Reviewing the government's cyber billion 

It is of course gratifying that the government is now following up the national cyber security strategy with investments in the coming budget. TechSverige has previously noted that this government has increased and high ambitions in information security policy. But how much does the new cyber billion actually contribute to this? 

The government will propose a "significant investment" in national cybersecurity in the budget bill for 2026. The investment amounts to a total of SEK 300 million in 2026, SEK 350 million in 2027 and SEK 400 million in 2028. The money is distributed between the National Cyber Security Centre (NCSC) under the Swedish Defence Radio Establishment (FRA) and municipalities and regions. The idea is that the initiative will meet "the complex challenges of the digital environment". In essence, of course, this is a good thing. Information and cyber security is expensive and many believe that too little has been invested in it so far in light of rapid digitalization.  

A closer look at what has been published reveals that the FRA is the big winner, receiving most of the investment, SEK 300 million over three years. Sweden's municipalities will receive SEK 200 million a year over the three years. That's not even a million kronor a year for each municipality. In total, there will be an average of just over SEK 2 million per municipality over the three years. Sweden's regions get to share SEK 150 million over three years and on average it will be about SEK 7.1 million per region. This probably does not live up to the strategy's demanding title "A new era of cybersecurity", at least not among municipalities and regions. 

Of course, even SEK 700,000 a year to comply with new rules in the NIS2 directive for a municipality is money too. At the same time, we should remember that the Swedish cybersecurity market will soon be worth over SEK 16 billion (Radar). It stands to reason that the deterrent effect against cybercriminals in this budget initiative has limitations anyway.  

So what should the government do? Sure, it could invest even more money. Of course, TechSverige advocates a market-led approach to cybersecurity - many companies can help improve security in municipalities and regions. However, there are areas where government has a particular responsibility.  

More needs to be done to curb cybercrime - hostage programs and denial-of-service attacks threaten vital operations. It is challenging, but law enforcement has an important role to play and the government needs to be engaged in international efforts. There is also a need for stricter legislation. In Sweden, we spend over 100 billion kronor a year on education and university research. Some of this could be used to address the skills shortage in the field of cybersecurity. More measures are also needed to increase the match between the skills in demand in the wake of digitization and how students now choose to educate themselves. Not least in information and cybersecurity. 

After all, the budget is welcome. It shows that the government is continuing to work according to the strategy and is once again a testament to the ambitions of this government. However, it is urgent that the government gives more thought to the role and responsibility of the state and the public sector in improving cybersecurity. You can't buy your way out of it. Especially not with budget amounts at this level.  

Fredrik Sand, industrial policy expert

Read more:
Press release: National investment in cyber security