Swedish organisations are currently navigating three overlapping compliance frameworks — GDPR has been in force since 2018, NIS2 came into effect in October 2024, and ISO 27001 remains the de facto standard for information security management. When everything is a priority, nothing gets done. Here is how we recommend sequencing the work.
Start with your actual risk, not the framework
The most common mistake is treating compliance as a checkbox exercise. Frameworks describe controls; they do not tell you which risks matter most for your specific organisation, data, and threat landscape. Before you open the ISO 27001 annex or start reading NIS2 articles, map your critical assets and your realistic threat actors.
For most Swedish mid-market organisations, the highest-probability risks are: phishing leading to credential compromise, ransomware via unpatched systems or exposed RDP, and supply chain compromise through third-party software or services. Start there.
GDPR: from project to programme
Most organisations treated GDPR as a one-time project in 2018. Six years later, the data landscape has changed completely — new SaaS tools, AI processing, expanded data sharing. Your GDPR compliance needs a regular review cycle, not a one-off implementation. We typically see gaps in: data retention (data kept far longer than necessary), third-country transfers (still using US-hosted tools without adequate safeguards), and DPIA coverage (new AI tools processing personal data without a data protection impact assessment).
NIS2: who it catches and what it requires
NIS2 has a wider scope than many organisations realise. If you operate in an essential or important sector — and the list is long — you are in scope. The key requirements that trip organisations up: incident reporting timelines (24 hours for initial notification), supply chain security obligations, and management accountability (board-level responsibility for cybersecurity).
ISO 27001: when certification makes sense
ISO 27001 certification is increasingly a commercial requirement, not just a best practice. If you are selling to enterprise clients or public sector in Europe, expect to be asked for it. The certification process typically takes 9–18 months. We help organisations scope it correctly (common mistake: scoping too broadly), build the ISMS, and prepare for the audit.
If you are trying to work out where to focus your security and compliance effort, we offer a half-day assessment that maps your current posture against all three frameworks and produces a prioritised action plan.