VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign In
Vakteye audit

NIS2 & Cybersäkerhetslagen: evidence, not a checklist

Cybersäkerhetslagen (SFS 2025:1506) entered into force on January 15, 2026. Covered operators need to demonstrate the technical security measures required under NIS2 Article 21(2) — not just state that a policy exists. Vakteye runs the scans that produce that evidence: exposed services, missing security headers, known vulnerabilities, and misconfigurations, each mapped to the specific sub-article of 21(2) it demonstrates.

Who it's for

  • Operators newly in scope of Cybersäkerhetslagen registering with MCF
  • CISOs and IT leads who need artifact-level evidence for an audit file, not a self-attestation
  • Organizations preparing for Article 23 incident-reporting readiness reviews

What Vakteye tests

  • Cyber hygiene basics: security headers, TLS configuration, exposed panels and default credentials
  • Known-vulnerability exposure via passive CVE and misconfiguration checks
  • Supply-chain visibility: third-party scripts and services a security assessment would need to inventory
  • Whether security findings are documented in a form that maps directly to NIS2 Article 21(2) sub-clauses

Legal basis

NIS2 Article 21(2)

The core list of technical and organizational security measures — risk analysis, cyber hygiene, vulnerability handling — that covered entities must implement and be able to evidence.

NIS2 Article 23

The incident-reporting obligation — early warning, incident notification, and final report — that depends on already knowing your technical exposure.

Cybersäkerhetslagen (SFS 2025:1506)

Sweden's national implementation of NIS2, in force since January 15, 2026, with MCF (Myndigheten för civilt försvar, Sweden's Civil Contingencies Agency) as the designated competent authority and national point of contact.

Example finding

Missing baseline security headers on a public-facing service

What we observed

A scan of a public-facing web application finds that Strict-Transport-Security and Content-Security-Policy headers are absent, leaving the service more exposed to common web attack classes.

Why it matters

NIS2 Article 21(2)(e) requires security in the acquisition, development and maintenance of network and information systems, including vulnerability handling — which covers secure configuration of web-application surfaces. Missing headers are a concrete, evidenceable gap in that requirement — not a matter of interpretation.

FAQ

No. The scan is independent of MCF registration — it produces evidence you can use as part of, or ahead of, that process. MCF registration itself is a separate administrative step.

No. It produces technical evidence for the security-measures dimension of Article 21(2). A complete NIS2 program also covers governance, supply-chain risk management, and organizational measures beyond what a website scan can observe.

It follows NIS2's essential and important entity categories — energy, transport, banking, health, digital infrastructure, and more. Confirm your specific scope with MCF's published guidance or your legal counsel.

Ready to see what your website actually does?

Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.

Book a full audit
VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.