Security Awareness Training and Phishing Simulation, Built for Swedish Teams

Roughly 60% of breaches still involve a person, not just a machine (Verizon DBIR 2025). eBuilder's training and phishing simulation turn your staff into the layer that reports the attack — in Swedish, backed by the same analysts who run our SOC.

See How It Works
Trusted to Protect Swedish Organisations

40+ Swedish Kommuner, Regions &
EU-Regulated Enterprises

A security awareness programme run by the same analysts behind our SOC, reflecting current MCF (formerly MSB) guidance.

NIS2 Article 21.2g aligned
Native Swedish-language content
100% Sweden data residency
Fully managed by eBuilder

Trusted by 30+ Swedish Kommuner, Regions and
EU-Regulated Enterprises Since 2003

Why Now

Why Swedish Organisations Are Training Their People in 2026

A new law, a wall of recent Swedish incidents, and AI-built lures have made security awareness training mandatory and concrete — not a nice-to-have.

Compliance Mapping

Meet Your Compliance Requirements With Ease

Security awareness training is a named obligation in several frameworks Swedish organisations answer to. Complorer maps your programme and reporting to each one.

NIS2 · Art. 21.2g

Security Awareness Training

In-scope essential and important entities must provide basic cyber hygiene and security awareness training to staff — it is one of ten mandatory risk-management measures under Cybersäkerhetslagen.

Complorer delivers: role-based training and audit-ready records, with boards able to evidence their own oversight under Article 20.

GDPR · Art. 32 / 39

Staff Data-Protection Training

Organisations must ensure staff handling personal data are trained on its protection and on breach awareness — a duty supervised by IMY.

Complorer delivers: data-handling and phishing modules, with completion logs ready as IMY-facing evidence.

ISO 27001 · Annex A 6.3

Ongoing Awareness & Education

Certification requires documented, ongoing information security awareness, education and training across the workforce.

Complorer delivers: the continuous programme and exportable evidence auditors ask for at surveillance and recertification.

DORA · Art. 13

ICT Security Awareness

Financial entities must run ICT security awareness programmes and training, supervised by Finansinspektionen.

Complorer delivers: sector-appropriate training and reporting for in-scope financial-sector firms.

Free Checklist · NIS2 Article 21.2g

The Security Awareness & Phishing Readiness Checklist

A one-page checklist mapping NIS2 Article 21.2g, GDPR and ISO 27001 training duties to what your organisation should have in place. Use it to find the gaps before an auditor does.

  • Side-by-side duty map: NIS2 Article 21.2g, GDPR and ISO 27001 awareness-training obligations in one view, so nothing slips through.
  • Cadence gap check: see where your current training and phishing-simulation frequency falls short of Article 21.2g.
  • Audit-ready evidence list: a checklist you can hand straight to an auditor or your board, in plain Swedish mapped to Cybersäkerhetslagen.

Built for the Swedish regulatory context and free to download — a fast way to see exactly where your awareness programme stands today.

Get Your Free Readiness Checklist

Delivered to your inbox instantly. No spam. EU data residency. Unsubscribe any time.


~60% of breaches involve the human element · Verizon DBIR 2025
86% drop in phish-prone rate after 12 months · KnowBe4 2025
>80% of social engineering is AI-assisted phishing · ENISA 2025
€20M potential maximum NIS2 & GDPR fines

Why European Organisations Choose Complorer

Most awareness platforms are US-built and self-managed. Complorer is European, compliance-native and run for you. KnowBe4 and Proofpoint are named for comparison — verify each claim against their current documentation before publishing.

Complorer by eBuilder (Recommended) | KnowBe4 | Proofpoint
European / GDPR-native, EU data residency | US-headquartered; EU hosting option | US-headquartered; EU hosting option
NIS2 Article 21.2g mapping built in | Generic NIS2 | Generic NIS2
Native Swedish-language content | Translated, not Swedish-first | Limited
Fully managed (eBuilder runs it) | Self-managed | Self-managed
Deployment: days, fully managed | Self-serve setup | Self-serve setup
Fits SMB through enterprise | SMB to enterprise | Enterprise-leaning
Pricing model: per-employee subscription | Quote-based | Quote-based

If you already have the time and in-house expertise to build content, run campaigns and produce audit evidence yourself, a self-managed platform can work. If you do not, a European, fully managed programme is almost always faster and cheaper than the internal time it replaces.

