FIREWALL FRIDAY! Today’s Topic: Tougher Cybersecurity Legislation

October 3, 2025

Everyone needs to stay informed – and more than that. New cybersecurity legislation is on the horizon. On January 15, 2026, the EU’s NIS2 Directive will enter into force in Sweden. It differs from its predecessor, NIS, in several ways. Among other things, it sets clearer requirements for risk analyses and security measures. More organizations than before will be included.

The EU, which concluded that the original NIS directive was too weak, now wants to see greater resilience in essential services and a high common level of cybersecurity throughout the union. NIS2 comes in a package together with another regulation, the CER Directive, which aims to protect critical infrastructure. The idea is that they should complement each other to strengthen Sweden’s and the EU’s collective security.

We spoke with Mats Larsson, IUC Syd, and Johanna Cederström, Ideon Science Park, who both represent a cybersecurity initiative funded by Region Skåne. The purpose of the ongoing project is to help small and medium-sized companies strengthen their cybersecurity and digital resilience.

“The new, powerful regulations make it clear that cybersecurity must be handled systematically,” says Johanna. “The regulations are business-supportive. Companies need to maintain operations – and the market demands it.”

Many companies will be affected. The legislation applies to 18 sectors of essential services.

“If you are covered and plan to buy security services, you must buy them from suppliers who also meet the same security requirements,” Johanna points out.

Mats represents IUC Syd’s member companies, which are industrial firms:

“Our members are typically manufacturers and product owners. They sell to end customers, such as machinery manufacturers, for various purposes. Most are subcontractors. Our members can, for example, be mechanical workshops or plastics companies.”

Most will be affected by the new rules. A large part of business life consists of subcontractors to major system suppliers such as Tetra Pak:

“Behind the big companies are component suppliers. They produce the different parts that are then assembled by the large customers. Each system, each product, is completely dependent on subcontractors being able to deliver,” says Mats. “That’s a vulnerability. Another challenge is that suppliers handle sensitive customer information in their systems.”


The risks of not working systematically with cybersecurity

Failing to work systematically with cybersecurity means facing two major risks:

  1. A key supplier may become unable to deliver due to a cyberattack – machines could be knocked out, or design data lost.
  2. Sensitive values and information could be leaked or spread.

“There are threats throughout the supply chain,” says Mats. “And many of our members produce equipment that is essential to society.”


Meeting requirements to keep delivering

If you want to be sure of continuing to deliver to your major customers, you must now have started – or strengthened, and above all systematized – your digital security work.

“The previous legislation, NIS, essentially had the same purpose,” says Johanna. “But it soon became clear it was not enough – it was too soft. Especially in how it defined things.”

For example, organizations were expected to designate themselves.

“NIS gave uneven results and not what was expected. It didn’t create the common baseline that cybersecurity requires.”

With NIS2, the EU has taken a new approach.

“It will no longer be possible to ‘just’ buy security services from other companies or outsource the entire IT environment,” says Johanna. “You are required to own the issue and take direct responsibility.”

This means carefully analyzing your own business. What happens if we fail to deliver? How does it affect others?

“The analyses cannot be outsourced. Companies must have their own process and ongoing security work,” says Johanna.


Different scenarios, same systematic approach

During the project, Mats has interviewed more than fifteen member companies.

“The common denominator,” says Mats, “is that they are relatively profitable. Those we spoke to have both the incentive and the ability to protect their operations. They also have the resources to do so.”

Examples:

  • One company preparing for an IPO on Nasdaq needed airtight cybersecurity. They wanted to build competence in-house to be able to demonstrate this to investors and other key stakeholders.
  • Suppliers to the automotive industry with highly automated machine parks – including robots connected to the internet – wanted to build this digital competence.
  • A smaller company had outsourced its security to third-party providers but concluded they still needed to build their own core competence and understanding of the threats they face.

“Unlike the previous legislation, NIS, NIS2 clearly states that cybersecurity must be governed from the company’s top management,” says Johanna. “Leadership cannot be outsourced and it cannot be negotiated away. That’s the very first requirement in the new law. To underscore the importance, penalties are linked to non-compliance.”

If management fails to take responsibility for security, companies risk losing a share of their annual turnover. Leaders who don’t meet the requirements may even be disqualified from holding management positions.

The conclusion is that it is risky not to comply with NIS2.

“If you don’t govern cybersecurity, you can lose the right to govern companies altogether,” Johanna concludes.


Get help: This is what we can offer

We help you build basic competence within your own organization.

  • Ongoing cybersecurity seminars during autumn 2025.
  • A pilot training program for company management on how to govern security work.
  • In-depth NIS2 webinars throughout the fall.

To see if your company can join the pilot training, get in touch! Your company should be highly digitalized.


CYBERSECURITY

Since early 2025, IUC Syd and Ideon Science Park have been running a cybersecurity initiative funded by Region Skåne, aimed at SMEs. Together, we represent the project Cybersecurity in Skåne:

Mats Larsson, IUC Syd
Mats has worked as a consultant in business development, project management, and change management since 1990, and has also worked with IT development since 1995.

“Cybersecurity is fairly new to me, but it’s an exciting and important field.”

Johanna Cederström, Ideon Science Park
While Mats is the expert on SMEs and their conditions, Johanna is a business consultant with experience from large corporations, groups, and the public sector. She is also an expert in cybersecurity and systematic implementation in practice.

Published in Blog posts
