Does your organisation fall under the Cybersecurity Act?

Most organisations that come to Hybridity have already established that they are subject to the Cybersecurity Act. The next question is how to put that into practice — without building parallel processes, spreadsheets, and manual follow-up.

But because the question of scope is still unclear for many, and because it directly affects how you design your system support, we cover the basics here.

The Cybersecurity Act came into force on 15 January 2026 and is the Swedish implementation of the EU's NIS2 Directive. It sets concrete requirements for risk management, incident reporting, and management responsibility for thousands of Swedish organisations. If you are uncertain about your specific legal situation, contact NCSC or a legal adviser.

Two questions that determine most cases

In most cases, two questions are sufficient:

1. Does your organisation operate within any of the 18 designated sectors?

The Cybersecurity Act applies to organisations in the following sectors:

  • Energy — electricity, gas, district heating
  • Transport — aviation, rail, maritime, road
  • Health and medical care — hospitals, laboratories
  • Finance — banks, financial market infrastructure
  • Drinking water — suppliers and distributors
  • Wastewater — treatment facilities
  • Digital infrastructure — data centres, DNS, cloud services
  • ICT services — managed service providers
  • Public administration — national and regional authorities
  • Space — ground-based infrastructure
  • Post and courier — postal operators
  • Waste management — collection and treatment
  • Chemicals — manufacturing and distribution
  • Food — production, processing, distribution
  • Manufacturing — medical devices, electronics, machinery, vehicles
  • Digital services — marketplaces, search engines, social platforms
  • Research — research organisations

2. Are you a medium-sized or larger organisation?

As a general rule, the law applies if you have at least 50 employees or an annual turnover exceeding 10 million euros. If you fall below that threshold, you are in most cases exempt.

The exception that often surprises

A common follow-up question in our client conversations is: "We are a small company, can we relax?" Not necessarily.

Certain organisations are covered regardless of size. This includes providers of critical digital infrastructure, certain DNS services, and domain name registrars. If you are a small operator but play a systemically critical role in your sector, the size threshold is not an automatic exemption.

Why scope matters for your system support

This is the part that rarely features in regulatory guidance but is central when you start thinking about implementation.

How your organisation is classified under the Cybersecurity Act — as an essential or important entity — directly affects which requirements apply, and therefore how a compliance system needs to be configured. Essential entities face stricter requirements for incident reporting and supervision. Important entities have slightly more flexibility but are still subject to the law's nine security areas.

This means classification is not just a legal question. It is a system question. Which workflows need to be automated? Which roles in the organisation need access to what? How should deviations be escalated? The answers differ depending on how you are classified.

The registration requirement: what applies now?

If you are subject to the law, there is a registration obligation. NCSC opened its registration portal on 2 February 2026. NCSC has not yet communicated clearly what applies to organisations that missed the initial registration window. That is a question we recommend raising directly with NCSC.

What registration does not resolve is the actual compliance work. Knowing that you are subject to the law is step one. Having a system that continuously tracks requirements, deadlines, and measures is step two — and that work should begin in parallel with registration, not after.

Are you subject to the law and are starting to think about system support?

Hy5 is Hybridity's compliance system that puts the requirements of the Cybersecurity Act into practice across the entire organisation — from management to operational level. The system handles mapping, follow-up, and incident management without requiring parallel processes or manual administration.

Book a demo

Hy5 can drastically increase the efficiency and precision of compliance work.

NIS2 compliance solutions