SFS 2025:1506 Is Now Swedish Law
The law entered into force on 15 January 2026. NIS2 is now Swedish statute and board members of every covered entity carry personal liability for compliance.
MDR · Sweden
Sweden's Fastest Managed Detection & Response
Managed Detection & Response Service in Sweden
Your SOC is in Sweden. Your analyst has a name and a direct number. Threats are contained in milliseconds by AI, confirmed by a human in a 3-minute median and not one log leaves the country.
Run a Free Domain Breach Scan
eBuilder Security · SOC Console
00:00:00
LIVE · 24/7/365
0
Threats contained
3min
Median response
0.4s
AI containment
Live threat feed
SOC ACTIVE
Sweden data residency
Trusted to Protect Swedish Organisations
40+ Swedish Kommuner, Regions &
40+ Swedish Kommuner, Regions &
EU-Regulated Enterprises
Including a strategic, multi-year engagement to strengthen cybersecurity resilience across Sweden's critical public sector.
3-minute median response
Full NIS2 Article 21 coverage
100% Sweden data residency
CrowdStrike Authorized Partner
Trusted by 40+ Swedish Kommuner, Regions and
EU-Regulated Enterprises Since 2003
Why MDR Now
Why Swedish Organisations Are Moving to MDR
Three regulatory deadlines, one supply-chain catastrophe and a staffing shortage that puts in-house 24/7 coverage out of reach for most organisations.
Miljödata Attack Reached 200 Municipalities
The Miljödata supply-chain attack compromised roughly 200 of Sweden's 290 municipalities. A single shared platform became a national-scale incident within hours. This is not a theoretical risk.
Tietoevry / Akira Ransomware
The Tietoevry incident showed how a Nordic IT supplier becomes critical infrastructure overnight. Detection latency, not perimeter strength, determined the outcome for every affected organisation.
Board Members Are Now Personally on the Hook
NIS2 Article 20 places personal liability on directors for inadequate cybersecurity risk management. Sign-off is no longer something the CISO handles alone.
Up to €10M or 2% of Global Turnover
Fines are not theoretical. Supervisory authorities across the EU have begun issuing them. For serious failings the ceiling is €10 million or 2% of global annual turnover, whichever is higher.
The 24h / 72h / 1-Month Cascade
MCF (formerly MSB) requires a 24-hour early warning, a 72-hour formal notification and a final report within one month of a confirmed incident. Without 24/7 detection, that clock starts in the wrong place.
Every Vendor Relationship Is Now in Scope
Supply-chain security is no longer best-effort. Every third-party vendor relationship has to be assessed, documented and kept current. Under NIS2 they are now part of your audit perimeter.
You Cannot Hire 12 Cleared Analysts
Sweden's security-skills shortage and Stockholm rates put an in-house 24/7 SOC out of reach for most organisations. MDR converts that capital build into a flat monthly operating line.
Compliance Mapping
What NIS2, GDPR and DORA Require in Practice
The obligations across Cybersäkerhetslagen (NIS2), GDPR and DORA that MDR satisfies directly, mapped to the specific controls auditors check.
NIS2 · Art. 21.2a
Continuous Monitoring
Active detection of anomalies, 24 hours a day, 7 days a week, across endpoints, identity, cloud and network. The requirement is not a policy. It is an operational capability that has to produce documented evidence.
MDR satisfies: eBuilder Security SOC delivers auditable, always-on monitoring with named analysts, producing timestamped logs ready for supervisory review.
NIS2 · Art. 21.2b
Incident Reporting to MCF
24-hour early warning, 72-hour formal notification and a complete report within one month. The clock starts at first detection, not when your IT team discovers it on Monday morning.
MDR satisfies: Every confirmed incident is timestamped from T+0. MCF-cascade-ready documentation is generated automatically for each confirmed event.
GDPR · Art. 33
Breach Notification to IMY
72-hour window to notify the Swedish data protection authority (IMY) where personal data is involved. Assembling that evidence under deadline pressure is where most organisations fail.
MDR satisfies: eBuilder Security produces IMY-formatted incident documentation automatically for every confirmed personal-data event, delivered to your DPO before the window closes.
