Labs Support
EN SV
EU Directive 2022/2555 - in Sweden: Cybersäkerhetslagen (SFS 2025:1506), in force since 15 January 2026

NIS2 expanded cybersecurity requirements to thousands of companies. Are you one of them?

From critical infrastructure to manufacturing, food, and digital services. NIS2 covers more sectors, demands more, and holds management personally accountable. In Sweden, the requirements are enacted through the Cybersecurity Act (cybersäkerhetslagen).

18 sectors covered by the directive
24 hours for early warning on incidents
Personal liability for management on non-compliance
Book a demo
Self-assessment

Are you in scope for NIS2?

Answer four questions to get an initial indication, and concrete next steps regardless of the result.

Are you in scope for NIS2?

Answer four questions to get an indication.
The cascade effect

Even if you're not directly in scope, your customers are

NIS2 requires organizations to assess cybersecurity risks across their entire supply chain. That means the requirements reach you, regardless of whether you fall under the directive yourself.

1 EU adopts NIS2 with requirements for 18 sectors
2 Large companies in scope must comply
3 They must assess supply chain cybersecurity
4 You face requirements from your customers, regardless of your own NIS2 status

The supply chain doesn't stop at your door

NIS2 Article 21 requires in-scope organizations to manage cybersecurity risks in their supplier relationships. That means risk assessments, contractual requirements, and ongoing follow-up of you.

In practice: your enterprise customers will require you to show how you manage information security. Not to be difficult, but because the law demands it of them.

Swedish law

Cybersäkerhetslagen - NIS2 is now Swedish law

Since 15 January 2026, the Cybersecurity Act (cybersäkerhetslagen, SFS 2025:1506) is in force. NIS2 requirements are no longer something that is "coming" - they are Swedish legislation with Swedish supervisory authorities and Swedish penalties.

Same requirements, Swedish enforcement

The Cybersecurity Act transposes NIS2 into Swedish law. Risk management, incident reporting, and management accountability requirements remain the same, but supervision is handled by Swedish authorities coordinated by the Agency for Civil Defence (MCF).

Penalties

Essential entities: up to 2% of global annual turnover or EUR 10 million. Important entities: 1.4% or EUR 7 million. Public entities: up to SEK 10 million.

Incident reporting

Early warning within 24 hours. Incident notification within 72 hours. Final report within one month. Reports go to the supervisory authority and CERT-SE.

Management must be trained

The Cybersecurity Act requires management to undergo training on security measures. Approving measures is not enough - management must understand them.

NIS2 & ISO 27001

NIS2 and ISO 27001 overlap, and AmpliFlow supports both

If you already have an ISO 27001 framework, you're well positioned. Here's how NIS2 requirements map to ISO 27001 and where AmpliFlow helps.

NIS2 requirement ISO 27001 control AmpliFlow support
Risk management measures A.8 – Information security risk management Risk matrices with likelihood × consequence, action plans, follow-up
Incident handling A.5.24–A.5.28 – Incident management Deviation management with categorization, root cause analysis, and timelines
Supply chain security A.5.19–A.5.23 – Supplier relationships Supplier register for tracking suppliers and contact information
Business continuity A.5.29–A.5.30 – Continuity planning Pages (wiki) for continuity plans, checklists for exercises
Security awareness A.6.3 – Awareness and training Competence matrices and training planning
Encryption and access control A.8.24 – Encryption, A.5.15 – Access control Pages (wiki) for documented policies and procedures
What you need in place

Four areas NIS2 demands, and AmpliFlow supports

Organizational governance, not technical tools. AmpliFlow handles processes and documentation, not firewalls or intrusion detection.

Risk management

NIS2 requires you to identify, assess, and manage cybersecurity risks. Not as a one-off project, but continuously, with documented decisions.

Risk matrices in AmpliFlow

Incident handling

Early warning to supervisory authority within 24 hours. Incident notification within 72 hours. Final report within one month. Without a workflow, you will miss the deadlines.

Deviation management in AmpliFlow

Supply chain security

You are responsible for ensuring your suppliers are not a weak link. This requires risk assessment, contractual requirements, and ongoing follow-up.

Supplier register in AmpliFlow

Business continuity

Plans to maintain critical services during cyber incidents. Tested, documented, and updated.