How Complorer Works

Phishing simulation, role-based training and audit-ready reporting — set up once by eBuilder and run for you, so you are live in days, not months.

Everything your awareness programme needs — fully managed

Phishing simulation, training content and compliance reporting in one Swedish-run service.

Managed Phishing Simulation

Safe, realistic fake phishing emails on a role-based schedule. eBuilder builds, runs and tunes the campaigns for you.

Run for you

Role-Based Microlearning

Short 3–7 minute modules tailored to finance, HR, developers and leadership — completed on any device.

3–7 min modules

Fail-and-Learn Flow

A click triggers a short teaching moment, never a reprimand — turning every mistake into immediate learning.

No-blame

Swedish & English Content

Native Swedish-first content, not translations — kept current against the latest AI-driven lures.

Swedish-first

Real-Time Tracking

Individual and group completion tracked live, so you always know exactly where every team stands.

Live dashboard

Compliance Exports

Audit-ready exports mapped to NIS2 Art. 21.2g, GDPR and ISO 27001 — the evidence is one click away.

Auditor-ready

Board Summaries

Automated monthly summaries for the board, evidencing leadership oversight under NIS2 Article 20.

Monthly

Set Up & Run by eBuilder

No IT project. We configure users, languages and your first campaigns, then run the programme on a schedule.

Fully managed

Trusted by IT & Security Leaders Across Sweden & Europe

Built for Swedish Critical Infrastructure

  • Public Sector (Kommuner & regioner)
  • Healthcare
  • Manufacturing
  • Finance & Banking
  • Energy & Utilities
  • Logistics & Transport

Simple, Predictable Pricing

Complorer is a managed subscription priced per employee, billed predictably, with setup and ongoing management included. You're buying an outcome — fewer successful attacks and clean audit evidence — not another tool for your team to run.

Building the same capability in-house means licensing a platform, learning it, writing content, running campaigns and producing reports. For most Swedish SMBs and mid-market organisations, a managed service is faster and cheaper than the internal time it replaces.

Get a Tailored Quote

Proposal delivered within 48 hours of a 30-minute briefing.

Per-employee subscription

What's included in every plan

Setup & configuration by eBuilder | Included
Managed phishing campaigns | Included
Role-based training content | Included
Swedish & English content | Included
Real-time tracking & monthly reports | Included
Compliance exports (NIS2 / GDPR / ISO) | Included
Billing | Per employee
Commitment to assess | None
Final pricing in proposal. Initial assessment carries no commitment.

Questions Buyers Ask

The questions that come up in every evaluation — on the law, on GDPR, on frequency and on procurement — answered plainly.

Does NIS2 / Cybersäkerhetslagen require security awareness training?

Yes. Article 21.2g of NIS2, transposed into Sweden's Cybersäkerhetslagen (SFS 2025:1506), lists basic cyber hygiene and security awareness training as one of ten mandatory risk-management measures. Article 20 adds a separate duty to train the management body. Both have applied since the law took force on 15 January 2026.

Is phishing simulation legal under GDPR?

Yes, when done correctly. Phishing simulation is lawful under legitimate interest (Article 6.1.f GDPR) if you publish a policy, forewarn staff that simulations happen, limit retention of individual results, and never use a single click as grounds for discipline. eBuilder builds the programme to meet these conditions from the start.

How often should we run phishing simulations?

Run simulations at least quarterly for all staff, and monthly for higher-risk roles such as finance, IT administration, leadership and HR, alongside continuous microlearning. Frequency matters more than volume: a steady, progressively harder cadence builds reporting habits, while one annual test mainly measures a single day.

What is a normal phishing click rate?

The global baseline phish-prone rate is 33.1%, falling to 4.1% after twelve months of training — an 86% reduction (KnowBe4 Phishing by Industry Benchmarking Report, 2025). New programmes commonly start in the 20% to 35% range. Use your own baseline as the comparison point, not a single industry average.

What is a good reporting rate?

Reporting rate is the share of staff who actively report a simulated phishing email, and it is the metric that predicts real-world resilience. Proofpoint customers average around 18.65%, with financial services near 32% and education near 8%. eBuilder aims to get your reporting rate above 30% within twelve months.

