When the NIS Directive was transposed into Swedish law in 2018, we spoke of a new era for cybersecurity. In hindsight, it never became the systemic shift many had hoped for. The old regulatory framework was more technical, narrower in scope, and in practice limited to operational disruptions in the IT systems behind critical services.

Now, with the new proposed regulations arising from NIS2 and due to take effect in 2025/2026, we are facing something entirely different: a framework that fundamentally changes responsibilities, scope, and expectations.

From IT Disruption to Business Risk

The most striking change lies in the scope. Previously, only the security of the network and information systems supporting the essential service was covered. Now, the regulations apply to the organization as a whole. Cybersecurity is therefore no longer an IT issue – it is a management issue, a business issue, and ultimately a societal issue. This is particularly evident in the new requirements for management training and personal management accountability.

The number of affected entities in Sweden will increase from around 600 to nearly 1,900, including everything from municipalities to manufacturing industries and the research sector. More organizations are covered – but more importantly, the scope of responsibility has broadened.

Duty to Inform – The Major Innovation

The truly decisive difference, however, is the new obligation to inform service recipients.

Previously, incident reporting was a dialogue between the operator and the authority. Now, organizations are also required to communicate outward – to their customers, citizens, and partners.

It is no longer just about reporting to the Swedish Civil Contingencies Agency (MSB). It is about informing those affected: What happened? What does it mean for you? What do you need to do to protect yourself? In practice this requires a prepared channel and a prepared template, so that recipients get what they need to act on without the organization disclosing technical detail that is still under investigation.

Significant Incident – A Sharper Definition

The definition of what constitutes a significant incident has also been expanded.

Previously, it was sufficient that a disruption affected the continuity of a service. Under the new framework, financial consequences, impact on other actors, repeated events, and even major vulnerabilities that could lead to serious incidents are also taken into account when deciding whether an incident is significant.

This means that risk management and incident reporting merge. Preventive work becomes part of the reporting obligation: operators must be able to identify, assess, and report not only incidents that have occurred, but also events that could have significant consequences if they were to occur. How this is to be done in practice, and where the threshold lies between an ordinary vulnerability finding and a reportable one, remains to be seen.

From Speed to Proportionality

The reporting requirements have also changed – but in a sensible way.

Previously, the first notification had to be submitted within six hours. That sounded fast, but in practice it meant that reporting competed for the same people and the same hours as the crisis management itself.

Now, an initial report is required within 24 hours, followed by a more complete notification within 72 hours (the directive itself also requires a final report within one month). This is a shift from time pressure to proportionality: the first report is a brief early warning, and the detail follows once the incident is understood, so that managing the incident takes priority over documenting it.

Conclusion: From NIS to NIS2 – From Reporting to Responsibility

The difference between NIS and NIS2 is not just more regulation. It is a new way of thinking about cybersecurity.

The duty to inform recipients, the stricter definition of incidents, and the expanded scope all drive a new level of maturity across the entire ecosystem.

In summary:

  • Reporting takes a step back in urgency so that incident management can be prioritized.
  • Increased transparency simultaneously creates a risk that sensitive information may reach unauthorized parties – how do lawmakers intend to ensure that information sharing does not itself create new vulnerabilities? The practical answer for operators is to separate what recipients need in order to protect themselves from the technical detail that belongs in the report to the authority.
  • The new proposed regulations are a step in the right direction. They clarify responsibilities, broaden the definition of incidents, and strengthen both information sharing and supervision.
  • The ambition to achieve stability and reduced risk, economic efficiency, and stronger business competitiveness through improved cybersecurity is achievable under the proposed regulations – provided that implementation is backed by active management responsibility and a long-term commitment to cybersecurity.


We are now looking for beta testers for our new tool for business continuity management.
