Sweden’s NIS2 Enforcement Is Live: MCF’s €10M Penalty Ladder, Named Public Sanctions, and the Management Ban Step Most Organisations Miss
Sweden was among the last EU member states to transpose the NIS2 Directive into national law. The Cybersäkerhetslagen (SFS 2025:1506) entered into force on 15 January 2026 — fifteen months after the EU’s October 2024 transposition deadline. The European Commission had already issued a formal infringement opinion in May 2025.
The delay does not mean a soft landing. The registration deadline for entities in scope passed on 16 February 2026. MCF (Myndigheten för civilt försvar — the authority formerly known as MSB) is now actively coordinating enforcement, and seven sector-specific authorities hold live supervisory mandates over their industries.
What most compliance briefings skip is how the enforcement mechanism actually escalates. The Cybersäkerhetslagen creates a four-step ladder: from a formal remark that enters your supervisory record, through a supervisory order that can require you to publicly disclose your own non-compliance, to administrative fines reaching €10 million or 2% of global turnover, and finally a court-ordered ban on your CEO or legal representative exercising management functions. This guide maps each step, identifies which authority supervises your sector, and explains why the named-and-public mechanism is the enforcement step most organisations have not planned for.
Who Must Comply Under Sweden’s Cybersäkerhetslagen
The Cybersäkerhetslagen covers 18 sectors — more than double the 7 sectors that fell under Sweden’s predecessor Information Security Act (2018:1174). Sweden applies a whole-entity approach: once your organisation qualifies, all of its operations are subject to the Act, not just the specific systems used to deliver regulated services.
Two classification tiers determine your maximum penalty exposure:
| Classification | Example Sectors | Maximum Administrative Fine |
|---|---|---|
| Essential Entity | Energy, transport, banking, financial markets, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space | Higher of €10,000,000 or 2% of total global annual turnover |
| Important Entity | Postal/courier, waste management, chemicals, food production, manufacturing of critical products, digital service providers (search engines, online marketplaces, social networks), research | Higher of €7,000,000 or 1.4% of total global annual turnover |
| Public Sector Body | Municipal authorities, state bodies | Maximum SEK 10,000,000 (fixed cap regardless of size) |
The NIS2 Directive’s size thresholds apply to the private sector: large enterprises (250 or more employees, or annual turnover above €50 million) in most sectors fall into the essential tier; medium enterprises (50 to 249 employees) may qualify as important. Sector competent authorities retain discretion to classify smaller operators as essential where they deliver services critical to public safety or economic stability.
Not sure whether your organisation is in scope? The applicability criteria under Sweden’s Cybersäkerhetslagen mirror the NIS2 Directive’s provisions, which we cover in detail in our NIS2 scope and applicability guide.
MCF and Sweden’s Decentralised Supervision Model
On 1 January 2026, the Swedish Civil Contingencies Agency — MSB (Myndigheten för samhällsskydd och beredskap) — was renamed Myndigheten för civilt försvar (MCF). All cybersecurity responsibilities transferred intact. If your organisation built compliance processes around the MSB name, those now sit with MCF; the statutory obligations did not change at the point of renaming.
MCF’s role under the Cybersäkerhetslagen is coordination and escalation, not frontline inspection. Sector-specific competent authorities carry out primary supervision. This creates two distinct relationships: your MCF relationship for registration and cross-border liaison, and a sector authority relationship for compliance auditing and enforcement.
| Sector | Competent Authority |
|---|---|
| Energy | Energimyndigheten (Swedish Energy Agency) |
| Transport | Transportstyrelsen |
| Banking and financial markets | Finansinspektionen |
| Health and social care | IVO (Health and Social Care Inspectorate) |
| Drinking water | Livsmedelsverket |
| Digital infrastructure and digital service providers | PTS (Post and Telecom Authority) |
| Public administration | Länsstyrelser (County Administrative Boards) |
The enforcement philosophy differs by entity tier. Essential entities fall under Article 32 of the NIS2 Directive and are subject to proactive supervision: sector authorities may conduct on-site inspections, request security audits, demand documentation access, and issue compliance requirements without waiting for an incident to occur. Important entities fall under Article 33 and face primarily reactive oversight, with supervision typically triggered by a reported incident or a third-party complaint. An essential entity in energy, banking, or healthcare should plan for periodic audit cycles; an important entity in manufacturing is more likely to encounter enforcement only after a breach surfaces.