DORA · Art. 17
ICT Incident Management
For Swedish financial services entities subject to the Digital Operational Resilience Act, ICT incident classification, reporting to Finansinspektionen and operational-resilience documentation are all mandatory.
MDR satisfies: MDR incident records align with DORA classification thresholds and Finansinspektionen's reporting expectations out of the box.
NIS2 · Cybersäkerhetslagen
Everything Your Board Needs to Ask About NIS2
Sweden's Cybersäkerhetslagen brought NIS2 into national law on 15 January 2026. If your organisation operates in energy, transport, health, digital infrastructure or public administration, you are in scope and your board carries personal liability.
- Risk management & incident handling: Article 21(2)(a) and (b) require documented policies, active detection and 24-hour MSB/MCF reporting.
- Supply-chain security: Article 21(2)(d) requires every vendor relationship to be assessed, documented and kept current. They sit inside your audit perimeter.
- Board accountability: Under Article 20, board members carry personal liability. Fines reach €10 million or 2% of global annual turnover.
Our NIS2 gap checklist maps your current state against every Article 21 control. It is written in plain English, built for the Swedish regulatory context and takes around 20 minutes to complete.
Get Your Free NIS2 Gap Checklist
Delivered to your inbox instantly. No spam. EU data residency. Unsubscribe any time.
No spam. EU data residency. Unsubscribe any time.
3 min
Average time to contain a confirmed threat
3 days
To full 24/7 MDR coverage from contract
40+
Swedish organisations actively protected
24/7
SOC coverage, 365 days a year, in Sweden
EDR vs MDR vs In-House SOC vs MSSP
Most Swedish IT teams already run an EDR. EDR is the tool. MDR is the team and the outcome. Here is what each option actually delivers when Cybersäkerhetslagen audits arrive.
| EDR | MSSP | In-House SOC | MDR - eBuilder Security | |
|---|---|---|---|---|
| What you get | Endpoint detection tool only | Alert forwarding service | Your own analysts & tooling | Tool + 24/7 named team + outcomes |
| Who responds | You | You (after their ticket) | Your team | Named eBuilder Security analyst |
| 24/7 coverage | Tool only, no analyst | Variable by contract | Only if fully staffed | Yes, contractual SLA |
| Time to value | Weeks of tuning | 4–8 weeks | 6–18 months to build | 3 days to go live |
| NIS2 reporting help | Partial (data only) | Partial | Yes, if process is mature | MCF-cascade ready |
| Data stays in Sweden | Tool-dependent | Often offshore | Yes, if self-hosted | Guaranteed by contract |
How eBuilder Security MDR Works
From what's included to the 3-day deployment and the 3-minute response that makes the difference.
Everything Your Security Operations Need, with Nothing Extra to Buy
One monthly fee. No incident response surcharges. No hidden add-ons.
24/7 SOC Monitoring
Swedish analysts watching your environment continuously. Named people, not a ticket queue.
NIS2 Art. 21.2aProactive Threat Hunting
Hypothesis-driven weekly hunts mapped to MITRE ATT&CK and current Nordic TTPs.
ATT&CK alignedActive Incident Response
3-minute median response. Containment is included in every plan, covering isolation, credential rotation and firewall pushes.
SLA-backedIdentity Protection
Continuous watch over accounts, sessions and privileged access. Compromised credentials are rotated and risky logins blocked before they spread.
Entra ID & ADSIEM & SOAR Integration
All telemetry is correlated through CrowdStrike's Next-Gen SIEM into a single incident timeline. Prefer your own? Bring your SIEM, with Sentinel, Splunk, QRadar and 350+ CrowdStrike integrations supported.
Correlated, BYO SIEM supportedNIS2 & GDPR Reporting
MCF-cascade-ready records; IMY-formatted breach notifications produced automatically for every confirmed incident.
Auditor-readyExecutive Dashboard
Board-level reporting on coverage, incidents, posture and compliance status, monthly and on demand.
Monthly + on demandScales with You
14 to 10,000+ endpoints on one model, one named team and one flat per-endpoint rate. No renegotiation as you grow.
