
NIS2 Now in Force: Sweden's Registration Portal Opens and the Compliance Clock Starts

A new phase of cybersecurity regulation has begun in Sweden. The Cybersecurity Act (Swe: “Cybersäkerhetslagen”), which implements the NIS2 directive, entered into force on 15 January. The Act comes with substantive obligations on security measures and incident reporting. On 2 February 2026, the obligation to register organizations in scope of the Act took effect following the opening of the Swedish registration portal. Importantly, the substantive obligations under the Act, including the duty to report significant incidents, have applied since 15 January 2026. This means organizations must comply with incident reporting requirements immediately, even before completing registration.

This article explains who is covered and must register, guides organizations through the registration process, explores what makes Sweden's implementation distinctive, and identifies immediate compliance priorities.

Who Is Covered: Understanding Scope and Classification

The coverage criteria

The Act applies to operators established in Sweden that fall within the sectors listed in Annexes 1 or 2 to the NIS2 Directive and are medium-sized enterprises or larger. These sectors include energy, transport, banking, health, drinking water, wastewater, digital infrastructure, and public administration (Annex 1), as well as postal services, waste management, chemicals, food production, manufacturing, digital providers, and research (Annex 2). The Act also applies to state authorities with decision-making powers affecting cross-border movement of persons, goods, services or capital, and to regions, municipalities and municipal associations. Providers of public electronic communications networks or publicly available electronic communications services are covered, as are qualified providers of trusted services. Qualified providers of trusted services are entities providing electronic trust services such as electronic signatures, seals, time stamps, and website authentication that meet the requirements set out in the EU eIDAS Regulation.

There is also a size criterion. Entities with 50 or more employees and either an annual turnover or balance sheet total exceeding EUR 10 million are within the scope of the Act. Calculations for linked enterprises and partner enterprises can affect whether an organization meets these thresholds.

Essential vs. important entities

Covered entities are classified as either essential or important. Essential entities include state authorities, municipalities and regions larger than medium-sized enterprises, operators larger than medium-sized falling within Annex 1 to the NIS2 Directive, public electronic communications providers of medium size or larger, certain digital service providers, and qualified providers of trusted services. Entities that are not essential are classified as important.

The classification as essential or important determines both the maximum administrative fines and certain reporting deadlines. Essential entities face administrative fines up to EUR 10 million or 2% of global annual turnover, whichever is higher, whilst important entities face fines up to EUR 7 million or 1.4% of turnover. Public entities face fines up to SEK 10 million.

The self-assessment

All covered operators must register regardless of sector, including municipalities and regions, and operators must themselves determine whether they are covered and register accordingly.

Organizations operating across multiple NIS2 sectors, near size thresholds, or with complex group structures face genuine analytical challenges. For example, a manufacturing company producing both medical devices (healthcare sector, Annex 1) and transport components (transport sector, Annex 1) must determine which sector to register under and whether they qualify as essential or important. Organizations near size thresholds must consider calculations for linked and partner enterprises.

An incorrect conclusion that an entity is out of scope will not provide protection from supervisory action if authorities later reach a different view. Notably, Sweden has adopted a whole-entity approach: once an entity falls within scope, the entire organization is subject to the Act's requirements, not only the specific activity that triggered coverage. The requirement that measures be "appropriate and proportionate" allows tailoring security investments to actual risks, but risk assessment must be holistic.

How to Register: The Practical Process

When and where to register

Operators must register as soon as possible with the authority designated by the government. From 2 February, operators should register, and if registration is not received within 14 days, supervisory authorities may take action. Changes to circumstances disclosed in a registration must be notified as soon as possible, and no later than 14 days after the change occurred.

Registration is submitted via the Swedish Civil Defence Agency's (Myndigheten för civilt försvar) e-service portal, and login requires BankID, Freja+ or foreign eID. A simplified version of the registration service was launched on 2 February 2026 when the regulations took effect; however, entities that register via the simplified version will not need to register again later. An enhanced portal with additional services including integrated incident reporting will be launched later.

