“We must all take more responsibility to protect Sweden’s critical infrastructure” – new research finds gaps in national cyber resilience

Swedish businesses and the public show strong support for greater government action to manage cyber-attacks, including tougher regulation and politically sensitive measures, but government cannot solve the problem alone.

Sweden’s National Cybersecurity Strategy 2025–2029 (“En ny era av cybersäkerhet”) stresses that national resilience depends on collective responsibility across the public sector, private operators, and individual citizens. However, new research from cybersecurity services provider DNV Cyber indicates that critical infrastructure companies’ leaders see national cyber resilience as someone else’s responsibility, and the public do not understand their role in securing society from cyber-attacks.

A quarter (26%) of executives in Swedish companies operating in sectors classified as critical by the European Union are unsure whether their organization is essential to society, and more than half (54%) say the resilience of critical infrastructure is seen by executives in their company as a responsibility for someone else. Critical infrastructure includes energy, transportation, water, healthcare, financial services, and other systems vital for society, the economy, and national security.

“Many critical infrastructure companies are privately owned or operated,” says Mikael Lagström, Team Leader for Application Security, DNV Cyber. “While they need to secure their own organization and manage incidents as all businesses do, they must also recognize that a cyber breach of their systems has wide-ranging implications for society. Companies shouldn’t believe that national resilience can be left to a higher power to manage.”

Among Swedish citizens, most (60%) expect a society-disrupting cyber incident to affect the country in the next two years. One in five (21%) say that their everyday life has been affected by cyber incidents over the last 12 months. At the same time, half of the Swedish public believe they cannot influence the cybersecurity of critical infrastructure, even though everyday technologies such as connected home energy systems can create entry points for attacks on critical infrastructure, like the electricity grid.

“It’s important that Sweden’s citizens are not only aware of cyber risk, but also understand how they can help reduce it,” says Lagström. “Many feel powerless against cyber threats, but we all actually play a crucial role in preventing these attacks from succeeding.”

The perceived lack of responsibility or control over the cybersecurity of critical infrastructure, among both business leaders and the public, drives strong public support for government action. Both parties broadly support stronger government action on cyber risk, including tougher regulation and intelligence sharing. There is also wide acceptance that expanded government powers may be needed: six in 10 executives (57%) of Swedish companies support politically sensitive measures including surveillance of public data; a majority of the public (62%) say authorities should have more powers to stop cyber-attacks even if this means breaching consumer privacy.

For government, the challenge is how to secure critical infrastructure while not directly managing it – a challenge that authorities acknowledge in the National Cybersecurity Strategy.

“Governments can set expectations, enforce accountability, share intelligence, encourage cooperation, and build public awareness, but they cannot directly secure infrastructure they do not own. Cyber resilience depends on how well businesses, the public, and authorities each understand and fulfil their role in an interconnected system,” says Peter Hellström, Head of Cybersecurity Management Consulting, DNV Cyber. “We must all take more responsibility to protect Sweden’s critical infrastructure.”

DNV Cyber’s report ‘How cyber resilient is Sweden?’ draws on a survey of 200 executives working within critical infrastructure and 500 members of the Swedish public, and includes commentary from cyber leaders at Telia, SKF Automotive, Howden, Energi-CERT, the Swedish e-Health Agency, Axfood, The Swedish Cyber Command, and DNV Cyber. 

Emphasizing the work still needed to realize Sweden’s national security strategy, the report outlines eight key actions:

  1. Collaborate, and better understand vulnerabilities in supply chains
  2. Shift the emphasis towards response and remediation
  3. Strengthen regulation, develop incentives
  4. Build understanding of critical infrastructure and what it includes
  5. Clarify responsibilities within national cyber resilience
  6. Build cyber and AI skills across the workforce
  7. Empower the public
  8. Prepare the public for cyber disruption

 

How cyber resilient is Sweden? – About the research 

The report How cyber resilient is Sweden? is part of DNV Cyber’s Nordic Cyber Resilience research exploring the state of national cyber resilience in Norway, Sweden, Finland, and Denmark. The research covers sentiment and priorities among key actors and the public, addresses the threat landscape, and evaluates the preparedness of critical infrastructure organizations to manage cyber risk – including providing recommendations to strengthen cyber resilience. 

DNV Cyber will publish dedicated reports for Sweden, Norway, Finland, and Denmark. This builds on DNV Cyber’s influential Cyber Priority research exploring the state of cybersecurity in energy and maritime industries globally. 

 

About the survey 

The survey was conducted by FT Longitude on behalf of DNV Cyber between 6 November and 11 December 2025. A total of 2000 members of the public, 500 per country, completed a web-based survey across Sweden, Finland, Norway, and Denmark. Some 800 executives working in critical infrastructure organizations, 200 per country, also completed the survey.

Respondents were recruited via proprietary market research panels and had double opted in to participate. A quota sampling methodology was used to ensure that the sample reflected relevant population proportions in terms of age and gender.

 

About DNV Cyber  

DNV Cyber is a leading cybersecurity services provider empowering businesses with complex needs to become safer and more resilient. With a global team of more than 500 experts and 30 years of IT and operational technology security experience, DNV Cyber safeguards what is critical – enabling businesses to thrive. 

 

About DNV 

DNV is an independent assurance and risk management provider, operating in more than 100 countries. Through its broad experience and deep expertise, DNV advances safety and sustainable performance, sets industry standards, and inspires and invents solutions. 
