NIS2 — What does your company need to do?

NIS2 is the EU's directive on cybersecurity. It sets clearer requirements, covers more sectors, and gives supervisory authorities real power to act when compliance falls short. If your company doesn't already know whether you're covered by NIS2, now is the time to find out.
This guide walks through what NIS2 means in practice, whether your organization is subject to the law, what you concretely need to do, and what happens if you don't.
NIS2 in brief
NIS2 (Directive on Security of Network and Information Systems, EU 2022/2555) is the EU's updated cybersecurity framework. It replaces NIS1 from 2016 and entered into force at EU level in January 2023. In Sweden, the directive was implemented through the Cybersecurity Act (2025:1506), which applies from 15 January 2026. At the same time, the previous Swedish NIS Act was repealed.
Compared to its predecessor NIS1, the differences are significant. The number of regulated sectors has more than doubled, from seven to eighteen. Requirements are sharper and more concrete. Fines are substantial. And leadership can no longer keep its distance from these issues.
In Sweden, supervision is divided by sector. The Swedish Civil Contingencies Agency (MCF) coordinates the work at national level, but it is sector-specific authorities that monitor compliance in practice, including:
- The Swedish Transport Agency for transport
- Finansinspektionen for the financial sector
- The Swedish Energy Agency for energy
- The Swedish Post and Telecom Authority (PTS) for electronic communications
Does your company fall under NIS2?
The Cybersecurity Act divides organizations into two categories: essential and important. The requirements for security measures are broadly the same for both, but supervision differs. Essential entities are subject to ongoing, proactive supervision. Important entities are reviewed reactively, meaning only when there are indications of shortcomings.
Essential sectors include energy (electricity, gas, oil, district heating, hydrogen), transport (aviation, rail, road, maritime), banking and financial market infrastructure, health and medical care, drinking water and wastewater, digital infrastructure, and public administration.
Important sectors include postal services, waste management, chemical manufacturing, food production, manufacturing of medical devices and motor vehicles, and digital providers.
The list above is not exhaustive. The full list of sectors can be found in the Cybersecurity Act and at mcf.se.
Size criteria: As a general rule, the law applies to medium-sized and large organizations, meaning organizations with at least 50 employees or a turnover and balance sheet total exceeding 10 million euros. Micro and small businesses are exempt unless they belong to a sector where they are considered particularly critical. The vast majority of government agencies, regions, and municipalities are covered regardless of size.
Do you belong to a covered sector, meet the size criteria, and operate in Sweden? You are likely subject to the law. The next step is to register your organization with the Swedish Civil Contingencies Agency (MCF).
Unsure whether your organization is covered? Consult a lawyer or contact the supervisory authority for your sector.
The core requirements — 10 security measures
Article 21 of the NIS2 Directive lists 10 security measures. Everyone covered by the law must have them in place.
1. Risk analysis and information system security
You must continuously identify, assess, and manage risks to your systems. This means having a clear picture of what assets you have, what threats exist, and how you prioritize protection. This work must be ongoing, not something you do once and put in a drawer.
2. Incident handling
You must be able to detect, manage, and recover from security incidents. That requires clear roles and people who know what to do when something happens. A plan that has never been tested provides false reassurance. Practise your procedures.
3. Business continuity
Backups, recovery plans, and crisis management must be in place. The goal is to keep operations running even when things go wrong. Map which systems are critical and what you depend on.
4. Supply chain security
You are not only responsible for your own environment. Suppliers and subcontractors who deliver digital services to you are also your risk. Map your supply chain and set security requirements in contracts.
5. Security in the acquisition, development, and maintenance of systems
Security must be built in from the start, not added after a system is already in production. This includes keeping systems patched, managing vulnerabilities, and having procedures for acting on new vulnerability information.
6. Evaluation of security measures
You must be able to show that what you're doing actually works. That requires follow-up and measurement of your security work. Regular security testing, such as penetration testing, is a natural part of this.
7. Cyber hygiene and training
Everyone in the organization must have enough knowledge not to be a vulnerability. Train your staff and build a culture where secure behaviors are the norm. Leadership must participate actively, not just rubber-stamp decisions.
