The Swedish Government submits draft Cyber Security Act (implementation of NIS2) to the Council on Legislation

On 12 June 2025, the Swedish Government decided on a legislative council referral with proposals for a new Cyber Security Act (the “Act“) and other legislative amendments. The package implements Directive (EU) 2022/2555 (NIS 2).

The referral shows a number of amendments in the proposal for the new Cyber Security Act compared to the proposal in the government inquiry, see SOU 2024:18. The proposals will now be reviewed by the Swedish Council on Legislation (Sw. Lagrådet).

Narrowed scope for public authorities

A notable amendment in the new proposal concerns the scope of application of the Act in relation to public authorities (Sw. statliga myndigheter). In the SOU-proposal, the Act applied broadly to effectively all public authorities. However, under the new proposal in the legislative referral this has been narrowed. Now, the Act applies only to public authorities that are authorised to make decisions that: (i) affect the rights of natural or legal persons, and (ii) concerns cross-border movement of persons, goods, services or capital. The new proposal also allows other public authorities to become subject to the Act if they are designated by the Swedish Government. Lastly, it should be noted that all Swedish municipalities and regions remain in-scope in accordance with the original SOU-proposal.

Operators required to assess both appropriateness and proportionality

Another important amendment concerns the security obligations imposed on operators. Under the new proposal, operators are required to implement security measures for network and information systems that are both appropriate and proportionate to the risks involved. Previously, only proportionate risk management measures were required. According to the referral, this means that both an appropriateness and proportionality assessment of the security measures must be carried out.

It is important to note that the legislative text remains subject to change, but the Swedish Government proposes that the Act apply from 15 January 2026.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure