Purpose and connection to the NIS2 Directive
The background to the Cybersecurity Act is the EU's NIS2 Directive (Network and Information Security Directive 2), which was adopted in 2022 to raise the level of cybersecurity throughout the EU. The aim is to expand and tighten the requirements of the previous NIS Directive so that more sectors are covered and all relevant actors take more robust measures against cyber threats. The Swedish Cybersecurity Act implements the Directive nationally and sets clearer requirements for systematic security work, risk management, incident reporting and management responsibility. The goal is to strengthen the protection of critical infrastructure and essential services by ensuring that both the public and private sectors work proactively with cybersecurity.
Which public activities are covered?
The Act applies to a wide range of operators in both the private and public sectors. In the public sector, this essentially covers all municipalities, regions and a number of government agencies. For example, under the government's decision, Sweden's emergency preparedness authorities (the central crisis preparedness authorities) are covered by the Act as a starting point. In addition, the Act also covers public bodies and companies operating in the sectors listed in the NIS2 Directive, provided that they meet certain criteria (e.g. size). This means that public activities in areas such as energy supply, transport, health and medical care, drinking water, digital infrastructure and public administration are covered by the Act. All regions and municipalities are included regardless of size, which is a national extension – NIS2 primarily required central and regional authorities to be covered, but Sweden has chosen to include municipalities in order to increase security across the public sector.
Essential and important actors
The Act divides actors into two categories: essential and important operators. Essential operators are those considered most critical to society. These include government agencies, larger municipalities and regions, and larger businesses in critical sectors such as energy supply, healthcare, transport, banking and digital infrastructure. These operators usually have more than 50 employees or significant turnover, which corresponds to at least a medium-sized company. Important operators are other operators covered by the law but not classified as essential – they are therefore not quite as critical to society, but still important for the functioning of society. Examples include providers of IT and cloud services, contractors or companies in sectors such as food, waste management or pharmaceutical manufacturing. The classification as essential/important can affect supervision and sanction levels – in general, essential operators are subject to somewhat stricter supervision (e.g. more audits) and potentially higher penalties for non-compliance. However, all operators under the Act are subject to fundamentally similar security and reporting requirements. For example, if you provide services to a government agency or municipality that is covered, that customer will impose high security requirements on you in its supply chain. Public sector actors are expected to take cybersecurity into account in procurement and contracts, so that their suppliers also maintain a good level of security. In other words, the requirements spread throughout the ecosystem – something that is important to know for anyone who collaborates with the public sector.
Requirements for security measures
A central part of the law is the requirement to implement appropriate security measures to protect network and information systems. Each affected organisation must take technical, operational and organisational measures that are proportionate to the risks in order to prevent and manage incidents. Security work must take an all-risk perspective – i.e. all types of threats and scenarios must be taken into account – and the level of security must be adapted to the organisation's risk profile. The Act specifies that security measures must cover at least the following areas:
- Risk management and analysis: Identify and assess risks to your information systems. Establish strategies for risk analysis and continuity planning (how operations are to be maintained in the event of disruption/crisis). This also includes being prepared for crisis management in the event of serious cyber attacks.
- Technical protective measures: Ensure basic protection such as firewalls, antivirus software, updated systems, strong authentication (e.g. two-factor login) and encryption where necessary. This also includes security in the development and maintenance of systems (e.g. secure configurations and regular patches). Measures to control access and manage staff permissions are important, as is the physical protection of server rooms and other facilities.
- Incident management: Have procedures in place to detect, manage and log incidents (security incidents that affect the availability, accuracy or confidentiality of information). There should be a clear process for incident response – from initial detection to action and lessons learned. Incident exercises can be carried out to test the procedures.
- Supplier and chain security: As many businesses depend on external IT suppliers and cloud services, you need to set requirements for your suppliers. Ensure that security requirements and follow-up are included in agreements and procurements. The law emphasises security in the supply chain, which means that you are responsible for ensuring that critical suppliers also maintain good security.
