NIS2 Sweden Compliance Guide: Cybersäkerhetslagen SFS 2025:1506, MCF Authority and Nordic Framework for 2026

Complete guide to NIS2 compliance in Sweden. Covers the Cybersäkerhetslagen (Cybersecurity Act SFS 2025:1506), MCF (formerly MSB) authority, CERT-SE incident reporting, entity classification, sector requirements, decentralized supervision model, penalties up to €10M, and the January 2026 entry into force.

Sweden’s Cybersäkerhetslagen (Cybersecurity Act, SFS 2025:1506) entered into force on 15 January 2026 — more than a year after the EU’s October 2024 transposition deadline. The delay earned Sweden a formal reasoned opinion from the European Commission in May 2025, but the resulting legislation is one of the most comprehensive NIS2 implementations in Europe, featuring a decentralized supervisory model, a “whole-entity” approach to coverage, and Sweden’s adoption of maximum EU-permitted penalty levels.

For Swedish organizations — and the cyber insurance professionals who underwrite them — this guide covers the legal framework, the newly renamed MCF (Myndigheten för civilt försvar) authority, entity classification, sector-specific obligations across 18 sectors, the CERT-SE incident reporting regime, and the critical registration deadlines already in effect.

The Cybersäkerhetslagen (SFS 2025:1506)

Sweden transposed NIS2 through the Cybersäkerhetslagen (Cybersecurity Act), formally adopted on 11 December 2025 after Riksdag approval on 10 December 2025. The companion regulation SFS 2025:1507 designates sector-specific supervisory authorities. The Act entered into force on 15 January 2026, repealing the previous NIS1-era Act SFS 2018:1174.

The legislative journey began with a national inquiry launched in March 2023 (Dir. 2023:30), which produced the SOU 2024:18 report in March 2024. The Government Bill (Prop. 2025/26:28) was submitted on 14 October 2025 and passed through Parliament in under two months.

Key features of the Cybersäkerhetslagen:

  • Covers 18 sectors with a broad “whole-entity” approach — once any part of an organization is in scope, the entire IT footprint is covered
  • Extends beyond EU minimums — all Swedish municipalities and regions are covered regardless of size
  • Decentralized supervision — sector-specific authorities rather than a single cyber regulator
  • Maximum penalty adoption — fines up to €10M/2% turnover for essential entities, €7M/1.4% for important entities
  • Personal management liability — board members and executives face personal accountability for cybersecurity failures

MSB Becomes MCF

On 1 January 2026, the Swedish Civil Contingencies Agency (MSB — Myndigheten för samhällsskydd och beredskap) was renamed MCF (Myndigheten för civilt försvar — Swedish Civil Defence and Resilience Agency). Many legal documents and digital services still reference “MSB” during the 2026 transition period, but the authority’s expanded cybersecurity mandate is clear.

Key Differences from NIS1 (SFS 2018:1174)

| Aspect | NIS1 (Previous) | Cybersäkerhetslagen (Current) |
|---|---|---|
| Scope | Operators of Essential Services + DSPs | Essential + Important entities across 18 sectors |
| Authority | MSB (centralized) | MCF as coordinator + 8 sector-specific authorities |
| Management liability | None | Personal liability + possible management bans |
| Maximum fines | Limited | Up to €10,000,000 or 2% global turnover |
| Municipalities | Partially covered | All municipalities and regions covered |
| Supply chain | Limited | Comprehensive third-party risk management |

Competent Authorities

MCF — National Coordinator

The MCF (Myndigheten för civilt försvar) serves as:

  • National Coordinator for cybersecurity
  • EU Single Point of Contact for NIS2
  • Manager of the national entity registry (all essential and important entities must register)
  • Setter of core cybersecurity requirements and harmonizer of sectoral enforcement
  • Legal escalation authority: remarks, orders, administrative fines, public notices

CERT-SE

CERT-SE is Sweden’s national CSIRT, operating under MCF. Key features:

  • Primary incident response coordination body for Sweden
  • Current reporting tool: IRON (Incident Reporting Online)
  • New incident reporting service launching April 2026
  • For active incidents, organizations contact CERT-SE directly

Sector-Specific Supervisory Authorities (Decentralized Model)

