In January 2026, the Swedish Cybersecurity Act (Cybersäkerhetslagen) is expected to come into effect, aligning national legislation with NIS2, the updated EU-wide cybersecurity regulation.
Reversec has been at the forefront of helping organizations across the Nordics prepare for this shift. Our unique expertise in offensive-driven security and international security frameworks like ISO 27001 and ISO/IEC 62443 has made it easier for organizations to turn complex requirements into effective security programs.
We also heavily contributed to implementing the Finnish NIS2 law, including participating in advisory hearings with the Finnish Parliament, commenting on the draft legislation, and serving as a key member of a working group that formulated implementation guidance for the Finnish industry.
Key requirements of the Swedish Cybersecurity Act
- Expanded scope – Now applies to 18 sectors, including ICT, manufacturing, and shipping businesses with at least 50 employees or an annual turnover exceeding €10 million.
- Executive accountability – Leadership must undergo cybersecurity training and may be held accountable for non-compliance.
- Stricter incident reporting requirements – Significant incidents must be reported within 24 hours of becoming aware, with a formal incident notification submitted within 72 hours.
- Enhanced supervision and sanctions – For essential entities, the maximum administrative fine is €10 million or 2% of total worldwide annual turnover from the previous financial year.
How we can help you navigate NIS2
We can support your organization at every stage of your NIS2 and Swedish Cybersecurity Act journey, from current state analysis to implementation. Our consultants will work with you to:
- Review your existing compliance status
- Collaboratively identify cyber risks across your operations
- Build a strategic decision-making framework
- Develop a vendor management program
- Secure executive approval and guidance
- Support implementation and provide training programs

Real-world compliance stories
We have already assisted critical entities in Sweden, Denmark and Finland in navigating NIS2. These case studies demonstrate how our approach has helped organizations build resilient security programs and close compliance gaps.
1. Assessing a British multinational in Sweden
A British multinational company specializing in electrical test, measurement, and monitoring approached us to conduct a current state analysis of its security posture in relation to NIS2. The client sought a rapid yet intensive assessment to close the gap on NIS2 requirements.
Two of our senior consultants carried out an intensive five-day assessment. The project included stakeholder interviews, document analysis and comprehensive deliverables.
We conducted three structured interviews with stakeholders. Our team also reviewed organizational documents, including business continuity plans, IT policies, network configurations, asset inventories, supplier agreements and emergency response protocols.
We assessed the client’s risk management framework, examining how risks were identified and treated, and whether these processes aligned with NIS2’s requirement for systematic risk management. Supply chain security was another priority, where we reviewed vendor assessment processes and analyzed contractual security requirements and monitoring procedures.
Technical security controls were assessed, including encryption implementation and policy, the deployment of multi-factor authentication, as well as asset management and classification frameworks. We also analyzed incident response capabilities, focusing on handling procedures and reporting timelines, and their alignment with NIS2’s strict notification requirements. Finally, we reviewed access control mechanisms, privileged access management, and segregation of duties.
We proposed a three-phased implementation approach:
1 – Foundation
- Establish an ISO 27001-aligned Information Security Management System (ISMS)
- Integrate with existing ISO 9001 processes
- Complete critical vendor security assessments
2 – Control implementation
- Deploy a comprehensive risk assessment methodology
- Align incident response with NIS2 timelines
- Expand MFA coverage across critical systems
3 – Operational maturity
- Integrate internal audits with quality management
- Establish management review processes
- Implement continuous monitoring capabilities
We delivered a comprehensive report with findings, recommendations, and an implementation roadmap. An executive summary highlighted key risks and strategic priorities, while a board presentation was delivered to senior management and the CEO. The report included implementation guidance covering all ten NIS2 requirement areas with step-by-step guidance for each.
The engagement allowed the client to successfully close critical gaps across all identified NIS2 requirements, strengthen its vendor security posture, and improve its incident response capabilities to meet regulatory expectations. The engagement also laid the groundwork for potential ISO 27001 certification. By leveraging its existing ISO 9001 infrastructure, the company could accelerate implementation by 30%.