What the registration requires

One registration must be submitted per legal entity, and it is appropriate for each legal entity to designate a responsible person who makes a complete registration for all operations within that entity that are covered. For corporate groups with multiple legal entities, this means coordinated but separate registrations for each legal entity in the group.

The registration form requests organization name, establishment in Sweden or representative in Sweden, organization number and contact details, sector activity and subsector (one or more can be selected), whether sector activity extends within the EU/EEA, how the organization identified itself as a NIS2 operator, classification as essential or important entity, internet identifiers such as IP addresses and domain names, and contact details for the person registering.

Several data points require advance preparation and cross-functional coordination. Sector and subsector classification demands careful analysis for organizations operating across multiple NIS2 sectors. Internet identifiers represent technical details typically held by IT functions rather than legal or compliance teams. The information collected is used to create a consolidated register identifying which operators belong to which sectors, and the register is shared with supervisory authorities. Accurate sectoral classification ensures organizations engage with the correct supervisor from the outset.

Phased regulatory rollout

Sweden is implementing the regulatory framework in stages. The Act entered into force on 15 January 2026, at which point the core substantive obligations on security measures and incident reporting became binding. Registration regulations took effect on 2 February 2026. Regulations on security measures, training and incident reporting take effect in April 2026, when a new incident reporting service will also open. Security audit regulations are scheduled for June 2026.

Compliance Priorities

Complete registration immediately

For covered organizations that have not yet registered, this represents the immediate priority. The portal is operational, and the legal obligation is running. Organizations should designate responsibility for registration, coordinate across functions to gather required information (legal and compliance for scope and classification, IT for internet identifiers, business units for sectoral activities), confirm portal access credentials, and submit.

Implement security measures

Beyond registration, organizations must ensure cybersecurity programs address the Act's ten minimum security areas on a risk-based, proportionate basis: risk analysis and security strategies, incident handling, continuity and crisis management, supply chain security, security in acquisition/development/maintenance of systems, effectiveness assessment procedures, basic cyber hygiene and training, cryptography strategies, personnel security and access control, and multi-factor authentication and secure communications where appropriate. These obligations have been binding since 15 January.

Establish incident reporting capability without delay

The obligation to report significant incidents has applied since the Act entered into force on 15 January 2026, regardless of whether an organization has completed registration. An interim reporting solution is currently available through the Swedish Civil Defence Agency's reporting tool IRON, and a new incident reporting service will open in April 2026. A significant incident is one that has caused or may cause serious operational disruption or financial damage to the operator, or that has affected or may affect other persons by causing significant material or immaterial damage. Organizations must establish procedures capable of detecting, assessing, and reporting significant incidents within required timeframes: an initial notification within 24 hours of becoming aware of the incident, followed by a detailed incident report within 24 hours for qualified trust service providers or 72 hours for all other covered operators. 

A final report must be submitted within one month of the initial notification. For ongoing incidents, organizations may contact CERT-SE (Sweden's national CSIRT).

Track the regulatory timeline

Detailed regulations specifying procedural requirements for security measures, training and incident reporting take effect in April 2026, adding further specifications to the substantive obligations that have applied since the Act entered into force on 15 January 2026. Security audit regulations follow in June 2026. Note that the obligation to report significant incidents applies now, regardless of when the detailed regulations take effect. Organizations should track forthcoming requirements to ensure readiness.

Conclusion

Sweden's implementation of NIS2 through the Cybersecurity Act is now fully operational. The Act entered into force on 15 January, establishing binding obligations on security measures and incident reporting. The registration portal opened on 2 February. For covered entities, the immediate focus is registration combined with ensuring cybersecurity programs meet the Act's requirements on a risk-based, proportionate basis. The self-assessment model means organizations bear responsibility for scope determination and timely registration. Sweden's whole-entity approach and phased regulatory rollout reflect distinctive implementation choices within the NIS2 framework, and effective compliance requires understanding both the underlying directive and the specific Swedish architecture that translates it into binding national law.

Contact us

Lisa Bastholm
Senior Manager
lbastholm@deloitte.se
+46 70 080 20 66

Jacqueline Poucette
Associate
jpoucette@deloitte.se
+46 70 080 24 93
