
NIS2 is here – is your organisation ready?

Energy, transport, finance and drinking water production are some of the 18 sectors that the EU has identified as critical to society in NIS2, the directive that affects Swedish companies through the new Cybersecurity Act and Cybersecurity Regulation. Cyber lawyer Johanna Parikka Altenstedt answers questions for those who are affected.

“The background to NIS2 is a great need for coordination across national borders, especially for companies with operations in different countries. It became clear that different countries handled cyber security in different ways,” says Johanna Parikka Altenstedt, lawyer and coordinator of Cybernode (the EU’s national competence community in cyber security, which in Sweden is located at RISE), and continues: 

"To create an understanding that transcends our national borders – because malware does not stay within one country, it spreads to neighbouring countries too – the EU passed the NIS Directive in 2016."

How NIS2 is implemented through the Swedish Cybersecurity Act

NIS2 is an extension of its predecessor NIS and strengthens the protection of services that are important to society, as well as expanding the scope to 18 sectors (see fact box) affected by the new requirements. NIS2 generally applies to companies with at least 50 employees or a turnover of at least €10 million. Certain activities, such as providers of internet-critical infrastructure, are covered regardless of size. In a fact box further down in the article, you will find more information on "how NIS2 affects you".

"This is a broad directive that spans so many industries that virtually all companies with more than 50 employees should investigate whether they are affected. The risks of not acting when you actually have to are considerable," says Johanna Parikka Altenstedt, who is also acting head of the Centre for Cyber Security at RISE.

She explains why NIS2 became a directive rather than a regulation, and why that matters.

“NIS2 is the result of a compromise between Member States. Some wanted NIS2 to be a regulation, which would have meant that the law would have been directly binding in all EU countries at the same time. Instead, it became a directive, so each country has some flexibility to adapt the requirements to its own legal system,” explains Johanna Parikka Altenstedt.


In Sweden, NIS2 has been implemented through the Cybersecurity Act, which came into force on 15 January 2026. The Act is specified in the Cybersecurity Regulation (not to be confused with an EU regulation), which regulates how supervision should be carried out and how reporting should take place.

At the time of writing this article, in February 2026, the supervisory authorities, the Swedish Civil Contingencies Agency (formerly MSB) and the Swedish Post and Telecom Authority, are establishing detailed regulations that further specify how the legal requirements are to be met. In short, it is a three-step process that converts NIS2 into Swedish requirements.

What is most important for doing the right thing – and where should one begin?

"That's an excellent question! You need to analyse your business and really get down to the nitty-gritty. What is the most essential thing you do that creates social value? That's what you need to protect," says Johanna Parikka Altenstedt.


A risk analysis and a gap analysis (a strategic method for identifying the difference between the current situation and the desired target situation) help to identify threats and security gaps. RISE can help companies and organisations to carry out this type of analysis.

"Employees shouldn't have to worry about national security; it's more about protecting their own work. If you've been working on a project for two years and have built up a collection of large Excel spreadsheets, it's not fun if malware gets in. That's why it's a good idea to have a backup. By going down to the team and individual level, it becomes easier to motivate employees to work more cyber securely," says Johanna Parikka Altenstedt.

A management responsibility: cyber security cannot be delegated

Management responsibility is a central part of NIS2 and thus also of the Cybersecurity Act. It is not possible to delegate responsibility for cybersecurity or view compliance as just another IT project among many others.

If management has not decided on appropriate measures or followed up on known deficiencies, this may result in penalty fees. Persons in management positions may also be held personally liable for regulatory violations, through temporary bans on CEO or board assignments in NIS2-covered operations.


RISE trains management teams in NIS2 to help companies and their management teams tackle the new regulations with a solid knowledge base. The next step could be to put their products and services under the microscope in RISE's Cyber Range test and demonstration environment, or to certify their information security management system.

NIS2 and cybersecurity – primarily a question of people

Johanna Parikka Altenstedt points out that people generally think that cyber security issues are primarily about technology. That misses the point, she says.

"People start with technical firewalls, when what they really need are human firewalls. I usually talk about the four cornerstones of cyber security. The first is that people working in the organisation are knowledgeable about cyber security issues at their level. Some are super experts, while others have basic cyber hygiene – but everyone has the knowledge. It's also important to consider cybersecurity when departments are eager to create or order new digital products and solutions," says Johanna Parikka Altenstedt.

The second cornerstone is safety culture. There needs to be an open atmosphere so that people dare to speak up when something goes wrong. An employee who is afraid of making mistakes and risking sanctions will not speak up when something goes wrong. And that poses a major risk to the entire organisation.

The third cornerstone is compliance. This is where NIS2 and the Swedish Cybersecurity Act come into play. Only then, as the fourth cornerstone, does technology come into play.

“A clear regulatory framework is fairer”

Johanna Parikka Altenstedt believes that everyone covered by the rules discussed in this article should view the regulations as a tool for protecting what is worth protecting.

"Some people think that there are so many rules from the EU that it slows down business development. That is not the view we hear at Cybernoden. A clear set of rules to follow is better and fairer than an unregulated market," says Johanna Parikka Altenstedt.

She also points out that the EU's cybersecurity regulations are largely based on the same fundamental principles:

  • A risk-based approach.
  • A thorough analysis of your own operations, including both IT and OT (Operational Technology).
  • Clear responsibility for cyber security, including requirements for suppliers and others who depend on socially important activities.
  • An established cyber security management system with procedures for handling incidents and ensuring continued operation.

"If you have already done this work, for example within the framework of ISO 27000 or IEC 62443 certifications, it goes a long way regardless of which regulatory framework we are talking about," she says.

NIS2 and the Swedish Cybersecurity Act

What is NIS2?
NIS2 is the EU's new cybersecurity directive that tightens the requirements for how socially important and digital businesses must protect their IT and information systems. The directive replaces the previous NIS directive.

When was NIS2 decided and when did it come into force?

  • Adopted at EU level in December 2022.
  • To be implemented in national law by 17 October 2024.

How has NIS2 been implemented in Sweden?
Through the Swedish Cybersecurity Act, specified further by the Swedish Cybersecurity Regulation.

The regulations came into force on 15 January 2026 and replace the previous NIS Act.

Who is affected?

Medium-sized and large organisations within:

  • energy
  • transport
  • banking, finance and financial market infrastructure
  • health care
  • drinking water
  • wastewater (sewer)
  • digital infrastructure and IT services (including operations and cloud delivery)
  • public administration
  • space sector
  • postal and courier services
  • waste management
  • manufacture and distribution of chemicals
  • foodstuffs
  • manufacturing
  • research

Operations are divided into essential and important entities. Some are covered regardless of size.

Cybernode

Cybernoden is Sweden's national competence community within cybersecurity research and innovation. It is run by RISE on behalf of Sweden's National Coordination Centre for Research and Innovation in Cybersecurity (NCC-SE) within the framework of the EU project European Cybersecurity Competence Centre and Network (ECCC) and is funded by Vinnova. Together with NCC-SE, Cybernoden constitutes a national arena with the aim of initiating research and innovation in cybersecurity. The Swedish competence community is currently the largest in all EU countries, with over 450 organisations from the private and public sectors and academia.
