Cybersecurity: from IT issue to boardroom responsibility

New cybersecurity regulation reflects the recognition that digital systems constitute critical infrastructure. Responsibility for their protection now sits at the highest level of organisational leadership.

Cybersecurity in an interconnected society

Network and information systems form the backbone of modern business and public administration. As organisations have become more dependent on these systems, they have also become more attractive targets for cyber threats. State-sponsored actors and organised criminal groups are increasingly targeting European organisations, deploying methods ranging from supply-chain attacks to ransomware, which can force operational shutdowns.

The effects of such incidents often extend beyond the organisations directly affected, impacting critical services more widely. For instance, a cyber-attack on a logistics company could lead to food distribution being disrupted, while a data breach at a cloud service provider could result in government services going offline. What may start as a technical failure can quickly escalate into a wider societal issue.

In response, the EU adopted the NIS2 Directive, which has now been implemented in Sweden through the Cybersecurity Act. The Act entered into force on 15 January 2026 and represents a significant shift in cybersecurity regulation. It expands the number of organisations covered, introduces clearer and more demanding security requirements, tightens incident-reporting obligations and explicitly places responsibility for cybersecurity with management and the board.

Key elements of the Cybersecurity Act

The scope of the Cybersecurity Act is deliberately broad. As well as traditional critical infrastructure such as energy, transport and healthcare, it also applies to digital service providers, manufacturers, postal and courier services, waste management, food production and distribution, and large parts of the public sector.

Medium and large enterprises operating in these sectors must now comply with the Act’s requirements. Estimates suggest that thousands of Swedish entities are affected, many of which have never before been subject to mandatory cybersecurity regulation.

The substantive requirements are also more demanding. Organisations must carry out regular risk assessments, implement appropriate technical and organisational security measures, and ensure that these measures are proportionate to the risks they face. Supply-chain security is explicitly addressed: organisations must assess cybersecurity risks arising from suppliers and service providers and take steps to manage and mitigate those risks.

Significant cybersecurity incidents must be reported to the relevant supervisory authority within 24 hours of detection. This early warning is what allows a coordinated response across affected sectors. A more detailed incident notification must follow (under NIS2, within 72 hours), and a final report is required once the incident has been handled (under NIS2, no later than one month after the incident notification). These staged reporting obligations are intended to improve situational awareness across sectors and reduce the risk of incidents escalating further.

Governance expectations have also shifted fundamentally. Management is now explicitly responsible for overseeing cybersecurity measures and ensuring compliance. Boards can no longer treat cybersecurity as a purely technical matter handled elsewhere in the organisation. They are expected to understand the risks, approve the measures taken and ensure that sufficient resources are allocated to managing those risks effectively.

The consequences of non-compliance are far-reaching. Supervisory authorities may impose administrative fines of up to EUR 10 million or two per cent of global annual turnover, whichever is higher. This corresponds to the NIS2 maximum for essential entities; important entities are subject to a lower ceiling of EUR 7 million or 1.4 per cent of global annual turnover. The Act also introduces clearer accountability for senior management in the event of non-compliance.

Systemic risk and resilience

The NIS2 Directive and the Cybersecurity Act do not exist in isolation. They reflect a broader recognition that digital systems are critical infrastructure in their own right. Disruption to these systems can have a highly destructive impact, affecting not only individual organisations, but also wider society. A major cybersecurity incident can undermine trust and disrupt essential services, with repercussions across sectors and borders.

For this reason, NIS2 forms part of a broad EU regulatory effort to strengthen Europe’s resilience. This effort includes GDPR for personal data, DORA for operational resilience in the financial sector, the CER Directive for the physical resilience of critical entities, as well as additional sector-specific rules. These frameworks overlap deliberately, and a single incident may trigger obligations under several regimes at once.

Taken together, they represent a transition from a fragmented and largely unharmonised approach to a more comprehensive regulatory framework. The aim is to strengthen the resilience of the systems and organisations on which the economy and society depend.

What organisations should do now

With the Cybersecurity Act now in force, the key question for organisations is how to meet the requirements in a proportionate and financially viable manner.

  • Start by understanding whether the organisation is in scope. The Act’s broad application means that many organisations are covered for the first time.
  • Carry out a meaningful risk assessment. Identify realistic scenarios that could disrupt operations or compromise the services the organisation provides.
  • Ensure governance is in place. Management and boards must understand the organisation’s cybersecurity risks, approve the measures taken and ensure adequate resources.
  • Prepare for incident response. Organisations should be able to detect significant incidents and know which authority to notify within what timeframe. They should also have plans for containment and recovery.
  • Recognise the higher bar being set. The Cybersecurity Act reflects the reality that digital systems underpin essential services and that protection and resilience are no longer optional. Organisations that treat cybersecurity as a core governance issue, rather than a compliance exercise, will be better equipped to meet these requirements.

Read Mannheimer Swartling Annual Publication 2026.