Cybersecurity Insights & Tips Blog | Nimblr Security

The Cybersecurity Act is now in force: Here’s what to focus on

Written by Nimblr Security Awareness | Jan 22, 2026 2:18:47 PM

Sweden’s new cybersecurity law is now in effect. IT and security leaders must act on training, documentation and risk management. 

The Cybersecurity Act (2025:1506) officially came into force on January 15, 2026. This law replaces the 2018 NIS law and implements the EU NIS2 Directive. 

The impact will be felt immediately: more sectors are covered, cybersecurity requirements are stronger, and supervisory and enforcement tools have been introduced. The rules are stricter, and for IT and security teams the law marks a shift from recommended best practice to clear legal obligation.

The law applies to organizations operating in 18 critical sectors, from energy and healthcare to digital services and food production. Entities are classified as either essential or important, depending on size and societal impact. 

1. Leadership training is now mandatory 

The Cybersecurity Act introduces a new requirement: executive leadership must complete cybersecurity training.

  • This is not a suggestion; it is a legal obligation
  • Applies to all individuals in decision-making roles
  • Focuses on understanding and overseeing security measures
  • Details on scope and content will follow in upcoming regulations

Cybersecurity is now the responsibility of management too, not just the IT department. 

What to do now: 

  • Plan and schedule leadership training 
  • Ensure documentation of participation and completion 
  • Establish cybersecurity as a recurring item on management agendas 

2. Security training for staff is a legal requirement 

In addition to leadership education, the new act mandates that organizations implement basic cyber hygiene and cybersecurity training. This is one of 10 minimum areas required under the law’s technical and organizational measures. 

What this means: 

  • All employees must receive ongoing security awareness training
  • Training must be risk-based and adapted to roles and responsibilities
  • Training should include practical topics such as phishing, password management and secure communication

What to do now: 

  • Review existing training programs for staff
  • Fill gaps in content, regularity or documentation
  • Ensure training is easy to access and traceable

3. Incident reporting processes must be in place 

The law requires incident reporting in stages, each with its own deadline:

  • Within 24 hours: Early warning 
  • Within 72 hours: Formal report 
  • As requested: Status updates 
  • Within 1 month: Final report 

Organizations must also inform service recipients if an incident affects them. 

What to do now: 

  • Define what qualifies as a significant incident 
  • Map out internal roles, responsibilities and escalation paths 
  • Prepare reporting templates and response procedures 
  • Test and document your process 

4. Documentation is no longer optional 

The Cybersecurity Act requires a systematic and documented approach to security. This includes: 

  • Risk assessments
  • Security controls and their effectiveness
  • Staff and leadership training
  • Incident response procedures
  • Supply chain oversight
  • Communication routines

During inspections, documentation will be key to demonstrating compliance.

What to do now: 

  • Conduct a gap analysis based on the law’s 10 required areas 
  • Map critical systems and third-party dependencies 
  • Document existing controls and planned improvements
  • Build a central repository for policies, logs and reports 

5. The details are coming: stay ahead

The core law is already in effect, but additional regulations will be issued during spring 2026. These will clarify: 

  • What leadership training must include 
  • How often training needs to be repeated 
  • Any requirements for certifications or documentation 
  • Specifics on staff training and incident reporting 

What to do now: 

  • Follow updates from MCF and your sector’s supervisory authority 
  • Subscribe to relevant newsletters and participate in industry forums 
  • Allocate time and budget for implementation adjustments 

Summary: What IT and security leaders should focus on now 

  • Confirm whether your organization is covered by the law 
  • Launch leadership training and prepare for regulatory follow-up 
  • Review and upgrade staff training programs 
  • Establish clear, testable incident response routines 
  • Build a documentation structure to support audits and inspections 

Are you looking for a compliant training solution? 

Nimblr delivers role-based cybersecurity training for both leadership and staff, designed to support legal compliance and behavioral change. Nimblr meets the NIS2 requirements.