Netnod on the national cybersecurity strategy

During the spring of 2025 the Swedish government released the national strategy on cybersecurity. While the strategy itself is clear and detailed, it does not directly address the long-term consequences of short-term priorities, nor does it explore how to align the long-term incentives of for-profit actors to Sweden’s national security interests.

The context

While precise in regard to the behaviour of public entities, the strategy does not directly address the fact that digital infrastructure, both essential and non-essential, is run by for-profit organisations that have to make long-term investments for this infrastructure to function.

These long-term investment horizons are not covered in the current strategy. A similar issue appears in the design of energy markets, where the Swedish government recently decided to subsidise capital costs related to infrastructure investments.

It seems clear that the moment the digitalisation market stops growing at an exponential rate, investment in its infrastructure will stop growing as well.

The importance of this for cybersecurity cannot be overstated: the availability aspect of cybersecurity is almost exclusively maintained by infrastructure investment in redundancy and/or over-capacity.

The strategy, then, needs not only to take account of the situation today, where market capitalisation is increasing, but also to accommodate the forms necessary for maintaining cybersecurity in stagnating or shrinking markets.

In addition, the strategy relies heavily on the national NIS2 and CER implementations for operational effect. Both NIS2 and CER are based on risk and proportionality. Neither of these two approaches has been proven effective in ensuring threat mitigation and robustness. There is, today, no firm proof that NIS, NIS2 or CER leads to an efficient use of resources for attaining a higher level of cybersecurity.

Sanctions and fines in today's security frameworks, including NIS2 and CER, are almost exclusively ex ante and are tied to compliance with process requirements. That is, there is a minimum level of organisational overhead that must be reached to avoid any risk of fines, so a profit-optimising organisation focuses on reaching this minimum level in the cheapest and fastest way, regardless of whether that produces any operational security effect.

Some of these topics were covered in a recent panel discussion — The gaps and overlaps of compliance and security — at the Netnod Meeting 2025.

Our recommendations

Apart from the strategy's overreliance on NIS2 and CER, which themselves favour process compliance over operational effect, we see no need to change the contents of the strategy. However, we see a need for additional measures to address the other issues mentioned above.

In particular, the strategy needs to establish the forms that enable for-profit organisations to make long-term investments in digital infrastructure at all levels, and to address the more complex question of how cybersecurity is to be treated as more than merely a cost and compliance issue.