GRC Challenges In Cyber Security

A Guide to Managing the Matrix

Published: July 2025

By: Marc de Jong Luneau, Strategic Cyber Security Advisor & General Manager Nordics, Northwave Cyber Security

In the boardrooms of mid-size and large companies, a critical question is surfacing more and more frequently: who is accountable when cyber risk meets regulatory scrutiny? 

This question has become harder to answer as governance, risk, and compliance (GRC) demands become more complex. New EU and Swedish regulations, heightened geopolitical tensions, and rising stakeholder expectations are placing boards under unprecedented pressure. The result is often confusion, fragmented responsibilities, conflicting requirements, and increased liability. This doesn’t only impact the business, but also individual executives. 

To bring order to this complexity, leading organisations are turning to a GRC matrix—a structured, visual method for mapping the relationships and gaps between governance frameworks, risks, and compliance obligations. The matrix helps clarify:

  • who owns what
  • where controls are missing
  • how risks align with business priorities 

In Northwave’s advisory work, we see that companies without a well-defined GRC matrix often struggle to coordinate responses and delay critical decisions. As such, they expose themselves to avoidable risk. In contrast, companies that actively manage their GRC matrix are better equipped to meet regulatory demands, maintain resilience, and lead with confidence. This article explores why now is the time to make the GRC matrix a core part of your strategy. 

Growing Complexity of Cyber Security in Sweden

In Sweden, the regulatory environment for cyber security has evolved dramatically. Cyber security oversight has transitioned from technical departments to a core responsibility of boards and C-level executives. Swedish enterprises now often need to comply with: 

  • Horizontal regulations like the EU’s GDPR, DORA, NIS2 (CSA), and ISO/IEC 27001
  • Sector-specific mandates from Finansinspektionen and the Swedish Civil Contingencies Agency (MSB) 
  • Product-focused rules like the EU Cyber Resilience Act (CRA), impacting connected medical devices, industrial automation, and consumer electronics 
  • Sweden-specific requirements, such as MSB's regulatory framework for critical infrastructure providers and energy companies 

This often results in operational inefficiencies such as inconsistent regulatory timelines, overlapping standards, increased reporting duties, and growing pressure from customers, investors, and regulators. 

Managing the Matrix

Sweden’s international profile as a tech-forward, export-driven economy means that: 

  • Cyber security breaches have an amplified impact across supply chains. Boards are under constant pressure to demonstrate ESG and cyber maturity simultaneously. 
  • Finansinspektionen demands sector-specific cyber plans—with teeth. 
  • Companies expanding into international markets face conflicting regulations. 

This is why some leading Swedish companies have been establishing cyber governance groups that include CIOs, CFOs, CCOs, and board-level risk committees. These units align risk tolerance, oversee legal and technical interfaces, harmonise overlapping requirements, and prepare for regulatory inspections. In other words, they are pro-actively managing the matrix.

However, many mid-size and large Swedish firms still struggle to organise the right operations due to limited expertise and a structural lack of competent resources. Meanwhile, fragmented ownership of cyber GRC across legal, tech, and compliance units slows response times and increases board-level risk. These companies are caught between innovation and regulation.

To remain competitive while staying compliant, I recommend that you consider a shift from reactive compliance to pro-active, integrated, intelligent cyber governance. Your goal would be to move GRC from a compliance obligation to a cultural norm that is part of your business thinking.

I believe that Swedish enterprises have a cultural advantage here. We are known for flat hierarchies and strong functional integration. This is a clear asset in pro-actively embedding cyber GRC into all our key processes and adopting harmonised control models that integrate cyber security with governance, risk and compliance operations.

What Happens When The Matrix is Mismanaged?

Examples from Sweden reveal the high stakes: 

  • A fintech company under Finansinspektionen’s supervision missed DORA readiness milestones due to overlapping ISO27001 and GDPR audits, forcing a market pause. 
  • A Swedish industrial manufacturer expanding in the EU faced NIS2 compliance delays due to unclear incident response protocols, resulting in lost contracts. 
  • A MedTech exporter misaligned its CRA and GDPR controls, triggering regulatory intervention in both Sweden and Germany. 

Issues like these carry significant financial impact. They can damage trust with stakeholders and clients and consume boardroom attention that would have otherwise driven strategic growth.  

Taking Responsibility For Cyber Resilience 

We see that companies which embed GRC into the core of their governance and operations position themselves better. In other words, the business opportunity here is to:

  • Continue to protect your license to operate 
  • Ensure your trustworthiness with partners, regulators, and clients 
  • Strengthen your resilience to hybrid threats and rising regulatory pressure 

In my view, successfully managing the matrix can be a defining characteristic of a successful digital business. I am confident that it will also offer you peace of mind in light of the responsibility you carry as an accountable leader.

If cyber security governance still lives in separate silos in your organisation, now is the time to act. Managing the GRC matrix is no longer a compliance task—it’s a leadership responsibility. One that determines your readiness, resilience, and reputation. 

I challenge you to review your current setup with fresh eyes if you're serious about staying ahead. And if you'd like a sparring partner to stress-test your strategy, I’m ready to help.