The Cybersecurity Act and leadership accountability – are the rules really the same for everyone?

Cybersecurity Act · 5 min read

On 15 January 2026, the Swedish Cybersecurity Act (SFS 2025:1506) entered into force. It introduces stricter requirements for systematic cybersecurity work, incident reporting and – not least – clearer accountability for organisational leadership. However, a closer examination of the law reveals that the consequences for leadership differ substantially depending on whether the organisation is private or public.

What does the law say about leadership accountability?

The Cybersecurity Act requires the governing body of an organisation to take active responsibility for cybersecurity work. In practice, this means that leadership must undergo training on security measures and can be held accountable for violations.

According to the government bill, the governing body is defined as follows:

  • Limited companies: the board of directors and CEO
  • Government agencies: the director-general (single-headed authority), the board (board-governed authority) or the committee (committee-governed authority)
  • Municipalities and regions: the municipal or regional executive board

The law also provides supervisory authorities with a powerful tool: the ability to apply for a prohibition preventing a person from exercising their leadership role within an organisation. This constitutes direct personal accountability that goes beyond financial sanctions.

The exception: public sector

Here an important distinction arises. The law explicitly states that prohibitions on exercising a leadership role may not be directed at public sector operators. This means that the strongest personal sanction – the ability to actually remove a leader from their role – is unavailable for municipalities, regions and government agencies.

This limitation is confirmed by the Swedish Agency for Civil Defence (MCF) in their FAQ on the Cybersecurity Act, last updated on 12 February 2026.

What applies to the public sector then?

It is important to emphasise that the public sector is not exempt from the law in other respects. Financial sanctions apply in full. For essential operators, penalties can amount to EUR 10 million or 2 per cent of global annual turnover, whichever is higher, and for important operators up to EUR 7 million or 1.4 per cent, whichever is higher. Supervisory authorities can also issue remarks and injunctions.

The difference lies in who bears the consequences. In a private company, the sanction can affect both the organisation financially and the leadership personally. In a municipality, the financial sanction hits the municipal budget – and ultimately the citizens whose welfare services are funded from it.

Why does this matter in practice?

To understand the practical significance, one needs to examine how governance works in the public sector compared to the private sector.

Term of office and continuity

In a municipality, the governing body consists of elected officials who rotate with political terms of four years. Systematic cybersecurity work requires long-term development and maturity – often three to five years to reach a stable level. This creates a natural tension between the political cycle and the time horizon of cybersecurity work.

Competence and prerequisites

Municipal board members rarely have specialised expertise in information security. Nor is it reasonable to expect them to, but that presupposes that functioning support structures exist and that leadership has access to the right decision-making materials.

Incentive structure

Without the possibility of personal consequences for leadership, the driving force rests entirely on the organisation’s own ability to create internal governance. This is not impossible – but it requires deliberate decisions.

No requirements for an internal oversight role

Another detail worth noting: the Cybersecurity Act does not require organisations to establish an internal oversight role for cybersecurity. However, the law does require that the organisation monitors its own practices and verifies that protections actually work. There is no formal requirement for internal audit of cybersecurity, but the systematic approach essentially presupposes that it takes place.

What can the public sector do?

The absence of the personal sanction tool does not mean that the public sector is without options. It means that the organisation itself must build the governance mechanisms that the law does not compel. Some concrete measures:

Clarify who owns the risk

Make it visible and formal who in the organisation owns different parts of the cybersecurity risk. When responsibility is clearly linked to a function or person, both awareness and the possibility of follow-up increase.

Let internal audit examine cybersecurity

Most municipalities and regions have internal audit functions that review finances and operations. Including information security in the audit plan is a natural step that creates internal accountability without requiring legislative change.

Make leadership training operationally relevant

The law requires that leadership undergoes training. How the training should be designed has not yet been established in regulation. This presents an opportunity to go beyond the formal requirements and give the municipal board tools to actually understand and monitor cybersecurity work.

Elevate cybersecurity into the political governance chain

Cybersecurity should not solely be a matter for the IT department or a single committee. When the municipal executive board is the formal governing body, they also need regular situational awareness reports and decision-making materials – not just annual reports.

Use Cybersäkerhetskollen and MCF’s methodological support

MCF provides freely available tools for assessing and developing systematic cybersecurity work. These offer a structured starting point for organisations that need to get started or further develop their efforts.

Summary

The Cybersecurity Act imposes the same requirements on the public and private sectors. The same obligations regarding risk management, incident reporting and leadership accountability apply. But the consequences for non-compliance differ. The prohibition on exercising a leadership role – the law’s strongest personal sanction – is not applicable in the public sector.

This makes it all the more important that public organisations build internal governance that compensates for this limitation. Mandate, responsibility and risk ownership must be aligned – even when the law does not fully compel it.

Sources

  • The Swedish Cybersecurity Act (SFS 2025:1506)
  • The Swedish Cybersecurity Regulation (SFS 2025:1507)
  • MCF: Questions and answers about the Cybersecurity Act, updated 2026-02-12
  • MCF: The Cybersecurity Act for leadership
  • MCFFS 2026:1 – Regulations on notification and identification of essential and important operators
  • Government Bill 2024/25:45 – Cybersecurity in Sweden

Need support interpreting the Cybersecurity Act and building an effective governance model? Contact us for a complimentary consultation.

Author

Kim Borg

Founder & CEO

25+ years of experience in IT leadership, from software developer and Scrum Master to IT Director and Group CIO. Deep expertise in ISO 27001, NIS2, risk management, and information security governance. Educated in ISMS at the University of Skövde.
