NIS2 & Cybersäkerhetslagen: evidence, not a checklist
Cybersäkerhetslagen (SFS 2025:1506) entered into force on January 15, 2026. Covered operators need to demonstrate the technical security measures required under NIS2 Article 21(2) — not just state that a policy exists. Vakteye runs the scans that produce that evidence: exposed services, missing security headers, known vulnerabilities, and misconfigurations, each mapped to the specific sub-article of 21(2) it demonstrates.
Who it's for
- Operators newly in scope of Cybersäkerhetslagen registering with MCF
- CISOs and IT leads who need artifact-level evidence for an audit file, not a self-attestation
- Organizations preparing for Article 23 incident-reporting readiness reviews
What Vakteye tests
- Cyber hygiene basics: security headers, TLS configuration, exposed panels and default credentials
- Known-vulnerability exposure via passive CVE and misconfiguration checks
- Supply-chain visibility: third-party scripts and services a security assessment would need to inventory
- Whether security findings are documented in a form that maps directly to NIS2 Article 21(2) sub-clauses
Legal basis
NIS2 Article 21(2)
The core list of technical and organizational security measures — risk analysis, cyber hygiene, vulnerability handling — that covered entities must implement and be able to evidence.
NIS2 Article 23
The incident-reporting obligation — early warning, incident notification, and final report — that depends on already knowing your technical exposure.
Cybersäkerhetslagen (SFS 2025:1506)
Sweden's national implementation of NIS2, in force since January 15, 2026, with MCF (Myndigheten för civilt försvar, Sweden's Civil Contingencies Agency) as the designated competent authority and national point of contact.
Example finding
Missing baseline security headers on a public-facing service
What we observed
A scan of a public-facing web application finds that Strict-Transport-Security and Content-Security-Policy headers are absent, leaving the service more exposed to common web attack classes.
Why it matters
NIS2 Article 21(2)(e) requires security in the acquisition, development and maintenance of network and information systems, including vulnerability handling — which covers secure configuration of web-application surfaces. Missing headers are a concrete, evidenceable gap in that requirement — not a matter of interpretation.
FAQ
Ready to see what your website actually does?
Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.
Book a full audit