Information Security

The Swedish Transport Administration (Trafikverket) is now focusing on strengthening the protection of information in, for example, road and railway infrastructure against unauthorized access, improper influence, and sudden data loss.

Together with its suppliers, Trafikverket must ensure that information is handled correctly and securely, and that legal requirements are complied with.

Good information security is crucial for protecting information assets and ensuring compliance with laws and regulations. Therefore, starting on 1 January 2026, Trafikverket will introduce a specific contract appendix on Information Security to provide a clearer and more coherent description of the technical and administrative requirements related to information security. This contract appendix, “TMALL 1588 Contract Appendix – Information Security,” is available via the link below.

Cybersecurity in focus – NIS2 and the Cybersecurity Act to be introduced in Sweden in 2026

The NIS2 Directive aims to harmonize and strengthen cybersecurity across the EU. Compared to the current NIS Directive, it imposes clearer requirements for security measures, including stricter demands on risk management, incident reporting, and supply chain security. The NIS2 Directive will be implemented in Sweden through the Cybersecurity Act, which is expected to take effect on 15 January 2026.

Trafikverket is monitoring developments and will adapt the requirements in the contract appendix in line with the new regulatory framework as laws, ordinances, and regulations are established. However, regardless of whether the current NIS or the forthcoming NIS2 applies, the most fundamental requirement is to conduct risk-based and systematic information security work.

More information about NIS/NIS2 can be found on the Swedish Civil Contingencies Agency’s (MSB) website – see the link at the bottom of the page.

Enhancing and ensuring competence in the field of information security

To address the complex challenges within information and cybersecurity, we must jointly strengthen and ensure competence in the field of information security and promote the development of key areas. The Information Security contract appendix marks the starting point for this work.

As part of its implementation, the appendix has gradually begun to be used in procurements since mid-2025, with the aim of identifying effective working methods and other development-related needs.