Awareness · Sweden Security Awareness Training & Phishing Simulation

Security Awareness Training and Phishing Simulation, Built for Swedish Teams

About 60% of breaches still involve a person, not a machine (Verizon DBIR 2025). Our training and phishing simulations teach your people to recognise an attack and report it, in Swedish, run by the same analysts who staff our SOC.

Trusted to Protect Swedish Organisations

40+ Swedish Kommuner, Regions & EU-Regulated Enterprises

A security awareness programme run by the same analysts behind our SOC, reflecting current MCF (formerly MSB) guidance.

NIS2 Article 21.2g aligned
Native Swedish-language content
100% Sweden data residency
Fully managed by eBuilder Security

Trusted by 40+ Swedish Kommuner, Regions and EU-Regulated Enterprises Since 2003

Why Now

Why Swedish Organisations Are Training Their People in 2026

A new law, a run of recent Swedish incidents and AI-written lures have turned security awareness training into a legal requirement, not a nice-to-have.

Definition

What Is Security Awareness Training?

Security awareness training teaches employees to recognise and resist cyber threats such as phishing, social engineering and unsafe handling of data. Delivered through short lessons and simulated phishing emails, it lowers human risk, supports compliance with NIS2 and GDPR, and turns staff into an active layer of defence.

eBuilder Security delivers this through Complorer, our managed security awareness training and phishing simulation service. Complorer is not just software you log in to and set up yourself. We configure it, run the phishing campaigns, schedule the training and prepare your reporting, so a small IT team or a busy compliance officer does not have to.

European & GDPR-Native

Built for EU data-protection rules and Swedish data residency, not retro-fitted from a US platform.

Schrems II safe

Fully Managed

eBuilder Security runs the programme for you with Complorer. You review the dashboard, not the admin panel.

Run for you

Swedish & English Content

Training and simulations in both languages, so the message lands with every employee.

Swedish-first

Fast to Launch

Configured and live in days, not months, with no internal IT project to run.

Live in days

Compliance Mapping

Meet Your Compliance Requirements with Ease

Security awareness training is a named obligation in several frameworks Swedish organisations answer to. Complorer maps your programme and reporting to each one.

NIS2 · Art. 21.2g

Security Awareness Training

In-scope essential and important entities must provide basic cyber hygiene and security awareness training to staff. It is one of the ten mandatory risk-management measures under Cybersäkerhetslagen.

Complorer delivers: role-based training and audit-ready records, with boards able to evidence their own oversight under Article 20.

GDPR · Art. 32 / 39

Staff Data-Protection Training

Organisations must ensure staff who handle personal data are trained on protecting it and on spotting a breach. In Sweden, IMY supervises this duty.

Complorer delivers: data-handling and phishing modules, with completion logs ready as IMY-facing evidence.

ISO 27001 · Annex A 6.3

Ongoing Awareness & Education

Certification requires documented, ongoing information security awareness, education and training across the workforce.

Complorer delivers: the continuous programme and exportable evidence auditors ask for at surveillance and recertification.

DORA · Art. 13

ICT Security Awareness

Financial entities must run ICT security awareness programmes and training, supervised by Finansinspektionen.

Complorer delivers: sector-appropriate training and reporting for in-scope financial-sector firms.

Free Checklist · NIS2 Article 21.2g

The Security Awareness & Phishing Readiness Checklist

A one-page checklist mapping NIS2 Article 21.2g, GDPR and ISO 27001 training duties to what your organisation should have in place. Use it to find the gaps before an auditor does.

  • Side-by-side duty map: NIS2 Article 21.2g, GDPR and ISO 27001 awareness-training obligations in one view, so nothing slips through.
  • Cadence gap check: see where your current training and phishing-simulation frequency falls short of Article 21.2g.
  • Audit-ready evidence list: a checklist you can hand straight to an auditor or your board, in plain Swedish mapped to Cybersäkerhetslagen.

Built for the Swedish regulatory context and free to download. A quick way to see where your awareness programme stands today.

Get Your Free Readiness Checklist

Delivered to your inbox instantly. No spam. EU data residency. Unsubscribe any time.


  • ~60% of breaches involve the human element (Verizon DBIR 2025)
  • 86% drop in phish-prone rate after 12 months (KnowBe4 2025)
  • >80% of social engineering is AI-assisted phishing (ENISA 2025)
  • €20M potential maximum NIS2 & GDPR fines

Why European Organisations Choose Complorer

Most awareness platforms are US-built and self-managed. Complorer is European, compliance-native and run for you.

| Complorer by eBuilder Security (Recommended) | KnowBe4 | Proofpoint |
| European / GDPR-native, EU data residency | US-headquartered; EU hosting option | US-headquartered; EU hosting option |
| NIS2 Article 21.2g mapping built in | Generic NIS2 | Generic NIS2 |
| Native Swedish-language content | Translated, not Swedish-first | Limited |
| Fully managed (eBuilder Security runs it) | Self-managed | Self-managed |
| Deployment: Days, fully managed | Self-serve setup | Self-serve setup |
| Fits SMB through enterprise | SMB to enterprise | Enterprise-leaning |
| Pricing model: Per-employee subscription | Quote-based | Quote-based |

If you already have the time and in-house expertise to build content, run campaigns and produce audit evidence yourself, a self-managed platform can work. If you do not, a European, fully managed programme is almost always faster and cheaper than the internal time it replaces.

