According to OneMore Secure’s Cybersecurity Maturity Report 2025, based on more than 750 Swedish organisations, 42 percent score low on supply-chain maturity. 25 percent have no continuity plans.
Almost 40 percent lack data classification. 25 percent don’t encrypt sensitive data.
None of this is new. These are the same technical shortcomings that have been reported since 2010: patching, segmentation, identity governance, backup. After fifteen years of reports, inquiries and strategies, maturity has barely moved.
Lowest public funding in the EU
At the same time, the European Investment Bank (EIB) shows that Sweden is bottom of the EU on public investment support for cybersecurity. Only 3 percent of companies say they have received support. 75 percent fund cybersecurity from their own pockets. The funding gap is the largest since 2019.
Meanwhile the rhetoric keeps escalating: the “cyber billion” programme, NATO exercises, a new cyber strategy, “an opportunity to set a new standard”. The words multiply. The change does not arrive.
Structural dissonance
Cyber threats are described as national security, but the infrastructure is still managed as local IT. Municipal self-governance, lowest-bid procurement, voluntary collaboration. The gap between how the threat is described and how it is handled is not a communication problem. It is a system problem.
Three possible explanations
1. The threat is rhetorically useful
It legitimises budgets without demanding measurable change. FRA and MSB can publish the same risk picture year after year without having to explain why the problems from 2010 are still there. The threat picture serves a purpose, but it does not drive transformation.
2. The system is structurally slow
Many actors, weak central governance, limited operational coordination. NIS2 tries to solve this through obligation, but obligation without supporting structures produces compliance on paper, not in practice.
3. The actual risk appetite is higher than the stated one
91 percent of Swedish companies invest anyway, above the EU average. But the investments go to transformation, product development, energy efficiency. Cybersecurity is a cost line, not a value driver.
Risk appetite is not visible in reports. It is visible in resource allocation.
The Cybersecurity Act without supporting structures
The Swedish Cybersecurity Act entered into force on 15 January 2026. But without supporting structures, and with the largest funding gap in the EU, the likely outcome is: minimum-viable compliance, consultancy projects to tick the boxes, then back to business as usual. Until the first sanction or incident forces real change.
The problem is not knowledge
Sweden does not lack expertise, reports or awareness. What is missing is structural change. As long as cybersecurity is treated as a local operations question rather than a national infrastructure one, maturity will remain stuck. No matter how many strategies get published.