Sweden: Cybersecurity Act (2025:1506) was introduced to Parliament

On 14 October 2025, the Cybersecurity Act (2025:1506), transposing Directive (EU) 2022/2555 (NIS 2 Directive), was introduced to the Swedish Parliament. The Act would apply to public and private operators that fall within its scope under Chapters 1 and 2, including operators in sectors listed in Annexes I and II to the NIS 2 Directive and meeting the applicable size or designation criteria. Operators in scope would be subject to binding obligations to register with the competent supervisory authority, implement appropriate and proportionate technical, operational, and organisational cybersecurity risk management measures, ensure management training on security measures, and comply with multi-stage incident reporting and information obligations. The Act would also implement a supervisory and enforcement framework, including supervisory audits and scans, injunctions, administrative sanction fees, remarks, and, in cases of serious infringements, applications for prohibitions on holding management positions, as provided for under the Cybersecurity Act (2025:1506). The Cybersecurity Act (2025:1506) would repeal and replace the Act (2018:1174) on Information Security for Essential and Digital Services, which would continue to apply only to violations that occurred before its repeal.