Flat per-endpointFrom Deployment to Full Protection in 3 Days
01
Day 1
Deploy
CrowdStrike Falcon agents push to your fleet through the device management you already run. Identity and cloud connectors are authenticated. There is no new hardware and no rip-and-replace, with everything documented before any monitoring begins.
02
Day 2
Baseline & Tune
The platform learns the rhythm of your environment, SIEM integration completes and false positives are suppressed. Detection rules are tuned to your specific identity, network and cloud footprint so the SOC starts quiet on day three.
03
Day 3
Go Live: 24/7 Coverage
The Sweden-based SOC takes 24/7 ownership. Your named analyst is introduced with a direct number. Automated containment is armed, runbooks are agreed and the MCF incident-reporting cascade is wired and tested end to end.
04
Ongoing
Proactive Threat Hunting
Weekly MITRE ATT&CK-aligned threat hunts and current Nordic TTP tracking catch hands-on-keyboard intrusions that automated rules miss. Findings flow into board-ready reporting and recommendations feed your security roadmap.
05
On Threat
Respond & Contain
Automated containment isolates the affected endpoint and blocks lateral movement in milliseconds. Within three minutes a named analyst validates the incident and executes the pre-agreed runbook: credential rotation, firewall pushes, host isolation and identity revocation.
06
Post-Incident
Report & Debrief
Every confirmed incident generates the full MCF-cascade record, covering the 24h early warning, the 72h formal notification and the 1-month final report, plus a GDPR Article 33 packet for IMY where personal data is involved. A live debrief closes the loop.
The average attacker moves to lateral spread in 64 minutes. eBuilder Security responds in 3.
Once an attacker establishes initial access, the clock starts. Industry telemetry puts the median time to lateral movement at 64 minutes. If your detection-to-response window is longer than that, a single-host breach becomes an environment-wide incident. The point of MDR is to compress that window below the attacker's playbook speed.
eBuilder Security MDR
~ 3 minutes
MDR Industry Average
1 – 4 hours
Internal IT, After Hours
4+ hours
Live Incident Timeline
Illustrative sequence based on a production incident at a Swedish municipality.
T+0:00
Automated containment isolates the affected host; lateral pathways revoked at the endpoint in milliseconds.
T+0:38
Swedish SOC analyst validates the alert and rules out benign automation. Confirmed genuine threat.
T+1:12
Lateral movement attempt blocked; identity tokens for the affected user account revoked.
T+2:47
CTO notified by name and direct number. Incident state: CONTAINED.
T+4:00
NIS2 incident record created and timestamped from first detection. MCF cascade initiated.
+24 hrs
Full forensic report and MCF-cascade-ready documentation delivered. GDPR Article 33 packet prepared for IMY.
Service level targets
One incident, one cascade. The 3-minute median is the analyst's first response. The later targets cover the full incident.
Automated containment
Sub-second (0.4s), already live
Analyst acknowledgement and first response
3-minute median, MTTA under 5 min
Escalation to a senior (L2) analyst
MTTE under 30 min
Full containment and response actions complete
MTTR under 120 min
Your SOC team
A two-tier SOC, frontline and senior
Every alert is handled by a frontline analyst, then escalated to a senior analyst when the incident needs deeper work. Your named contact sits across both tiers.
Tier 1, frontline
Frontline analysts (L1)
- 24/7 monitoring
- Alert triage and validation
- Initial investigation
- Threat classification
- First-line response and escalation
- Customer notification
Tier 2, senior
Advanced analysts (L2)
- Escalated and major-incident investigation
- Threat hunting
- Deep forensics
- Endpoint containment and isolation
- Advanced remediation
- Threat-intelligence correlation
Verified Client Outcomes.
What MDR Coverage Delivers.
2m 47s
Mean Time to Contain
Ransomware Contained Before a Single File Was Encrypted
A Swedish municipality of 1,200 staff was targeted after hours. Automated containment isolated the infected host in under a second; the analyst confirmed and closed the incident within 3 minutes. No data was lost.
