€10M or 2% of Global Turnover
The ceiling for essential entities, whichever is higher. Fines are set per infringement of Article 21 or 23. Important entities face up to €7M or 1.4%.
NIS2 covers energy, transport, health, digital infrastructure, manufacturing, public administration and any IT supplier to them. Your board now carries personal liability for getting this wrong.
From incident handling and supply-chain security to board-level training. Every measure must be documented.
Without 24/7 detection you will miss the window. The clock starts on awareness, not on completed investigation.
Board members can be temporarily barred from holding executive roles for non-compliance.
Trusted by 100+ Swedish Kommuner, Regions and
EU-Regulated Enterprises Since 2002








Sweden’s supervisory authority, MCF (formerly MSB), holds active oversight powers from 15 January 2026. The audit programme is running now.
The ceiling for essential entities, whichever is higher. Fines are set per infringement of Article 21 or 23. Important entities face up to €7M or 1.4%.
The clock starts on awareness. An early warning within 24 hours, notification within 72 and a final report within one month.
Essential-entity boards can be temporarily barred from holding executive roles; important-entity boards face binding orders and public disclosure instead.
The fine is only part of the cost. Recovery, downtime, legal fees and reputational damage typically exceed the regulatory penalty itself. IBM Cost of a Data Breach Report 2025.
Without active 24/7 monitoring, most organisations discover breaches months after they occur, long after the 24-hour reporting deadline has passed. IBM Cost of a Data Breach Report 2025.
Three in four organisations report a competitive advantage from NIS2 compliance, winning contracts and tenders that non-compliant competitors lose. CyberSmart NIS2 Research 2026.
Read through these. If three or more describe your organisation today, you have material gaps that the supervisory authority can act on right now.
Your last security incident was discovered through a customer complaint, an external report, or by chance, not by your own monitoring.
Article 21(2)(b) requires active detection capability. Reactive discovery means the 24-hour reporting window is already gone before you start counting.
You have a list of IT vendors. You do not have documented security assessments attached to each one.
Article 21(2)(d) requires every third-party ICT vendor relationship to be assessed, documented and kept current. A spreadsheet of supplier names does not satisfy this.
Your board members have not completed cybersecurity training, or there is no record that they have.
Article 20 imposes a personal training obligation. Forwarding a policy document does not count. Completion must be documented and provable.
You are not certain whether you are classified as an essential or important entity.
Classification determines your fine ceiling, your supervision model and which obligations apply. Not knowing means you cannot know your compliance status.
You have a firewall and antivirus. You do not have a documented incident response plan that covers the Article 23 reporting cascade.
Having security tools is not the same as having a tested process that generates the notifications and evidence regulators expect to receive.
Every Article 21 obligation, and the eBuilder Security service that satisfies it directly.
Documented policies for risk assessment, reviewed regularly and demonstrably effective.
Active detection. Early warning within 24 hours, full report within 72 hours, final report within one month.
Backup management, disaster-recovery plans and crisis-management documentation.
Assessment of every third-party ICT vendor, documented and kept current.
Security embedded in procurement, development and maintenance.
Regular testing and audit of cybersecurity measure performance. Regulators check this first.
A recurring programme for all staff. A one-time induction does not satisfy this obligation.
Policies on cryptography, access control and personnel security, a maintained asset inventory, and MFA where appropriate.
Boards approve, oversee and complete personal training on cybersecurity risk measures. Liability applies and can't be delegated.
Maps your current state against all ten Article 21 controls. Takes about 20 minutes. The output is board-ready.
No obligation · EU data residency · Results reviewed in a 30-minute call.
See where you stand on Articles 20 and 21, scored in plain language. The output is board-ready and reflects current MCF guidance.
No spam. EU data residency.
We are not a global firm that adapted generic content for Sweden. Cybersäkerhetslagen, MCF (formerly MSB) oversight, and Swedish public-sector requirements are what we design our services around.
See Full Article 21 CoverageHuman analysts watching every signal, every minute, every day. Logs stay in Sweden.
Industry response times average 1–24 hours. We measure ours in minutes and escalate threats fast enough to matter.
Signed Monday. MDR live Thursday. Complorer rolled out by Wednesday.
Cybersecurity practice within eBuilder, a Swedish enterprise-software company operating since 2002.
Independently audited and certified to the ISO 27001 information-security standard for our SOC.
All services mapped to NIS2 Article 21 risk-management measures.
Human-led monitoring, secure data handling and infrastructure aligned with GDPR and Schrems II requirements.
Real questions a board or IT lead asks before engaging on NIS2, answered in two to three sentences.
The Cybersecurity Act (Cybersäkerhetslagen) is Sweden’s legal instrument that transposes the EU NIS2 Directive into domestic legislation, effective 15 January 2026. NIS2 sets the EU framework; the national act specifies supervision and enforcement in Sweden, with MCF (formerly MSB) as the primary supervisory body.
Possibly. Size thresholds apply: essential entities require 250+ employees or €50M+ revenue; important entities require 50+ employees or €10M+. However, the supervisory authority can designate smaller organisations in scope if they perform a critical function. Do not assume size exempts you without verifying the function your organisation performs. The gap score includes a scope determination.
