A recently published Swedish government document urges businesses to get resilient. It’s no humdrum promotion of corporate best practice, writes Nicholas Dynon, but rather a call to urgent action in the face of Russian aggression.
In late 2025, Sweden quietly crossed a psychological threshold. For the first time in generations, Stockholm formally addressed its business community with a blunt message: armed conflict is no longer a remote possibility, and companies must be ready to operate through crisis – and even war.
The result is Preparedness for businesses – In case of crisis or war, a government-issued guidance document aimed at strengthening national resilience by embedding preparedness across the private sector.
The initiative comes 18 months after the Scandinavian state took the unprecedented step of joining NATO, a move marking an abrupt end to its centuries long history of military non-alignment. The invasion of Ukraine by Russia had effectively led Swedish officials to abandon neutrality and search for security in numbers.
“Armed conflicts are taking place close to us, and Sweden is affected,” states a prologue to the document.
Read it in the magazine…
“In the event of a crisis, or in the worst case, a war, Swedish companies play a decisive role in ensuring that our society continues to function. As a business owner, you contribute by maintaining your operations as far as possible.”
Written for Swedish businesses, the framework has clear relevance for security professionals, infrastructure operators, and risk leaders anywhere who are grappling with an increasingly unstable global environment
Prepared for War, Resilient in Crisis
The Swedish approach rests on a simple yet powerful premise: if a society is prepared for war, it will be capable of handling any lesser crisis. Pandemic disruption, cyberattack, natural disaster, supply chain shock, and information warfare are all treated as part of a single continuum of risk.
Businesses are explicitly recognised as critical enablers of national survival. Financial systems, logistics, food production, energy, communications, manufacturing, and health services are not adjacent to defence, they are part of the defence ecosystem.
This framing elevates private enterprise from “stakeholder” to active participant in total defence, a concept that integrates military and civil preparedness into one coordinated national effort.
A more complex threat environment
Central to the guidance is the assumption that future crises will be multi-layered and hybrid in nature, think polycrisis or threat convergence. Sweden’s planning model anticipates:
- Long-duration power outages (weeks or months)
- Failure of electronic payments and communications
- Severe fuel and energy shortages
- Disruption to air, rail, road, and maritime transport
- Workforce availability constraints
- Cyberattacks combined with disinformation campaigns
- Pressure on international trade and just-in-time supply chains
Rather than treating these as distinct potentialities, Swedish businesses are instructed to assume they will occur simultaneously.
This complex threat picture mirrors trends already familiar to security professionals closer to home – particularly those responsible for critical infrastructure, retail resilience, ports, aviation, energy, and digital systems – and particularly those of us versed in the ‘all hazards, all threats’ approach.
Critical Infrastructure: Beyond the obvious
The document defines critical infrastructure broadly. Much like the Australian government has done in recent years via its Security of Critical Infrastructure Act, the document extends beyond traditional utilities to include:
- Food production and distribution
- Electronic communications
- Postal and logistics services
- Fuel and energy supply
- Construction materials and industrial manufacturing
- Health and social care services
- Data and information systems
Importantly, the guidance emphasises that many businesses do not realise they are critical until they fail. Interdependencies – suppliers, subcontractors, data providers, transport partners – are treated as risk multipliers.
For businesses, this reinforces the importance of looking beyond organisational boundaries and assessing how failure propagates across systems, between organisations, and throughout supply chains.
Continuity as a core capability
Business Continuity Management (BCM) is positioned within the guidance not as an exercise in compliance documentation, but rather as an operational survival skill. It urges Swedish businesses to:
- Map essential functions that must continue at all cost
- Identify critical dependencies such as staff, electricity, IT systems, transport, and suppliers
- Analyse supply chain vulnerabilities, including international dependencies
- Develop fallback arrangements, including stockpiling, backup power, and alternative production methods
- Ensure key expertise is not concentrated in single individuals
The pragmatic approach emphasises that continuity planning must assume limited information, degraded communications, and prolonged disruption.
Workforce reality in crisis and war
Staffing is treated as one of the most fragile components of resilience. The guidance assumes that during major crises or war:
- Some staff will be unable to travel
- Others may be reassigned to civil or military defence roles
- Anxiety, misinformation, and family pressures will affect attendance
- Normal HR assumptions will fail
Businesses are encouraged to identify (i) roles that must be physically present, (ii) functions that can be performed remotely, (iii) tasks that can be simplified or paused, and (iv) options for cross-training and role substitution.
In Sweden, it points out, employment contracts remain valid even in wartime, and businesses are expected to plan on that basis.
Crisis management a must
Plans are only useful if exercised, and companies are advised to establish crisis organisations with clear roles covering leadership, communications, situational awareness, personnel, operations, logistics, and security.
Hard-copy contact lists, alternative communication channels, and physical meeting points are strongly recommended – an implicit acknowledgement that digital systems may not be available when needed most.
All staff should have basic competence in first aid, fire safety, evacuation procedures, and situational awareness.
Cybersecurity and psychological defence
Cybersecurity is treated as inseparable from national defence. The guidance stresses:
- Risk-based cybersecurity management
- Multi-factor authentication and strict access controls
- Regular, offline data backups
- Supplier trust and equipment integrity
- Clear response procedures for cyber incidents, including mandatory reporting
Equally significant is an emphasis on psychological defence. Disinformation, propaganda, and malign influence are recognised as strategic weapons designed to erode trust, amplify fear, and disrupt decision-making. To strengthen psychological defence, the document urges businesses to:
- Train staff in source verification
- Avoid amplifying unverified information
- Maintain trusted communication channels with employees, customers, and partners
- Seek confirmed information from authorities during crises
Contribution, not just survival
Perhaps the most distinctive element of the Swedish framework is its expectation that businesses adapt to support societal needs, including doing such things as:
- Repurposing production lines
- Supporting logistics or storage
- Sharing information with authorities
- Participating in coordinated public-private response mechanisms
It notes that some obligations may arise through pre-existing agreements with government agencies, particularly in procurement, and the logistics, transport, and energy sectors.
Relevant takeaways?
While New Zealand’s strategic context clearly differs from that of northern Europe, the Swedish model raises some worthwhile questions:
- Are our businesses prepared for prolonged disruption?
- Do businesses’ continuity plans assume functioning infrastructure?
- Is cybersecurity treated as a strategic risk or an IT issue?
- Are workforce dependencies realistically assessed?
- How would businesses respond to a coordinated cyber, supply chain, and information attack?
Sweden’s message is clear: resilience cannot be outsourced to government. It must be built, practised, and owned by every organisation that underpins society… it is, ultimately, a whole-of-society responsibility.
Be the first to comment