72hrs
NIS2 Compliant from Zero
Article 21 Alignment Reached Ahead of the Audit Deadline
A 400-employee Swedish manufacturer reached NIS2 Article 21 alignment 68 hours after deployment, ahead of the auditor's site visit, with documented MCF-cascade procedures in place.
4yrs
Zero Breaches Under Coverage
Four Years of Continuous MDR Across a National Logistics Network
Four consecutive years of continuous MDR across a 14-site logistics network. Several attempted intrusions; zero confirmed breaches, zero customer-facing outages.
94%
Reduction in Alert Noise
Analyst Workload Cut by 94% in the First 30 Days
A regional Swedish energy utility cut analyst workload by 94% in the first 30 days. Automated tuning plus eBuilder Security triage filtered the volume so the in-house team focused on what mattered.
5days
DORA-Ready Posture
DORA-Aligned Before Quarter-End, in One Working Week
A Stockholm-based fintech with 220 staff completed scope mapping, classification thresholds and reporting workflow inside one working week, DORA-aligned before quarter-end.
Trusted by IT & Security Leaders Across Sweden & Europe
"
Through their range of security services and our decision to choose their MDR solution, eBuilder Security has significantly elevated our security posture. During the implementation phase, they were quick to assist and propose solutions to any challenges we encountered. The transition from project to production has been smooth, and their backend team quickly grasped our business needs. eBuilder Security is a valued partner for our future security efforts.
Gerth Ericsson
IT Manager, Vandewiele, Sweden
"
eBuilder Security helps us meet our IT and information security needs. We are very satisfied by their deep knowledge, comprehensive services, and dedication to strengthening our cybersecurity posture. From End Point Protection and advisory and auditing to penetration testing, eBuilder Security has been a reliable partner in safeguarding our organization.
Christian Sørensen
Internal Operations Director, Médecins Sans Frontières, Norway
"
The product increases knowledge and security awareness. It helps organizations develop a good information security culture. I am particularly pleased that it is an end-to-end solution where eBuilder Security takes care of the entire process from kick-off to reporting, while allowing for customization to suit the conditions unique to our business.
Per Eriksson
Information Security Strategist, Varbergs Kommun, Sweden
Built for Swedish Critical Infrastructure
MDR Buyer's Guide: Open in Your Browser
An interactive, browser-based guide that walks Swedish CISOs, finance leads and procurement teams through every decision in an MDR purchase. There is no download and no email-gated PDF. Work through it online and share a link with the buying committee.
- The seven questions every CISO should ask a prospective MDR vendor before procurement closes.
- Total cost of ownership: MDR vs in-house SOC vs MSSP, modelled for a Swedish mid-market organisation of 400 endpoints.
- NIS2 Article 21 control mapping: what MDR covers, what it does not and the adjacent services that close the rest.
- The shortlist scoring sheet covering SOC location, response SLA, automation maturity, integrations and reporting, ready to fill in as you go.
~ 2-min walkthrough · No email required
ebuildersecurity.com
Online Tool
Buyer's Guide
Choosing MDR for a Swedish Organisation
An interactive playbook for CISOs, CFOs and procurement leads
- 01 What MDR actually is and what it is not
- 02 NIS2 Article 21 control coverage
- 03 Total cost of ownership, modelled
- 04 The shortlist scoring sheet
- 05 Procurement routes for the public sector
- 06 Seven questions for every MDR vendor
ebuildersecurity.com/mdr-buyers-guide
Live
What MDR Costs and How We Price It
MDR is priced flat per endpoint, per month. No per-GB log charge, no SIEM ingest meter, no incident-response surcharge when something actually happens. The number you sign in month one is the number you pay in month thirty-six.
For context, a comparable in-house Swedish SOC with twelve analysts on shift, plus tooling, infrastructure and training, typically runs north of €2,000,000 per year before you have responded to a single incident. MDR converts that capital build into a known monthly operating line.
Request a Tailored MDR QuoteProposal delivered within 48 hours of a 30-minute briefing.
