#nis2#compliance#pentest#security#sweden

Am I covered by NIS2? Decision guide for Swedish organizations 2026

Alexander Norman

The NIS2 directive came into force in Sweden on 1 January 2025 via the Cybersecurity Act. 27,000 Swedish organizations are now covered, many without knowing it. This guide gives you a structured checklist to determine if you're covered and what it means concretely.

TL;DR

NIS2 covers you if all of these are true:

  1. You operate in one of the 18 sectors the directive lists (energy, transport, healthcare, digital infrastructure, food, etc.)
  2. You are medium-sized or larger (≥50 employees OR ≥10M EUR revenue), or designated regardless of size
  3. You provide the service within the EU

If all three apply: you likely have a notification obligation to MSB and must comply with art. 21 (risk management measures).

Detailed decision tree below.

Step 1. Is your sector included?

NIS2 divides entities into essential and important. Both are covered but with different supervisory levels.

Essential sectors (Annex I)

  • Energy (electricity, district heating, oil, gas, hydrogen)
  • Transport (air, sea, rail, road)
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure (DNS providers, TLD registry, cloud services, data centres, CDN, IXP, TSP, e-com hosting operators etc.)
  • ICT service management (B2B)
  • Public administration (at central level)
  • Space

Important sectors (Annex II)

  • Postal and courier services
  • Waste management
  • Manufacturing of critical chemicals
  • Food production + distribution
  • Manufacturing (medical equipment, IT equipment, electronics, vehicles, machinery)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organizations

If you're not in any of these sectors: you're likely not covered by NIS2. But customers and suppliers who are will demand security from you via contract.

Step 2. Are you large enough?

NIS2 uses the EU definition of medium-sized companies:

  • ≥50 employees OR
  • ≥10 million EUR annual revenue AND simultaneously ≥10 million EUR balance sheet total

Small companies still covered

Even if you're below threshold, NIS2 applies if you are:

  • Sole provider of a service in a member state
  • Providing a service whose disruption would have significant impact
  • Designated by MSB for other reasons (critical societal function)
  • A TLD registry, DNS provider, cloud service provider, data centre, CDN, TSP (trust services, eIDAS) or number-independent communication service; these are covered regardless of size

Step 3. Where do you operate?

NIS2 applies if you provide the service within the EU. The head office determines which member state's authority is responsible. For a Swedish entity, that authority is MSB.
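The three-step decision tree above (sector, size, geography), encoded as an added example that is not the page's or pentesting.se's own code; the sector keys, the `Entity` field names and the size-independent entity types are assumptions mirroring the lists in Steps 1 and 2:

```python
from dataclasses import dataclass

# Sector keys are an assumption of this example, mirroring the Annex I / Annex II lists above.
ANNEX_I = {"energy", "transport", "banking", "financial market infrastructure",
           "healthcare", "drinking water", "wastewater", "digital infrastructure",
           "ict service management", "public administration", "space"}
ANNEX_II = {"postal and courier", "waste management", "critical chemicals", "food",
            "manufacturing", "digital providers", "research"}
# Entity types covered regardless of size (Step 2, "Small companies still covered").
SIZE_INDEPENDENT = {"tld registry", "dns provider", "cloud service provider", "data centre",
                    "cdn", "tsp", "number-independent communication service"}


@dataclass
class Entity:
    sector: str
    employees: int
    revenue_meur: float               # annual revenue, million EUR
    balance_sheet_meur: float         # balance sheet total, million EUR
    serves_eu: bool
    entity_type: str = ""             # e.g. "dns provider"; empty when none of SIZE_INDEPENDENT applies
    sole_provider: bool = False       # only provider of the service in a member state
    significant_impact: bool = False  # disruption would have significant impact
    designated_by_msb: bool = False   # designated by MSB for other reasons


def is_medium_or_larger(e: Entity) -> bool:
    # EU medium-size test as stated in Step 2: headcount alone, or revenue AND balance sheet.
    return e.employees >= 50 or (e.revenue_meur >= 10 and e.balance_sheet_meur >= 10)


def nis2_scope(e: Entity) -> tuple[bool, str, str]:
    """Return (covered, classification, reason) by walking Steps 1-3 in order."""
    sector = e.sector.lower()
    if sector in ANNEX_I:
        annex = "essential"
    elif sector in ANNEX_II:
        annex = "important"
    else:
        return False, "none", "sector not in Annex I or II"
    if not e.serves_eu:
        return False, "none", "service not provided within the EU"
    if is_medium_or_larger(e):
        return True, annex, "medium-sized or larger"
    if e.entity_type.lower() in SIZE_INDEPENDENT:
        return True, annex, f"{e.entity_type} is covered regardless of size"
    if e.sole_provider or e.significant_impact or e.designated_by_msb:
        return True, annex, "below threshold but covered by exception or MSB designation"
    return False, "none", "below size threshold and no exception applies"
```

The classification follows the page's Annex-based split; a 20-person manufacturer with 12 MEUR revenue but only 5 MEUR balance sheet is correctly left out, while the same company with 12 MEUR on both counts is in.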

What does it mean if I'm covered?

Three concrete obligations, followed by liability and sanctions:

1. Notification obligation to MSB

By 17 January 2026 (or when you become covered) you must register with MSB with:

  • Organization name + organization number
  • Address + contact details
  • Sector + sub-sector
  • Which services you provide within NIS2

2. Risk management measures (art. 21)

You must implement appropriate and proportionate technical, operational and organisational measures to manage risk. The directive lists ten measure areas as management's responsibility:

  1. Policies for risk management
  2. Incident handling (incl. CSIRT notification)
  3. Business continuity, backup, crisis management
  4. Security in the supply chain (vendor risk)
  5. Security in acquisition, development and maintenance of network/IT systems (← pentest belongs here)
  6. Measurement + evaluation of measure effectiveness
  7. Basic cyber hygiene + training
  8. Cryptography and encryption
  9. HR security, access control, asset management
  10. Multi-factor authentication + secured communication channels

3. Incident reporting

On significant incident:

  • Within 24h: early warning to CSIRT (MSB/CERT-SE)
  • Within 72h: incident notification with classification
  • Within 1 month: final report

4. Personal management liability

Management board members must approve risk management measures and oversee their implementation. On intentional violation, management can be held personally liable for damages.

5. Sanctions

  • Essential entity: up to 10 MEUR or 2% of global revenue (whichever is higher)
  • Important entity: up to 7 MEUR or 1.4% of global revenue

Is pentest mandatory under NIS2?

Not explicitly: the directive doesn't list "pentest" as a requirement. But art. 21(2)(e) "security in acquisition, development and maintenance" and art. 21(2)(f) "measurement + evaluation" together make penetration testing de facto best practice. Supervisory authorities (MSB) consider pentest a reasonable measure to fulfill "appropriate and proportionate" technical measures.

In practice: if you're covered by NIS2 and don't do pentest, you must document why you don't. That's harder than just doing a pentest.

What does pentesting.se do for NIS2-covered organizations?

Pentesting.se maps every finding directly to NIS2 articles in the compliance report. You get:

  • Daily automated scanning = "measurement + evaluation" per art. 21(2)(f)
  • Supply chain vulnerabilities (vendor scanning) = art. 21(2)(d)
  • Manual pentest for deeper verification = art. 21(2)(e)
  • Incident documentation ready to send to MSB within the 24h window

All data is stored in Sweden by Adminor AB, with no exposure to the US CLOUD Act, which is relevant both for art. 21(2)(h) (cryptography) and for art. 21(2)(d) supplier risk assessment.

What do I do next?

  1. Identify your sector using the checklist above. If in doubt, call MSB's NIS2 team (08-XXX-XXXX) or email [email protected].
  2. Register with MSB if you're covered and haven't already done so.
  3. Perform a gap analysis: which of the 10 measure areas are in place, and which are missing?
  4. Prioritize critical gaps: multi-factor authentication, backup strategy and supplier risk assessment are often the quickest wins.
  5. Establish continuous monitoring: point-in-time annual tests are no longer enough. Vulnerabilities arise daily, and NIS2 supervision looks at processes, not one-time measures.

Need help interpreting whether NIS2 applies to you, or a concrete pentest-based gap analysis? Contact us: we've delivered NIS2-adapted pentest engagements for Swedish entities since the directive came into force.
