ISMS Copilot for Nordic critical infrastructure operators
Sweden, Denmark and Finland each transposed NIS 2 differently — classification, supervisors and enforcement diverge across the three.
Three Nordic NIS 2 regimes, mapped separately
- Sweden: classify as vasentlig or viktig verksamhetsutovare under 1 kap. 9 § Cybersakerhetslag (SFS 2025:1506)
- Denmark: classify as vaesentlig or vigtig entity under NIS 2-loven (Lov nr. 434 af 6. maj 2025)
- Finland: classify as keskeinen or muu kuin keskeinen toimija under §§ 3-4 Kyberturvallisuuslaki 124/2025
- Map the correct sector supervisor in each country — they are split, not centralised
- Track three incident-reporting timelines (24h / 72h / one-month, with national wording differences)
- Compare Denmark's criminal-track enforcement (§ 32) against Sweden's and Finland's administrative-penalty models
Built for multi-Nordic CI compliance leads
Per-country classification walkthroughs (1 kap. 9 § SE, vaesentlig/vigtig DK, §§ 3-4 FI)
Sweden supervisor map via Cybersakerhetsforordningen 2025:1507 §§ 7-8 (PTS, Energimyndigheten, Finansinspektionen, Livsmedelsverket, IVO; MCF as CSIRT)
Denmark §§ 12-13 incident cascade and § 33 registration procedure
Finland § 26 sector-supervisor map (Traficom, Energiavirasto, Tukes and others) and Kyberturvallisuuskeskus as § 18 contact point
Enforcement-divergence matrix: DK criminal track (§ 32) vs SE 4 kap. 10 § / FI §§ 37-39 administrative penalties
One internal evidence set reconciled against all three transpositions
Three Nordic NIS 2 transpositions, three different regimes
Operators assume NIS 2 is harmonised across the Nordics. It is not — the directive sets the floor, the national acts diverge. Sweden's Cybersakerhetslag (SFS 2025:1506) classifies verksamhetsutovare as vasentlig or viktig under 1 kap. 9 §, with sector supervisors split across Cybersakerhetsforordningen 2025:1507 §§ 7-8 and MCF as the CSIRT and common contact point. Denmark's NIS 2-loven (Lov nr. 434 af 6. maj 2025, in force 1 July 2025) uses vaesentlig / vigtig classification, a § 13 reporting cascade and § 33 registration — and notably enforces through the criminal-law track under § 32 rather than direct administrative fines. Finland's Kyberturvallisuuslaki 124/2025 (in force 8 April 2025) splits keskeinen and muu kuin keskeinen toimija under §§ 3-4, runs a § 26 multi-supervisor model, and applies administrative penalties under §§ 37-39 with Kyberturvallisuuskeskus as the § 18 contact point. ISMS Copilot keeps the three analyses separate so you do not over- or under-comply in any one country.
Sweden NIS 2 guidance →Frequently Asked Questions
Is NIS 2 not harmonised across the Nordics?
Only the directive is. The national transpositions diverge: Sweden's SFS 2025:1506, Denmark's Lov nr. 434/2025 and Finland's Kyberturvallisuuslaki 124/2025 differ in classification terms, supervisory structure, registration procedure and — most sharply — enforcement. ISMS Copilot walks each separately so a group operating in all three does not assume one regime covers it.
How does enforcement differ between the three?
Denmark enforces NIS 2 through the criminal-law track under § 32, so sanctions are set by courts rather than as direct administrative fines. Sweden (4 kap. 10 § Cybersakerhetslag) and Finland (§§ 37-39 Kyberturvallisuuslaki 124/2025) use administrative penalties with different ceilings. ISMS Copilot maintains a divergence matrix so you understand your exposure per country.
Which supervisor do we report to?
It is sector-specific in every Nordic country and the split differs. In Sweden, Cybersakerhetsforordningen 2025:1507 §§ 7-8 assigns PTS, Energimyndigheten, Finansinspektionen, Livsmedelsverket or IVO, with MCF as CSIRT. In Finland, § 26 designates Traficom, Energiavirasto, Tukes and others. ISMS Copilot helps you identify the right authority per entity and country.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.