- Monitoring and testing: Have procedures in place to continuously assess and test the effectiveness of security measures. For example, you can conduct internal audits, vulnerability scans or engage independent reviews. The supervisory authority also has the right to carry out security audits, especially at essential operators.
- Cyber hygiene and training: Introduce basic cyber hygiene practices throughout the organisation – for example, policies for secure passwords, regular backups, the principle of least privilege, etc. All employees should receive basic training and awareness in information security, so that security thinking becomes part of everyday life.
All of these areas of action are interrelated and should be documented and integrated into ongoing work. The law does not require perfection or that all conceivable protections are already in place, but you must be able to demonstrate that you are working actively, systematically and consciously with security based on the risks of your business. Following established standards such as ISO/IEC 27001 for information security can be a way to structure your security work and meet the requirements of the law, even if it is not explicitly stated in the law.
Incident reporting – when and how should incidents be reported?
Another key element is the obligation to report serious IT incidents. The law uses the term ‘significant incident’ for incidents that reach a certain level of severity – for example, those that have caused or may cause serious operational disruptions to services, significant financial damage, or significant harm to other persons or businesses. Such incidents must be reported as soon as possible to the competent supervisory authority (the government appoints the authority responsible for each sector).
The time frames are very strict. Initial information about the incident (an early warning) must be provided within 24 hours of the organisation becoming aware that a significant incident has occurred. (For certain operators providing qualified trust services, the time limit for the formal report is also 24 hours; for others, the formal report is due within a maximum of 72 hours – but the principle is to act immediately.) This initial report may be preliminary, but its purpose is to alert the authority quickly. A more detailed incident report must then be submitted as soon as possible, with further information about what has happened and what measures are being taken. Within one month of the incident, a final report must be submitted summarising the event; if the incident is still ongoing at that time, a status report is submitted after one month and the final report later, once the incident has been resolved.

In addition to reporting to the authorities, you also have a duty to inform affected users. If a significant incident is likely to have a negative impact on your services to users (e.g. causing interruptions or data loss), you must inform your service recipients of this as soon as appropriate. You must explain what has happened and advise them on any protective measures they can take. Similarly, if you become aware of a serious cyber threat that could affect your users, you must warn them and provide recommendations for dealing with the threat. This communication with users and customers is important in order to reduce the damage caused by incidents and increase transparency.
In summary, public sector organisations need to have clear procedures for incident management and reporting. This includes monitoring systems to detect intrusions, having an internal incident management plan (Who does what in the event of an IT incident? Who should be informed internally and externally?) and practising scenarios. Also ensure that staff know how and to whom incidents should be reported internally, so that nothing is delayed. Being able to act within 24 hours requires preparation. Failure to comply with reporting obligations or other legal requirements may result in intervention by the supervisory authority – in the worst case, penalty fees may be imposed. According to the EU directive, very serious violations can lead to fines of up to €10 million or 2% of turnover, and Swedish law also allows for substantial penalties. For public sector actors, their reputation and trust are at stake, so there are strong incentives to comply with the requirements.
Training requirements and management responsibility
A new and important provision in the law is the requirement for training for management. All persons in the highest management of the operator (e.g. administrative managers, the executive board or the board of directors, depending on the organisation) must undergo training in security measures and cybersecurity. The aim is to ensure that management has a basic knowledge of cyber risks and an understanding of the security work required. The NIS2 Directive and Swedish law make it clear that cybersecurity is a strategic management issue – it is not enough for the IT department to handle the practical aspects; senior management must monitor and control security work.
In practice, this means that municipal and regional leaders, heads of authorities and similar need to take ownership of the organisation's information security. Management must ensure that there are clear goals, resources and division of responsibility for cyber security in the organisation. The training requirement aims to raise the level of knowledge so that management can make informed decisions: they should understand basic terminology, be familiar with relevant legislation, have insight into the organisation's own risks and ability to handle incidents. The Swedish Civil Contingencies Agency (MCF) offers courses and guidance to support compliance with this requirement, but each organisation is responsible for ensuring that its managers actually undergo the necessary training.
