One link, one click, and the systems go down. Attacks on the public sector are increasing rapidly, yet many Swedish municipalities still lack the ability to protect themselves. Meanwhile, the NIS2 Directive is being implemented, introducing new requirements for preparedness and accountability.
When the municipality's digital systems go down, the entire community is affected. Home care services don't know which users need medicine and food, waste collection is halted when routes can't be determined, and school staff can't access schedules or contact information for guardians. Until the problems are resolved, everyone has to try to work with what they have – analog, with pen and paper.
– Then it becomes an incredible burden to try to catch up, says Johan Rosell, head of the Centre for Cyber Security at RISE.
Sweden among the most vulnerable countries in Europe
Cyber attacks are on the rise. According to a new report from Check Point Research, attacks in Sweden increased by 75 percent in the first quarter of 2025 compared to the same period last year. This makes us one of the most vulnerable countries in Europe.
– We are far ahead in terms of digitalisation, but not so far ahead in terms of cybersecurity. There is a gap that makes us vulnerable, says Johan Rosell.
Who is behind the attacks varies – and is not always clear.
– Previously, there was a clear distinction between state actors and cybercriminals. Now, however, we are seeing how they often work together. It has become more difficult to discern whether a group is a criminal hacker collective looking to make money or a state actor with other motives. According to Johan Rosell, it becomes part of a hybrid toolbox designed to undermine trust in our democratic institutions.
Municipalities are particularly vulnerable. In principle, a Swedish municipality is locked out of one of its systems every week. Small municipalities are hit harder and more often because they have fewer resources, making it more difficult to maintain redundancy in the form of backup systems and to recruit cyber security experts.
Attacks are often simple in structure. The most common scenario is someone clicking on a link in a phishing email. A virus then spreads between computers in the network until everything locks up.
– The municipalities then receive a message demanding payment in cryptocurrency to unlock the systems. However, paying is not an option as this only creates more incentives for new attacks. There is also no guarantee that your data will be restored, says Johan Rosell.
The cost of restoring hacked systems is increasing
Instead, systems need to be restored from backups – if they exist. IT consultants often have to be called in to get everything up and running again quickly, which is expensive. Following the high-profile cyber attacks against Kalix and Kalmar, for example, the costs ran into millions.
– It's always more expensive to clean up afterwards when you have to bring in people to work three shifts to get the business back on its feet than it is to think ahead. You have to weigh up the costs when talking about investing in cyber security, says Karl Resare, Business Developer at Cyber Range, RISE's cybersecurity test and demonstration environment.
– Just as an individual inspects their car every year, municipalities should inspect their cybersecurity – continuous exercises, training, and risk analyses. Soon, this will also be a legal obligation.
The new EU directive NIS2, which is due to be introduced into Swedish law in 2025, will make cyber security the formal responsibility of municipal authorities. The new rules impose mandatory requirements for security levels, incident reporting and continuous risk management, and allow penalties to be imposed for non-compliance.
– To help meet these requirements, we have developed a management training course aimed specifically at municipal leaders. They need to understand the requirements, says Johan Rosell.
Advanced training in digital twin environments
In addition, RISE offers training ranging from basic cyber hygiene to specialised courses for technical staff. Certification, vulnerability analysis and advanced exercises in digital twin environments are also available.
– You can see what happens when a system crashes. It's like a computer game – it's safe to test with us. But when you're attacked in real life, you'll be better equipped to cope, says Karl Resare.
As an independent research institute, RISE can act as a neutral partner in the work to strengthen cybersecurity in the public sector.
– We have no other interests than to make Sweden stronger, says Karl Resare.
WHAT IS NIS2?
NIS2 is an EU directive that sets stricter requirements for cybersecurity in essential and critical activities – both public and private. The aim is to strengthen resilience to cyber-attacks across the EU, and the directive will be implemented in Swedish law in 2025.
Organisations covered by the directive must implement cybersecurity procedures, report incidents within certain timeframes and manage supply chain risks. Management will also be legally responsible for ensuring compliance.
Failure to comply could result in penalties of up to €10 million or 2% of annual turnover, depending on the type of entity.