Sweden’s new Cybersecurity Act transposes the NIS2 directive into Swedish law. It places responsibility on leadership, not the IT department. The board must approve risk management measures, verify they work and have enough knowledge to understand what’s at stake.
This is corporate governance. Not IT operations.
But the law doesn’t apply to everyone. And that’s where it gets dangerous.
“We’re not covered” is not the same as “we’re safe”
I’ve seen it happen. Organisations assumed that “we’re not in scope” also meant “we don’t need to care”. I’ve been responsible for these issues for 25 years, as IT director in a municipality with NIS obligations and as CIO across eight countries. I know how it ends.
A supplier with no requirements. A small municipality with limited resources. A company never classified as critical infrastructure.
Any of them can be the weakest link in a chain that is itself regulated, and the regulation expects the entire chain to hold.
Cyber threats don’t care about legal scope.
This is business risk, not IT incidents
Most boards and executive teams understand business risk. But many still fail to connect cybersecurity with the risks they manage every day. Here are four scenarios that require no technical background:
Lost customer contracts
More customers and public procurement bodies now require information security in their supplier assessments. If you can’t demonstrate basic controls — risk analysis, incident management, access control — you risk losing the deal. Not because you were attacked, but because you can’t show you took the issue seriously.
Production downtime in days, not hours
Ransomware hits hardest where recovery has never been tested. Having backups isn’t enough. You need to know the backups work and that the recovery plan has been tested.
Without that, a disruption that should take hours can take weeks.
Personal liability in the boardroom
The Cybersecurity Act imposes personal accountability on the management body in regulated organisations. But even outside the law’s scope, board members have a duty under the Swedish Companies Act to act in the company’s interest. If no one on the board made decisions about known risks, or even knew about them, it becomes difficult to claim that duty was fulfilled.
The insurance that won’t pay
Cyber insurance is becoming more common, but policy terms are tightening. Many insurers require basic safeguards — multi-factor authentication, network segmentation, regular patching. If those are missing when a claim is filed, coverage may be denied entirely.
The bar and the reality
The Cybersecurity Act sets the bar for regulated organisations. It defines what society expects from organisations that carry critical functions. But the law defines a floor, not a ceiling.
What separates a prepared organisation from an unprepared one isn’t whether the law covers it. It’s whether leadership understands what’s actually at stake: in revenue, in contracts, in liability and in trust.
That understanding doesn’t start with technology. It starts with questions:
- What is business-critical and worth protecting in our organisation?
- Which dependencies could shut down our core processes?
- Who owns the risks, and can that person make decisions under pressure?
- Do our controls work in practice, or only on paper?
If you can’t answer those questions today, it’s not an IT problem. It’s a leadership problem.
Start with what matters
You don’t need a full-scale ISMS to take the first step. But you do need an honest picture of where you stand. That means:
- Identify what needs protecting. Which systems, data and processes can your business not function without?
- Map the dependencies. Which suppliers, services and connections could bring you down if they fail?
- Test your assumptions. Does your incident response plan work? Have you practised? Does everyone know what to do?
- Anchor it with leadership. Security that only lives in the IT department is security without a mandate.
Cybersecurity has no end date. It demands the same attention from leadership as budgets and compliance.
Business risk makes no exceptions. Regardless of size. Regardless of industry. Regardless of whether the law mentions you by name.
Need help understanding where your organisation stands? Contact us for a complimentary assessment.