
January 2, 2024

NIS2 in Sweden: What the Banking and Finance Sector Needs to Know

The NIS2 Directive is a comprehensive update of the EU's cybersecurity legislation, intended to raise the level of protection of critical infrastructure against cyber threats. The directive tightens the requirements on risk management, incident reporting and management responsibility, and the banking and finance sector is listed among the sectors of high criticality.

In this article we go through what NIS2 means in practice, who is covered in Sweden, and what banks and financial institutions need to focus on to stay compliant.

What is NIS2?

NIS2 (Directive (EU) 2022/2555) is the successor to the original NIS Directive from 2016. It formally entered into force in the EU in January 2023, and member states were required to implement it in national law by October 17, 2024.

Compared to the original NIS Directive, NIS2 is significantly broader in scope. More sectors are covered, more entities are classified as "essential" or "important", and the requirements on security measures, reporting and supervision are clearer and more harmonized across the EU.

Implementation in Sweden

Sweden missed the EU deadline of October 17, 2024 for transposing the directive into national law. The implementation was handled in the government bill 2024/25:39 "Implementation of the NIS2 and CER Directives", and the new cybersecurity act and act on the resilience of critical entities have been adopted by the Riksdag.

This means that earlier discussions about "upcoming legislation" are now outdated – the framework is in place. Supervisory responsibility for the financial sector lies with Finansinspektionen, which is also the supervisory authority under DORA (the Digital Operational Resilience Act), which applies in parallel for the finance sector.

What NIS2 Means for the Banking and Finance Sector

The banking and finance sector is identified as a sector of "high criticality" under the directive. For banks, payment institutions, investment firms and other financial entities, this brings requirements in the following areas:

  • Risk management. The business must have a documented, risk-based cybersecurity strategy that covers, among other things, access control, encryption, backup, incident handling and supplier risks.
  • Incident reporting. Significant incidents must be reported to the supervisory authority (or the CSIRT) in several steps: an early warning within 24 hours of becoming aware of the incident, a more detailed incident notification within 72 hours, and a final report within one month. The authority may also request intermediate status updates in between.
  • Management responsibility. The management body must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements. Members of the management body must also undergo cybersecurity training, and the entity is expected to offer similar training to its employees on a regular basis.
  • Supply chain. Risk management must extend to third-party suppliers and the entire supply chain – especially important for financial entities that often rely on cloud services and fintech providers.
  • Sanctions. In case of non-compliance, the supervisory authority can impose administrative fines on essential entities of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is EUR 7 million or 1.4% of turnover. Most banks fall into the essential category.

How DORA and NIS2 Fit Together

The finance sector is also subject to DORA, the EU's Digital Operational Resilience Act (Regulation (EU) 2022/2554), which applies from January 17, 2025. DORA is lex specialis to NIS2 for financial entities: where a sector-specific EU act imposes requirements of at least equivalent effect, NIS2's own provisions on risk management and incident reporting do not apply, so DORA's more detailed rules take precedence in the areas where the two overlap.

In practice, banks and financial institutions manage ICT risk and report major ICT-related incidents under DORA, while NIS2's broader framework fills in where DORA does not provide specific requirements. Both frameworks essentially require the same things: documented, risk-based management of ICT and cybersecurity risk, clear management responsibility, oversight of third-party providers, and structured incident reporting on tight deadlines.

What Should Financial Institutions Do Now?

Many small and medium-sized financial institutions still have work to do to be fully compliant. Concrete next steps:

  1. Run a gap analysis. Which NIS2 and DORA requirements do you already meet, and what is missing?
  2. Classify your suppliers. Which are critical? Are there contractual clauses for security, incident reporting and audit?
  3. Ensure reporting capability. Can you deliver an early warning or initial incident notification within 24 hours, including outside office hours? Who is responsible, who decides whether an incident is "significant" (NIS2) or "major" (DORA), and is the procedure documented and rehearsed?
  4. Anchor with management. Make sure the board and management understand their personal responsibility and have completed relevant training.

Keeros' Role

At Keeros we follow the developments around NIS2 and DORA closely and continuously adapt our platform to meet the requirements placed on financial entities. We work actively with our customers to make sure our platform supports their compliance work – from access control and logging to incident handling and supplier documentation.

For further reading we recommend ENISA's official resources at enisa.europa.eu.