Does NIS2 apply to my Swedish business?

NIS2 applies to medium and large organizations (50+ employees or 10M+ EUR turnover) in essential and important sectors. In Sweden, this includes energy, transport, banking, health, digital infrastructure, ICT service management, public administration, and many more. Smaller organizations may also be in scope if they provide critical services. Check with MSB (Myndigheten for samhallsskydd och beredskap) for sector-specific guidance.

What are the penalties for NIS2 non-compliance in Sweden?

For essential entities, fines can reach up to 10 million EUR or 2% of global annual turnover, whichever is higher. For important entities, the maximum is 7 million EUR or 1.4% of turnover. Beyond fines, NIS2 introduces personal liability for management. Board members and executives can be held individually responsible for compliance failures.

What is the NIS2 incident reporting timeline?

NIS2 requires a three-stage reporting process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment, and a final report within one month with root cause analysis and remediation measures. In Sweden, reports go to MSB and the relevant sectoral authority.

How does NIS2 relate to GDPR?

NIS2 and GDPR are complementary. GDPR protects personal data; NIS2 protects network and information systems. A security incident may trigger reporting obligations under both frameworks simultaneously. Many NIS2 security measures (encryption, access control, incident response) also help satisfy GDPR Article 32 requirements for appropriate technical measures.

The NIS2 directive (Network and Information Security Directive 2) is an EU cybersecurity regulation that went into effect in 2024. It expands the scope of the original NIS directive to cover more sectors and imposes stricter security requirements, incident reporting obligations, and management accountability for essential and important entities.

NIS2 Compliance Checklist: 12 Steps for Swedish Businesses

The NIS2 directive (Network and Information Security Directive) entered into force across the EU in October 2024, and Sweden's transposition is now in effect. For many Swedish businesses, this is the first time cybersecurity is a legal obligation rather than a best practice.

The directive is broad, but the core requirements are practical. This checklist breaks NIS2 down into 12 concrete steps, each with specific actions you can take. Whether you're just starting or need to verify existing measures, use this as your working document.

Who is in scope? Medium and large organizations (50+ employees or 10M+ EUR turnover) in essential and important sectors. In Sweden, MSB provides sector-specific classification. When in doubt, assume you're in scope. The penalties for non-compliance far outweigh the cost of compliance.

Conduct a Comprehensive Risk Assessment

NIS2 Article 21 requires "appropriate and proportionate" measures based on risk. You cannot determine what's proportionate without first understanding your risk landscape. This is the foundation everything else builds on.

ACTIONS:

Inventory all critical systems, data flows, and dependencies
Identify threats relevant to your sector (ransomware, supply chain, insider)
Assess likelihood and impact for each threat-asset combination
Document risk acceptance decisions with management sign-off
Schedule reassessment at least annually or after significant changes

Establish Management Accountability

NIS2 makes cybersecurity a board-level responsibility. Management bodies must approve security measures and can be held personally liable for non-compliance. This is not something that can be delegated entirely to IT.

ACTIONS:

Assign a named person responsible for NIS2 compliance (CISO or equivalent)
Ensure board members receive cybersecurity training
Include cybersecurity as a standing board agenda item
Document management approval of security policies and risk acceptance

Develop an Incident Response Plan

NIS2 requires a structured incident response capability and strict reporting timelines: early warning within 24 hours, notification within 72 hours, and a final report within one month. You cannot meet these deadlines without a pre-existing plan.

ACTIONS:

Define incident classification criteria (what constitutes "significant")
Create a response playbook with roles, contacts, and escalation paths
Establish reporting procedures to MSB and sectoral authorities
Run tabletop exercises at least twice per year
Maintain an incident log with post-incident reviews

Secure Your Supply Chain

Supply chain attacks accounted for 17% of breaches in the EU in 2025. NIS2 explicitly requires organizations to assess and manage risks from suppliers and service providers. Your security posture is only as strong as your weakest vendor.

ACTIONS:

Inventory all third-party suppliers with access to your systems or data
Assess each supplier's security posture (request certifications, audit reports)
Include cybersecurity requirements in procurement contracts
Monitor supplier security continuously, not just at onboarding
Verify data jurisdiction: where do your suppliers process your data?

Implement Access Control

The principle of least privilege is a NIS2 baseline requirement. Every user should have only the access necessary for their role, and privileged accounts must have additional protections.

