Cybersecurity

On 15 January 2026, the Cybersecurity Act (Cybersäkerhetslagen) and the Cybersecurity Ordinance (Cybersäkerhetsförordningen) entered into force, thereby implementing NIS2 into Swedish law. For many businesses, this means stricter requirements on risk management measures, incident reporting, and governance/responsibility, while guidance and sector-specific regulations may be introduced gradually. Now that the Swedish implementation of the Cybersecurity Act (the NIS2 Directive) is in force, we analyse the current status and highlight the most important aspects for your business.

Netnod provides expert input in policy, regulatory and governance discussions that directly impact the context within which we operate.

During the spring of 2025 the Swedish government released the national strategy on cybersecurity. While the strategy itself is clear and detailed, it does not directly address the long-term consequences of short-term priorities, nor does it explore how to align the long-term incentives of for-profit actors to Sweden’s national security interests.

Netnod has provided feedback on the draft legislation for critical services resilience, emphasizing concerns about the interplay between laws, the effectiveness of the all-risk approach, lack of clarity on the law's impact, and the need for positive incentives for cybersecurity.

Netnod argues for keeping content and distribution separate, ensuring that any content can be delivered across any platform. Netnod also stresses the need for robust and available services, especially in times of crisis.

At a high level Netnod has three main concerns with the request for comments regarding a national cybersecurity center (NCSC) - part 2.

Netnod believes that the act named Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers will not lead to the intended effect.

At a high level Netnod has three main concerns with the NIS2 directive and its Swedish implementation in a cybersecurity context. 

At a high level Netnod has three main concerns with the request for comments regarding a national cybersecurity center (NCSC).

Netnod sees several problems with introducing yet another definition of critical and important services, this one in the context of foreign ownership.

On 2 September 2023, Netnod was given the opportunity by Sweden’s Ministry of Defence to comment on an inquiry into models for contingency supply and planning (SOU 2023:50). Netnod is critical that the investigation did not thoroughly investigate the issue of long term infrastructure investments and costs.