Published: June 2025

Trust Under Fire

By: Marc de Jong Luneau, Strategic Cyber Security Advisor & General Manager Nordics, Northwave Cyber Security

In my role as a strategic advisor at Northwave Cyber Security, I’ve stood alongside executive teams during some of the most critical moments of their careers, navigating them through a crippling cyberattack. These experiences have taught me that maintaining digital trustworthiness is a personal obligation for those at the top.

The Legal Shift: Accountability Has a Name Now 

Sweden is in the process of implementing the EU’s NIS2 Directive through its forthcoming Cybersecurity Act, set to take effect in 2025. This new framework dramatically raises the bar for organisations and their leadership. 

Under NIS2, senior management is personally responsible for ensuring the implementation of cyber security risk management, incident reporting, and business continuity measures. Regulatory enforcement in Sweden is being built around this leadership obligation.  

Non-compliance could lead to fines, injunctions, and, in some cases, individual liability—including potential disqualification from executive duties. Meanwhile, the Digital Operational Resilience Act (DORA) has been applied across the Swedish financial sector from 17 January 2025, further reinforcing the principle that operational resilience is a board-level issue, not a technical one. The Financial Supervisory Authority (Finansinspektionen, or FI) has initiated a comprehensive analysis to assess how financial institutions are implementing DORA. This evaluation, announced in June 2025, involves three phases throughout the year and includes 50 entities such as banks, insurers, payment institutions, and trading platforms. 

The common thread is this: executives are no longer only accountable for outcomes; they are now accountable for managing preparation. 

Trust and Continuity: The Twin Pillars at Risk 

What’s at stake in a crisis isn’t just data or downtime. It’s the two core pillars of your market position: 

  • Business Continuity: your ability to maintain operations when your digital backbone is under pressure.
  • Trustworthiness: your ability to assure partners, customers, and regulators that you’re a safe and resilient part of their ecosystem.

In regulated sectors—especially manufacturing, pharmaceuticals, green energy, and Medtech—these values are now prerequisites for market access. With NIS2 extending due diligence obligations up and down the supply chain, your resilience is now part of your partners’ compliance risk. 

How Do Organisations (Really) Achieve Cyber Readiness? 

Working with leadership teams across Europe, and now increasingly in Sweden, I’ve seen the difference between theoretical readiness and operational reality. The companies that handle crises best do a few things differently: 

  • Executive leaders take point in strategy, preparations and exercises, and continuously stress the importance of resilience as a key ingredient in achieving the organisation’s mission.
  • They integrate business continuity and cyber security into a single, rehearsed response strategy.
  • Post-incident and exercise reviews are used for continuous, measurable improvements. 
  • The entire organisation embraces that legal compliance is the floor, not the ceiling. They understand that compliance follows solid security.  

Most importantly, cyber-crisis-ready organisations treat trust and resilience as executive competencies, not delegated checklists.


A Final Thought for Swedish Leaders 

The regulations are clear: cyber resilience is no longer optional and no longer anonymous. The decisions made at the top will shape how your organisation weathers the next digital crisis and whether others will trust you again afterwards. 

If you’re preparing for NIS2 or DORA, or simply asking what “good” looks like in crisis readiness, reach out to me and our Swedish team for a free consultation. We are always open to sharing what we’ve seen and how Northwave supports leadership teams before, during, and after the breach.
