COMPLIANCE

NIS2 is here: Sweden's cybersecurity act since January 2026

Vakteye Team, Mar 10, 2026, 7 min read

Sweden's Cybersecurity Act (SFS 2025:1506) entered into force on January 15, 2026. There is no grace period. If your organization falls under NIS2 and you haven't started compliance work, you are already operating in violation. The self-registration deadline with MCF passed on February 16.

This isn't a distant Brussels directive. It's Swedish law, Cybersäkerhetslagen, and MCF (Myndigheten för civilt försvar, formerly MSB) together with sector-specific regulators like PTS are the ones enforcing it.

Key dates you need to know

  1. December 2025 — SFS 2025:1506 issued by the government
  2. January 15, 2026 — Law enters into force. No grace period.
  3. February 16, 2026 — Self-registration deadline with MCF
  4. Ongoing — MCF and PTS supervisory authority active

If you missed the February 16 registration, register now. Delay makes it worse, not better.

Who is affected by NIS2 in Sweden?

NIS2 divides organizations into two tiers: Essential and Important. The distinction matters because it determines both your obligations and the penalties you face.

Which tier you land in depends on both sector and size. Annex I of the directive lists the sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Large entities in these sectors are Essential; medium-sized ones are Important. Annex II lists the other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research organizations. Entities in Annex II sectors are Important whether they are medium-sized or large.

The size threshold is generally 50 or more employees or an annual turnover above EUR 10 million. Some providers are covered regardless of size, among them DNS service providers, TLD name registries, domain name registration services, trust service providers, and providers of public electronic communications networks or services.

Not sure if you're covered? If you operate in any of the 18 sectors listed in NIS2 Annexes I and II and meet the size threshold, you almost certainly are. When in doubt, register with MCF. There is no penalty for registering unnecessarily.

The 10 security measures under Article 21(2)

Article 21(2) of NIS2 lists ten categories of security measures. All are mandatory.

  • (a) Policies on risk analysis and information system security
  • (b) Incident handling
  • (c) Business continuity (backup management, disaster recovery) and crisis management
  • (d) Supply chain security, including the security aspects of your relationships with direct suppliers and service providers
  • (e) Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • (f) Policies and procedures to assess the effectiveness of your risk-management measures
  • (g) Basic cyber hygiene practices and cybersecurity training
  • (h) Policies and procedures on the use of cryptography and, where appropriate, encryption
  • (i) Human resources security, access control policies and asset management
  • (j) Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

Of these ten measures, four have externally observable aspects that automated scanning can test: (d) supply chain security, (e) network and information system security, (g) cyber hygiene, and (h) cryptography. Even for those four, a scan only sees what you expose to the internet, such as TLS settings or third-party scripts, not the supplier contracts, patch process or training records behind them. The remaining six are organizational: they require policies, processes and documentation, and cannot be verified by scanning your website at all.

Incident reporting: 24 hours to CERT-SE

Article 23 imposes strict reporting timelines for significant incidents. This is not optional, and the clock starts when you become aware of the incident, not when you finish investigating it.

  1. 24 hours — Early warning to CERT-SE (via iron.mcf.se). Only the basics: that a significant incident has occurred, whether it is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact.
  2. 72 hours — Incident notification. Updated information, an initial assessment of severity and impact, and indicators of compromise where available.
  3. 1 month after the incident notification — Final report. Detailed description of the incident, the type of threat or root cause, the mitigation measures applied and still ongoing, and cross-border impact where relevant.

CERT-SE is Sweden's national CSIRT, operated by MCF. All reporting goes through iron.mcf.se. If your incident affects multiple EU member states, CERT-SE coordinates with other national CSIRTs.

Penalties: real numbers, real consequences

Essential entities: up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities: up to EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher.

NIS2 Directive, Article 34 — Administrative fines

NIS2 penalties follow GDPR's model: a fixed amount or a percentage of global turnover, whichever is higher. Note the direction of "whichever is higher". For a Swedish company with EUR 100M revenue, 2% is only EUR 2M, so the Essential tier cap is the fixed EUR 10M, and EUR 7M for Important entities. The percentage only takes over once turnover exceeds EUR 500M; at EUR 1B the caps are EUR 20M and EUR 14M respectively.

But fines aren't the only risk. Supervisory authorities can also issue binding instructions, order security audits and, for Essential entities, temporarily suspend a certification or authorisation and temporarily bar the individuals at CEO or legal-representative level from exercising managerial functions. Management bodies can be held personally liable for failing to approve and oversee the Article 21 measures.

Check your NIS2 exposure

Vakteye scans your infrastructure against the four scannable NIS2 Article 21(2) measures: network security, supply chain, cryptography, and cyber hygiene. Get a baseline assessment in minutes.

Run a free scan

What Vakteye covers for NIS2

Vakteye's NIS2 compliance scan evaluates the four technically verifiable measures from Article 21(2):

  • Supply chain security (d) — Third-party scripts, CNAME cloaking, dependency analysis
  • Network and system security (e) — TLS configuration, HTTP security headers, DNS security, open ports
  • Cyber hygiene (g) — Cookie handling, consent implementation, data minimization
  • Cryptography (h) — Certificate validity, cipher suite strength, HSTS implementation
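The header-level checks under (e) and (h) are simple enough to run yourself against a captured response before any scanner does. The following is an added example, not Vakteye's scanner or any code from the original page: it parses a raw HTTP response head and reports findings mapped to Article 21(2)(e) and (h). The one-year minimum for HSTS max-age and the severity labels are common hardening guidance assumed here, not values NIS2 prescribes, and both sample responses are constructed rather than captured from a real host.

```python
"""Offline HTTP security header check, mapped to NIS2 Art. 21(2)(e)/(h).

Added example (not Vakteye's scanner). The one-year HSTS threshold is an
assumption taken from common hardening guidance, not from NIS2.
"""
import re
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31_536_000  # assumption: smallest HSTS max-age we accept (seconds)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.1 response head into a case-insensitive multimap.

    Names are lower-cased; repeated headers are kept in order, because a
    duplicated Strict-Transport-Security header is itself worth flagging.
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS value into directives (RFC 6797; names are case-insensitive)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_headers(raw: str) -> List[Tuple[str, str, str]]:
    """Return (measure, severity, message) findings for one response head."""
    h = parse_headers(raw)
    findings: List[Tuple[str, str, str]] = []

    # (h) cryptography: HSTS is what keeps returning clients on TLS.
    hsts = h.get("strict-transport-security", [])
    if not hsts:
        findings.append(("h", "high", "Strict-Transport-Security header missing"))
    else:
        if len(hsts) > 1:
            findings.append(("h", "medium", "multiple HSTS headers; browsers honour the first"))
        d = parse_hsts(hsts[0])
        max_age = d.get("max-age")
        if max_age is None or not re.fullmatch(r"\d+", max_age):
            findings.append(("h", "high", "HSTS max-age missing or not numeric"))
        elif int(max_age) == 0:
            findings.append(("h", "high", "HSTS max-age=0 disables the policy"))
        elif int(max_age) < ONE_YEAR:
            findings.append(("h", "medium", f"HSTS max-age {max_age} is below one year"))
        if "includesubdomains" not in d:
            findings.append(("h", "low", "HSTS lacks includeSubDomains"))

    # (e) network and system security: browser-side hardening headers.
    csp = h.get("content-security-policy", [])
    if not csp:
        findings.append(("e", "medium", "Content-Security-Policy missing"))
    framed_ok = any("frame-ancestors" in v.lower() for v in csp) or "x-frame-options" in h
    if not framed_ok:
        findings.append(("e", "medium", "no clickjacking protection (frame-ancestors / X-Frame-Options)"))
    xcto = [v.lower() for v in h.get("x-content-type-options", [])]
    if "nosniff" not in xcto:
        findings.append(("e", "low", "X-Content-Type-Options: nosniff missing"))
    if "server" in h and re.search(r"\d", h["server"][0]):
        findings.append(("e", "info", f"Server header discloses a version: {h['server'][0]}"))
    return findings


# Constructed sample responses; not captured from any real host.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
Strict-Transport-Security: max-age=0

<html>"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

<html>"""

if __name__ == "__main__":
    for label, head in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label}")
        for measure, severity, message in check_headers(head):
            print(f"  21(2)({measure}) [{severity}] {message}")
```

The weak response yields six findings, the hardened one none. Feed it the head of a real response captured with `curl -sI https://example.com` and keep the raw head alongside the findings: the captured bytes are the evidence, the findings are only your interpretation of them.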

For the six organizational measures (risk policies, incident handling, BCP, effectiveness assessment, HR security, MFA), we provide guidance in the compliance report. These require documentation and process, not a website scan.

MCF and PTS: who supervises what

MCF is the general supervisory authority for NIS2 in Sweden. PTS (Post- och telestyrelsen) supervises telecommunications and digital infrastructure providers specifically.

MCF has signaled that its initial enforcement focus will be on self-registration compliance and incident reporting readiness. Expect supervisory audits to begin targeting technical security measures later in 2026.

Don't wait for an audit to find your gaps. By the time MCF comes knocking, you need to already have evidence of compliance, not a plan to start working on it.

NIS2 compliance starts with visibility

You can't fix what you can't see. Vakteye maps your technical NIS2 exposure with evidence-backed findings, the same evidence MCF auditors will look for.

Start your NIS2 assessment