The Cybersecurity Act is here: from formal compliance to operational resilience
Note: This is an English version of a Swedish blogpost by Frederik Lindeberg, published here.
The process of implementing the EU’s NIS2 Directive has been extensive and complex. Although the directive has been formally accepted and published at the EU level, work on the national regulations in Sweden still remains. Throughout this process, Netnod has contributed expert knowledge to ensure that the regulatory framework is as correct as possible for digital infrastructure. We review the current status, how the public sector is affected, and why compliance is not always synonymous with actual security.
Current status and implementation in Sweden
The Cybersecurity Act (NIS2) aims to raise the level of cybersecurity within the union and replaces the previous NIS Directive. Like many other member states, Sweden missed the original deadline, which was October 2024. The legislative proposal was adopted by the Riksdag (Swedish Parliament) in December 2025 and came into effect on 15 January 2026. Formally, the law and ordinances are in place, but most of the sector-specific regulations have not yet been published, let alone started to apply.
Through the consultation process, Netnod has actively argued that root server operators should not be included in the directive in a way that risks fragmenting the Internet. Our position is that the legislation must be clear and take into account the technical function of the Internet.
Public Sector – the same need for robustness, regardless of sanction model
The Cybersecurity Act covers more sectors than before, including parts of the public administration. For the public sector, this entails stricter requirements on risk management measures and incident reporting. However, an important discussion concerns the application of sanctions. The Swedish legislative proposal indicates exemptions for the public sector from certain sanctions that apply to private actors, which has been a topic of debate during the referral rounds. Regardless of exactly how sanctions and supervision are applied in different parts of the public sector, the core remains: essential societal functions need robust working methods for risk management, incident reporting, and continuity.
Regardless of sanction rules, it is crucial that public organisations ensure robust processes, as they constitute essential societal functions.
The Relationship between the Cybersecurity Act and the CER Directive
In parallel with the implementation of the Cybersecurity Act, Sweden is introducing the Act on the Resilience of Critical Entities (LoM), which transposes the CER Directive and focuses on broader resilience, including physical security and personnel security. These directives are often referred to as "sister directives" but differ in focus:
- The Cybersecurity Act (NIS2) focuses on cybersecurity and the protection of network and information systems.
- LoM focuses on physical security and resilience, for example, through background checks of personnel and physical protection of facilities.
LoM is expected to enter into force during 2026. In practice, more actors need to coordinate their work so that security measures, continuity, and crisis management are coherent, instead of becoming parallel "compliance tracks." It is important to note that digital infrastructure is essentially exempt from LoM and is regulated almost exclusively by the Cybersecurity Act, while other sectors may need to manage both directives in parallel.
Netnod's perspective: measurable effect and operational benefit
In the face of extensive new regulations, there is a risk that the focus shifts from operational work to administrative processes. We want to emphasise the crucial difference between formal compliance and actual operational security. In the referral work, Netnod has highlighted the importance of regulation leading to clear, measurable improvements and not just increased ex-ante administration, and that requirements need to be practically feasible and support real risk reduction. For digital infrastructure, it is particularly important that the design takes into account how the internet and digital services are actually built, operated, and interconnected across borders.
A paradox can easily arise where an organisation formally complies with the Cybersecurity Act through correct documentation and processes, but still maintains a low operational cybersecurity level. Conversely, an organisation may have extremely high technical security but miss the administrative requirements of the Cybersecurity Act.
Instead of allowing cybersecurity to end up in a separate administrative ‘silo,’ it is crucial to manage cybersecurity together with other security and operations to achieve actual operational improvements. It is important that resources are not solely allocated to writing reports and governing documents (ex-ante measures) at the expense of the actual technical ability to withstand and manage incidents. Compliance with the Cybersecurity Act should lead to real operational improvements, not just an increased administrative burden.
Here are some suggestions to facilitate your work with cybersecurity issues:
1. Remember that cybersecurity is part of practically everything today. You cannot manage cybersecurity as a separate vertical in your organisation.
2. Review incident reporting: are your processes updated to comply with the Cybersecurity Act? Ensure you understand the actual process for submitting an incident report. Do you need a special PGP key? Do you need to prepare a certain type of document? Are instructions for incident reporting available even when systems are down? Can you report via landline phone? Do you know which web page or email address to use for reporting?
3. Allocate resources: A well-designed management system for compliance will likely lead to improvement measures. You must not only design these measures; you must also implement and manage them.
4. Regarding operational improvements, we suggest that you review your existing dependencies. What are you dependent on to maintain your service level or function? Which dependencies can be replaced in an emergency, and which cannot? In particular, consider cyber-physical dependencies, where digital systems affect physical systems such as access control, the unlocking of medicine cabinets, or on-call vehicles.
Strengthen operational resilience: how Netnod can help
Netnod has extensive experience in operating critical infrastructure with the highest requirements for availability and security. We can support businesses covered by the Cybersecurity Act in translating requirements into practical implementation in operations and management, focusing on dependencies, incident capability, and continuity.
Please feel free to contact us if you would like to have an initial meeting to identify your needs and next steps. We will help you ensure that you not only meet the Cybersecurity Act's requirements on paper but also live up to them in practice.