The Cybersecurity Act came into force on January 15, 2026. At the same time, the conditions for working with cybersecurity changed. It’s not just about tightened requirements, but also about clearer responsibility and new ways of working. Cybersecurity is now a responsibility for the entire organization.
The Cybersecurity Act is Sweden’s implementation of the EU directive NIS2. The new law not only replaces the previous NIS regulation but also represents a significant shift in cybersecurity. Whereas it was often seen as a technical issue, there is now no doubt about where the focus lies. At the center of the new law are governance, responsibility, and systematic work across the entire organization.
What is the Cybersecurity Act – and why does it matter?
The purpose of the Cybersecurity Act is to raise the overall level of cybersecurity within socially critical and business-critical operations. As a starting point, the law applies to organizations that meet certain size criteria in terms of number of employees and turnover. The assessment also depends on the type of operations carried out.
The Cybersecurity Act covers organizations across several socially essential and business-critical sectors, including energy, transport, healthcare, digital infrastructure, and public administration. Private actors in these areas are also affected. It’s also important to note that organizations not directly covered by the law may be indirectly affected, for example as suppliers or partners to organizations that fall under the requirements.
There are several differences between the new law and the previous NIS regulation it replaces. The Cybersecurity Act imposes stricter requirements on documentation, follow-up, and reporting. It is no longer sufficient to have individual technical protections or policy documents in place. Organizations need the ability to work in a structured and long-term manner with cybersecurity across the entire organization. This is something we explore further in the article NIS2 – from directive to action.
The responsibility for guidance, coordination, and development of regulations under the Cybersecurity Act lies with the Swedish Civil Defense Agency (Myndigheten för civilt försvar). When it comes to supervision, the Swedish Post and Telecom Authority (PTS) is responsible for oversight of electronic communication and digital infrastructure, among other areas.
Five pillars of the Cybersecurity Act
To understand what the Cybersecurity Act means in practice, it is helpful to break it down into five core pillars. They capture the essence of how the law changes the perspective on cybersecurity.
1. Cybersecurity is a business issue, not an IT issue
One of the clearest changes in the Cybersecurity Act is that cybersecurity is linked to the organization’s ability to function, not just to technical systems. The focus is on continuity, delivery capability, and trust.
This means that more functions than just IT are involved. Cybersecurity needs to be integrated into regular governance and priorities. Risks must also be linked to business-critical processes, not just technology. For many organizations, this requires a new way of talking about cybersecurity internally in terms that are understandable and relevant across the organization.
2. Management and board responsibility for cybersecurity
Under the Cybersecurity Act, ultimate responsibility lies with the organization’s management. Even if operational tasks can be delegated, overall responsibility cannot be abdicated.
In practice, this means that management and the board are expected to have a fundamental understanding of the organization’s cyber risks. Leaders need to be able to make informed decisions about priorities and have the resources and capability to follow up on work over time.
3. Proactive risk work according to the Cybersecurity Act
In the Cybersecurity Act, risk management and incident handling are closely linked. This should not be done on an ad hoc basis but carefully prepared. The law requires systematic and recurring risk work, with established processes for incident management. Companies also need clear reporting, documentation, and follow-up tied to this.
Working proactively with risk means not only being able to react when something happens but being able to show how the organization works before, during, and after an incident. This includes being able to demonstrate how lessons learned from incidents are applied.
In the article Smart priorities for succeeding with NIS2, we discuss the key challenges, the need to prioritise despite limited resources, and the importance of working smarter. Another recommendation is to explore our survival roadmap in the article Prepare your organisation for NIS2 – a practical roadmap.
4. Supplier perspective – central to the Cybersecurity Act
The Cybersecurity Act assumes that organizations are part of a larger ecosystem. The supplier perspective is a key part of the new regulatory framework, and that ecosystem includes, for example, IT partners and other external actors.
In concrete terms, this means that third-party risks must be identified and followed up, dependencies become part of the overall risk picture, and requirements and expectations on suppliers must be clear.
5. Continuity and long-term approach instead of one-off actions
Perhaps the most important principle in the Cybersecurity Act is that compliance is not assessed at a single point in time. The organization’s capability over time is what matters.
This means that continuity weighs more heavily than individual measures. Structure, traceability, and follow-up become crucial. Documentation serves as support for governance, not an end in itself.
If you see the law as a checklist, you risk missing the point. Instead, it’s about a long-term way of working. Only then can you be prepared for supervision and events when they occur.
Cybersecurity with real resilience
The five pillars we’ve gone through show that the Cybersecurity Act is not intended as a technical regulation solely for specialists. It should be seen as a framework to strengthen organizations’ resilience in an increasingly digital and vulnerable environment.
The law clearly rewards accountability, systematic work, and the ability to follow up and improve. It’s less about perfection and more about oversight and decision-making capability.
Common pitfalls with the Cybersecurity Act
A common pitfall is that cybersecurity continues to be treated as an isolated IT issue rather than part of overall business governance. This often results in risks being identified technically but not weighed into strategic priorities and decisions.
Concrete examples include:
- Responsibility for cybersecurity being placed too far down in the organization.
- Management’s role being limited to approval rather than active follow-up.
- Work focusing on producing documents that are not implemented in practice.
- Risk management, incident handling, and supplier governance being run as separate tracks.
When work is carried out this way, the result is often isolated actions that lack context and long-term impact – contrary to the law’s intentions.
Consequences when cybersecurity fails
When cybersecurity fails, the cost of inaction (COI) is clear. The consequences are rarely limited to technical systems. Incidents often impact the organization’s ability to function as a whole and can quickly have cascading effects.
For many organizations this means not only operational disruptions but increased costs, pressure on personnel, and prolonged recovery work.
Inadequate cybersecurity can lead to:
- Interruptions in socially critical or business-critical services.
- Loss of trust among customers, partners, and stakeholders.
- Increased costs for restoration and remediation.
- Supervision measures, demands for improvements, and in some cases sanctions.
When structures for risk management, incident reporting, and follow-up are lacking, it also becomes difficult to demonstrate that the organization had control over the situation. Non-compliance with the Cybersecurity Act can lead to supervisory actions and requirements for corrective measures, in some cases combined with sanctions. This underscores the importance of being able to show how cybersecurity work is being managed.
The Cybersecurity Act as a starting point
The Cybersecurity Act is now a reality. For some organizations it is seen as yet another regulation to contend with. For others it becomes a catalyst for clearer governance, better coordination, and increased robustness. The best cybersecurity work is both long-term and structured.
Take the next step - Discover how you can structure and streamline your work with the Cybersecurity Act.