NIS2 and the Cybersecurity Act – what does it mean?

Digitalisation has made our societies faster and more efficient—but also more vulnerable. Cyberattacks are no longer something that affects only individual companies; they can impact entire societal functions. It is in this context that the EU’s NIS2 Directive comes into play, and in Sweden it is now becoming a reality through a new Cybersecurity Act.

But what does this actually mean and why is it so important for your business?

What is the Cybersecurity Act and are you subject to its requirements?

To implement the NIS2 Directive in Sweden, a new Cybersecurity Act is being introduced. Among other things, it requires companies to adopt a more structured approach to their security efforts. In short, the aim is to raise the baseline level of security for networks and information systems across the EU.

What’s new is that more organisations are now covered, and yours may be one of them. This applies not only to traditionally critical sectors such as energy and transport, but also to areas like digital services, the public sector, and parts of the wider business community.

Want to understand how this affects your organisation? Get in touch with us.

In addition, stricter requirements are being placed on how organisations actually work with security. It is no longer enough to have a “reasonable level of control” over IT security. Companies are now expected to integrate security into their daily operations by:

  • Working systematically with risk management

  • Establishing clear procedures for detecting and reporting incidents

  • Ensuring that leadership is engaged and accountable for security

  • Being able to demonstrate compliance with the requirements

This represents a clear shift—from recommendations to concrete obligations.

The role of the Swedish Civil Defence Authority

This is where the Swedish Civil Defence Authority (MCF) comes in. Its new role is not only to impose requirements, but also to support Sweden’s civil defence by strengthening resilience across businesses and workplaces.

The requirements can feel overwhelming at first, and it may be difficult to see how they apply to your specific organisation. That’s where we come in. With the right experience and tools, we can support and simplify your journey towards compliance.

What does this mean in practice?

For organisations covered by the Cybersecurity Act, it ultimately comes down to taking cybersecurity seriously—and doing so in practice, not just on paper.

In many cases, this means:

  • Mapping critical systems and identifying risks

  • Implementing clearer security procedures

  • Practising incident response

  • Training both employees and leadership

For some organisations, this is a natural next step. For others, it requires a more significant transformation and additional support.

Challenges but also business opportunities

There is no doubt that the Cybersecurity Act introduces higher demands, and customer expectations are increasing rapidly as well. This can lead to higher costs and a need for new competencies—particularly for smaller organisations or those that have not previously worked in a structured way with security.

At the same time, there are clear benefits. Stronger security practices reduce the risk of disruptions, build trust with customers and partners, and make your organisation more resilient in the long term.

Make sure you leverage your security efforts as a key reason why customers can trust you and what you deliver. By doing so, you turn compliance requirements into business value and stronger customer relationships.

Contact us to learn how you can best meet both customer expectations and the requirements of the Cybersecurity Act.