Flat per-endpoint pricing
What's Included in Every Plan
Per-endpoint, per-month fee
Flat
Per-GB log ingest charge
None
Incident response surcharges
None
Named SOC analyst access
Included
NIS2 & GDPR compliance reporting
Included
Executive dashboard & board reporting
Included
Contract term
12 / 24 / 36 months
Final terms in proposal. Initial assessment carries no commitment.
Questions Asked Before Signing an MDR Contract
Pre-empting the procurement back-and-forth. These are the questions that come up in every evaluation call, answered plainly.
What does eBuilder Security's MDR service include?
eBuilder Security's MDR includes 24/7 SOC monitoring from Sweden, autonomous threat containment, MITRE ATT&CK threat hunting, active incident response (endpoint isolation, credential rotation, lateral-movement blocking), SIEM and SOAR integration, NIS2 and GDPR incident documentation and board-ready reporting. Incident response is part of the service, not a surcharge.
What is the difference between MDR, EDR, an MSSP and an in-house SOC?
EDR is software that detects threats on endpoints. An MSSP forwards alerts but leaves the response to you. An in-house SOC gives full control but takes 12–18 months to build. MDR is a managed service that detects, investigates and contains threats for you, with a named analyst and contractual 24/7 coverage.
What is not included in the MDR service?
eBuilder Security's MDR covers detection, response and the compliance documentation around incidents. It does not include penetration testing, security awareness training or CISO advisory. Those are separate eBuilder Security services that complement MDR and, together, cover the full scope of NIS2 Article 21.
How is eBuilder Security MDR different from Truesec or Arctic Wolf?
eBuilder Security differs on four points: a verified 3-minute response with a real Swedish municipal case behind it; a Sweden-operated SOC with a named analyst who knows your environment; automated containment that acts before human escalation; and NIS2 and GDPR documentation included in the base service. eBuilder Security also starts at 14 endpoints.
Is there a minimum company size and how large can it scale?
eBuilder Security's MDR scales from 14 endpoints to more than 10,000, with the same 3-minute response regardless of size. There is no renegotiation as you grow and no minimum commitment for the initial free security review or briefing, which makes enterprise-grade MDR accessible to Swedish mid-market organisations and kommuner.
What does the 3-minute response time actually mean in practice?
It means that from the moment a threat is confirmed genuine, not merely detected, a named eBuilder Security analyst has taken active containment action within three minutes. Automated containment isolates endpoints in milliseconds first; the analyst then validates, escalates and runs your organisation-specific runbook. eBuilder Security's median across incidents is under three minutes.
What happens when a threat is detected at 3 AM or outside office hours?
Nothing waits until morning. eBuilder Security's Sweden-based SOC runs 24/7, 365 days a year. Automated containment stops clear-cut threats in milliseconds. A named analyst confirms the incident and executes containment, then notifies your CTO with a full summary, often before anyone on your team is awake.
What containment actions does the SOC take during an incident?
eBuilder Security's SOC executes pre-agreed runbook actions: isolating affected endpoints, blocking lateral movement across hosts, rotating compromised credentials and pushing firewall rules, all without waiting for your team. Every action is forensically logged and the incident generates timestamped documentation ready for NIS2 early-warning and GDPR notification.
Which EDR does eBuilder Security MDR use?
eBuilder Security's MDR is built on CrowdStrike Falcon as the primary platform, with Cybereason available for multi-platform environments, deployed through the device management you already run. CrowdStrike threat intelligence tracks more than 230 named adversary groups globally and eBuilder Security's SOC layers Swedish and Nordic threat trends on top, so detection reflects the threats actually targeting Swedish organisations.
We already run CrowdStrike Falcon or Microsoft Defender. Can eBuilder Security use it?
Yes. An existing CrowdStrike or Microsoft Defender deployment speeds onboarding because eBuilder Security connects to your existing telemetry instead of deploying new sensors. Integration with Microsoft Defender for Endpoint, Sentinel and Entra ID is standard and go-live is typically under 24 hours rather than the usual three days.
How does automated containment work alongside the human SOC?
eBuilder Security's MDR uses an automated detection-and-response layer that contains fast-moving threats in milliseconds, blocking lateral movement and credential stuffing before they escalate. A human analyst then validates and runs the response. Automation handles machine-speed attacks while the named analyst handles judgement, so nothing waits on a queue.
