A New Cybersecurity Act: Sweden’s Implementation of NIS2

A new era of cybersecurity regulation is upon us. The Swedish Government has passed a new Cybersecurity Act, implementing the NIS2 Directive, which enters into force on 15 January 2026. The Act introduces two particularly significant features: a whole-entity approach to scope that extends obligations across entire organizations, and a framework of minimum security measures grounded in risk-based prioritization. These elements will reshape how Swedish organizations approach cybersecurity governance and compliance.

Background

The NIS2 Directive (Directive (EU) 2022/2555) aims to achieve a high common level of cybersecurity across the EU, with broader scope and stricter obligations than its predecessor. The Directive establishes harmonized rules for cybersecurity risk management, incident reporting, supervision and enforcement across essential and important entities in 18 critical sectors.

Sweden has implemented NIS2 primarily through a new, standalone Cybersecurity Act, replacing the existing Information Security Act (2018:1174). This legislative approach reflects the Government's view that NIS2 represents a fundamental shift in cybersecurity regulation, warranting a comprehensive new legal framework rather than incremental amendments.

Scope: The Whole-Entity Approach

Who is covered?

The new Cybersecurity Act applies to public and private entities ("operators") operating across the NIS2 Annex I and II sectors that meet size or special-criteria thresholds, specified public bodies, providers of electronic communications, digital infrastructure (such as DNS and TLD registries), certain online platforms, and trust services.

The size test follows the EU SME definition: entities with 50 or more employees or annual turnover or balance sheet total exceeding EUR 10 million are subject to baseline inclusion, with partner and affiliate rules aligned to the Commission recommendation and NIS2's Article 3.4 carve-out.

Entities are classified as either "essential" or "important". Essential entities include public authorities, large operators in Annex I sectors, qualifying electronic communications providers, TLD and DNS service providers, and qualified trust service providers. All others in scope are classified as important entities.

The Whole-Entity Principle: A Distinctive Swedish Choice

The most distinctive feature of the Swedish implementation is the adoption of a whole-entity approach to the scope.

As a rule, once an entity falls within scope based on sectoral and size criteria, the entire organization is subject to the Act's requirements, not only the specific service line or activity that triggered coverage. The rationale for this approach is that incidents in non-regulated parts of an organization can propagate to critical functions, and that partial scoping creates difficult boundary problems.

This interpretation means that if, for example, a manufacturing company meets the size threshold and produces medical devices (a covered activity), the cybersecurity requirements apply to the company's entire IT environment and operations, including administrative systems, HR platforms, and other business functions, not just the medical device production line.

Practical implications and considerations

The whole-entity principle has significant practical implications:

  • Broader compliance obligations: Organizations cannot limit their cybersecurity programmes to specific "critical" activities but must take a holistic view of their IT environment and risk landscape.
  • Organizational complexity: Entities with diverse business lines, some of which fall within NIS2 sectors and others which do not, must nonetheless apply the Act's requirements across all operations.
  • Proportionality remains key: Whilst the scope is broad, the requirement that measures be "appropriate and proportionate" means that entities can and should tailor their security investments to the actual risks posed by different parts of their operations.

Security Measures and Risk-Based Prioritization

The Core Obligation: Appropriate and Proportionate Measures

Operators must implement appropriate and proportionate technical, operational, and organizational security measures to protect the network and information systems used for their operations or services, and their physical environment, against incidents. These measures must be based on an all-hazards approach, ensure an appropriate security level relative to risk, and take account of recognized standards and implementation costs. Suitability and proportionality are cumulative requirements: a measure must both address the identified risk and be proportionate to it.

This framework establishes a risk-based rather than prescriptive approach: there is no single "correct" set of security controls that all entities must implement. Instead, organizations must assess their specific risk profile and deploy measures that are appropriate to the identified risks.

The Act specifies ten minimum security areas that operators must address: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information systems acquisition, development and maintenance; policies and procedures to assess the effectiveness of cybersecurity risk management measures; basic cyber hygiene practices and cybersecurity training; policies and procedures regarding the use of cryptography and, where necessary, encryption; human resources security, access control policies and asset management; and where necessary, the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems.

Practical implications and considerations

Risk-based implementation of security measures in practice:

  • Risk assessment as the foundation: Organizations must conduct comprehensive risk assessments as the basis for determining which security measures are appropriate and proportionate to their specific circumstances.
  • Documentation and demonstrability: The requirement to demonstrate compliance means organizations must maintain evidence showing how their chosen measures address identified risks and why they are proportionate.
  • Continuous adaptation: As risks evolve, organizations must review security measures and adjust accordingly, requiring ongoing assessment rather than one-time compliance.

Conclusion and next steps

Sweden's implementation of NIS2 through the Cybersecurity Act introduces two defining features: a whole-entity approach to scope that extends obligations across entire organizations, and a comprehensive yet flexible framework of minimum security measures grounded in risk-based prioritization.

The whole-entity principle reflects a policy choice to prioritize comprehensive protection over narrow sectoral coverage, recognizing that cyber risks do not respect organizational boundaries. Whilst this may create broader obligations for Swedish entities than in some other Member States, the emphasis on proportionality ensures that compliance efforts can and should be tailored to actual risk.

The ten minimum security areas provide clear structure whilst preserving flexibility for risk-based implementation. Organizations are not required to implement identical controls but must address each area in a manner appropriate and proportionate to their specific risk profile, size and societal impact.

With entry into force on 15 January 2026, affected entities have limited time remaining to complete preparation, with immediate focus on risk assessment, gap analysis, and building the governance structures necessary to demonstrate that their cybersecurity programmes are both comprehensive in scope and proportionate in execution.

How Deloitte can assist

Navigating the new Cybersecurity Act requires both legal expertise and technical cybersecurity knowledge. Deloitte's multidisciplinary team can support your organization through:

  • Applicability assessment: Determining whether and how the Act applies to your organization, including interpretation of the whole-entity principle and classification as an essential or important entity.
  • Gap analysis and road mapping: Evaluating current practices against the Act's requirements and developing prioritized implementation plans.
  • Risk management framework design: Establishing a proportionate, risk-based cybersecurity programme aligned with the ten minimum areas.
  • Incident notification procedures: Developing legally compliant incident detection, assessment and reporting processes that meet the Act's strict notification timelines and content requirements.
  • Supply chain security: Assessing third-party risks and implementing contractual and operational controls.
  • Governance and training: Advising boards and management on their responsibilities and delivering targeted cybersecurity training.
  • Ongoing compliance support: Providing continuous monitoring, effectiveness testing and regulatory coordination.

Our integrated approach combines legal, risk and technology expertise to help you not only achieve compliance but strengthen your overall cyber resilience.

Author: Julia Bergman

Contact us

Lisa Bastholm
Senior Manager | Legal
lbastholm@deloitte.se
+46 70 080 20 66

Julia Bergman
Consultant | Legal
julbergman@deloitte.se
+46 70 080 22 43
