In many Swedish municipalities, there’s one information security coordinator. One. Sometimes part-time. Sometimes the responsibility landed with the IT manager, not because it was planned but because nobody else picked it up.
That person is expected to manage risks in operations they never made decisions about. Systems they never procured. Without a mandate. Without resources. Without a formal connection to leadership.
From the outside it looks fine. Checklists are ticked. Policies exist. An ISMS structure can be shown at audit.
But underneath, a debt is accumulating. An organisational debt made up of decisions that were never documented, risks that were accepted verbally, and measures pushed to the future without traceability.
The problem isn’t the person. It’s the structure
The information security coordinator often ends up in an impossible position. They’re supposed to advise, but lack access to the boardroom. They’re supposed to oversee operations that own their own systems and risks. They’re supposed to coordinate without any authority to demand.
In practice, the coordinator becomes an administrative function rather than a governing one. Policies are produced without being grounded in the organisation’s actual decision-making. Risk assessments are carried out without clear ownership of the results.
Security work lives its own life alongside the business. It shows up in documents but not in decisions.
The Cybersecurity Act exposes the gap
On 15 January 2026, the Swedish Cybersecurity Act (SFS 2025:1506) entered into force. For organisations in scope, the law sets new requirements for traceability, allocation of responsibility and systematic work.
The supervisory authority can request documents and records (Chapter 3, Section 3). Security audits can be conducted (Chapter 3, Section 5). When violations are assessed, intent or negligence is considered (Chapter 4, Section 2).
Having a policy isn’t enough. You need to be able to show how decisions were made, by whom and on what basis.
This is exactly where the lone coordinator’s situation becomes problematic. Not because they’re doing a poor job, but because the organisation never gave them the conditions to do a traceable one.
As we described in The Cybersecurity Act and leadership accountability: in a Swedish municipality, the municipal board is formally the management body. Responsibility for cybersecurity ultimately rests at the political level. But in practice, operational responsibility is delegated downward — often to a function that lacks both mandate and resources.
Three warning signs to take seriously
There are patterns that reveal governance isn’t holding together.
Risk decisions without traceability
Risks are identified in an assessment. Someone says “we accept that” in a meeting. But it’s never formally documented.
Six months later, nobody knows who made the decision, what information it was based on, or what conditions applied. Under the Cybersecurity Act, that is not sufficient: the supervisory authority can request records showing the basis for the decision and who made it.
Responsibility without authority
The coordinator is responsible for driving security work forward but has no seat in the leadership group, no budget and no ability to place demands on the business units.
The result is a function that documents but doesn’t govern. It creates an illusion of control.
System knowledge that doesn’t exist centrally
No single person, and often no single function, has a complete picture of where the municipality’s sensitive information resides, which systems depend on each other, or where the critical dependencies are.
Without that picture, leadership doesn’t know which risks they should own. And then they can’t make informed decisions about them.
It doesn’t start with tools
It’s tempting to believe the answer is a platform or a framework. But a structural problem can’t be solved with technology. It’s solved with governance.
It starts with understanding where information moves. Which systems connect to each other. Where the dependencies are. Only then can leadership decide which risks to manage, which to accept, and document them in a way that holds up under supervision.
As we noted in a previous analysis: Sweden doesn’t lack expertise, reports or awareness. What’s missing is systemic change. And that change doesn’t start with the coordinator. It starts in the boardroom.
What can municipalities do in practice?
The Cybersecurity Act creates a framework. But it’s the organisation that needs to fill it with substance.
Give the coordinator a formal mandate. Connect the role to the delegation of authority. Ensure access to the leadership group and a documented reporting line to the municipal board.
Establish risk ownership. Every operation handling sensitive information needs a named risk owner. Not the IT manager. Not the coordinator. The business itself.
Make risk decisions traceable. Every risk acceptance needs documentation: who made the decision, on what basis, under what conditions and with what expiry date.
Map information flows and system dependencies. Before the organisation can assess risk, it needs to understand where sensitive information resides. That work requires active involvement from the business units, not just the coordinator.
Give leadership operational situational awareness. The municipal board needs more than an annual report. They need ongoing decision support showing the current risk picture, status of measures and any deviations. Without it, they lack the conditions to exercise their statutory responsibility.
The debt that accumulates in silence
There’s a parallel to technical debt in software development. Every shortcut, every undocumented decision, every risk accepted without a formal process — it accumulates. Not visibly. Not immediately. But it’s there.
When the supervisory authority asks, or when the incident occurs, the debt suddenly becomes visible.
The information security coordinator who sits alone with the responsibility today often knows exactly where the gaps are. They’ve tried to raise them. They’ve written memos nobody read. They’ve requested resources that weren’t granted.
The question isn’t whether the coordinator is doing enough. The question is whether the organisation is giving the coordinator the conditions to do what’s required.
Where in your organisation are risk decisions being made without anyone able to show who made them?
Need help building governance that holds, not just policies that look good on paper? Contact us for a complimentary assessment.