How Complorer Works

Phishing simulation, role-based training and audit-ready reporting. We set it up once and run it for you, and you are live in days, not months.

Everything Your Awareness Programme Needs, Fully Managed

Phishing simulation, training content and compliance reporting in one Swedish-run service.

Managed Phishing Simulation

Safe, realistic fake phishing emails on a role-based schedule. eBuilder Security builds, runs and tunes the campaigns for you.

Run for you

Role-Based Microlearning

Short modules of three to seven minutes, tailored to finance, HR, developers and leadership, completed on any device.

Short modules

Fail-and-Learn Flow

A click triggers a short teaching moment, never a reprimand, turning every mistake into immediate learning.

No-blame

Swedish & English Content

Native Swedish-first content, not translations, kept current against the latest AI-driven lures.

Swedish-first

Real-Time Tracking

Individual and group completion tracked live, so you always know exactly where every team stands.

Live dashboard

Compliance Exports

Audit-ready exports mapped to NIS2 Art. 21.2g, GDPR and ISO 27001. The evidence is one click away.

Auditor-ready

Board Summaries

Automated monthly summaries for the board, evidencing leadership oversight under NIS2 Article 20.

Monthly

Set Up & Run by eBuilder Security

No IT project. We configure users, languages and your first campaigns, then run the programme on a schedule.

Fully managed

Try It · 30 Seconds

Can You Spot the Phish?

A real-style payroll lure. Click anything that looks off, exactly what Complorer trains your people to do. Most people miss at least one.

Inbox Simulated

HR Department <hr@l0ner-payroll.net>

URGENT: Confirm your payroll details within 2 hours

Today 08:14

Hi team,

Our payroll system has been updated. For your salary to be paid on the 25th, you must verify your bank details via this link: http://payroll-verify.secure-pay.net

If you do not confirm in time, your payment may be delayed or withheld.

Kind regards,
HR Team

Payroll_Details_2026.html

Red flags: 5 hidden in this email.

Who It's For

Built for the People Who Answer for Security

From the CISO who has to prove it works to the CEO with no security team, Complorer speaks to each role, with a next step that fits the job.

CISO & IT Security

“I need to prove our training actually works.”

Reporting-rate trends, click rate over time, role-based simulations and audit-ready evidence you can take to the board and to a NIS2 audit.

HR & Compliance

“I need the GDPR and NIS2 boxes ticked, with evidence.”

Easy administration and exportable completion records, mapped to the frameworks you answer to, without becoming a security expert.

CEO & Business Owner

“I have no security team. I need something that just works.”

A fully managed service that protects the organisation and scales with it, with no internal security headcount required.


Trusted by IT & Security Leaders Across Sweden & Europe

Built for Swedish Critical Infrastructure

Public Sector
Education
Manufacturing
Energy
High-Tech
Retail & Finance

Simple, Predictable Pricing

Complorer is a managed subscription priced per employee, billed predictably, with setup and ongoing management included. You are buying an outcome, fewer successful attacks and clean audit evidence, not another tool for your team to run.

Building the same capability in-house means licensing a platform, learning it, writing content, running campaigns and producing reports. For most Swedish SMBs and mid-market organisations, a managed service is faster and cheaper than the internal time it replaces.

Get a Tailored Quote

Proposal delivered within 48 hours of a 30-minute briefing.

Per-employee subscription

What's Included in Every Plan

| Setup & configuration by eBuilder Security | Included |
| Managed phishing campaigns | Included |
| Role-based training content | Included |
| Swedish & English content | Included |
| Real-time tracking & monthly reports | Included |
| Compliance exports (NIS2 / GDPR / ISO) | Included |
| Billing | Per employee |
| Commitment to assess | None |

Final pricing in proposal. Initial assessment carries no commitment.

Questions Buyers Ask

The questions that come up in every evaluation, on the law, on GDPR, on frequency and on procurement, answered plainly.

Does NIS2 / Cybersäkerhetslagen require security awareness training?

Yes. Article 21.2g of NIS2, transposed into Sweden's Cybersäkerhetslagen (SFS 2025:1506), lists basic cyber hygiene and security awareness training as one of ten mandatory risk-management measures. Article 20 adds a separate duty to train the management body. Both have applied since the law entered into force on 15 January 2026.

Is phishing simulation legal under GDPR?

Yes, when done correctly. Phishing simulation is lawful under legitimate interest (Article 6.1.f GDPR) if you publish a policy, forewarn staff that simulations happen, limit retention of individual results, and never use a single click as grounds for discipline. eBuilder Security builds the programme to meet these conditions from the start.

How often should we run phishing simulations?

