NIS 2 status in Sweden

What the directive requires, how Sweden transposed it late, and where MCF and CERT-SE sit inside the picture.

Simon Orzel

Overview

The NIS 2 directive is the EU layer. It binds every member state, including Sweden, with one cybersecurity floor for essential and important entities. Sweden must put that floor into Swedish law and run a supervision regime under it.

Sweden missed the EU transposition deadline of 17 October 2024. The European Commission issued a reasoned opinion on 7 May 2025 for failure to notify full transposition. The directive was finally carried into Swedish statute by the Cybersäkerhetslagen (SFS 2025:1506), issued on 11 December 2025 and in force since 15 January 2026.

MCF (Myndigheten för civilt försvar, known as MSB until 31 December 2025) is the national coordinator and Single Point of Contact for NIS 2. CERT-SE remains the national CSIRT and sits inside MCF. Sweden runs a decentralised supervision model: sector regulators such as PTS, Energimyndigheten, Transportstyrelsen, Finansinspektionen, IVO and Livsmedelsverket carry out the operational supervision in their respective sectors.

Where the rules live
Three layers that anyone reading the Swedish version of NIS 2 needs to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities. The transposition deadline was 17 October 2024.

EU implementation

Commission Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Sweden without national transposition.

Swedish transposition

Cybersäkerhetslagen (SFS 2025:1506), in force since 15 January 2026

The Swedish NIS 2 transposition. Issued on 11 December 2025 on the basis of Proposition 2025/26:28 'Ett starkt skydd för nätverks- och informationssystem'. Accompanied by the Cybersäkerhetsförordning and rules issued by the sector regulators. Repeals the old 2018 NIS 1 act, which continues to apply to events occurring before 15 January 2026.

Three things to know
What changes for entities operating in Sweden.
Transposition

Cybersäkerhetslagen (SFS 2025:1506)

Carries the NIS 2 obligations into Swedish law. The Commission had opened an infringement procedure with a reasoned opinion on 7 May 2025. With the Cybersäkerhetslagen, in force since 15 January 2026, Sweden has formally transposed the directive. The accompanying Cybersäkerhetsförordning and sector-regulator rules fill in the operational detail.

Authority

MCF as SPOC, CERT-SE as CSIRT, sector regulators as supervisors

Sweden runs a decentralised supervision model. MCF (Myndigheten för civilt försvar, formerly MSB) is the national Single Point of Contact and hosts CERT-SE as the national CSIRT. Operational supervision sits with the sector regulators: PTS for digital infrastructure and telecoms, Energimyndigheten for energy, Transportstyrelsen for transport, Finansinspektionen for finance, IVO for health, Livsmedelsverket for drinking water.

Deadlines

Registration and reporting

MCF runs the national notification portal under the Cybersäkerhetslagen. In-scope entities must self-identify and notify without undue delay after entry into force. Significant incidents follow the directive's cadence: 24-hour early warning, 72-hour notification, one-month final report. For trust service providers the main notification window shortens to 24 hours.

Two principles that decide every edge case
Use these before reading a Swedish commentary on NIS 2.

Local law applies inside Sweden

Operations on Swedish territory follow the Swedish transposition. A German Geschäftsführer running a Swedish subsidiary reads Cybersäkerhetslagen (SFS 2025:1506) for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the notification portal and the sanctions live in Swedish law.

Sweden cannot go below the EU floor

The directive is a minimum harmonisation instrument. Sweden can go stricter and has used some of that headroom, in particular through a 'whole-entity' approach that captures the full organisation rather than only the service-providing part. Sweden cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.

Who does what in Sweden
Three institutions that show up in almost every NIS 2 question.
MCF (formerly MSB)

Myndigheten för civilt försvar, under this name since 1 January 2026, previously Myndigheten för samhällsskydd och beredskap (MSB). National Single Point of Contact for NIS 2 and host of CERT-SE. Runs the notification portal under the Cybersäkerhetslagen. Operational sector supervision does not sit with MCF; it sits with the sector regulators.

CERT-SE

The national CSIRT for Sweden, organisationally part of MCF. Receives significant-incident notifications under NIS 2, supports entities 24/7, and exchanges information inside the EU CSIRTs Network. Reachable at cert@cert.se. In summer 2026, part of the operational and strategic cyber activities is scheduled to move from MCF to Försvarets radioanstalt (FRA); CERT-SE remains the national reporting point for the time being.

ENISA

The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Swedish entities; MCF and the sector regulators are.

Pitfalls
Mistakes we see when Swedish entities first read NIS 2.
  • Sweden and Germany regulate this the same way.

    The directive obligations are identical, the structures are not. Germany centralises supervision through BSI under the BSIG. Sweden splits the roles: MCF is the national SPOC and hosts CERT-SE, while operational supervision sits with a set of sector regulators. A German parent with a Swedish subsidiary needs the sector regulator as the supervision address for that subsidiary, not MCF.

  • As long as nobody contacts me, I am out of scope.

    Like most member states, Sweden runs a self-classification model. An entity that meets the directive's size and sector test is an obligated entity, regardless of whether MCF publishes a list. MCF runs the national notification portal and first registration had to be completed without undue delay after entry into force. A missing letter from the authorities is not a defence against sanctions.

  • We only deal with our sector regulator.

    The sector regulator is the supervisor, MCF is the notification address and CERT-SE the incident channel. In practice NIS 2 work touches all three: registration through the MCF portal, ongoing supervision by PTS, Energimyndigheten, Finansinspektionen or another sector regulator, and incident notification to CERT-SE. Treating any one of them as the only counterparty misreads the Swedish architecture.

Practitioner view

Most Swedish operators we see spent the whole of 2025 in limbo. Until mid-December 2025 the Cybersäkerhetslagen sat at the Riksdag as Proposition 2025/26:28 and nothing more. The consequence: many managing directors paused their NIS 2 work, then had to compress notification and first documentation into the window shortly after 15 January 2026.

The practical move is the same as everywhere else in the EU: confirm scope under the directive, register through the national portal (here MCF), set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. The sector regulator remains the supervision address; MCF and CERT-SE are the operational channels.

How the platform helps

We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Swedish subsidiary using Cybersäkerhetslagen, a German parent using BSIG, and a Dutch sister using the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.

For Swedish scope you start with the applicability check, then move to registration with MCF, incident reporting through CERT-SE, supply chain clauses and management body sign-off. Where PTS, Energimyndigheten or Finansinspektionen issue sector rules, we reference them; we do not duplicate them.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690
  • Cybersäkerhetslagen (SFS 2025:1506) — Sveriges riksdag
  • Proposition 2025/26:28 'Ett starkt skydd för nätverks- och informationssystem' — Sveriges riksdag
  • MCF (Myndigheten för civilt försvar, formerly MSB) — official site
  • CERT-SE — Swedish national CSIRT (hosted at MCF)
  • European Commission — NIS2 Directive implementation in Sweden (digital-strategy.ec.europa.eu)
  • PTS, Energimyndigheten, Transportstyrelsen, Finansinspektionen, IVO, Livsmedelsverket — sector regulators