Vinge Insights

The Cybersecurity Act: What you need to know about the new legislation


What is the purpose of the Cybersecurity Act?

The Act transposes the NIS2 Directive into national law, with the objective of achieving a high common level of cybersecurity across the European Union. NIS2 and the Act broaden the regulatory scope by extending cybersecurity obligations to additional sectors and categories of entities. As a result, a significantly higher number of organisations will now fall within the scope of the Act compared with the previous regulatory framework.

Does your entity fall within the scope of the Cybersecurity Act?

The Act applies to entities operating within 18 sectors designated under the NIS2 Directive. These are divided into highly critical sectors and other critical sectors.

  • Highly critical sectors include: Energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space.
  • Other critical sectors include: Postal and courier services, waste management, manufacturing, the production and distribution of chemicals, the production, processing and distribution of food, digital service providers, research, and the manufacturing of certain critical products.

An entity operating within any of the designated sectors falls within the scope of the Act if it meets or exceeds the size threshold for a medium-sized enterprise. When calculating the size of an enterprise, it may also be necessary to consider data from other enterprises in the same group.

An entity in these sectors may also fall within the scope of the Act even if it does not meet the size threshold, for example, where the entity is the sole provider in Sweden of a service essential to the maintenance of critical societal or economic activities. In addition, under certain circumstances, government agencies, regions and municipalities are also covered by the Act.

An entity covered by the Cybersecurity Act is generally subject to the requirements of the regulations in all of its operations (in other words, not only in the line of operations covered by one of the designated sectors above).

What does the Cybersecurity Act mean for your entity?

Entities falling within the scope of the Act are subject to, inter alia, the following obligations:

  1. Register your entity. Entities must register with the Swedish Civil Defence and Resilience Agency (“SCDRA”). The authority responsible for supervision may differ depending on the sector in which the entity operates.
  2. Take cybersecurity risk-management measures. Entities are required to adopt and maintain appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks. These measures must cover areas such as risk analysis, network and information system security, incident handling, business continuity, and supply chain security.
  3. Train the management. Members of the management must receive training in cybersecurity risk-management practices. The training should ensure that management has sufficient knowledge and skills to identify cybersecurity risks, assess appropriate risk-management measures, and understand their impact on the services provided by the entity.
  4. Establish procedures for handling incidents. Entities will be required to establish procedures for handling significant incidents. Within 24 hours of becoming aware of a significant incident, entities must submit an early warning to the SCDRA. Entities must then submit an incident notification to the same authority within 72 hours of becoming aware of the incident, or within 24 hours if the entity is a trust service provider.

It is important to note that entities which are in breach of the Act risk significant administrative fines. The size of the fines depends on how the entity is classified but may amount to the higher of 2% of the entity's total worldwide annual turnover in the preceding financial year or EUR 10,000,000.

What happens next?

On 2 February 2026, the SCDRA's regulations on the reporting and identification of essential and important operators came into force. In 2026, further regulations from the SCDRA and the Swedish Post and Telecom Authority are expected to be published, which will regulate, among other things, incident notifications, information obligations and cybersecurity risk-management measures.
Therefore, it is important to continue monitoring the work of the authorities in the immediate future.