A new cybersecurity strategy is welcome – but it lacks an action plan for Swedish IT infrastructure

The Swedish government recently presented a new national cybersecurity strategy, an important and timely initiative in an era of increasing complexity and growing threats. The three proposed pillars include several key elements related to systematic approaches, skills development, and the ability to prevent and manage incidents. However, for these elements to be effective, a robust and resilient IT infrastructure is essential.

This aspect receives very little attention in the strategy. It briefly notes that organisations may become vulnerable if their IT providers fail to deliver services. While critical infrastructure is mentioned, the responsibility is largely placed on providers, referencing the new NIS2 legislation. At the same time, the strategy acknowledges the need for more resilient digital supply chains and reduced dependency on third countries.

Despite rising cyber threats, geopolitical protectionism, and legal uncertainty surrounding data transfer agreements, little progress has been made. It is therefore crucial to emphasise that digital infrastructure is just as critical to Sweden as physical infrastructure.

In short: the strategy must be complemented by a concrete action plan to secure a robust IT infrastructure, one that functions in times of peace, crisis, and even war.

In broader discussions about the needs of total defence, the focus is often on telecom infrastructure, roads, railways, and the power grid. But for nearly a decade, inquiry after inquiry has also highlighted the need for secure and resilient IT infrastructure.

These investigations have primarily focused on the needs of the public sector. But this is about more than municipalities, regions, and government agencies. A robust IT infrastructure is absolutely vital for Swedish businesses, whose competitiveness is at risk if they lack reliable digital alternatives when conditions change.

The government was recently criticised by the Swedish National Audit Office for ineffective governance in building up civil defence. IT infrastructure was barely mentioned. The report refers to the 2016 defence decision, which required municipalities, regions, and agencies to be able to communicate securely and handle sensitive information. That capability was supposed to be in place within four years. The issue resurfaced in 2019 in the government’s strategy for a sustainable, digital Sweden. Two years later, in 2021, the so-called IT Operations Inquiry advocated for a state-led solution to provide secure and cost-effective IT operations for the public sector.

Again, the focus was on the public sector. Not unimportant, but it’s clear, given Sweden’s and Europe’s slow adoption of AI and digitalisation, that the central government has failed to recognise the needs of domestic companies for digital sovereignty and redundancy. This is not just about energy-efficient server operations and green data centres. It’s about the ability to develop new solutions without disruption, regardless of external circumstances.

Today, neither the private nor public sector has received clear guidance from authorities on any of these points.

The issue is further complicated by the legal situation. Time and again, data transfer agreements between the EU and the US have been invalidated. This leaves Swedish companies in a legal grey zone, where the extensive powers of US authorities to access data conflict with GDPR.

Going forward, action is needed on several levels:

1.                            Swedish companies, municipalities, regions, and agencies need a much deeper understanding of their own IT infrastructure. You may know where your data is geographically stored, but do you know where the backups are, who monitors the environments, and which country’s laws apply (since legislation follows ownership)?

2.                            More organisations need to reassess their cloud strategies and build infrastructure that combines the benefits of public cloud solutions with the security and long-term stability of Swedish and European private clouds. Europe must actively work to offer competitive alternatives to the widely used foreign cloud services.

3.                            A national action plan is needed to ensure the development of a cost-effective, secure, and robust IT infrastructure in Sweden – one that enables Swedish-owned private actors to establish themselves and grow competitively.

A national cybersecurity strategy is a positive step in many ways. But the issue of IT infrastructure remains largely absent from public discourse, despite having long been a critical component in building a strong Swedish total defence.

Christina Backlund

CEO of Shibuya, a Swedish IT provider with data centres in Sweden since 1964.