Unlike many EU Member States that centralize supervision under one authority, Sweden uses a decentralized model with MCF as coordinator:

| Sector | Supervisory Authority |
|---|---|
| Energy | Swedish Energy Agency (Energimyndigheten) |
| Transport | Swedish Transport Agency (Transportstyrelsen) |
| Banking & Finance | Finansinspektionen |
| Health & Social Care | IVO (Health and Social Care Inspectorate) |
| Drinking Water | National Food Agency (Livsmedelsverket) |
| Digital Infrastructure & Telecom | PTS (Post and Telecom Authority) |
| Public Administration | County Administrative Boards (Länsstyrelser) |
| Digital Infrastructure (additional) | DIGG |

This model means Swedish entities may interact with multiple authorities — MCF for registration and coordination, plus their sector-specific authority for compliance supervision.

Entity Classification

Size Thresholds

An entity is in scope if it meets both criteria:

  • ≥ 50 employees AND
  • Annual turnover AND/OR balance sheet total > €10,000,000

Essential Entities

Entities classified as essential include:

  • State authorities with cross-border decision-making powers
  • Large municipalities and regions
  • Operators in Annex 1 sectors (highly critical) that exceed the medium-size threshold
  • Public electronic communications providers ≥ medium-sized
  • Qualified trust service providers (under eIDAS)
  • TLD registries, DNS service providers, domain registration services
  • Entities that are the sole provider of a service essential for critical societal/economic activities in Sweden (size-independent)

Supervision: Proactive and regular — essential entities should expect ongoing oversight.

Important Entities

  • All covered entities that do not meet the criteria for essential
  • Typically smaller operators in Annex 2 sectors
  • Supply chain providers serving critical sectors

Supervision: Reactive — audits triggered by incidents, complaints, or risk-based assessments.

The “Whole-Entity” Approach — Critical Swedish Specificity

Once any part of an organization falls within scope, the entire organization (its whole IT footprint and operations) is covered — not just the specific sector-related activity. This means:

  • A manufacturing company’s HR systems are covered even though only its production operations triggered NIS2 obligations
  • Incorrect self-assessment provides no protection from supervisory action
  • Corporate restructuring cannot isolate in-scope activities from the rest of the organization

Sectors Covered (18 Total)

Annex 1 — Highly Critical Sectors (Essential Entity Sectors)

  1. Energy — electricity, gas, hydrogen, district heating, oil
  2. Transport — air, rail, water, road
  3. Banking — credit institutions
  4. Financial market infrastructure — trading venues, central counterparties
  5. Healthcare — hospitals, labs, pharma, medical devices
  6. Drinking water — supply and distribution
  7. Wastewater — collection and treatment
  8. Digital infrastructure — IXPs, DNS, TLD registries, cloud, data centers, CDNs
  9. B2B ICT service management — MSPs, MSSPs
  10. Public administration — central and regional government
  11. Space — ground-based infrastructure

Annex 2 — Other Critical Sectors (Important Entity Sectors)

  1. Postal and courier services
  2. Waste management
  3. Chemical manufacturing/production/distribution
  4. Food production/processing/distribution
  5. Digital suppliers — online marketplaces, search engines, social networks
  6. Research — research organizations
  7. Manufacturing — medical devices, electronics, electrical equipment, machinery, vehicles

Swedish Extension Beyond EU Minimums

Sweden extends NIS2 coverage further than the Directive requires:

  • All municipalities are covered regardless of size — the EU allows small municipalities to be excluded
  • All regions (landsting/regioner) are covered
  • Public administration is broadly in scope with no automatic exemptions

This means many smaller Swedish public entities face NIS2 obligations that their EU counterparts may avoid.

Key Compliance Requirements

Security Measures

All essential and important entities must implement proportionate technical, operational, and organizational measures:

  • Risk analysis and information system security policies
  • Incident handling — detection, response, and recovery
  • Supply chain security — supplier and service provider risk assessments
  • Network security — access control, encryption, segmentation
  • Business continuity — crisis communication and disaster recovery
  • Training — mandatory for all staff and management
  • Vulnerability management — handling and disclosure policies
  • Multi-factor authentication and secure communications

Incident Reporting via CERT-SE

All significant incidents must be reported through CERT-SE’s reporting tools:

| Report Type | Deadline |
|---|---|
| Early warning | Within 24 hours of becoming aware |
| Detailed incident notification | Within 72 hours (24 hours for trust service providers) |
| Final report | Within 1 month of initial notification |

Reports must include indicators of compromise, severity assessment, cross-border impact, and corrective measures. The new incident reporting service launching in April 2026 will streamline this process.

