New Cybersecurity Act introduces stricter requirements for digital security

On 15 January 2026, Sweden’s new Cybersecurity Act (2025:1506) was activated. The new law is based on the EU’s NIS2 Directive and introduces stricter requirements for mandatory security measures, incident reporting, and management responsibility for organisations operating in 18 different sectors, ranging from healthcare to digital infrastructure. The aim is to strengthen resilience to cyberattacks and ensure that functions essential to society are fully operational, such as electricity and water supply, banking, public administration, and transport.

The regulations associated with the act are not yet finalised, and an investigation is now underway to analyse in what way Uppsala University may be affected.

"On behalf of the Vice-Chancellor, an investigation has been launched to assess whether we fall within the scope of these new regulations. The act is extensive, and certain areas will require careful analysis. Once we know if and how we are affected, we will communicate with those concerned," says Fredrik Blomqvist, Chief Security Officer at Uppsala University.

Strategy for high level of cybersecurity

While awaiting the conclusions of the investigation and the Vice-Chancellor’s decision, the University continues its work to strengthen long-term and sustainable cybersecurity. A clear strategy to achieve a high level of cybersecurity by 2030 has already been developed, and work is in progress to strengthen security measures. This includes enhanced technical protections, increased standardisation of IT systems, and mandatory information security training for new employees, introduced by the Vice-Chancellor, to raise awareness of the threats facing the University.

"Over the past year alone, we have made significant progress in our cybersecurity efforts, and we continue to work strategically toward our 2030 targets. We must ensure that our IT environment and technical security maintain a high standard, but the most common form of cyberattack is still phishing emails, and the greatest impact on our cybersecurity is still the human factor. This is why training and increased awareness of security issues are crucial for everyone working at the University. Classifying and storing information correctly is of particular concern," says Blomqvist.

Collaboration with other universities and institutes

The education and research sector is a frequent target of cyberattacks, and Uppsala University follows recommendations from SUHF - the Association of Swedish Higher Education Institutions - to collaborate with other universities and find shared approaches regarding the new Cybersecurity Act as well as the growing threat landscape.

"We have a responsibility to protect both research and other sensitive information. In a time of increasingly complex and advanced cyberthreats, strong, strategic and coordinated cybersecurity is a prerequisite for the University to continue our development and remain a leading institution," says Måns Östring, IT Director, and adds:

"By collaborating with other universities and higher education institutions, for example through the new national consortium UniDig, we can build capacity and structures for security while also strengthening the entire education and research sector."

Martin Löf Nyqvist