Critical Infrastructure in Sweden: MSB, Civil Defence Revival, and Vattenfall

Sweden did not rediscover civil defence in 2022. It rediscovered the fact that civil defence had been quietly dismantled and that the architecture which once carried the cold war into the Baltic basin had to be rebuilt under conditions for which no current Swedish manager had been trained.

The country that handed in its NATO accession papers in 2024 is not the same country that signed the application in 2022. Between those two moments lies a reconstruction effort that touches energy, transport, water, telecommunications and the institutional backbone that coordinates them. The Swedish Civil Contingencies Agency, MSB, sits at the centre of this reconstruction, and its mandate has expanded faster than any Nordic regulator in the past three decades. For operators of critical infrastructure inside Sweden, and for foreign operators whose assets cross Swedish soil, the question is no longer whether the regulatory baseline will rise. It already has. The question is whether the operational baseline has risen with it.

What MSB actually is, and what it has become

MSB, Myndigheten för samhällsskydd och beredskap, was created in 2009 out of the merger of three predecessor agencies. Its formal task is to coordinate civil protection and emergency preparedness across Swedish society. In practice, that means everything from forest fire response to cyber incident coordination to the legal framework around the so called total defence concept, the Swedish notion that defence is a shared task of the armed forces and civilian society.

For more than a decade after its founding, MSB operated as a competent but conventional emergency agency. It published guidance, ran exercises, maintained the national rescue services framework and coordinated with European partners under the Union Civil Protection Mechanism. Its profile inside Sweden was higher than the equivalent agencies in Germany or France, lower than the BSI in cyber matters, and broadly comparable to a hybrid of CISA and FEMA in scope. The agency was not central to industrial policy. It was central to crisis logistics.

That description no longer holds. Since 2022 MSB has absorbed responsibilities that were previously dispersed across the defence ministry, the energy authority and the national police. It now leads the national framework for sector responsibility under the new beredskapssektor structure, which divides Swedish society into ten sectors of preparedness, each with a designated lead agency. MSB is the integrator. It also operates CERT-SE, the national computer emergency response team, which means cyber incident coordination flows through the same institution that coordinates physical civil defence.

The consequence for operators is concrete. A water utility in Gothenburg, a substation operator in Skåne and a logistics hub on the E4 corridor are no longer dealing with separate regulators for physical protection, cyber resilience and crisis communication. They are dealing with one agency that has the legal authority to demand evidence across all three domains and the political backing to enforce it. The reference framework, openly aligned with NIST CSF 2.0 and ISO 27001, is no longer aspirational. It is the audit baseline. Operators who treat MSB as the gentle emergency agency it used to be are reading an outdated map.

What 2022 actually changed

The Russian invasion of Ukraine in February 2022 did three things to Sweden that no preceding event had managed. It collapsed the political consensus around non-alignment, it exposed the depth to which Swedish total defence had been hollowed out during the post cold war decades, and it forced an honest accounting of dependencies that had been assumed away. The NATO application followed in May 2022. The accession itself was completed in March 2024 after Hungarian ratification. Between those two dates the Swedish state did more on civil defence than in the preceding thirty years combined.

The numerical scale is significant but the structural shift is what operators need to internalise. Civil defence funding rose from roughly one billion Swedish kronor per year in the late 2010s to a multi-billion programme spanning shelter rehabilitation, food and fuel reserves, healthcare surge capacity and energy resilience. The compulsory civic duty framework was reactivated. Sixteen and seventeen year olds began receiving information packets about their obligations under the total defence concept. The famous booklet Om krisen eller kriget kommer, last distributed at scale in 2018, was reissued in late 2024 in an expanded version that explicitly addresses cyber threats, disinformation and the responsibilities of private operators.

The shift that matters most for the audit conversation is the legal one. The new preparedness ordinance, in force since October 2022, defines sector responsibilities with a precision that the old framework lacked. Operators in the ten designated sectors, energy, transport, food, healthcare, financial services, electronic communications, water, public order, social insurance and rescue services, now have explicit obligations to plan for, exercise against and report on a defined catalogue of contingencies. The catalogue is not exhaustive, which is deliberate. It is indicative, which means that the regulator can extend it without primary legislation.

For foreign operators with Swedish assets, this matters. Swedish subsidiaries of European utilities, Nordic logistics operators and telecommunications providers with infrastructure in Sweden are now under a sector responsibility regime that does not distinguish by ownership. The criterion is criticality, not nationality. A German operated transmission asset in southern Sweden falls under the same MSB led framework as a Swedish state owned one. The reference standards, IEC 62443 for industrial control systems, NIST 800-53 for federal style control catalogues adapted to civilian use, IEC 61850 for substation communication, are the same standards that operators in Germany under the BSI or in the United States under CISA already know. What changes is the integration. MSB connects them.