8. Cryptography and encryption
You must have procedures for how cryptography is used in the organization. This covers protection of data both at rest and in transit, as well as how cryptographic keys are managed.
9. Access control and personnel security
Who has access to what must be governed by role and actual need. This includes procedures when staff join or leave, ongoing review of permissions, and management of IT assets.
10. Multi-factor authentication and secured communications
Strong authentication methods must be used for access to critical systems, both externally and internally. Internal communications and emergency communications must be secured.
Reporting obligations
NIS2 sets clear requirements for how and when you must report incidents. Reports are submitted to the supervisory authority for your sector.
Within 24 hours of becoming aware of a significant incident, an early warning must be submitted. A brief signal that something serious has occurred — nothing more is needed at this stage.
Within 72 hours, a more complete incident notification must be submitted. Here you describe what happened, your initial assessments, and what measures you have taken.
Within one month, a final report must be submitted with a complete analysis of the incident, its consequences, and how you have handled it.
What counts as a "significant" incident? An incident that causes or risks causing serious disruption to your service, or that affects other organizations or societal functions. Contact the supervisory authority for your sector if you are unsure.
Note that late or missing reports can lead to sanctions. You do not need to have suffered a serious attack to face fines — non-compliance with the reporting obligation is enough.
Leadership accountability
One of the clearest changes in NIS2 compared to NIS1 is that leadership accountability is explicit. Cybersecurity can no longer be simply delegated to the IT department.
The board and senior management are responsible for approving and following up on the security measures the law requires. They must educate themselves on cybersecurity in order to fulfil that responsibility seriously. In the event of serious shortcomings, they can be held personally liable.
Sanctions are tied to global turnover. For essential entities, up to 10 million euros or 2 percent of global annual turnover. For important entities, up to 7 million euros or 1.4 percent. The higher of the two amounts applies.
Cybersecurity is no longer an IT matter with its own budget line. It is a leadership issue with legal and financial consequences.
Getting started — an action plan
Full compliance takes time. Structures, procedures, and a security culture are not built in a week. But there is a logical order to work through.
Step 1: Confirm whether you are covered. Go through the list of included sectors. Check your size against the thresholds. Contact the supervisory authority for your sector if you are unsure. Register with the Swedish Civil Contingencies Agency once you have confirmed that the law applies to you.
Step 2: Conduct a gap analysis. Measure your current security level against the ten measures in Article 21. Identify where you have gaps. The foundations are often in place, but the systematics and documentation are missing.
Step 3: Draw up an action plan with named owners. Prioritize by risk and start with what delivers the greatest effect. Decide who is responsible for what and set realistic deadlines. Leadership must be involved — it is a legal requirement.
Step 4: Implement and document. Carry out the measures and document as you go. You must be able to show the supervisory authority that you are working systematically. Documentation is proof that the work is actually being done.
Step 5: Follow up continuously. NIS2 is an ongoing effort. Test your plans, update your risk analysis, and keep training current.
How Cyloq can help
Cyloq works with offensive cybersecurity. We test your systems the same way an attacker would, giving you a concrete picture of where you are actually vulnerable, not just what your policy documents say.
Our services directly address several of the NIS2 requirements. Penetration testing and vulnerability scanning cover requirements 5 and 6 on vulnerability management and evaluation of security measures. Our incident response capability prepares you to meet requirement 2. And business continuity planning strengthens your operational continuity under requirement 3.
Want to know where you actually stand? We offer a NIS2 gap analysis with a clear current-state assessment and a prioritized list of actions.
This guide provides a fact-based overview of NIS2 and the Swedish Cybersecurity Act. It does not replace legal advice. Questions about whether your organization is covered by the law, or how specific requirements apply in your context, should be discussed with a lawyer.
Book a NIS2 gap analysis with us
You now know whether the law applies to you. The next step is understanding exactly how. We review your environment, match it against the requirements in Article 21, and give you a concrete picture of what needs to be done.

