The Swedish Government has published the bill to implement the NIS 2 directive (2022/2555) into Swedish law. The proposal includes amongst other things the introduction of a new law, the Swedish Cybersecurity Act – which will replace the current Swedish Act (2018:1174) that implemented the previous NIS directive.
The Cybersecurity Act largely aligns with the NIS 2 directive and the Council of Legislation’s (Sw. Lagrådets) version of the Swedish proposal. Certain definitions and other clarifications have however been made in the proposed bill.
The following is of particular note:
- Size threshold. The Cybersecurity Act applies to entities that are at least medium-sized. “Medium-sized enterprise” is defined by reference to Article 2 of the Annex to Commission Recommendation 2003/361/EC. Exemptions apply to for example certain digital service providers.
- Linked and partner enterprises. The circumstances for “linked enterprises” and “partner enterprises” have been clarified to some extent. Exemptions from obligations may be decided by the Government or a designated authority in individual cases where a partner or linked enterprise does not itself meet the size threshold and, on an overall assessment, need not be covered.
- Group companies. Individual assessments on the scope of the Cybersecurity Act shall apply in relation to each group company.
- Incidents. Entities must inform recipients of their services about significant incidents when appropriate and as soon as possible. No specific deadline is set.
- Supervisory authorities. The specific Swedish supervisory authorities that will cover the sectors in scope of the Cybersecurity Act have not yet been determined.
- Management bans. A prohibition on exercising managerial functions can be imposed only in relation to essential entities and only on individuals in management positions (i.e., not companies).
The Cybersecurity Act is expected to enter into force on 15 January 2026.
Click here to read the full report (in Swedish only).