Vattenfall and what crown jewel really means

Vattenfall is the Swedish state owned energy utility. It operates roughly twenty per cent of Swedish electricity generation, owns transmission and distribution assets across the Nordic and German markets, and runs nuclear, hydro, wind and thermal capacity at scale. It is the single most significant industrial asset on the Swedish balance sheet, and it is the asset that Swedish strategists most frequently describe, off the record, as the crown jewel.

The crown jewel framing is not marketing. It is an accurate description of the consequence calculus. A multi day disruption to Vattenfall's Ringhals nuclear site, to the Forsmark complex or to the Lule River hydro cascade would not be a sector incident. It would be a national event with European spillover, because Swedish electricity flows into the Nordic synchronous area and from there into the continental European grid through fixed interconnectors. The Nordic balancing market depends on Swedish hydro flexibility. The German energy transition depends on Nordic imports during winter peaks. The cascade is not theoretical.

Vattenfall's own security architecture has matured significantly over the past five years, in part under direct pressure from MSB and from the Swedish security service Säpo. The company operates a layered model that combines physical protection at generation sites, OT segmentation aligned with IEC 62443, IT controls aligned with ISO 27001, and a corporate security function that reports at executive level. The nuclear sites operate under additional oversight from the Swedish Radiation Safety Authority. The hydro cascades in the north operate under specific protection regimes that take into account their geographical exposure and their importance to the Nordic grid frequency.

The question that any honest observer must ask is not whether Vattenfall is well protected. By Nordic standards, it is. The question is whether the dependencies that surround Vattenfall, the contractors, the maintenance subcontractors, the IT service providers, the logistics partners that move spare parts and fuel, are protected to the same standard. Supply chain compromise is the dominant vector in the threat catalogues that CISA, BSI and ENISA have published over the past three years. It is also the vector against which Swedish operators have historically been weakest, because the Swedish industrial culture trusts long term relationships more than it trusts formal control assurance. That culture is changing, slowly, under MSB pressure. It has not yet changed completely.

For operators in adjacent sectors, the lesson is uncomfortable. If the crown jewel is protected but its supply chain is not, the crown jewel is exposed through its supply chain. The audit perimeter cannot stop at the fence line.

The civil defence revival and what it demands from private operators

The Swedish civil defence revival is not a state project that private operators can observe from the sidelines. The total defence concept, totalförsvar, explicitly includes the civilian economy. Banks, telecommunications providers, food retailers, fuel distributors, pharmaceutical wholesalers and logistics operators are all expected to plan for a defined set of scenarios that includes prolonged crisis, hybrid attack and, in the worst case, armed conflict on Swedish territory.

The concrete demands that flow from this expectation include continuity of operations planning that extends beyond commercial business continuity, stockholding requirements for critical inputs, personnel planning that accounts for reservist mobilisation, cyber resilience aligned with NIS2 and the Swedish implementation thereof, and physical security at standards that exceed the commercial baseline most operators have historically maintained. The exercise programme that MSB runs, in cooperation with the armed forces, now regularly includes private sector participants. Operators who decline to participate without good reason are noted. The note becomes part of the regulatory file.

The reference frameworks for these demands are familiar to anyone who has worked in critical infrastructure protection in Europe or North America. NIST CSF 2.0 provides the cyber framework, IEC 62443 the industrial control baseline, ISO 27001 the management system, ISO 22301 the business continuity standard. ASIS International guidance is widely cited for physical protection. The novelty is not the standards. The novelty is the integration of these standards into a national framework that treats the operator as part of total defence, not as a commercial party with adjacent regulatory obligations. In the broader analysis developed in BOSWAU + KNAUER. From Building to Security Technology, this kind of integration is precisely what separates a posture from a portfolio of certificates.

What this means in practice for an operator with Swedish exposure is straightforward. The physical and cyber baselines that were defensible in 2019 are not defensible in 2025. The gap is not always large, but it is consistent. Site protection that relied on a fence, lighting and a watch contract is now expected to demonstrate intrusion detection, behavioural analytics on access patterns, integration with CCTV that produces evidentiary quality footage, and a response chain that survives both communications loss and personnel attrition. Cyber controls that relied on perimeter segmentation are now expected to demonstrate zero trust elements, OT visibility, anomaly detection at the protocol layer and incident response capability that has been exercised, not merely documented.

What investments are flowing and where the gaps remain

Public investment is the easiest part of the story to track. The Swedish defence budget rose to roughly two per cent of GDP in 2024 and the civil defence component within and adjacent to that budget rose proportionally. Shelter rehabilitation, food and fuel strategic reserves, healthcare surge capacity and energy resilience are the headline lines. Cyber capability at MSB, FRA, the signals intelligence agency, and Säpo has been reinforced. Personnel numbers across these agencies have grown faster than at any point since the early cold war.

