One of the most important security measures an organization can take is to regularly exercise its preparedness plans. According to the CIO Analytics survey, Sweden lags behind other North European countries in this area. Drills are least common in municipalities, highlighting a clear need for more efforts within the local government sector.
CIO Analytics is an annual survey of IT decision-makers across the Nordics and the Baltics. In 2026, 1,478 IT leaders answered questions about topics ranging from AI adoption to resource challenges and security preparedness. On the latter point, Sweden stands out — and not in a positive way.
“Only 15 percent of Swedish organizations regularly exercise their preparedness plans. That is significantly lower than in neighboring countries, where about one in four conducts continuous exercises. This is notable given that we more often report having experienced attacks that affected operations,” says Carl-Johan Ekelund, Head of Security at Atea Sweden.
The survey shows that the private sector runs preparedness training more frequently: roughly one in five private companies train continuously. Public sector organizations, and municipalities in particular, practice less often for several reasons. It can stem from security not receiving sufficient attention from municipal leadership, perceptions that exercises take too much time or cost too much, or a naive underestimation of the potential impact of an attack.
“That may seem surprising given the high-profile attacks on municipalities and municipal services in the past year. To make preparedness work effectively, it must be a shared responsibility between IT, operations and executive management,” says Carl-Johan Ekelund.
To help municipalities and other organizations improve their preparedness, Atea Sweden offers practical training in a mobile “Escape Room” during its IT summit Atea Bootcamp and later in the autumn in Stockholm. Inside the exercise, participants experience a simulated live attack, reflect on how they react under pressure, and practice responding to an incident together with other organizations. All available sessions at Atea Bootcamp were booked within the first hour, indicating strong interest in practical preparedness training.
“Initiatives like these show a strong willingness to improve readiness. At the same time, conditions and resources vary greatly between, for example, a small and a large municipality. The private sector can take a larger role by offering flexible security solutions and supporting municipalities. We also have several municipalities collaborating under the ‘Safer Together’ initiative, enabling shared development and pooled investments,” says Carl-Johan Ekelund.
What this means for Swedish organizations
Swedish organizations need to strengthen practical cyber preparedness through regular exercises, clearly defined responsibilities and better collaboration between IT, business units and executive leadership. When cyberattacks disrupt operations, data or business continuity, a written plan alone is not enough. Plans must be tested in realistic scenarios to ensure teams can respond effectively under pressure.
What this means for MSPs in the Nordics
For MSPs, MSSPs and Nordic IT partners, the findings represent a clear opportunity to offer flexible services in cyber preparedness, incident exercises, security consulting, continuity planning and ongoing training. Municipalities and smaller organizations, in particular, may need external support from private providers to build more resilient security capabilities.
Risks and opportunities
The risk is that Swedish organizations underestimate the consequences of cyberattacks and lack hands-on experience when incidents occur. The opportunity lies in rising interest for preparedness training, collaborative security initiatives and more structured incident management — all of which can materially improve resilience.
Article scope
This article covers Atea Sweden, CIO Analytics 2026, cyber preparedness, cybersecurity, incident response, Swedish municipalities, the public and private sectors, the Nordics and the Baltics. It focuses on why Swedish organizations exercise least in the region and why practical training is critical for handling cyber incidents.
SEO keywords
cyber preparedness, cyberattacks, cybersecurity, Atea, Atea Sweden, CIO Analytics, Swedish municipalities, public sector, private sector, incident response, security exercises, preparedness plans, cyber resilience, IT security, Northern Europe, Nordics, Baltics, Atea Bootcamp, Escape Room, Safer Together, municipal cybersecurity, security training, MSP, MSSP, Nordic MSP, IT partner, security partner, cyber threats, operational impact, digital resilience
Relevant audiences
The article is relevant for security vendors, MSPs, MSSPs, municipalities, government agencies, public sector organizations and private companies working with cybersecurity, incident response, risk management, preparedness and business continuity.