do not apply in full. PTS states that certain parts still apply. This includes the rules on management training on security measures in Chapter 2 of MCF’s security measures and training regulations, and the rules on how reporting must be made and which information must be reported in Chapter 2 of MCF’s incident reporting regulations.

For many entities in digital infrastructure, ICT service management and digital providers, the position is further affected by Commission Implementing Regulation (EU) 2024/2690. That regulation sets detailed EU-level rules on cybersecurity risk management measures and incident reporting thresholds. PTS states that, for entities covered by that regulation, it does not intend to issue additional Swedish-specific rules on areas already covered by the regulation.

Other Swedish supervisory authorities may supervise specific sectors without having their own NIS2 regulation-making mandate. This includes, for example, the Swedish Transport Agency, which supervises the transport sector. Those authorities may, however, issue sector-specific guidance, such as guidance on notification and identification for the transport sector. Such guidance may be important in practice, but it is not the same as binding regulations. A final layer of complexity is future case law.

The applicable requirements may therefore come from:

  • the Cybersecurity Act (2025:1506);
  • the Cybersecurity Ordinance (2025:1507);
  • regulations issued by the Swedish Civil Defence and Resilience Agency (MCF);
  • regulations issued by the Swedish National Defence Radio Establishment (FRA) from 1 July 2026;
  • regulations or sector-specific positions from the Swedish Post and Telecom Authority (PTS);
  • directly applicable EU rules, including Commission Implementing Regulation (EU) 2024/2690;
  • non-binding guidance from the relevant supervisory authority, such as the Swedish Transport Agency for the transport sector; and
  • future case law.

For in-scope entities, the compliance exercise should be sequential. First identify the entity and its activities. Then identify the relevant NIS2 sector(s) and supervisory authority. Only after that can the entity determine whether the detailed requirements come from MCF, FRA, PTS, EU regulation, sector-specific guidance or a combination of these.