ACTIONS:

Enforce multi-factor authentication on all external-facing systems
Implement role-based access control (RBAC) with documented roles
Review access rights quarterly and on employee role changes
Separate admin accounts from daily-use accounts
Log all privileged access and review logs regularly

Deploy Encryption Appropriately

NIS2 requires the use of cryptography where appropriate. This means encrypting data in transit and at rest, and having policies for key management. "Appropriate" is determined by your risk assessment.

ACTIONS:

Enforce TLS 1.2+ on all web-facing services (our scan checks this)
Encrypt sensitive data at rest in databases and file storage
Implement end-to-end encryption for email containing sensitive data
Establish a key management policy with rotation schedules
Disable deprecated protocols (SSLv3, TLS 1.0, TLS 1.1)

Establish Continuous Monitoring

You cannot protect what you cannot see. NIS2 requires organizations to detect incidents in a timely manner, which demands monitoring of networks, systems, and user activity.

ACTIONS:

Deploy centralized logging for all critical systems
Set up alerting for anomalous activity (failed logins, privilege escalation)
Monitor external attack surface continuously (automated scanning)
Review security logs at least weekly
Consider a managed SOC if internal capacity is limited

Manage Vulnerabilities Systematically

Unpatched vulnerabilities remain the most common attack vector. NIS2 requires vulnerability handling and disclosure practices. This means both finding vulnerabilities and fixing them within defined timeframes.

ACTIONS:

Run automated vulnerability scans at least monthly
Define patching SLAs: critical within 48 hours, high within 7 days
Maintain an inventory of all software and versions in use
Publish a security.txt file for responsible disclosure (RFC 9116)
Subscribe to vendor security advisories for all critical software

Build Business Continuity Plans

NIS2 requires business continuity management, including backup strategies, disaster recovery, and crisis management. The goal is to maintain essential functions during and after a cyber incident.

ACTIONS:

Identify essential business functions and their maximum tolerable downtime
Implement backup strategy with tested restoration procedures (3-2-1 rule)
Create a disaster recovery plan with defined RTO and RPO
Test backups and recovery procedures at least quarterly
Maintain offline backups to protect against ransomware

Train Your People

NIS2 explicitly requires cybersecurity training for management and staff. Human error remains the primary attack vector, and no technical measure can fully compensate for untrained users.

ACTIONS:

Conduct security awareness training for all employees annually
Provide role-specific training for IT staff and administrators
Run phishing simulations at least quarterly
Include cybersecurity in onboarding for new employees
Train management on their NIS2 responsibilities and liability

Establish Reporting Procedures

Meeting NIS2 reporting deadlines requires pre-established procedures. When a significant incident occurs, you have 24 hours for the early warning. There's no time to figure out who to contact and how.

ACTIONS:

Identify your competent authority (MSB and sectoral regulator)
Register as a NIS2 entity with relevant authorities
Create reporting templates for 24h, 72h, and 30-day reports
Designate and train staff responsible for regulatory reporting
Document internal escalation paths from detection to reporting

Document Everything and Audit Regularly

NIS2 compliance is not a one-time project. Authorities can request evidence of your security measures at any time, and you must be able to demonstrate that measures are implemented, maintained, and reviewed. Documentation is your proof.

ACTIONS:

Maintain a central repository of all security policies and procedures
Document all risk assessments, decisions, and management approvals
Keep records of training, exercises, and incident responses
Conduct internal audits at least annually against NIS2 requirements
Consider external audits or ISO 27001 certification as evidence

Where to Start

Twelve steps is a lot. If you're starting from scratch, prioritize in this order:

WEEK 1

Steps 1-2: Risk assessment and management accountability. You need to know what you're protecting and who owns it.

MONTH 1

Steps 3, 5, 6: Incident response, access control, and encryption. These are the measures that prevent and contain incidents.

MONTH 2-3

Steps 4, 7, 8, 9: Supply chain, monitoring, vulnerability management, and business continuity. These build resilience.

ONGOING

Steps 10, 11, 12: Training, reporting procedures, and documentation. These sustain compliance over time.

Start With a Baseline Assessment

Our free SVAR scan covers several NIS2-relevant areas automatically: TLS configuration, email authentication, vulnerability disclosure, software versions, and security headers. It's not a full NIS2 audit, but it gives you a concrete starting point for steps 6, 7, and 8 in about two minutes. For help with the full checklist, explore our cybersecurity compliance services.