Sweden’s updated NIS2 draft regulation on training and security measures: broader flexibility, targeted tightening on supply chain security

The Swedish Civil Defence and Resilience Agency (MCF, formerly MSB) has recently published an updated draft regulation on training and security measures under Sweden’s NIS2 framework. Although the regulation has not yet been finalised, it gives a clearer indication of the security and training measures that in-scope entities are expected to implement. The draft regulation is currently subject […]
EU launches ICT Supply Chain Security Toolbox to address cybersecurity risks

On 30 January 2026, the NIS Cooperation Group, comprising representatives of EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA), adopted the EU ICT Supply Chain Security Toolbox, establishing a common EU approach to identifying, assessing and mitigating cybersecurity risks across ICT supply chains. The toolbox provides a structured, non-binding framework […]
EDPB–EDPS Joint Opinion on the Digital Omnibus proposal

On 19 November 2025, the European Commission issued a Digital Omnibus proposal with the aim of simplifying compliance with the digital rulebook, thereby amending several pieces of EU digital legislation, such as the GDPR, the Data Act and the ePrivacy Directive. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed […]
NIS2 Entities Registration in Sweden – Guidance

The EU’s NIS2 Directive, implemented in Sweden via the Cybersecurity Act (Sv. Cybersäkerhetslag (2025:1506)), introduces a mandatory obligation for covered organisations to register with the supervisory authority. In this context, the Swedish Civil Defence and Resilience Agency (Sv. Myndigheten för civilt försvar) has issued guidance and launched a registration platform to facilitate compliance. From 2 […]
Cyber Resilience Act: Technical Descriptions for Important and Critical Products Are Published

The European Commission has adopted Implementing Regulation (EU) 2025/2392, providing the technical descriptions for the categories of important and critical products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847). The CRA establishes a tiered regulatory framework, whereby the required level of assurance depends on a product’s core functionality and the associated cybersecurity […]
ESAs Publish First List of Critical ICT Third-Party Providers Under DORA

The European Supervisory Authorities (the ESAs) have published the first list of critical ICT third-party providers (CTPPs) designated under the Digital Operational Resilience Act (DORA). This marks a key step in rolling out the DORA oversight framework, following a multi-stage assessment based on financial-entity registers, cross-sector criticality analysis and providers’ right to be heard. The […]
The Digital Omnibus: Targeted Amendments to the EU Digital Rulebook

The European Commission has unveiled a new digital package designed to cut administrative burdens for companies across the EU and streamline the Union’s fragmented digital rulebook. The package centres on, amongst other things, amending existing requirements relating to the GDPR, the AI Act, the Data Act, the ePrivacy Directive and other data legislation such as the Data Governance Act. […]
Swedish Government Submits Bill on New Cybersecurity Act to Implement NIS 2

The Swedish Government has published the bill to implement the NIS 2 directive (2022/2555) into Swedish law. The proposal includes amongst other things the introduction of a new law, the Swedish Cybersecurity Act – which will replace the current Swedish Act (2018:1174) that implemented the previous NIS directive. The Cybersecurity Act largely aligns with the […]
Digital Omnibus: Simplifying the EU’s Digital Rulebook

The European Commission is taking steps to simplify the EU’s complex digital regulations, with the aim to ease reporting requirements for businesses and to create a more consistent digital regulatory framework. The Digital Omnibus, part of the wider Digital Package on Simplification, targets overlapping and outdated rules across several digital areas. The goal of the […]
Two Regulatory Technical Standards (RTS) for the DORA have been published

The Commission has recently adopted two additional Regulatory Technical Standards (RTS) in the form of Delegated Regulations, thus completing the process of adopting all eight RTS. Technical standards will supplement and specify the rules of DORA (Regulation (EU) 2022/2554). From a regulatory perspective, these technical standards are complementary, providing more detailed specifications of specific requirements […]