Cybersecurity Act (NIS2) in force: from formal compliance to operational resilience
Note: This is an English version of a Swedish blogpost by Frederik Lindeberg, published here.
Cybersecurity Act (NIS2) in Sweden
NIS2 aims to raise the level of cybersecurity across the EU and replaces the previous NIS directive. As with many other EU member states, Sweden did not meet the original implementation deadline of October 2024. The legislative proposal passed parliament during the fall of 2025 and entered into force on 15 January 2026. Technically the act (lag) and ordinances (förordning) are in force, while the majority of sector-specific regulations (föreskrifter) are yet to enter into force.
NIS2 and the Public Sector
The NIS2 measures are high level, that is, they concern the information security management system (often abbreviated as ISMS) rather than the operational cybersecurity capabilities of covered actors. Fines are likely to be issued for not reporting incidents, or for not being systematic or proportional enough in the selection of risk management measures, rather than for actual incidents.
One of the most significant changes with NIS2 compared to NIS1 is the expanded scope. The directive now covers significantly more sectors, including public administration, food, and waste management. For the public sector, this implies stricter requirements for risk management measures and incident reporting. However, there is an ongoing discussion regarding how fines should be applied. In the Swedish legislative proposal, there are indications of exceptions for the public sector regarding certain fines compared to private actors, which has been a subject of debate during the consultation rounds.
Despite this debate, it is vital that public-sector organisations ensure robust processes—not only to comply with NIS2, but to safeguard the essential societal functions they provide.
The relationship between NIS2 and CER
Parallel to the implementation of NIS2, the Critical Entities Resilience directive (CER) is also being introduced. These are often regarded as "sister directives" with a different focus:
- NIS2 focuses on cybersecurity and the protection of network and information systems.
- CER focuses on physical security and resilience, for example through background checks on personnel and physical protection of facilities.
It is important to note that digital infrastructure is principally exempt from CER and is regulated almost exclusively through NIS2, while other sectors may need to manage both directives in parallel.
Public sector focus: operational resilience over formal compliance
In the face of new regulations like NIS2, there is a risk that focus shifts to administrative processes. I want to emphasise the crucial distinction between formal compliance and actual operational security.
A paradox can easily arise where an organisation is formally compliant with NIS2 through correct documentation and processes, yet still maintains a low level of operational cybersecurity. Conversely, an organisation can have extremely high technical security but miss the administrative requirements of NIS2.
Instead of treating cybersecurity as a separate administrative 'silo,' it is crucial that the focus remains on actual operational improvements. Resources should not be allocated solely to writing reports and policies (ex-ante measures) at the expense of the actual technical capability to withstand and manage incidents. A well-designed implementation of NIS2 should lead to genuine operational improvements, not solely to an increased administrative burden.
In this regard, here are some suggestions for where to focus:
1. Remember that cybersecurity is part of virtually everything today. You cannot handle cybersecurity as a separate vertical in your organisation.
2. Look at your incident reporting: how does this compare to how you should report incidents under NIS2? Make sure you understand the practical process of sending in an incident report. Do you need a special PGP key? Do you need to prepare a certain kind of document? Do you have the instructions for sending in an incident report available offline? Can you report via landline? Do you know what web page or email address to use for reporting?
3. Allocate resources: a well-designed NIS2 implementation is likely to produce actions for improvements. You should not only design these actions, you must also implement and manage them.
4. In terms of operational improvements, I suggest looking at your real dependencies. What are you dependent on for maintaining your level of service or function? Which dependencies can be replaced in an emergency situation, and which can’t?
Netnod and NIS2
Throughout the NIS2 implementation process, Netnod has contributed expert knowledge to ensure that the regulatory framework is as accurate as possible for digital infrastructure.
Our position is that legislation must be clear and take into account the technical functioning of the Internet. For example, Netnod has actively argued that DNS root server operators should not be included in the directive in a way that risks fragmenting the global Internet.
Strengthening operational resilience: How Netnod can support you
Netnod has extensive experience in operating critical infrastructure with the highest requirements for availability and security.
For organisations in both the private and public sectors navigating this landscape, it is important to understand your dependencies and supply chain. Netnod is available to discuss how you can strengthen your operational resilience and ensure that you meet legal requirements not only on paper but also in practice.