Does eBuilder Security MDR satisfy the Cybersäkerhetslagen / NIS2 monitoring requirement on its own?
eBuilder Security's MDR directly satisfies the core NIS2 Article 21 obligations: continuous monitoring, incident detection and handling, plus the documentation tied to MCF reporting. It does not by itself cover supply-chain security, business continuity or awareness training. eBuilder Security's advisory and Complorer training services complete the remaining Article 21 scope.
Where is my data stored and who can access it?
All telemetry, logs and incident records are stored and processed inside Sweden. eBuilder Security operates under Swedish jurisdiction with an ISO 27001-certified SOC, handles data in line with GDPR and Schrems II and transfers nothing to non-adequate third countries. Access is limited to your named analyst team and senior SOC management.
How does eBuilder Security MDR help with NIS2 incident reporting to MCF?
Every confirmed incident is timestamped from first detection, so eBuilder Security can produce the NIS2 reporting chain on time: a 24-hour early warning, a 72-hour formal notification and a one-month final report to MCF and your sector authority. The documentation is generated automatically, formatted for submission.
Does eBuilder Security MDR support DORA for financial services?
Yes. For Swedish financial entities in scope of DORA, eBuilder Security's MDR incident records align with the ICT incident-management and classification requirements of DORA Article 17 and Finansinspektionen's expectations. MDR covers the detection and reporting elements, while eBuilder Security advisory maps the wider DORA operational-resilience obligations.
How long does it take to deploy eBuilder Security MDR and go live?
eBuilder Security's MDR reaches full 24/7 coverage in three days: CrowdStrike Falcon agents deploy on day one; SIEM integration and environment baselining on day two; continuous monitoring goes live on day three. If you already run Falcon, go-live is typically under 24 hours because eBuilder Security connects to your existing telemetry.
Do we need to install new hardware or replace our existing tools?
No. eBuilder Security's MDR requires no new hardware and no rip-and-replace. Agents deploy through the device management you already use and the service integrates with your existing SIEM, firewall, identity and email tools, more than 350 integrations in all, so your current stack is enhanced rather than torn out.
Can a Swedish kommun procure eBuilder Security MDR under LOU?
Yes. A kommun can procure eBuilder Security's MDR through an existing framework agreement (ramavtal) where eBuilder Security is listed, through a direct procurement advertised in TED above the EU threshold, or through a direktupphandling under the threshold. eBuilder Security has supported kommun procurements and can advise on the right route for your situation.
How do we get a price and how long does a contract run?
Pricing is a flat monthly fee per protected endpoint, scoped to your environment, with no per-gigabyte log charge and no surprise incident-response invoice. eBuilder Security delivers a scoped proposal within 48 hours of a 30-minute briefing. Contracts typically run 12 or 24 months and the initial assessment carries no commitment.
Your Next Cyber Incident Is Already Being Planned. We Respond in 3 Minutes.
Book a 30-minute walkthrough with a Sweden-based analyst. We'll review your current posture, map gaps to NIS2 and show you live SOC in action. No pitch deck. No commitment.
Book a 30-Minute MDR Briefing
No commitment
Sweden-based analyst
Stronger Together: Pair MDR with These Services
MDR is your detection and response backbone. These complementary services close the gaps before, beside and above it.
AI Detection & Response
Safe AI adoption for businesses
Monitor prompts, agents, models and sensitive data in real time to reduce AI-driven risk, prevent data exposure and block threats in real time.
Penetration Testing
Offensive Security
Find what MDR needs to defend. Expert-led testing across web, cloud, API, network and Active Directory with actionable remediation guidance.
Security Awareness
& Phishing Simulation
MDR catches threats while Awareness Training reduces them. Nano lessons and realistic phishing simulations that strengthen your human layer of defence.
CISO as a Service
Strategic Advisory
MDR gives you visibility while vCISO gives you strategy. Board-level governance, compliance leadership and vendor risk management without a full-time hire.