Run simulations at least quarterly for all staff, and monthly for higher-risk roles such as finance, IT administration, leadership and HR, alongside continuous microlearning. Frequency matters more than volume: a steady, progressively harder cadence builds reporting habits, while one annual test mainly measures a single day.

What is a normal phishing click rate?

The global baseline phish-prone rate is 33.1%, falling to 4.1% after twelve months of training, an 86% reduction (KnowBe4 Phishing by Industry Benchmarking Report, 2025). New programmes commonly start in the 20% to 35% range. Use your own baseline as the comparison point, not a single industry average.

What is a good reporting rate?

Reporting rate is the share of staff who actively report a simulated phishing email, and it is the metric that predicts real-world resilience. Proofpoint customers average around 18.65%, with financial services near 32% and education near 8%. eBuilder Security aims to get your reporting rate above 30% within twelve months.

Does the board need separate training?

Yes. NIS2 Article 20, transposed into Cybersäkerhetslagen, makes the management body personally accountable for security measures and obliges it to undergo training. eBuilder Security offers a fixed-scope board session mapped to Article 20, with an utbildningsbevis you can keep as evidence of oversight.

Which EDR does eBuilder Security MDR use?

eBuilder Security's MDR is built on CrowdStrike Falcon as the primary platform, with Cybereason available for multi-platform environments, deployed through the device management you already run. CrowdStrike threat intelligence tracks more than 230 named adversary groups globally, and our SOC layers Swedish and Nordic threat trends on top, so detection reflects the threats actually targeting Swedish organisations.

We already run CrowdStrike Falcon or Microsoft Defender. Can eBuilder Security use it?

Yes. An existing CrowdStrike or Microsoft Defender deployment speeds onboarding because eBuilder Security connects to your existing telemetry instead of deploying new sensors. Integration with Microsoft Defender for Endpoint, Sentinel and Entra ID is standard, and go-live is typically under 24 hours rather than the usual three days.

What is AIDR, and how does it work with the human SOC?

AIDR is eBuilder Security's AI detection-and-response layer that contains fast-moving threats autonomously in milliseconds, blocking lateral movement, credential stuffing and prompt injection before they escalate. A human analyst then validates and runs the response. AIDR handles machine-speed attacks while the named analyst handles judgement, so nothing waits on a queue.

Does eBuilder Security MDR satisfy the Cybersäkerhetslagen / NIS2 monitoring requirement on its own?

eBuilder Security's MDR directly satisfies the core NIS2 Article 21 obligations: continuous monitoring, incident detection and handling, and the documentation tied to MCF reporting. On its own it does not cover supply-chain security, business continuity or awareness training. Our advisory and Complorer training services complete the remaining Article 21 scope.

How does the training integrate with our MDR or SOC?

Reported emails can flow into eBuilder Security's SOC, where they are triaged alongside real alerts. A staff member who clicks can be auto-isolated by eBuilder Security's AI detection and response, and simulation data enriches the risk scoring your incident response already uses. Training stops being a silo.

Can we use real brands like Microsoft or Skatteverket in simulations?

Not their logos without permission, which raises trademark issues. eBuilder Security uses generic look-alikes and your own internal senders to build realistic Swedish scenarios, such as fake HR, payroll, BankID and delivery messages. That keeps simulations legally clean while still mimicking the lures Swedish staff actually receive.

How do we show a supervisor we meet Article 21.2g?

Keep the evidence a supervisor will ask for: course material, a dated attendance list, campaign results, your simulation policy, the management body's training record, and your role-based tracks. eBuilder Security produces these as standard output, so reporting to MCF, PTS or Finansinspektionen is a download, not a scramble.

Can we buy this through Adda or Kammarkollegiet?

Indirectly. The routes for public-sector buyers are Adda IT-konsulttjänster 2021 and Kammarkollegiet's IT-konsulttjänster för IT-säkerhet. eBuilder Security can be procured via underleverantör clauses, or for values under the direktupphandlingsgräns of 700 000 SEK exkl. moms, through direktupphandling.

How quickly will we see results?

Most programmes see meaningful change inside a quarter. KnowBe4 data shows a 40% drop in phish-prone rate after three months and 86% after twelve. The first signal to watch is the reporting rate climbing. That means staff are not just avoiding the bait, they are actively flagging it for your team.

Is phishing simulation effective against AI-generated attacks?

Yes, if scenarios are updated continuously. ENISA's Threat Landscape 2025 reports that AI-supported phishing made up more than 80% of observed social engineering by early 2025. eBuilder Security refreshes Swedish-language lures to match current AI-driven techniques, so staff train against the attacks they will actually face, not last year's templates.

Turn Your Staff into Your Reporting Layer.

Book a 30-minute walkthrough with a Sweden-based analyst. We'll map your training and phishing-simulation cadence to NIS2 Article 21.2g and show you exactly where you stand. No pitch deck. No commitment.


Security Awareness Is Just the Start

Training is your human layer. These complementary eBuilder Security services close the gaps around it: detection, testing and strategy.