On 1 January 2025, the Swedish Cybersecurity Act entered into force as an implementation of the EU’s NIS2 directive. The act introduces strengthened cybersecurity requirements for organisations operating essential services.
Who is in scope?
The Cybersecurity Act covers essential and important entities in sectors such as energy, transport, healthcare, drinking water, digital infrastructure, public administration, and several others.
The key requirements
- Risk management: Organisations must carry out systematic risk assessments and implement proportionate security measures.
- Incident reporting: Significant incidents must be reported to the supervisory authority within 24 hours.
- Management accountability: Senior management bears personal responsibility for ensuring that requirements are met.
- Supply chain security: Organisations must consider security risks throughout their supply chain.
What should you do now?
- Determine whether your organisation falls within the scope of the Cybersecurity Act
- Conduct a gap analysis against the new requirements
- Develop an action plan with prioritised measures
- Implement the necessary technical and organisational measures
- Monitor on an ongoing basis using tools such as Securapilot
Need help getting started? Contact us for a complimentary review.
More insights
Related articles
The quantum threat is a leadership question, not a technical one
The quantum threat isn't about when the quantum computer arrives, but how long your information must stay secret. Here's how to begin the move to post-quantum cryptography.
Stop chasing CRA. Start building securely.
The Cyber Resilience Act is already in force, with major obligations phasing in through 2027. The most common mistake is starting from the regulation. Flip the order — build securely with OWASP as your reference, and compliance becomes a by-product.
Proportionality has an expiry date
Why a correct risk assessment can still become your biggest vulnerability in an AI-driven organisation. The assessment was true the day it was written — the question is how long it stays that way.