Sweden's Cybersecurity Act and ISO 9001, 27001 and 42001: what applies now?

Sweden's Cybersecurity Act (SFS 2025:1506) has been in force since 15 January 2026. Here's how it relates to ISO 27001, ISO 9001 and ISO 42001 and what it means for your organisation.

Sweden’s Cybersecurity Act (SFS 2025:1506, “cybersäkerhetslagen”) has been in force since 15 January 2026. It replaces the old NIS law and partially transposes the EU’s NIS2 Directive into Swedish law. The remaining parts are implemented through ordinances and agency regulations.

Many organisations already working with ISO standards are asking how much this actually changes. The answer depends on which standard you have and how thoroughly you’ve applied it.

What the law requires

The law applies to operators in sectors such as energy, transport, healthcare, digital infrastructure, and public administration. Municipalities and regions are covered regardless of size. Government agencies are covered if they make decisions affecting cross-border movement of persons, goods, services, or capital, or if the government specifically designates them. For private actors, the threshold is generally medium-sized enterprises and above.

Obligations under Chapter 2, Section 3 are divided into ten areas that all operators must address:

  1. Strategies for risk analysis and network and information system security
  2. Incident management
  3. Business continuity and crisis management
  4. Supply chain security
  5. Security in acquisition, development and maintenance of network and information systems
  6. Strategies and procedures for evaluating the effectiveness of security measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Strategies and procedures for the use of cryptography and, where appropriate, encryption
  9. Personnel security, strategies for access control and asset management
  10. Where needed, use of authentication solutions, secured communications and secured emergency communication systems

The law also requires management to complete training on security measures (Chapter 2, Section 4), and significant incidents to be reported in multiple steps: an early warning within 24 hours (Chapter 2, Section 5), an incident notification within 72 hours (Chapter 2, Section 6) — or 24 hours for trust service providers — and a final report within one month (Chapter 2, Section 8).

Non-compliance? Under Chapter 4, Section 10, the maximum fine for essential private entities is 2 percent of total global annual turnover or EUR 10 million, whichever is higher. For important private entities, it’s 1.4 percent or EUR 7 million. Public entities are capped at SEK 10 million.

ISO 27001 covers most of it

ISO/IEC 27001:2022 is the standard closest to the Cybersecurity Act’s requirements. That’s no coincidence: the NIS2 Directive and ISO 27001 are built on the same fundamental information security principles.

The law requires risk analysis (point 1). ISO 27001 requires a structured risk assessment process (clause 6.1.2) and a Statement of Applicability (SoA) documenting which controls you’ve selected and why.

The law requires incident management (point 2). ISO 27001 has controls A.5.24–A.5.28 covering the full cycle: planning, reporting, assessment, and learning from incidents.

The law requires supply chain security (point 4). ISO 27001 Annex A.5.19–A.5.22 covers supplier security, from contractual requirements to follow-up and change management.

The law requires access control and personnel security (point 9). ISO 27001 A.5 and A.6 cover this systematically: background checks, separation of duties, access management.

If you have ISO 27001 and actually apply the requirements, rather than just documenting them, you’re already close. What typically remains is verifying that management reviews address the Cybersecurity Act’s requirements, and that your incident reporting procedure meets the law’s timelines: 24-hour early warning, 72-hour incident notification and final report within one month.

ISO 9001 provides the foundation

ISO 9001 is not an information security standard. But it provides the structure that makes security work actually function in practice.

The PDCA cycle (plan, do, check, act) that ISO 9001 is built on is the same logic the Cybersecurity Act requires for point 6: strategies for evaluating the effectiveness of security measures. You don’t just need to have measures; you need to check that they work and improve them.

Management responsibility under ISO 9001 clause 5 matches the law’s requirement that management complete security training (Chapter 2, Section 4) and take active responsibility. Having an IT manager who owns these questions isn’t enough. The law requires the people in management positions to understand the security measures.

Supplier management (ISO 9001 clause 8.4) supports the law’s supply chain security requirements. If you have processes for evaluating and following up suppliers for quality reasons, you can build on them for security requirements.

ISO 9001 is a solid foundation, but it doesn’t cover everything. It lacks the technical controls and the information security-specific framework that ISO 27001 provides.

ISO 42001 applies if you use AI

ISO/IEC 42001:2023, the standard for AI management systems, is relevant if your organisation uses AI systems in operations covered by the Cybersecurity Act.

The law requires supply chain security (point 4) and security in network and information system acquisition and maintenance (point 5). Purchased AI systems are network and information systems in this sense, and they carry risks that differ from traditional software: training data dependencies, unpredictable behaviour, and third-party dependencies on AI providers.

ISO 42001 clause 6.1.2 requires an AI-specific risk assessment. Annex A.10 covers third-party relationships for AI, exactly the supply chain complexity the law addresses.

The impact assessment in ISO 42001 (clause 6.1.4, Annex A.5) is also relevant for the law’s business continuity requirements (point 3): what happens if an AI system you depend on stops working or produces incorrect outputs in a crisis?

You don’t need ISO 42001 certification to comply with the Cybersecurity Act. But if you use AI systems in your operations, the framework gives you a structured way to manage risk around them, and it creates an audit trail if you’re reviewed.

What you need to do now

Depending on where you are:

You have ISO 27001: Run a gap analysis against the ten points in Chapter 2, Section 3 of the Cybersecurity Act. Verify that your incident reporting procedure meets the law’s timelines of 24 hours, 72 hours and one month. Ensure management has documented completion of security training.

You have ISO 9001 but not 27001: Information security is likely a gap. Start with a risk assessment of your information systems and consider whether ISO 27001 certification is the right path, or whether you can address the requirements another way.

You have neither 27001 nor 9001: Start by determining whether the law applies to your organisation; sector and size decide this. If you’re covered, you need structured security work relatively quickly. A management system based on ISO 27001 gives you both the structure and the evidence.

You use AI systems in the relevant operations: Take stock of which AI systems you use and assess the risks they carry. ISO 42001 provides a framework for that work.

Supervision under the Cybersecurity Act is carried out by sector-specific authorities designated by the government. Essential entities are audited proactively, important entities reactively. When audited, you want documentation showing a functioning system, not a binder you pull out the day the supervisory authority calls.


AmpliFlow supports ISO 27001, ISO 9001 and ISO 42001 in the same system. Risk assessment, Statement of Applicability, incident management, and supplier requirements are all handled in one place. Learn more about how AmpliFlow supports information security work or book a demo.
