Description

Cybersecurity Act (2025:1506) enters into force

On 15 January 2026, the Cybersecurity Act (2025:1506), transposing Directive (EU) 2022/2555 (NIS 2 Directive), enters into force. The Act applies to public and private operators that fall within its scope under Chapters 1 and 2, including operators in sectors listed in Annexes I and II to the NIS 2 Directive and meeting the applicable size or designation criteria. Operators in scope are subject to binding obligations to register with the competent supervisory authority, implement appropriate and proportionate technical, operational, and organisational cybersecurity risk management measures, ensure management training on security measures, and comply with multi-stage incident reporting and information obligations. The Act also implements a supervisory and enforcement framework, including supervisory audits and scans, injunctions, administrative sanction fees, remarks, and, in cases of serious infringements, applications for prohibitions on holding management positions, as provided for under the Cybersecurity Act (2025:1506). The Cybersecurity Act (2025:1506) repeals and replaces the Act (2018:1174) on Information Security for Essential and Digital Services, which continues to apply only to violations that occurred before its repeal.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: legislature
Government Body: parliament

Complete timeline of this policy change

2025-10-14
under deliberation

On 14 October 2025, the Cybersecurity Act (2025:1506), transposing Directive (EU) 2022/2555 (NIS 2 …

2025-12-10
adopted

On 10 December 2025, the Swedish Parliament adopted the Cybersecurity Act (2025:1506), transposing …

2026-01-15
in force

On 15 January 2026, the Cybersecurity Act (2025:1506), transposing Directive (EU) 2022/2555 (NIS 2 …