The Swedish Cyber Security Act – What does it mean for your organization?

Reading time: 8 minutes
Category: NIS2

As digitalization increases in Sweden, society becomes more vulnerable to cyber threats. Hackers, ransomware, and attacks on critical infrastructure can have severe consequences, ranging from disruptions in energy supply to interruptions in healthcare or financial systems.

The upcoming Swedish Cybersecurity Act, Cybersäkerhetslagen (CSL), is therefore an important part of Sweden’s total defense in today’s uncertain environment. The law aims to further strengthen the country’s ability to protect critical infrastructure, operations, and information, while establishing clearer rules for how organizations should work to defend against cyberattacks.

What is Cybersäkerhetslagen (CSL)?

The new Cybersäkerhetslagen marks a significant step forward in Sweden’s cybersecurity efforts. The law is the national implementation of the EU’s NIS2 Directive and is designed to enhance the protection of essential and digital services against cyber threats. It also ensures that both public and private sectors work systematically with risk management, incident reporting, and supplier responsibility.

Who does the Cybersäkerhetslag apply to?

The Swedish NIS2 law will apply to public and private organizations within highly critical and other critical sectors. Private organizations in these sectors are covered if they have at least 50 employees and an annual turnover exceeding €10 million. Below are examples of sectors covered by the CSL:

Highly critical sectors:

  • Energy
  • Transport
  • Banking and finance
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure and ICT services management
  • Public administration
  • Space

Other critical sectors:

  • Postal and courier services
  • Waste management
  • Food and chemicals
  • Digital providers
  • Research

Suppliers may be indirectly affected

Even if your organization is not directly covered by the CSL, you may be indirectly impacted if you supply services to an organization that is directly covered. Organizations subject to NIS2 must analyze risks in their supply chains and take security measures to protect collaborations with suppliers and service providers.

This means suppliers may need to meet certain security requirements or demonstrate how they manage risks, even if they are not directly covered by the law. Regulatory authorities may also clarify security requirements in the supply chain through upcoming Swedish regulations.

When will Cybersäkerhetslagen take effect?

Work on the new Swedish Cybersecurity Act is already underway. The legislative proposal was presented in June 2025, and the Swedish Parliament is expected to make a decision in December 2025. If all goes according to plan, the law will take effect on January 15, 2026.

In the meantime, regulatory authorities in Sweden will develop further regulations to clarify how the rules should be applied in practice:

  • MSB (Swedish Civil Contingencies Agency) is responsible for most sectors.
  • PTS (Swedish Post and Telecom Authority) will develop regulations for sectors including digital infrastructure and digital providers, ICT service management, space activities, and postal/courier services.

These regulations are additional clarifying requirements on top of Cybersäkerhetslagen. Compliance with the regulations is therefore part of following the law.

What do the additional regulations cover?

MSB will issue four sets of regulations in the following areas:

  1. Registration and identification
  2. Incident reporting and information obligations
  3. Security measures and training
  4. Security audits and scans

PTS will issue regulations for their sectors covering:

  • Security measures
  • Domain name registries
  • Incident reporting
  • Information obligations

Ensuring compliance – supervision, sanctions, and support
While MSB and PTS develop regulations under the Cybersecurity Act, other authorities are given supervisory responsibilities. They ensure that covered organizations comply with the rules and implement security measures in their sectors.

Authorities with this role include:

  • Swedish Energy Agency (Energimyndigheten)
  • Financial Supervisory Authority (Finansinspektionen)
  • IVO (Health and Social Care Inspectorate)
  • National Food Agency (Livsmedelsverket)
  • PTS (Post- och telestyrelsen)
  • Transport Agency (Transportstyrelsen)
  • Medical Products Agency (Läkemedelsverket)
  • Six County Administrative Boards (Länsstyrelser)

Non-compliance with the Swedish Cybersecurity Act may result in consequences such as warnings, sanctions, or members of management being prohibited from holding leadership positions. Sanction fees vary depending on whether the organization is classified as significant, important, or public, ranging from SEK 5,000 to €10 million. This ensures that organizations take cybersecurity seriously and protect critical information and infrastructure against threats and attacks.

Assistance for complying with the CSL

To help organizations meet the requirements of Cybersäkerhetslagen and avoid sanctions, assistance and guidance are available from:

  • MSB, which offers advice and guidance on cybersecurity.
  • Swedish Association of Local Authorities and Regions (SKR), providing resource support to municipalities and other public actors.
  • Supervisory authorities, which can clarify requirements and advise on how to best comply.

The goal of this support is to help organizations improve their cybersecurity practices, prevent risks, and act proactively before serious incidents occur.

Upcoming requirements in Cybersäkerhetslagen

Organizations will need to meet specific obligations under the new Cybersecurity Act, which is based on the EU’s NIS2 Directive. Although the law is not yet finalized, NIS2 can already serve as a reference.

NIS2 requires a risk-based approach to cybersecurity with technical and organizational measures, including ongoing risk and incident management, preparedness, backup, and supply chain security. Organizations must also evaluate measures, train staff and management, maintain clear access control and encryption, and report serious incidents within 24 hours.

According to the legislative proposal, Cybersäkerhetslagen also requires organizations to implement security measures including:

  • Risk analysis and protection of network and information systems
  • Incident, crisis, and continuity management to enable action during disruptions
  • Supply chain security and security in development, acquisition, or maintenance of IT systems
  • Evaluation of security measures to ensure effectiveness
  • Cyber hygiene and training for staff and management
  • Encryption, access control, and personnel security to protect information
  • Secure communication and authentication during emergencies, if necessary

How to prepare for Cybersäkerhetslagen

With the new Swedish Cybersecurity Act on the horizon, organizations operating in Sweden should begin preparations early. You can start identifying and addressing gaps, building robust routines, and ensuring compliance before the law takes effect, reducing the risk of serious incidents and sanctions.

To get started, organizations can:

  • Conduct a gap analysis against NIS2 requirements to identify areas that need strengthening.
  • Establish governance and responsibilities, clearly defining cybersecurity accountability at all levels.
  • Update incident management plans to ensure clear procedures for identifying, reporting, and resolving incidents, including internal and authority communication.
  • Secure the supply chain by analyzing suppliers, setting cybersecurity requirements, and following up on compliance.

Additionally, it is important to:

  • Continuously train staff and management on cybersecurity and incident handling.
  • Follow the development of MSB and PTS regulations, as these clarify the law’s requirements and are binding under it.
  • Document and evaluate security measures regularly to demonstrate compliance.

Stay ahead: Unified GRC solution for cybersecurity

By consolidating cybersecurity work into a GRC platform, it becomes much easier to coordinate across departments, build new processes, and maintain an overview of compliance with Cybersäkerhetslagen.

Building a new compliance culture takes time, as different departments must collaborate and understand their roles in security. With the new Swedish Cybersecurity Act, this collaboration is even more critical — organizations must work together across the entire operation to meet the law’s requirements and ensure all security measures are effective.

By starting to work with Cybersäkerhetslagen in a unified GRC platform now, organizations can build a sustainable cybersecurity culture, improve interdepartmental collaboration, and stay ahead when the law comes into force.