MCF also acts as Sweden’s single point of contact to ENISA and the NIS Cooperation Group, coordinating cross-border incident notifications. For a full explanation of how supervisory jurisdiction is allocated when your organisation operates in multiple EU member states, see our Article 26 jurisdiction guide.
Sweden’s Four-Step Penalty Escalation: From Formal Remark to €10M Fine
The Cybersäkerhetslagen structures enforcement as a progressive ladder. Supervisory authorities work through steps proportionately, though they retain discretion to apply financial penalties or seek a management ban directly when the severity of non-compliance justifies it.
Step 1: Anmärkning — Formal Remark
A formal remark (anmärkning) is a written reprimand that enters the organisation’s supervisory record. It signals that a compliance gap has been identified and documented. Remarks are proportionate to minor or first-time deficiencies and carry no direct financial consequence on their own. Their significance is structural: they establish the documented non-compliance baseline that makes subsequent penalties more likely, and that supervisory authorities consider when calculating proportionality at later stages.
Step 2: Föreläggande — Supervisory Order with Mandatory Disclosure
A supervisory order (föreläggande) requires the organisation to take specific corrective action within a defined timeframe. This is where Sweden’s enforcement model diverges from what most compliance officers expect: the föreläggande can include an obligation to publicly disclose the non-compliance — a naming-and-shaming mechanism built into the order itself, not reserved for a later stage.
Mandatory disclosure means non-compliance becomes a public record before any financial penalty is applied. For organisations in financial services or healthcare, where client trust is operationally critical, a public supervisory order carries reputational cost independent of the fine that follows. Under Article 32(4) of the NIS2 Directive, supervisory orders may also include binding remediation instructions, cease-and-desist requirements, and directions to notify affected service users of identified cyber threats.
Step 3: Sanktionsavgift — Administrative Fine
Administrative fines apply when the organisation fails to comply with a supervisory order, or when the underlying violation is serious enough to bypass earlier steps.
| Entity Type | Maximum Fine | Minimum Fine |
|---|---|---|
| Essential Entity | Higher of €10,000,000 or 2% of total global annual turnover | SEK 5,000 |
| Important Entity | Higher of €7,000,000 or 1.4% of total global annual turnover | SEK 5,000 |
| Public Sector Body | SEK 10,000,000 (fixed maximum) | SEK 5,000 |
Article 32(7) of the NIS2 Directive sets the proportionality factors that every sector authority must apply when calculating a fine: the severity and duration of the violation; whether it was intentional or negligent; actual or potential damage caused; the organisation’s cooperation with the supervisory authority; prior violation history; and whether the organisation had adopted recognised codes of conduct.
Sweden’s enforcement culture provides context for how these factors play out in practice. PTS has issued substantial financial sanctions under the säkerhetsskyddslagen (security protection law) — including decisions against Telenor (case 22-11253) and Telia (case 23-1722) — with proportionality assessments that weighted the extent of remediation action and the organisation’s cooperation with the supervisory process. A comparable methodology will apply under the Cybersäkerhetslagen.
Step 4: Ledningsförbud — Management Ban
If administrative sanctions fail to produce compliance, the sector authority may petition a court to prohibit the CEO or legal representative of an essential entity from exercising management functions until the identified deficiencies are remedied. This mechanism reflects Article 32(5) of the NIS2 Directive, which allows temporary suspension of certifications and court-ordered prohibitions on individuals at CEO or legal representative level. The prohibition is lifted once the organisation brings itself into compliance.