Registration Process

Registration is already open — the portal launched on 2 February 2026 via MCF’s e-service portal.

Authentication: BankID, Freja+, or foreign eID

Required information:

  • Organization name, registration number, contact details
  • Sector activity and subsector(s) — multiple can be selected
  • Essential or important classification (self-assessment)
  • EU/EEA scope of activities
  • Internet identifiers (IP addresses, domain names)

Critical timing: Supervisory action is possible if registration is not received within 14 days of the Act being in force. Changes to registration details must also be notified within 14 days.

Penalties and Enforcement

Financial Penalties

Sweden adopted the maximum fine thresholds permitted by the EU NIS2 Directive:

| Entity Category | Maximum Administrative Fine |
|---|---|
| Essential Entities | Higher of €10,000,000 or 2% of total global annual turnover |
| Important Entities | Higher of €7,000,000 or 1.4% of total global annual turnover |
| Public Sector Entities | Between 5,000 SEK and 10,000,000 SEK |

Additional Enforcement Tools

  • Remarks (officiella tillsägelser) — formal reprimands that become part of the supervisory record
  • Orders — including obligation to publish information about non-compliance (naming and shaming)
  • Management bans — prohibiting individuals from holding senior leadership roles for persistent violations
  • Personal liability — board members and executives face personal accountability and potential disqualification from senior roles for cybersecurity governance failures

The combination of maximum fines, management bans, and personal liability makes Sweden’s enforcement framework one of the most stringent in the EU.

Cyber Insurance Implications for Swedish Entities

The Cybersäkerhetslagen creates substantial new risk exposure for Swedish organizations. The “whole-entity” approach, maximum EU-level fines, and personal management liability make cyber insurance a critical component of risk management.

Key Underwriting Considerations

  1. Management liability exposure — Sweden’s personal liability provisions and management ban powers create demand for D&O coverage that specifically addresses cybersecurity governance failures
  2. Whole-entity scope — insurers must assess the entire IT footprint, not just sector-specific systems, increasing exposure calculations
  3. Municipal coverage — Sweden’s extension to all municipalities creates a new market segment of smaller public entities needing affordable cyber coverage
  4. Decentralized supervision complexity — entities interacting with multiple authorities face higher compliance risk, which affects underwriting assessments
  5. Cross-border Nordic exposure — Swedish entities with operations in Finland, Denmark, and Norway face overlapping Nordic cybersecurity regulations

For a detailed analysis of how NIS2 compliance affects cyber insurance premiums, see our guide on how NIS2 compliance lowers cyber insurance premiums.

Incident Reporting and Claims

Failure to report incidents to CERT-SE within required timelines could:

  • Trigger regulatory fines that may not be covered by standard cyber policies
  • Jeopardize insurance claims where timely notification is a policy condition
  • Create evidence of non-compliance that insurers use to challenge coverage

Organizations should align their CERT-SE reporting procedures with their cyber insurance notification requirements to avoid gaps.

Summary

Sweden’s Cybersäkerhetslagen represents a fundamental expansion of cybersecurity regulation — from the limited NIS1-era framework to comprehensive coverage of 18 sectors with a “whole-entity” approach that extends beyond EU minimums. The Act has been in force since 15 January 2026, and registration is already open with a 14-day compliance expectation.

For Swedish organizations, the roadmap is clear: assess your entity classification (essential or important), register immediately via MCF’s portal, implement NIS2-compliant security measures across your entire IT footprint, establish CERT-SE incident reporting procedures, and address supply chain security. Sweden’s adoption of maximum EU penalties plus personal management liability means this is not just a technical compliance exercise — it’s a board-level governance priority.

For a broader NIS2 compliance framework, start with our NIS2 Compliance Guide and IT Manager Action Plan. For technical measures requirements, see our NIS2 Article 21 Guide. For supply chain obligations, see our NIS2 Supply Chain Security Guide.

Resiliently provides cyber insurance intelligence for EU risk professionals. Explore our tools for compliance cost assessment and coverage comparison to make informed decisions about your cybersecurity investments.