Does the board need separate training?

Yes. NIS2 Article 20, transposed into Cybersäkerhetslagen, makes the management body personally accountable for security measures and obliges it to undergo training. eBuilder offers a fixed-scope board session mapped to Article 20, with an utbildningsbevis you can keep as evidence of oversight.

Which EDR does eBuilder MDR use?

eBuilder's MDR is built on CrowdStrike Falcon or Cybereason, deployed through the device management you already run. CrowdStrike threat intelligence tracks more than 230 named adversary groups globally, and eBuilder's SOC layers Swedish and Nordic threat trends on top — so detection reflects the threats actually targeting Swedish organisations.

We already run CrowdStrike Falcon or Microsoft Defender. Can eBuilder use it?

Yes. An existing CrowdStrike or Microsoft Defender deployment speeds onboarding because eBuilder connects to your existing telemetry instead of deploying new sensors. Integration with Microsoft Defender for Endpoint, Sentinel, and Entra ID is standard — and go-live is typically under 24 hours rather than the usual three days.

What is AIDR, and how does it work with the human SOC?

AIDR is eBuilder's AI detection-and-response layer that contains fast-moving threats autonomously in milliseconds — blocking lateral movement, credential stuffing, and prompt injection before they escalate. A human analyst then validates and runs the response. AIDR handles machine-speed attacks; the named analyst handles judgement — so nothing waits on a queue.

Does eBuilder MDR satisfy the Cybersäkerhetslagen / NIS2 monitoring requirement on its own?

eBuilder's MDR directly satisfies the core NIS2 Article 21 obligations: continuous monitoring, incident detection and handling, and the documentation tied to MCF reporting. It does not alone cover supply-chain security, business continuity, or awareness training — eBuilder's advisory and Complorer training services complete the remaining Article 21 scope.

How does the training integrate with our MDR or SOC?

Reported emails can flow into eBuilder's SOC, where they are triaged alongside real alerts. A staff member who clicks can be auto-isolated by eBuilder's AI detection and response, and simulation data enriches the risk scoring your incident response already uses. Training stops being a silo.

Can we use real brands like Microsoft or Skatteverket in simulations?

Not their logos without permission, which raises trademark issues. eBuilder uses generic look-alikes and your own internal senders to build realistic Swedish scenarios — fake HR, payroll, BankID and delivery messages — keeping simulations legally clean while still mimicking the lures Swedish staff actually receive.

How do we show a supervisor we meet Article 21.2g?

Keep the evidence a supervisor will ask for: course material, a dated attendance list, campaign results, your simulation policy, the management body's training record, and your role-based tracks. eBuilder produces these as standard output, so reporting to MCF, PTS or Finansinspektionen is a download, not a scramble.

Can we buy this through Adda or Kammarkollegiet?

Indirectly. The routes for public-sector buyers are Adda IT-konsulttjänster 2021 and Kammarkollegiet's IT-konsulttjänster för IT-säkerhet. eBuilder can be procured via underleverantör clauses, or for values under the direktupphandlingsgräns of 700 000 SEK exkl. moms, through direktupphandling.

How quickly will we see results?

Most programmes see meaningful change inside a quarter. KnowBe4 data shows a 40% drop in phish-prone rate after three months and 86% after twelve. The first signal to watch is reporting rate climbing — that means staff are not just avoiding the bait, they are actively flagging it for your team.

Is phishing simulation effective against AI-generated attacks?

Yes, if scenarios are updated continuously. ENISA's Threat Landscape 2025 reports that AI-supported phishing made up more than 80% of observed social engineering by early 2025. eBuilder refreshes Swedish-language lures to match current AI-driven techniques, so staff train against the attacks they will actually face — not last year's templates.

Turn Your Staff Into Your Reporting Layer.

Book a 30-minute walkthrough with a Sweden-based analyst. We'll map your training and phishing-simulation cadence to NIS2 Article 21.2g and show you exactly where you stand. No pitch deck. No commitment.

Book a Walkthrough
No commitment · Sweden-based analyst

Security Awareness Is Just the Start

Training is your human layer. These complementary eBuilder services close the gaps around it — detection, testing and strategy.