The management ban is not a theoretical backstop. Energimyndigheten’s supervisory mandate explicitly includes the power to apply to a court for a ban on holding a management position. That legal mechanism is active in Sweden’s enforcement toolbox from 15 January 2026 forward.
When Non-Compliance Becomes a Public Record: The Named-and-Public Mechanism
The föreläggande with mandatory public disclosure is the enforcement tool that most organisations have not modelled into their risk assessment. Its significance is not the financial cost — it is the timing.
The mandatory disclosure obligation attaches to the supervisory order itself. An organisation can be required to publish specific information about its non-compliance — which Article 21 security measures are absent, or that an Article 23 incident notification obligation was not met — before any fine amount is calculated. The sequence matters: disclosure comes at step two of the escalation ladder; the fine comes at step three.
For publicly listed companies, a named supervisory order can trigger market-sensitive disclosure obligations under parallel regulatory frameworks. For organisations in healthcare or banking, a public NIS2 supervision action creates regulatory exposure beyond the Cybersäkerhetslagen: Finansinspektionen and IVO maintain publicly searchable records of supervisory decisions, and a named NIS2 order will compound those records. Few organisations have modelled what a named supervisory order from their sector authority means for their existing regulatory standing.
Sweden’s broader enforcement culture offers a reliable signal of intent. Stockholm’s District Court was ordered to pay SEK 2.5 million under the säkerhetsskyddslagen after deficiencies in protective security work — a public decision. PTS enforcement decisions against Telenor and Telia under the same law are searchable public records. Sweden’s supervisory authorities do not treat enforcement decisions as confidential administrative matters. NIS2 enforcement decisions will almost certainly follow the same transparency standard.
As of mid-2026, there are no public enforcement decisions under the Cybersäkerhetslagen. The law has been in force for six months, and that absence is consistent with the time initial supervisory procedures normally take to complete. What is confirmed is that the named-and-public mechanism is written into the föreläggande framework, not reserved for a final escalation step.
Personal Liability for Management Bodies Under Article 32
The Cybersäkerhetslagen does not allow cybersecurity governance to be delegated away from the management body. Under Article 32(6) of the NIS2 Directive — which Sweden’s implementing legislation mirrors — natural persons responsible for an essential entity’s compliance may be held personally liable for breaching their duty to ensure the organisation meets its statutory obligations.
This provision works alongside the management ban mechanism at Article 32(5). The two create complementary personal accountability tracks: Article 32(5) allows supervisory authorities to seek a court order removing an individual from their management role; Article 32(6) creates the basis for direct personal liability for compliance failures at essential entities.
In practice, this means management bodies at essential entities must do two things. First, they must approve and actively oversee the organisation’s cybersecurity risk management measures — not simply delegate them. The NIS2 Directive requires management bodies to approve the security measures their entity implements and receive periodic cybersecurity training. Second, if enforcement escalates to the fine stage, the supervisory authority’s findings about governance failures form part of the proportionality record. An organisation whose board cannot demonstrate documented oversight of Article 21 measures will face a harder proportionality argument than one with an auditable management trail.
For a full breakdown of what the NIS2 Directive requires from boards and senior management specifically, including training obligations and approval documentation, see our management body and directors guide.
Sweden’s NIS2 Enforcement Timeline: What Is Already Active
| Date | Event |
|---|---|
| 17 October 2024 | EU NIS2 transposition deadline — Sweden missed this |
| 7 May 2025 | European Commission formal infringement opinion issued |
| 1 January 2026 | MSB renamed MCF; all cybersecurity responsibilities transfer intact |
| 15 January 2026 | Cybersäkerhetslagen (SFS 2025:1506) enters into force; sector authority mandates activate |
| 2 February 2026 | MCF registration portal opens |
| 16 February 2026 | Registration deadline for all in-scope entities |
| From 15 January 2026 | Incident reporting obligations under Article 23 active for essential and important entities |
Entities that failed to register by 16 February 2026 face supervisory exposure. The Cybersäkerhetslagen allows sector authorities to initiate compliance procedures against organisations that should have self-identified and registered but did not. The registration data MCF collected in February 2026 gives sector authorities their starting list of supervised entities; absence from that list is itself a supervisory signal.
