NIS2 is here – is your organisation ready?
Energy, transport, finance and drinking water production are some of the 18 sectors that the EU has identified as critical to society in NIS2, the directive that affects Swedish companies through the new Cybersecurity Act and Cybersecurity Regulation. Cyber lawyer Johanna Parikka Altenstedt answers questions for those who are affected.
In Sweden, NIS2 has been implemented through the Cybersecurity Act, which came into force on 15 January 2026. The Act is specified in the Cybersecurity Regulation, which regulates how supervision should be carried out and how reporting should take place.
At the time of writing this article, in February 2026, the supervisory authorities, the Swedish Civil Defence Agency (formerly MSB) and the Swedish Post and Telecom Authority (PTS), are drawing up detailed regulations that further specify how the legal requirements are to be met. In short, it is a three-step process that converts NIS2 into Swedish requirements: the Act, the Regulation, and the supervisory authorities' own regulations.
What is most important for doing the right thing – and where should one begin?
"That's an excellent question! You need to analyse your business and really get down to the nitty-gritty. What is the most essential thing you do that creates societal value? That's what you need to protect", says Johanna Parikka Altenstedt.
A risk analysis and a gap analysis (a structured method for identifying the difference between the current situation and the desired target state) help to identify threats and security gaps. RISE can help companies and organisations to carry out this type of analysis.
"Employees shouldn't have to worry about national security; it's more about protecting their own work. If you've been working on a project for two years and have built up a collection of large Excel spreadsheets, it's not fun if malware gets in. That's why it's a good idea to have a backup. By going down to the team and individual level, it becomes easier to motivate employees to work more cyber securely", says Johanna Parikka Altenstedt.
A management responsibility: cyber security cannot be delegated
Management responsibility is a central part of NIS2 and thus also of the Cybersecurity Act. It is not possible to delegate responsibility for cybersecurity or view compliance as just another IT project among many others.
If management has not decided on appropriate measures or followed up on known deficiencies, this may result in administrative fines. Persons in management positions may also be held personally liable for regulatory violations, for example through temporary bans on holding CEO or board positions in NIS2-covered operations.
RISE trains management teams in NIS2 to help companies and their management teams tackle the new regulations with a solid knowledge base. The next step could be to put their products and services under the microscope in RISE's Cyber Range test and demonstration environment, or to certify their information security management system.
NIS2 and cybersecurity – primarily a question of people
Johanna Parikka Altenstedt points out that people generally think that cyber security issues are primarily about technology. That misses the point, she says.
"People start with technical firewalls, when what they really need are human firewalls. I usually talk about the four cornerstones of cyber security. The first is that people working in the organisation are knowledgeable about cyber security issues at their level. Some are super experts, while others have basic cyber hygiene – but everyone has the knowledge. It's also important to consider cybersecurity when departments are eager to create or order new digital products and solutions", says Johanna Parikka Altenstedt.
The second cornerstone is security culture. There needs to be an open atmosphere so that people dare to speak up when something goes wrong. An employee who is afraid of making mistakes and being sanctioned will stay silent instead, and that poses a major risk to the entire organisation.
The third cornerstone is compliance. This is where NIS2 and the Swedish Cybersecurity Act come into play. Only then, as the fourth cornerstone, does technology follow.
“A clear regulatory framework is fairer”
Johanna Parikka Altenstedt believes that everyone covered by the rules discussed in this article should view the regulations as a tool for protecting what is worth protecting.
"Some people think that there are so many rules from the EU that it slows down business development. That is not the view we hear at Cybernoden. A clear set of rules to follow is better and fairer than an unregulated market", says Johanna Parikka Altenstedt.
She also points out that the EU's cybersecurity regulations are largely based on the same fundamental principles:
- A risk-based approach.
- A thorough analysis of your own operations, including both IT and OT (Operational Technology).
- Clear responsibility for cyber security, including requirements on suppliers and others on whom socially important activities depend.
- An established cyber security management system with procedures for handling incidents and ensuring continued operation.
"If you have already done this work, for example within the framework of ISO 27000 or IEC 62443 certifications, it goes a long way regardless of which regulatory framework we are talking about," she says.
NIS2 and the Swedish Cybersecurity Act
What is NIS2?
NIS2 is the EU's new cybersecurity directive that tightens the requirements for how socially important and digital businesses must protect their IT and information systems. The directive replaces the previous NIS directive.
When was NIS2 decided and when did it come into force?
- Adopted at EU level in December 2022.
- To be implemented in national law by 17 October 2024.
How has NIS2 been implemented in Sweden?
Sweden has implemented NIS2 through the Swedish Cybersecurity Act.
The regulations came into force on 15 January 2026 and replace the previous NIS Act.
Who is affected?
Medium-sized and large organisations within:
- energy
- transport
- banking, finance and financial market infrastructure
- healthcare
- drinking water
- wastewater
- digital infrastructure and IT services (including operations and cloud delivery)
- public administration
- space
- postal and courier services
- waste management
- manufacture and distribution of chemicals
- food
- manufacturing
- research
Operations are divided into essential and important entities. Some are covered regardless of size.
Cybernoden
Cybernoden is Sweden's national competence community for cybersecurity research and innovation. It is run by RISE on behalf of Sweden's National Coordination Centre for Research and Innovation in Cybersecurity (NCC-SE) within the framework of the European Cybersecurity Competence Centre and Network (ECCC) and is funded by Vinnova. Together with NCC-SE, Cybernoden constitutes a national arena with the aim of initiating research and innovation in cybersecurity. The Swedish competence community is currently the largest of any EU country, with over 450 organisations from the private and public sectors and academia.