
Increased requirements with the new cyber security law

The Cybersecurity Act imposes stricter requirements on organisations in both the public and private sectors. At the same time, many organisations find the field so broad and complex that they do not know where to start.
“Rapid technological developments mean there is an urgent need to develop knowledge, working methods and structures,” says Johanna Parikka Altenstedt, Head of the Digital Security Unit at RISE.

Despite increased awareness of cyber threats, many organisations still lack a systematic approach to cybersecurity. Furthermore, according to Cybersäkerhetskollen, the Swedish Civil Contingencies Agency’s tool for measuring cybersecurity maturity in Swedish organisations, the pace of improvement has stalled in several areas.

There is an increasing demand for systematic risk management.

At the same time, the Cybersecurity Act – Sweden’s implementation of the EU’s NIS2 Directive – means that the requirements for public and private sector organisations are increasing. Those covered by the Act must work systematically on risk management, report serious incidents, and manage cyber security risks in the supply chain.

However, legislation does not build capacity.

“Many people feel that the field is so vast and overwhelming that they don’t know where to start,” says Johanna Parikka Altenstedt, acting head of the Digital Security unit at RISE.

She compares the current situation with sustainability efforts to where they stood 15–20 years ago. Since then, sustainability has progressed from its infancy to the point where everyone now has management systems in place and is fully on top of things. Cybersecurity is now set to follow the same path, but Johanna Parikka Altenstedt says we don’t have much time to protect our most valuable assets against cyberattacks.

Lessons can also be learnt from the sustainability transition.

“There, you eventually learnt that you have to start somewhere. You have to prioritise and make up your mind,” says Johanna Parikka Altenstedt.

“Cybersecurity must be integrated into the organisational structure.”

One reason why the pace of improvement has stalled may be that Sweden was relatively late in implementing the NIS2 Directive. Many organisations chose not to start work until the legislation was in place.

“We’ve also been slow to consider how other countries have dealt with the situation. There’s no need to reinvent the wheel. Denmark, for example, has produced a checklist for local authorities detailing what they need to do and bear in mind. Here, each local authority has to learn the law independently. That takes time,” says Johanna Parikka Altenstedt.

In many cases, cybersecurity work has been treated as an additional task carried out alongside day-to-day operations, rather than as the business-critical issue it is.

“It’s simply not part of the structure. Cybersecurity must be integrated into organisational structures, becoming part of management teams and boards,” says Johanna Parikka Altenstedt.

“You need to consider issues other than just IT. These may include physical security, personnel matters, access rights, key management, and protection against insider threats. Cybersecurity concerns the entire organisation.”

Essentially, it's about taking a proactive rather than a reactive approach.

“Of course, targeted measures are needed if a serious shortcoming is identified that requires addressing. However, you can’t just patch things up; a systematic approach and continuity are required. This pays off in the long run,” says Johanna Parikka Altenstedt.

The challenge lies in translating legal requirements into practical, long-term cybersecurity work.

For many organisations, the challenge lies not in understanding the requirements, but in translating them into practical, long-term cybersecurity work.

As an independent organisation, RISE can provide cybersecurity assistance tailored to the specific needs of both public and private sector organisations.

“Cybersecurity remains an undefined area of operation for many organisations. That is why we sit down with the client to analyse the situation and carry out a vulnerability assessment. We can then help address any issues that have come to light, with RISE involved every step of the way,” says Johanna Parikka Altenstedt.

As a research institute, RISE has expertise in technology, AI, law, management, and strategic analysis. AI presents both risks and opportunities: while the technology creates new vulnerabilities, it can also be used to detect threats, analyse large volumes of data, and strengthen digital defences.

“We also have certification expertise and can provide training. We have the technical infrastructure of the Cyber Range, where we can carry out advanced exercises. We can collaborate with our clients’ IT departments, create a replica of their systems and demonstrate the consequences of an attack. This enables them to determine their response strategy,” explains Johanna Parikka Altenstedt.

She believes that it is easy to become overwhelmed by technology, legal requirements and security measures. Ultimately, however, cybersecurity is about creating organisations that are both resilient and capable of evolving.

“If you take it to its logical conclusion, the safest option would be to stop running any operations. But that is obviously not the aim. Our goal is to be able to carry out operations, produce goods, and maintain a functioning society, all while ensuring that we are adequately protected.”

How the Cybersecurity Act works:

The Cybersecurity Act, which came into force in January 2026, constitutes Sweden’s implementation of the EU’s NIS2 Directive. Its purpose is to bolster cybersecurity and resilience in the face of cyberattacks and other digital disruptions. The Act covers a wide range of activities in the public and private sectors, including energy, transport, healthcare, food and water supply, and digital infrastructure.

Among other things, organisations covered by the legislation must work systematically on risk management, report serious incidents within specified timeframes, and manage cybersecurity risks in the supply chain. The Act also places greater demands on management.

Supervision is carried out by specially appointed authorities, which may conduct inspections and issue fines for non-compliance.

Depending on the type of business concerned, the maximum fines can amount to €10 million or 2 per cent of global annual turnover.

Johanna Parikka Altenstedt

Acting Head of Unit
+46 10 228 46 60
