NIS 2 and the Cybersecurity Act – an update

We have previously written posts on the topic of NIS 2; see here and here, among others.

NIS 2, an EU directive to strengthen cyber security within network and information systems, is now coming into force. At the same time, Sweden is preparing the introduction of a new cyber security law, which is expected to enter into force in 2025.

What is NIS 2?

NIS 2 (Directive on Security of Network and Information Systems) is an update of the previous NIS Directive and aims to improve security and achieve a high common level of cyber security throughout the Union. The new directive entails several new requirements for companies and public organizations operating within 18 defined sectors, which are divided into essential and important sectors. Among these are energy, transport, manufacturing and digital infrastructure.

Some of the key changes with NIS 2 are:

  • More sectors covered: Even more companies and organizations will now need to ensure robust security measures.
  • Faster incident reporting: An early warning of an incident must now be submitted without undue delay, and no later than 24 hours after becoming aware of the incident.
  • Personal responsibility of company management: Management bodies are held directly responsible for implementing and maintaining security measures.
  • Focus on the supply chain: The security of the entire supply chain, including subcontractors, is becoming an increasingly important priority.

This is a significant change for many businesses that now need to review their cyber security strategies and processes.

The Swedish Cyber Security Act

To implement NIS 2, a new cyber security law is proposed in Sweden. The law was supposed to be introduced at the beginning of 2025 (already too late), but is now expected to come into effect only in the latter part of 2025. The law is based on the NIS 2 directive but has some national adaptations. When the law enters into force, Swedish companies and authorities will face further demands on how they protect their digital and physical environments.

The inquiry, SOU 2024:18, has put forward proposals for the necessary adjustments to Swedish legislation. Several issues also need to be decided before the Swedish legislation is in place, such as how partner companies and affiliated companies should be included in the calculation of the size of the business, especially in cases where such inclusion can be considered disproportionate.

How are smaller businesses affected?

Small businesses, defined as those with fewer than 50 employees or a turnover of less than 10 million euros, are usually not covered by the new law. But like so many other companies, they can still be affected indirectly. This is because larger companies and public sector actors using small companies as suppliers or partners will need to ensure that their entire supply chain meets the new security requirements. So, even if small businesses are not directly covered by the rules, they may need to adapt to continue working with larger players.

What should you do now?

To ensure that your organization meets the requirements of both NIS 2 and the upcoming Swedish Cyber Security Act, it is important to start preparing now. This means conducting a thorough review of the existing security measures, training staff and developing routines for rapid incident reporting.

NIS 2 and the Swedish Cyber Security Act represent a new era for cyber security in Europe and Sweden. To stay ahead, companies and organizations must adapt to the increased demands, strengthen their protection and ensure that the entire operation, including supply chains, is prepared for the security challenges of the future. Many different measures need to be taken: routines, processes, and technical and information security measures need to be reviewed, as do agreements.

If you have questions about whether your business is affected or how the business is affected by NIS 2 or the upcoming cyber security law, Delphi can provide guidance. With extensive experience in cyber security and information security issues, we are available to support your organization in meeting the new requirements.

This article was written by Associate Ara Haydar.