Private investment is harder to track because it is dispersed across hundreds of operators and reported under commercial confidentiality. The pattern that emerges from sector conversations is consistent. Energy operators are spending materially more on physical protection at substations, hydro sites and storage facilities. Telecommunications operators are hardening exchange sites and reviewing dependency on foreign equipment vendors. Financial sector operators are investing in operational resilience capability that goes beyond the standard ECB and Finansinspektionen requirements. Water utilities, historically underfunded across Europe and Sweden is not an exception, are catching up under direct MSB pressure but remain the sector with the largest gap between aspiration and capability.

The gaps that remain are predictable. Supply chain assurance is uneven, with large operators well advanced and mid sized operators visibly behind. OT cyber visibility in older industrial estates is partial at best, because retrofitting visibility into control systems designed before the threat catalogue existed is technically difficult and operationally disruptive. Physical security at smaller sites, distribution substations, water boost stations, telecommunications cabinets, is often still at the level that was considered adequate a decade ago, which is to say a fence, a padlock and a quarterly inspection. The integration of physical and cyber response remains immature in most operators, because the two functions historically reported into different parts of the organisation and have not yet been merged into a single resilience function.

The investment that produces the highest return per kronor spent, in the experience of operators who have moved early, is not the most expensive sensor or the most sophisticated analytics platform. It is the structured assessment that identifies where the actual exposure sits and the disciplined programme that closes the highest exposure gaps first. The temptation to buy capability before defining the gap is the most common failure mode in this market, and it is the mode that produces audit findings two years later, when the regulator asks why the spend did not move the risk needle.

What holds

Sweden has rebuilt the institutional architecture of civil defence faster than any comparable European country in the past three decades, and MSB sits at the centre of that architecture with a mandate that now extends across physical, cyber and continuity domains. The reference standards are the standards that operators in Germany, the Netherlands and the United States already know. The integration is what has changed, and the integration is what raises the audit baseline.

Vattenfall is well protected by Nordic standards, but the crown jewel framing is misleading if it obscures the question of supply chain exposure and adjacent sector dependency. The investment flows are real and material, but they are uneven across operators and sectors, and the gaps that remain are predictable. Operators who treat the new framework as a compliance exercise will produce certificates. Operators who treat it as an operational problem will produce resilience.

For an operator with Swedish exposure who has not recently tested the posture against the post 2022 baseline, the structured ninety day pilot described as Path III in BOSWAU + KNAUER. From Building to Security Technology is the format that produces evidence rather than slides. For operators who want a faster reading, the three to five day audit on Path II delivers a defined report against the MSB aligned framework. For those who want to begin with a confidential conversation before committing to either, Path I exists for that purpose. The conversation is sixty minutes. The audit is days. The pilot is ninety days. The decision to act, or to defer it until the next incident makes the decision for you, is the only variable that remains in the operator's hand.

Frequently asked questions

What is MSB?

MSB, the Swedish Civil Contingencies Agency, is the central authority for civil protection and emergency preparedness in Sweden. It coordinates physical civil defence, runs CERT-SE for cyber incident response, and integrates the ten preparedness sectors that now structure Swedish total defence. Since 2022 its mandate has expanded substantially, and it now operates as the integrating regulator across physical, cyber and continuity domains for critical infrastructure operators. Its reference standards align with NIST CSF 2.0, ISO 27001 and IEC 62443, and its authority extends to foreign operators with Swedish assets.

How did 2022 change things?

The Russian invasion of Ukraine collapsed the Swedish consensus around non-alignment, triggered NATO accession completed in March 2024, and forced a reconstruction of civil defence that had been dismantled during the post cold war decades. Funding rose from roughly one billion kronor annually to multi-billion programmes. The preparedness ordinance of October 2022 redefined sector responsibilities with new precision. Compulsory civic duty was reactivated. The total defence concept now explicitly includes private operators, who face expanded obligations for continuity planning, stockholding, cyber resilience and physical protection.

Who is Vattenfall?

Vattenfall is the Swedish state owned energy utility, operating roughly twenty per cent of Swedish electricity generation and significant transmission and distribution assets across the Nordic and German markets. Its portfolio includes nuclear capacity at Ringhals and Forsmark, hydro cascades on the northern rivers, wind and thermal generation. It is the most strategically significant industrial asset in Sweden. Its security architecture is mature by Nordic standards, combining physical protection, OT segmentation aligned with IEC 62443, and corporate security at executive level. The principal residual exposure sits in the supply chain rather than in the core assets.

What investments are flowing?

Public investment has risen substantially since 2022, with the defence budget reaching roughly two per cent of GDP and proportional growth in civil defence lines covering shelter rehabilitation, strategic reserves, healthcare surge capacity and energy resilience. Personnel at MSB, FRA and Säpo has grown materially. Private investment is dispersed but consistent in pattern: energy and telecommunications operators are hardening physical sites, financial sector operators are extending operational resilience capability, and water utilities are catching up under direct MSB pressure. Gaps remain in supply chain assurance, OT visibility and the integration of physical and cyber response.