Pages and checklists in AmpliFlow
Book a demo
Board accountability

NIS2 and the Cybersecurity Act make cybersecurity a board issue

Article 20 of NIS2 is clear: management bodies must approve risk management measures, oversee implementation, and can be held personally liable for non-compliance.

What this means in practice

Management can no longer delegate cybersecurity responsibility to the IT department and hope for the best. NIS2 requires management to actively participate in risk management decisions and to have these decisions documented.

In case of non-compliance, individual board members can be held personally liable, with potential fines and temporary bans from exercising management functions.

AmpliFlow gives management oversight and documentation

  • Risk assessments that management can review, with traceability on decisions and responsible persons
  • Audit plans showing cybersecurity measures are followed up systematically
  • Incident history documenting how the organization handled security events
  • Complete compliance overview: policies, measures, and responsible persons in one place
FAQ

Questions about NIS2 and AmpliFlow

What is the NIS2 Directive?
NIS2 (EU Directive 2022/2555) is the EU's updated directive for cybersecurity. It expands the original NIS Directive to more sectors, places higher requirements on risk management and incident reporting, and introduces personal accountability for management bodies. For the financial sector, DORA acts as lex specialis: DORA requirements take precedence over NIS2 where they overlap.
Who does NIS2 apply to?
NIS2 covers "essential" and "important" entities in sectors including energy, transport, healthcare, water supply, digital infrastructure, banking, manufacturing, food, chemicals, waste management, postal services, digital services, and public administration. Size criteria determine whether you are classified as essential or important.
What is the difference between essential and important entities?
Essential entities operate in sectors such as energy, transport, health, drinking water, digital infrastructure, and banking. They face stricter supervision and higher fines (up to EUR 10 million or 2% of turnover). Important entities cover sectors like manufacturing, food, chemicals, postal services, and digital services. They face lower fines (up to EUR 7 million or 1.4%) and reactive rather than proactive supervision. Size also matters: medium enterprises (50+ employees) are normally classified as important, while large enterprises (250+ employees) in the same sector are classified as essential. Some entities are essential regardless of size, such as qualified trust service providers and DNS providers.
How does NIS2 relate to ISO 27001?
ISO 27001 provides a structured framework for information security that overlaps with many NIS2 requirements. An ISO 27001 certification covers risk management, policies, and security measures. However, NIS2 places additional requirements on incident reporting to authorities within specific timeframes and on supply chain security.
What are the penalties for non-compliance?
Essential entities face fines of up to €10 million or 2% of global annual turnover. Important entities face up to €7 million or 1.4%. Beyond fines, management bodies can be held personally liable.
How does AmpliFlow support NIS2 compliance?
AmpliFlow handles organizational governance: risk assessment via risk matrices, incident management through the deviation process, pages (wiki) for policies and procedures, supplier register for contact information, audit planning, and competence tracking. AmpliFlow does not replace technical security solutions like firewalls or SIEM systems.
We're not directly in scope. Should we care?
Most likely yes. Organizations covered by NIS2 must assess cybersecurity risks in their supply chain. If you are a supplier to a NIS2 organization, they will impose information security requirements on you, regardless of whether you fall under the directive yourself.
What is the Cybersecurity Act (cybersäkerhetslagen)?
The Cybersecurity Act (cybersäkerhetslagen, SFS 2025:1506) is the Swedish national law that transposes the NIS2 Directive. It entered into force on 15 January 2026, replacing the previous Act on Information Security for Essential Services (SFS 2018:1174). The requirements for risk management, incident reporting, and management accountability are largely the same as NIS2, but supervision is conducted by Swedish authorities coordinated by the Agency for Civil Defence (MCF).
Related

Explore more

ISO 27001

International standard for information security

Risk Management

Risk matrices and risk assessments in AmpliFlow

Deviation Management

Manage incidents and deviations

Supplier Register

Supplier register and contact information

Cyber Resilience Act

EU regulation for cybersecurity in products

DORA

Digital operational resilience for financial sector

Want to see how AmpliFlow supports NIS2 and Cybersecurity Act compliance?

Book a demo and we'll show you how risk management, incident reporting, and document control work in practice. We tailor the demonstration to your situation.