No public enforcement decisions exist under the Cybersäkerhetslagen as of mid-2026. Six months falls within normal timeframes for supervisory procedures to complete their initial stages. What sector authorities have confirmed is that their mandates are operational: Energimyndigheten’s NIS2 supervisory function is active, PTS’s mandate over digital infrastructure and telecom entities is live, and Finansinspektionen’s integration of NIS2 obligations into its existing supervisory framework is underway.
Incident reporting obligations are active immediately and independently of broader compliance status. Significant incidents must reach the relevant sector authority within 24 hours (early warning) and 72 hours (detailed notification). Organisations that experience a qualifying incident without an operational reporting chain face enforcement risk separate from any Article 21 compliance gaps. For a full breakdown of incident notification timelines and thresholds, see our Article 23 incident notification guide.
Five Steps Before MCF’s First Supervisory Round
- Confirm your entity classification. Determine whether your organisation is essential or important under the Cybersäkerhetslagen using the NIS2 Directive’s sector and size criteria. Your classification determines which sector authority supervises you and your maximum fine exposure at each escalation step.
- Verify your MCF registration. Entities that registered in February 2026 should confirm that all required data fields are accurate and current. Changes to the registered information must be notified within 14 days of the change occurring.
- Map your Article 21(2) measure status. For each of the 10 security domains under Article 21(2)(a)–(j), document whether your current controls are absent, partial, or implemented. Identifying gaps before your sector authority does is the practical difference between a remark and a supervisory order.
- Establish incident reporting procedures. The 24-hour early warning and 72-hour detailed notification timelines under Article 23 require pre-existing reporting chains. Assign ownership, test the process, and ensure the relevant sector authority contact is documented before an incident occurs.
- Build a governance trail for management. Your management body needs to demonstrate active cybersecurity oversight to withstand the proportionality analysis at the fine stage. Document management approval of security measures, maintain training records, and create an auditable chain from CISO to board.
Organisations looking for additional context on how similar enforcement frameworks operate in neighbouring jurisdictions can compare Sweden’s approach with Germany’s NIS2 penalties and enforcement regime and the French ANSSI enforcement framework.
Conclusion
Sweden’s late NIS2 transposition created a 15-month legal gap that closed in January 2026. The Cybersäkerhetslagen’s enforcement framework is now operational: four escalation steps from formal remark to management ban, seven sector authorities with active supervisory mandates, and MCF coordinating the national picture.
The most practically significant enforcement insight is not the financial penalty ceiling. It is the mandatory disclosure mechanism embedded in the supervisory order step — the point at which non-compliance becomes a public record before any fine is calculated. Planning for that step, not just the fine, is the correct risk framing for organisations operating under Sweden’s Cybersäkerhetslagen.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- Cybersäkerhetslagen SFS 2025:1506 — MCF Authority and Nordic Framework 2026 (Resiliently.ai)
- New Cybersecurity Act — Implementation of NIS2 in Swedish Law (Advokatfirman Lindahl)
- NIS2 Directive Article 34 — Administrative Fines (NIS2 Directive 2022/2555)
- NIS2 Directive Article 32 — Supervisory and Enforcement Measures (NIS2 Directive 2022/2555)
- NIS2 Directive Regulations and Implementation in Sweden (Copla)
- Cybersecurity 2026 — Sweden (Chambers and Partners)
- Sanktionsavgifter (Sanction Decisions) (PTS — Post and Telecom Authority)
- Cybersecurity Act (NIS2) (Energimyndigheten — Swedish Energy Agency)
- A New Cyber Security Law — The Swedish Approach to the NIS2 Directive (Setterwalls)
