When the ice cracks beneath our feet.

There's something peculiar about how quickly a landscape can change without anyone really noticing. Not through disasters or headlines, but through small, almost imperceptible shifts. I've started to think of our digital Sweden as a vast ice field. One of those expansive, Nordic ice fields that look stable, almost eternal. We move across it with certainty. We build businesses, innovations, and public services on top of it. We take pride in how far we've come, and rightly so.
But beneath the surface, there are currents. Warm pockets of water. Movements that go unseen until the ice suddenly breaks.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

Reading the report from Radar, Northwave and OneMore Secure, I'm struck by a phrase that's as technical as it is revealing: "Supply chain security… collapses to 2.5, making it one of the lowest performing controls across the board." It's more than just a number. It's a description of a crack in the ice. A crack that doesn't appear where we're looking, but where we hadn't thought to look. And that crack has been growing for some time.

It's almost eerie how well this aligns with what ENISA describes in its Threat Landscape report: attackers increasingly target suppliers because it offers "high systemic impact with minimal effort." IBM's X-Force analysis from 2025 shows that 82 percent of breaches are now "malware-free," meaning attackers no longer break in; they slip through cracks that already exist. The same report states the breach dwell time is now 29 minutes. This is no longer a battle of technology. It's a race against time.

What really stops me, however, isn't the figures themselves, but the contrast. Sweden is one of the most digitalised countries in the world. We are early adopters of AI, IoT, automation, and cloud services. We build advanced systems connecting everything from ports to hospitals to industrial production. We are like a vast ice field linked by thin, elegant structures, yet a crack in just one place can cause the whole surface to tremble.

And yet it's precisely in these connections where our maturity is at its lowest. It's not a technical paradox. It's a cultural one. We have built a society that trusts the ice to hold. But we haven't built a society that talks about what happens when it doesn't.

This is where I begin to wonder if we need to rethink everything. I often say that as digital individuals and organisations, we don't need more regulations, more checklists, frameworks no one has time to implement, or certifications that mean nothing, but something more fundamental. We need a new narrative about what digital resilience really is.

When the EU's NIS2 directive talks about "supply chain governance" and "management accountability," what it is really trying to get us to understand is this: security is no longer an internal matter. It's a shared infrastructure. Just like the power grid. Just like the roads. Just like the water from the tap. It's not about protecting each organisation individually. It's about protecting the entire ice field. In this, no one is unimportant; every organisation contributes to societal security, directly or indirectly. Therefore, I consider the debate about whether NIS2/CSL affects you to be irrelevant. HOW am I affected is a more constructive question, answered by WHAT do I need to do.

And perhaps this is where Sweden has a unique opportunity. We are a small but important country. We're used to collaboration. We have short decision paths. We have a public sector that can unite, and a private sector that can act quickly. We have a culture where people can actually sit at the same table and discuss problems that concern everyone. It's a strength not reflected in technical metrics but crucial when landscapes change. After all, we are the country of Minecraft, Spotify, ABBA, Björn Borg, strawberries, semi-skimmed milk, and much more.

Imagine if we could harness this immense innovative power to build something unique. Not a new authority, not another layer of rules, no more networks that are really just clubs for mutual admiration among dinosaurs, but a network of genuine collective capability to listen for cracks in the ice and then communicate them clearly. To share information before it becomes dangerous. To act before someone falls through. To see cybersecurity not as a cost, but as a prerequisite for the entire ice field to hold.

It may be a naive thought. Or perhaps it's exactly the kind of thinking needed as the world changes faster than our institutions can keep up. Because if research is clear about anything, from ENISA to the EU Commission's analyses of NIS2 implementation, it's that the countries that succeed are those that understand digital resilience isn't a technical issue. It's a societal one. THEN these networks can't be just rulers, politicians, officials, and specially selected businesses from industry. This network must reflect a cross-section of the real digital Sweden.

And that's precisely where I believe we must start. By daring to tell everyone affected that the ice is moving. By informing them that cracks exist, and how they move and behave. That we can no longer pretend each organisation stands on its own platform or can manage alone. That we are interconnected, for better or worse. By creating real herd immunity against digital dangers and threats, and plugging vulnerabilities based on shared experience.

Because in the end, it's not the strongest organisation that survives. It's the society that learns to listen to the whispers before the storm arrives that will enable everyone to survive.

Reference list

Radar, Northwave & OneMore Secure. (2026). Threat Intelligence Update Q1 – Cyber Risk Navigator: Building Operational Resilience. (Primary source for figures on supply chain maturity, AI-driven attacks and NIS2 preparedness.)

ENISA – European Union Agency for Cybersecurity. (2024). ENISA Threat Landscape 2024. (Basis for discussion on attacker methods, supply chain attacks and systemic risks.)

ENISA – European Union Agency for Cybersecurity. (2023). Supply Chain Cybersecurity Good Practices. (Foundation for analysis of structural weaknesses in supply chains and system effects.)

IBM Security X-Force. (2025). Threat Intelligence Index 2025. (Source for figures on malware-free breaches, identity-based attacks and breach dwell times.)

EU Commission. (2023–2025). NIS2 Implementation Reports & Member State Preparedness Assessments. (Basis for discussion on NIS2 maturity, governance requirements and member state challenges.)

EU Commission. (2022). Directive (EU) 2022/2555 – NIS2 Directive. (Primary legal source for requirements on supply chain governance, management accountability and risk-based measures.)

Microsoft Digital Defense Report. (2023–2025). (Used as background for discussion on AI-driven attacks, identity misuse and global threat landscape.)

World Economic Forum. (2024). Global Cybersecurity Outlook. (Basis for discussion on geopolitics, systemic risks and organisational maturity.)

OECD. (2023). Digital Security Risk Management for Economic and Social Prosperity. (Theoretical foundation linking digital resilience and competitiveness.)

MSB / Swedish Civil Contingencies Agency. (2023–2025). National situation reports and analyses of cyber threats. (Used as Swedish context for public sector maturity and system dependencies.)

Swedish Security Service. (2024). Annual Report – Cyber Threats to Sweden. (Basis for discussion on state actors and system impact.)

Gartner Research. (2024). Identity Threat Detection & Response Trends.