2. Enabling NIS2 compliance in telecommunications
The Danish branch of a multinational telecommunications company faced significant organizational complexity in its path toward NIS2 compliance. As part of a globally distributed enterprise, implementing a risk-based security program would require substantial investment.
We embedded a senior consultant with the company’s Governance, Risk, and Compliance organization for an eight-month engagement. Acting as a trusted advisor, the consultant provided expert-level cybersecurity input to ensure strategic and tactical alignment with NIS2 requirements and the ISO 27001 standard.
During the engagement, the consultant developed and presented strategic objectives to senior leadership and local regulatory agencies, helping to shape the company’s compliance roadmap. We drew on our broader consulting team to support the creation of policies, the development of procedures, and the building of competencies across operational domains.
The engagement resulted in the implementation of policies and procedures that aligned with both NIS2 and ISO 27001. A strategic project plan was presented to the board, CEO, and senior management, and a formal implementation roadmap was presented to regulators.
By combining dedicated advisory support with dynamic access to domain specialists, we enabled the client to rapidly close its compliance gap and meet its security program objectives.

3. Assessing a Danish electricity grid provider
An electricity grid company approached us for support in meeting the requirements of the NIS2 directive. The client needed a clear understanding of its security posture and a roadmap for improvement. We conducted an evaluation using two well-established frameworks:
- The NIST Cybersecurity Framework (CSF)
- The Cybersecurity Capability Maturity Model (C2M2) developed by the U.S. Department of Energy
This approach allowed us to assess the client’s alignment with both enterprise and industry security standards.
We delivered a prioritized roadmap that the client used to secure board-level funding to implement the necessary changes. A follow-up assessment revealed significant progress in compliance. The client demonstrated a proactive commitment to protecting its infrastructure and the surrounding society.
4. Securing the digital supply chain of a global motor vehicle manufacturer
A global motor vehicle manufacturer needed to strengthen the security of its digital supply chain to meet the upcoming requirements of the NIS2 directive. As an essential entity, the organization faced heightened regulatory expectations, including the need to apply risk management procedures across hundreds of direct suppliers.
We supported the client in implementing a program plan that aligned its risk management and governance processes with supplier procurement and management procedures. Supply chain security best practices were integrated into the client’s procurement process.
The client can address supply chain risks iteratively, assessing risks with each new contract and renewal. Using this model, we continue to support the client in conducting risk-prioritized assessments of its supplier backlog, helping to close its compliance gaps.
Why you should choose us
Our experts cut through the complexity of NIS2 with focused services like readiness assessments, risk management and governance design, threat modelling and security assurance. As an offensive-driven consultancy, we approach compliance by thinking like attackers. Our clients don’t just pass audits but build resilience against real-world threats. We offer research-based and practical solutions that go beyond documentation and empower organizations to build security that stands up to scrutiny.
NIS2 is about identifying cybersecurity risks tied to critical business operations. For many industries newly added to its scope, this is easier said than done. We bring extensive hands-on experience in helping organizations meet these requirements in a practical and effective way. We guide the identification of key business and IT processes, systems and the functionalities that empower them.
Through professionally led threat identification and modeling workshops, we enable your risk management teams to gain realistic visibility into the cybersecurity threats and risks affecting your operations, aligned with the Swedish Cybersecurity Act and NIS2 requirements. These workshops also help assess existing controls, evaluate their effectiveness, and plan for any necessary improvements. We have adapted this process, also referred to as business impact analysis, into a NIS2-compliant format.
Ready to reach NIS2 compliance?
NIS2 isn’t about completing checkbox compliance exercises. It’s about identifying and addressing the risks that matter most to your business. Book a free readiness consultation or speak with an advisor to understand what NIS2 and the Swedish Cybersecurity Act mean for your organization. Our experts will help you turn compliance into a key business enabler.