In addition to management, it is wise to involve the entire staff through regular security training and exercises. A security-conscious culture where all employees are aware of their roles (e.g. reporting suspicious emails, following information management guidelines, etc.) is often the best defence against cyber attacks. The law explicitly requires ‘basic cyber hygiene practices’ and training, which signals that continuous skills development in cyber security should be on the agenda.
Supervisory authorities under the Cybersecurity Regulation
In addition to the Cybersecurity Act, the government has also adopted the Cybersecurity Regulation (SFS 2025:1507). The regulation supplements the act by specifying which authorities are supervisory authorities for different sectors and types of activities. This is a central part of the regulatory framework, as it is to these authorities that incidents must be reported and which supervise compliance with the requirements of the Act. The Regulation means that supervision is divided by sector, in line with the structure of the NIS2 Directive.
For example, the following main principles apply:
- The Swedish Civil Contingencies Agency (MCF) has overall coordination responsibility and is the supervisory authority for several government agencies and certain cross-sectoral functions.
- The Swedish Post and Telecom Authority (PTS) is the supervisory authority for digital infrastructure, electronic communications services and certain digital service providers.
- The Swedish Energy Markets Inspectorate is responsible for supervision in the energy sector.
- The Transport Agency supervises the transport sector.
- The Health and Social Care Inspectorate (IVO) is responsible for supervision within health care and social care.
- The Financial Supervisory Authority is the supervisory authority for financial actors covered by the Act.
- Other sectors, such as food, pharmaceuticals and drinking water, are subject to supervision by the respective sectoral authority in accordance with the Regulation.
For municipalities and regions, this means that supervisory responsibility may vary depending on the nature of the activity. For example, a municipality may be supervised by different authorities for its IT operations, its water and sewage operations and its health and medical care. It is therefore important that each organisation identifies which supervisory authority or authorities are relevant to its own activities.
The Cybersecurity Regulation also clarifies that operators must:
- know which supervisory authority is competent,
- notify it of their contact details,
- report significant incidents to the appropriate authority within the prescribed time frame.
Establishing contact with the appropriate supervisory authority at an early stage and following their guidance is an important part of the preparatory work ahead of the law coming into force.
Practical guidance – preparations for entry into force
With little time left until 15 January 2026, it is high time for the public sector to ensure compliance with the new law. Here are some practical steps and tips on how municipalities, regions and authorities can prepare:
- Conduct a security analysis (current status assessment): Start by mapping how your current information security measures stand up to the requirements of the law. Identify which parts of your operations are covered and what gaps exist in your procedures, policies and technical safeguards. Conduct a risk and vulnerability analysis for your critical systems – which threats are most relevant and how serious could the consequences be? The results of this analysis will form the basis for your action plan.
- Appoint responsible persons and contact persons: Clarify roles and responsibilities for cybersecurity in the organisation. Management should appoint one or more people to coordinate security work – for example, a Chief Information Security Officer (CISO) or security coordinator. This function should have the mandate to implement measures and inform management about the status. You should also register a formal contact person with the relevant supervisory authority (MCF or another authority, depending on the sector, as designated by the Cybersecurity Regulation) so that there is a clear channel for information and incident reporting. Do not forget to update contact details if responsible persons are replaced – the law requires that changes be reported within 14 days.
- Update security governance and policy documents: Based on your current situation analysis, revise or develop the necessary governance documents: information security policy, access management guidelines, incident response plan, continuity plans, etc. Ensure that these documents are known and applied within the organisation (documents that gather dust are of no use). The documentation of security work must be kept up to date and traceable so that, if necessary, you can show the supervisory authority how you meet the requirements.
- Implement the necessary technical and organisational measures: Address any identified gaps in your protection. Prioritise measures that have the greatest impact on risk reduction – for example, you may need to improve network segmentation, introduce multi-factor authentication on all accounts, or tighten up your backup procedures. Also review physical security measures (locked server rooms, fire protection for data centres, etc.). On the organisational side, this may involve introducing procedures for supplier audits, change management of IT systems, or staff background checks for sensitive positions. Draw up a realistic action plan with timelines and responsible persons for each measure.
