Sweden’s updated NIS2 draft regulation on training and security measures: broader flexibility, targeted tightening on supply chain security

The Swedish Civil Defence and Resilience Agency (MCF, formerly MSB) has recently published an updated draft regulation on training and security measures under Sweden’s NIS2 framework. Although the regulation has not yet been finalised, it gives a clearer indication of the security and training measures that in-scope entities are expected to implement. The draft regulation is currently subject to a consultation process.

Brief background

NIS2 has been implemented in Sweden primarily through the Cybersecurity Law (2025:1506) and the Cybersecurity Ordinance (2025:1507). Those instruments establish the main legal framework. They determine which entities are in scope, set the core security and governance obligations, and provide the statutory basis for reporting obligations.

In Sweden, more detailed compliance requirements are delegated to regulations issued by the competent supervisory authorities. Which authority is relevant depends on the NIS2 sector in which the entity operates. MCF nevertheless plays a central role in this structure. In addition to the draft regulation on training and security measures, MCF has also published draft regulations on security audits and security scanning, and on incident reporting and information obligations. A regulation on notification obligations for essential and important entities is already in force as of 2 February 2026.

The 2026 draft regulation on training and security measures is an updated version of an earlier draft published in 2025.

Key changes in the 2026 draft regulation on training and security measures

The main change is that the 2026 draft is less prescriptive than the 2025 draft in several areas.

Management training is one example. The 2025 draft stated which subjects management training had to cover. The 2026 draft instead states that management must have the knowledge and competence needed to direct the cybersecurity work, assess which measures are required, and supervise implementation. The obligation remains, but the regulation no longer prescribes in detail the training content in the same way.

The same pattern can be seen in staff training, internal rules, incident handling, continuity planning, and several technical and organisational measures. The 2025 draft more often stated what internal rules and procedures had to contain. The 2026 draft more often states what the entity must ensure in practice.

Additional examples:

  • Staff training and awareness. The 2025 draft stated that training and awareness measures had to be followed up and evaluated at least once a year. The 2026 draft no longer states that.
  • Internal rules and documentation. The 2025 draft imposed fixed five-year retention periods for internal rules, documentation showing how those rules had been applied, and certain management materials. The 2026 draft no longer imposes a fixed retention period; the appropriate period instead needs to be assessed on a case-by-case basis.
  • Risk management and action plans. The 2025 draft stated that implementation of action plans had to be followed up at least every third month. The 2026 draft removes that requirement.
  • Incident handling. The 2025 draft included a detailed list of matters that incident handling rules had to cover. That list included supplier coordination, contact with the national CSIRT, stakeholder communication, vulnerability reporting, and root cause analysis. The 2026 draft does not include the same level of detail.
  • Segmentation. The 2025 draft imposed a broader default segmentation model. The 2026 draft narrows the list of systems that must always be placed in separate segments.
  • Access control. The 2025 draft expressly required annual access review. The 2026 draft does not.
  • Logging. The 2025 draft imposed a broader mandatory logging list. The 2026 draft narrows that list.

For in-scope entities, this is in our view a material change. The 2026 draft gives organisations more room to decide how compliance should be organised. At the same time, it places greater weight on the organisation’s own judgement and on its ability to show that the measures adopted are appropriate, proportionate and effective.

Supply chain security is the clearest area of tighter focus

The clearest exception to the general increase in flexibility concerns supply chain security.

The 2025 draft was stricter in relation to detailed contract content. It specified several matters that outsourcing agreements had to regulate. The 2026 draft takes a different approach and places greater emphasis on:

  • assessment of suppliers before procurement or outsourcing;
  • ensuring that the relevant regulatory requirements are met by the supplier, unless the entity itself fulfils them; and
  • assessing whether the supplier can comply throughout the full contractual term.

The focus has moved away from prescribing contract wording and towards assessing whether supplier governance is adequate in substance. For many entities, that may prove to be the more demanding requirement.

Existing agreements will need to be reviewed

One of the most concrete additions in the 2026 draft is the requirement to identify and address the need to supplement agreements entered into before 1 October 2026 with cybersecurity requirements. This is significant because it makes clear that the regulation is not limited to future supplier arrangements or procurements.

The supplementary impact assessment provides context for that date. It indicates that 1 October 2026 was the planned entry-into-force date of the MCF regulation itself. The reference therefore appears to function as a transitional cut-off for pre-existing agreements, rather than as a reference to the entry into force of the Swedish Cybersecurity Law (15 January 2026).

In practical terms, entities should expect the review of legacy supplier contracts to form part of the NIS2 compliance exercise in Sweden.

Takeaways

Although the 2026 draft introduces more flexibility, it does not reduce the underlying compliance burden. In-scope entities will still need governance structures, training, risk management, incident handling, continuity arrangements, and technical safeguards of sufficient quality.

The main change from the 2025 version is that the current draft regulation more often states the result that must be achieved, rather than prescribing in detail how the entity must achieve it. That means two things. First, entities will have greater discretion in how they organise compliance. Second, entities will need to rely more heavily on internal judgement, documented reasoning, and defensible decision-making.

The clearest area in which the draft becomes more pointed is supplier governance. That is where the most significant practical changes are likely to arise. The review of legacy agreements should also be treated as a concrete obligation.
