CRA Compliance in Sweden
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Sweden manufacturers.
Sweden has designated its National Cyber Security Centre (NCSC-SE) — a collaborative body involving SÄPO, FRA, MSB, and Försvarets materielverk — as the national competent authority for the CRA. Swedish manufacturers in the telecoms, automotive, and defence supply chain sectors face both CRA obligations and overlapping requirements under Sweden's national cybersecurity strategy. CERT-SE, operated by the Swedish Civil Contingencies Agency (MSB), serves as the national CSIRT for Article 14 notifications.
National Competent Authority (CRA)
NCSC-SE
Swedish National Cyber Security Centre
NCSC-SE is a collaborative centre involving SÄPO, FRA, MSB, and FMV. It serves as Sweden's CRA national competent authority and coordinates with ENISA on cross-border matters. Day-to-day market surveillance is conducted through MSB.
https://www.ncsc.se →CRA Enforcement in Sweden
NCSC-SE coordinates CRA enforcement across its member agencies. MSB (Myndigheten för samhällsskydd och beredskap) handles market surveillance activities, while SÄPO and FRA contribute national security expertise for higher-risk product categories. Swedish manufacturers must comply with CRA Annex I requirements and maintain a technical file. Sweden's Post and Telecom Authority (PTS) retains specific competence for radio equipment, and the CRA market surveillance responsibilities are coordinated with existing PTS oversight. The NCSC-SE publishes Swedish-language guidance and participates in ENISA's CRA technical working groups.
Article 14 Incident Reporting for Swedish Manufacturers
Swedish manufacturers report actively exploited vulnerabilities and significant security incidents to CERT-SE, operated by MSB. CERT-SE maintains a 24/7 incident reporting capability and a secure submission portal at cert.se. The Article 14 early warning must be submitted within 24 hours of discovering active exploitation; the full notification within 72 hours. CERT-SE has extensive experience coordinating vulnerability disclosures across the Swedish public and private sectors and participates actively in the EU CSIRTs network. Manufacturers should pre-register with CERT-SE and establish a named contact before any incident occurs.
Market Surveillance & Penalties
MSB conducts market surveillance for the CRA in coordination with NCSC-SE, with PTS retaining authority over radio-connected products. Sweden will implement the full CRA penalty framework: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Sweden's enforcement tradition tends toward constructive engagement before punitive action, but MSB has demonstrated willingness to escalate when manufacturers are non-cooperative. Manufacturers should expect surveillance to begin with documentation reviews and potentially progress to laboratory testing of high-risk product samples.
Support for Swedish Manufacturers
MSB publishes the Swedish Information Security Standard (SIS) guidance and a range of cybersecurity handbooks aligned with international standards. NCSC-SE coordinates free workshops for manufacturers on CRA readiness and publishes Swedish translations of key ENISA guidance. Sweden has a well-developed ecosystem of SP Technical Research Institute (RISE Research Institutes of Sweden) accredited laboratories capable of supporting CRA conformity testing. The Swedish Trade Federation and Teknikföretagen (Association of Swedish Engineering Industries) provide sector-specific CRA implementation guidance for their members.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for CERT-SE, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact NCSC-SE or CERT-SE as a manufacturer?+
NCSC-SE can be contacted through ncsc.se, while CERT-SE is reached through cert.se. For CRA compliance enquiries, MSB's industry liaison team at msb.se is typically the most appropriate first contact for manufacturers seeking implementation guidance. CERT-SE should be contacted directly for Article 14 incident reporting. Both organisations publish extensive guidance in Swedish and English.
Does Sweden have national-level CRA implementing legislation?+
Sweden is transposing CRA requirements through amendments to the Cybersäkerhetslag (Cybersecurity Act), which also transposes NIS2. The government has published consultation documents on the alignment of CRA market surveillance powers with existing product safety legislation. National implementing regulations are expected to be finalised ahead of the CRA's December 2027 application date, with MSB and NCSC-SE leading the implementation process.
How does the CRA interact with Sweden's NIS2 implementation and NIS Act obligations?+
Sweden's NIS2 transposition through the Cybersäkerhetslag creates incident reporting obligations for essential and important entities that partially overlap with CRA Article 14 for manufacturers also operating critical infrastructure. MSB and CERT-SE are expected to provide unified guidance allowing a single notification to satisfy both frameworks where applicable. Swedish manufacturers in the energy, transport, and digital infrastructure sectors should conduct a combined NIS2 and CRA gap analysis.
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.