Cybersecurity

Netnod provides expert input in policy, regulatory and governance discussions that directly impact the context within which we operate.

On 15 January 2026, the Cybersecurity Act (Cybersäkerhetslagen) and the Cybersecurity Ordinance (Cybersäkerhetsförordningen) entered into force, thereby implementing NIS2 into Swedish law. For many businesses, this means stricter requirements on risk management measures, incident reporting, and governance/responsibility, while guidance and sector-specific regulations may be introduced gradually. Now that the Swedish implementation of the Cybersecurity Act (the NIS2 Directive) is in force, we analyse the current status and highlight the most important aspects for your business.

During the spring of 2025 the Swedish government released the national strategy on cybersecurity. While the strategy itself is clear and detailed, it does not directly address the long-term consequences of short-term priorities, nor does it explore how to align the long-term incentives of for-profit actors to Sweden’s national security interests.

Netnod has provided feedback on the draft legislation for critical services resilience, emphasizing concerns about the interplay between laws, the effectiveness of the all-risk approach, lack of clarity on the law's impact, and the need for positive incentives for cybersecurity.

Netnod argues for keeping content and distribution separate, ensuring that any content can be delivered across any platform. Netnod also stresses the need for robust and available services, especially in times of crisis.

At a high level Netnod has three main concerns with the request for comments regarding a national cybersecurity center (NCSC) - part 2.

Netnod believes that the act named Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers will not lead to the intended effect.