- Establish or refine your incident procedures: Make sure you meet the strict reporting requirements of the law. Define what constitutes a ‘significant incident’ for your business (the authorities can provide guidance on thresholds) and ensure that staff know how to escalate such an incident. Establish an internal incident reporting chain that enables rapid reporting to the appropriate decision-maker, lawyer or communicator internally, and on to the supervisory authority within 24 hours if necessary. Prepare incident report templates so you don't have to start from scratch under stress. It is also wise to prepare communication plans in advance: how do we inform the public or those affected if a serious incident occurs? Practise incident management through simulated attacks, so that both the IT team and management can rehearse their roles.
- Train management and employees: Ensure that managers undergo mandatory training in accordance with the law. Plan this well in advance – MCF, for example, offers web-based introductory courses for management. At the same time, you should raise awareness among all staff. Conduct information sessions on basic IT security, phishing simulations, or other training initiatives to build a culture of security. All employees need to know their responsibilities, such as how to handle sensitive documents or report suspicious incidents. Remember that training is not a one-off effort – plan for regular reminders and updates, especially as the threat landscape evolves.
- Information management and confidentiality: Review how you classify and protect information internally. The new law also introduces certain changes to confidentiality rules, including allowing information about vulnerabilities and incidents to be shared without disclosing sensitive information. Ensure you have procedures in place to handle confidential information about your systems and risks securely. Only authorised persons should have access to details of your vulnerabilities or incident reports. At the same time, you need to be able to share necessary information with the supervisory authority and possibly other affected parties in the event of an incident – find the balance between transparency and confidentiality. Consider updating your internal guidelines for information classification and compliance with public access and confidentiality legislation in light of the new requirements.
- Involve your suppliers: Identify which external suppliers are critical to your IT operations and information management (e.g. operating partners, cloud service providers, system suppliers). Communicate with them about the upcoming requirements – many suppliers are already aware of NIS2 and have begun to tighten their security. Ensure that your new or renewed agreements include relevant security clauses, such as requirements for incident reporting from the supplier to you, your right to review their security work, and requirements for them to follow good practice (perhaps even that they are certified according to ISO 27001 or similar). By setting clear requirements in procurement now, you are not only fulfilling the law's intention regarding supply chain security – you are also protecting your own business.
- Follow developments and plan for continuous improvement: Keep up to date with clarifications from authorities. The MCF and other regulatory authorities will issue regulations specifying the legal requirements (e.g. what constitutes a significant incident in different sectors, or details of security measures). Feel free to subscribe to newsletters or information mailings from the relevant authorities. You can already access guidance published by MCF, such as ‘The role of management in information and cyber security’. Finally, view cybersecurity work as an ongoing process, not a project with an end date. After 15 January 2026, it will be important to continue identifying areas for improvement, measuring progress and adapting to new threats. Build cybersecurity into your regular quality assurance and risk management work. This will ensure that your organisation is better equipped, not only to comply with the law, but also to meet the cyber challenges of the future.
Conclusion
The new cybersecurity law marks a shift towards more proactive and uniform cybersecurity work across the public sector. By understanding what requirements are imposed – and why – municipalities, regions and authorities can not only avoid breaking the law and incurring sanctions, but also increase their own resilience to cyber attacks. The ultimate aim is to protect citizens and socially important functions in an age of increasing digital threats. By following the spirit of the law – plan, educate, secure and collaborate – the public sector will be better prepared when the next cyber crisis hits. The message of the law is clear: cybersecurity is everyone's responsibility, from IT technicians to senior management. There is now a concrete framework to support this responsibility – it is up to each organisation to put it into practice. Good luck with your continued cybersecurity work!

This summary is based on the new legal text, government information and press releases, as well as guidance from the MCF. For those who want to delve deeper, we recommend reading the Cybersecurity Act (2025:1506) in its entirety and the MCF's upcoming regulations, as well as taking advantage of training courses and support materials before the law comes into force on 15 January 2026.