Yes. If you provide ICT services to an in-scope entity, you can be designated as an important entity under Article 21(2)(d) supply-chain obligations. Your municipal customer must assess and document every vendor relationship, including yours. This is the most common route that IT suppliers enter NIS2 scope without initially realising it.
Essential and important entities must self-register with MCF (formerly MSB) under the Cybersecurity Act. Registration requires your entity classification, your sector, and the services you provide within scope. eBuilder’s CISO Advisory service guides you through the process, including annual reporting obligations.
ISO 27001 covers approximately 70–80% of NIS2 Article 21 requirements, the strongest foundation you can have. However, NIS2 adds obligations ISO 27001 does not explicitly require: 24-hour incident reporting, specific supply-chain documentation, and mandatory board training under Article 20. A targeted gap analysis identifies exactly what remains. The gap score for ISO 27001-certified organisations typically takes one week to review.
Late or absent incident reporting is itself a compliance failure subject to separate administrative sanctions, independent of the underlying incident. Article 21(2)(b) requires an early warning within 24 hours, a notification within 72 hours, and a final report within one month. eBuilder’s SOC generates the documentation needed to meet all three deadlines.
Three obligations: approve cybersecurity risk-management measures, not just be informed of them; oversee their implementation on an ongoing basis; and personally complete cybersecurity training. The training obligation is individual and cannot be delegated. Board members who cannot produce completion records cannot credibly claim they fulfilled their Article 20 obligations.
Article 21(2)(d) requires every third-party ICT vendor relationship to be risk-assessed, documented and kept current: cloud providers, software vendors, managed service providers, and any supplier with access to your network or data. Contracts must include security requirements, incident-notification obligations, and audit rights. eBuilder’s CISO Advisory builds and maintains this vendor register.
Yes, though the sanction differs by entity type. Under Article 20, management bodies at both essential and important entities are directly responsible for approving and overseeing cybersecurity risk-management measures. For essential entities specifically, national authorities can impose a temporary ban on individuals from holding management positions (Art. 32(5)); important entities instead face binding compliance orders and public disclosure of the infringement. Board members who have not received training cannot credibly demonstrate they fulfilled their Article 20 obligations, regardless of entity type.
Essential entities face proactive ex-ante supervision: MCF can audit before any incident occurs. Fine ceiling up to €10M or 2% of global annual turnover. Important entities face reactive ex-post supervision, triggered after a reported incident. Fine ceiling up to €7M or 1.4% of global annual turnover. Both entity types must implement all ten Article 21 obligations.
Yes. Supervisory powers were activated when the Cybersecurity Act came into force on 15 January 2026. MCF (formerly MSB) can conduct proactive audits of essential entities and reactive audits triggered by an incident or complaint for important entities. The audit programme is active now, not at a future date.
Yes. NIS2 penalties apply for non-compliance with the security obligations themselves, not only when a breach occurs. Failing to implement the required measures, failing to register with MCF, or failing to maintain required documentation are all independently sanctionable. The obligation is to have the programme in place, not merely to avoid incidents.
A cybersecurity breach involving personal data triggers both NIS2 (24-hour early warning to MCF) and GDPR (72-hour notification to IMY) simultaneously: two deadlines, two authorities, one incident. DORA applies to financial entities and takes precedence over NIS2 for ICT risk in that sector. eBuilder addresses all three through a single integrated programme to avoid duplicated effort.
Not automatically. The technical security measures in NIS2 Article 21 and GDPR Article 32 overlap significantly: both require encryption, access controls, breach detection and staff training. However, GDPR adds obligations NIS2 does not cover: consent management, data-subject rights, DPO appointment and data-protection impact assessments. The technical programme eBuilder provides satisfies both regulations’ security requirements.
DORA takes precedence over NIS2 for financial entities; it is sector-specific legislation. DORA adds requirements NIS2 does not include: a Register of Information for all ICT third-party arrangements, TLPT every three years for significant entities, and EBA-aligned incident-classification thresholds. Our CISO Advisory service addresses both through a combined programme.
Most organisations with a mature IT baseline reach demonstrable compliance within 3–6 months. Our process starts with a gap assessment (2–3 weeks), followed by a prioritised remediation roadmap. Services like 24/7 SOC monitoring can be activated within days and immediately satisfy Article 21(2)(b) and (f) obligations. The gap score tells you your specific starting point before you commit to anything.
Our gap assessment takes 2–3 weeks and produces a scored report against all ten Article 21 controls, a prioritised remediation roadmap, and a summary formatted for board distribution. It maps your current state honestly, including what you already have covered, so the remediation plan is proportionate and efficient, not a full rebuild.
Yes, this is the most common deployment model. eBuilder’s MDR/SOC extends your existing team’s capability rather than replacing it. We integrate with your current tooling, provide the 24/7 coverage your team cannot sustain alone, and hand back enriched alerts with documented context. Your team stays in control; we provide the always-on layer Article 21 requires.
Book a free 30-minute compliance briefing with a Sweden-based advisor. We will tell you exactly where you stand and what needs to be done, with no obligation.
Book a 30-Minute Security Briefing