Navigate the regulatory landscape

In a time of escalating cyber threats, Swedish companies face a complex maze of regulations and frameworks. From new EU requirements such as DORA, NIS2 and the AI Act, to established standards like ISO 27001 – how do organisations keep track of it all, and more importantly, how do they build real resilience without getting lost in paperwork? In this blog post, we untangle the connections, show who is affected, and provide you with the tools not only to navigate the regulatory landscape, but to thrive in it.

Tord Strømdal

Cybersecurity specialist

Regulations vs frameworks: what’s the difference?

Let’s start by clarifying the difference between regulations and frameworks. Regulations define what must be achieved – for example in terms of reporting, governance and accountability. Frameworks, on the other hand, describe how this should be done, through specific methods, processes and controls. One of the most effective strategies is to build your organisation’s compliance programme around established frameworks such as ISO 27001 or the NIST Cybersecurity Framework (NIST CSF), and then map these against the legal requirements that apply, such as NIS2, DORA and the Swedish Protective Security Act, among others.

Table: international frameworks and the dates from which they apply.
Table: EU and Swedish information security regulations and the dates from which they apply.

Getting started – Step by step

  1. Identify the regulations that apply to your organisation: map the regulatory frameworks relevant to your operations based on your industry, markets, customer segments and potential role in critical infrastructure. Document the applicable requirements and ensure clear ownership and accountability for each regulation.
  2. Conduct a gap analysis between regulatory requirements and your current state: analyse the gap between regulatory requirements and your organisation’s current maturity level. Are you already ISO 27001 certified? Do you have an existing management system that could serve as a foundation? Review current processes, policies and controls before building anything new.
  3. Map controls to avoid duplication of work: many of the requirements in DORA overlap with those in NIS2 or ISO 27001. Ensure that you avoid duplicating efforts. If certain areas need to be expanded to meet a specific regulatory requirement, make sure you do not create a parallel structure of information or tools unnecessarily.
  4. Run the initiative as a prioritised project: adapting your organisation, processes, ICT services, structural capital, third-party contract management and technical tools requires dedicated resources. Appoint a project lead, secure funding and establish clear responsibilities and authority.
  5. Integrate cybersecurity into day-to-day operations: cybersecurity is not a one-off exercise. Embed regulatory requirements into your operational structure and everyday processes – such as onboarding, procurement, log analysis and background checks – to ensure compliance continues even after the project phase is completed.

Want to know more? 

Not sure which requirements apply to your organisation or how to implement them in practice? Let’s figure it out together.
