Five ways to comply with the Swedish Cybersecurity Act

On 15 January 2026, Sweden’s new Cybersecurity Act and the NIS2 Directive will come into force, bringing clearer requirements on leadership and the board’s responsibility for the organisation’s cybersecurity. Here are five practical tips on what a company or organisation needs to do to meet the legal requirements, both now and in the long run.

January 9, 2026
Author:
Geir Aasen
CISO
Reviewer:
Per Lagerström
Director of Communication & Marketing

1. Cybersecurity management system

Cybersecurity must be a management issue, not just an IT issue. Your business must establish a security management system that is anchored in management and integrated into the overall governance of the business. Use an established framework such as NIST or ISO 27001.

--> By doing this, you can explain how cybersecurity risks are governed and who is accountable.

2. Risk and asset management

You cannot protect what you don’t understand. The business must conduct and document risk assessments to identify vulnerabilities and threats to its network and information systems.

--> By doing this, you can clearly explain which risks matter most and why resources are allocated the way they are.

3. Security measures

The business must introduce relevant, proportionate and documented security measures:

  • Organizational measures: Routines, instructions and updated emergency plans.
  • Technological measures: E.g. strong authentication, access control, segmentation and security monitoring.
  • Physical measures: Securing buildings, infrastructure and access to critical areas.
  • Measures for personnel: Skills development, access control and routines for employees and suppliers.

--> By doing this, you can demonstrate implemented, maintained, and reviewed security measures.

4. Incident detection, reporting and response

You must know when something happens, and be able to act fast. The company must have emergency plans, practise incident management and notify the authorities within 24 hours of significant incidents.

--> By doing this, you can run an incident end-to-end without improvising roles or timelines.

5. Supply chain and third-party risk management

Your security is only as strong as your suppliers’ security. The company is responsible for ensuring that suppliers and third parties comply with its digital security requirements.

--> By doing this, you understand which suppliers matter most and have practical control mechanisms, not just contract clauses.