Sweden's Cybersecurity Act (2025:1506): NIS2 Is Now Law
By Dritan Saliovski
The Cybersecurity Act (Cybersäkerhetslag, SFS 2025:1506) entered into force on 15 January 2026, transposing the EU NIS2 Directive into Swedish law and superseding the previous Act on Information Security for Essential and Digital Services (SFS 2018:1174). The law establishes entity-wide obligations across 18 designated sectors, with explicit management accountability requirements and administrative fines of up to €10 million or 2% of global annual turnover.
Key Takeaways
- Sweden's Cybersecurity Act (SFS 2025:1506) entered into force on 15 January 2026, shifting from branch-level to entity-wide scope across 18 designated sectors
- In-scope threshold: 50 or more employees, or annual turnover and balance sheet total both exceeding €10 million (the EU medium-sized enterprise test); trust service providers and sole providers of a service essential for critical societal or economic activities are covered regardless of size
- Essential operators face fines up to €10M or 2% of global annual turnover, whichever is higher; important operators face up to €7M or 1.4%, whichever is higher
- Explicit management accountability requirements: board members and CEOs must approve, supervise, and undergo specific cybersecurity training, with potential management sanctions under supervisory authority processes
- ISO 27001:2022 certification covers a significant portion of the Act's control requirements, with key gaps in incident reporting, governance, and scope
What's New vs the Previous NIS Regime
For deal teams, compliance officers, and boards assessing exposure under the Cybersecurity Act, the relevant question is not what NIS2 says in Brussels, but what changed operationally in Sweden on 15 January 2026.
- Branch-level scope replaced by entity-wide scope. The previous NIS Act applied only to the specific operational branch that triggered the regulation. The Cybersecurity Act applies to the entire legal entity. If any part of your operations falls within a designated sector, all network and information systems across the organization are in scope, including HR, finance, and internal IT.
- OES/DSP categories replaced by essential and important entities. The previous classification of operators of essential services (OES) and digital service providers (DSP) is replaced by a two-tier classification. Essential operators face proactive supervision and higher penalty ceilings. Important operators face reactive supervision triggered by evidence of non-compliance.
- Limited supervision replaced by active enforcement powers. Supervisory authorities now have explicit powers to conduct security audits, on-site inspections, and compliance checks without requiring a triggering incident. Essential entities can expect scheduled and unannounced reviews.
- Implicit management oversight replaced by explicit accountability requirements. The previous framework contained no direct obligations for board-level involvement. The Cybersecurity Act creates explicit accountability: board members and CEOs must approve cybersecurity risk management measures, oversee implementation, and complete specific cybersecurity training. Failure creates a direct line to individual management sanctions.
- Vague incident reporting replaced by structured timelines. The previous NIS regime required incident reporting without a defined multi-stage structure. The Cybersecurity Act mandates a 24-hour early warning, a 72-hour full notification, and a one-month final report, with specific content requirements at each stage.
From Branch-Level to Entity-Wide Scope
The previous NIS Act covered 7 sectors and applied only to the specific operational branch within an organization that triggered the regulation. The Cybersecurity Act inverts that logic entirely. If any part of your operations falls within a designated sector, the entire entity must comply, including HR systems, finance platforms, and internal IT infrastructure alongside the operational systems directly linked to the regulated service.
Entity-wide scope is the single biggest structural change. A drinking water producer must now ensure its payroll, finance, and internal IT systems meet the same security standards as its operational water production systems. Network and information systems are interconnected across business functions, and the law reflects that reality.
Sweden chose a decentralized supervisory model. Oversight is expected to be distributed across sector-specific regulators (PTS for digital infrastructure and electronic communications, Finansinspektionen for banking and financial market infrastructure, Transportstyrelsen for transport, Energimyndigheten for energy, IVO and Socialstyrelsen for healthcare), coordinated nationally by MCF (the successor agency to MSB). Which authority supervises you depends on what your organization does, and an entity active in more than one sector may answer to more than one.
18 Sectors: Who Is In Scope
The Act designates sectors across two annexes. Highly Critical Sectors (Annex I) cover energy, transport, banking, financial markets, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Other Critical Sectors (Annex II) cover postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, and research.
State authorities, regions, and municipalities are in scope. Organizations are classified as either essential or important operators, a classification that affects supervision intensity and penalty ceilings. Essential operators face proactive supervision, including security audits at any time. Important operators face reactive supervision triggered by evidence of non-compliance.
Ten Minimum Obligations and Incident Reporting
The Act mandates proportionate measures across ten minimum security areas, mirroring Article 21(2) of NIS2 and based on an all-hazards risk assessment: policies on risk analysis and information system security; incident handling; business continuity, backup, and crisis management; supply chain security; security in the acquisition, development, and maintenance of systems, including vulnerability handling and disclosure; policies and procedures for assessing the effectiveness of the measures; basic cyber hygiene practices and training; cryptography and encryption policies; personnel security, access control, and asset management; and multi-factor or continuous authentication and secured communications.
Incident reporting follows a mandatory multi-stage timeline. An early warning must reach MCF or the relevant supervisory authority without undue delay and in any event within 24 hours of becoming aware of a significant incident; it must state whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. A full incident notification with an initial assessment of severity and impact, and of indicators of compromise where available, is due within 72 hours. Trust service providers must deliver this notification within 24 hours of becoming aware. A final report covering a detailed description of the incident, the type of threat or root cause, the mitigation measures applied, and any cross-border impact is due within one month of the incident notification; if the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
What Existing Frameworks Cover and What They Miss
Organizations already certified against ISO 27001:2022 are not starting from zero. ISO 27001:2022 covers a significant portion of the Act's control requirements, with targeted gaps in incident reporting, governance, and scope. DORA-compliant financial entities have additional coverage across overlapping requirements, though neither certification eliminates the need for a structured gap assessment.
The gaps for ISO 27001-certified organizations are targeted and known. ISO 27001 does not mandate the 24h/72h/1-month incident reporting structure to supervisory authorities; that obligation is entirely new. It does not require board-level approval of risk management measures or board cybersecurity training as a sanctionable obligation. And an ISMS boundary is typically narrower than the entity-wide scope the Act requires, which extends to HR, finance, and administrative systems that often sit outside the certified scope.
For DORA-regulated financial entities, the relationship is explicit in the Act, following Article 4 of NIS2: DORA prevails as lex specialis in areas of direct overlap. NIS2 adds obligations where DORA is silent, specifically personnel security measures (Article 21(2)(i)) and documented MFA and encryption policies (Article 21(2)(h) and (j)). Financial entities must also register separately with MCF and their sector-specific Swedish authority under NIS2, independent of their DORA obligations.
Organizations with no existing framework face the full compliance build across all ten requirement areas.
What This Means in Practice
Four immediate actions apply to all in-scope entities: confirm applicability against sector and size thresholds, self-identify and register with MCF, classify the entity as essential or important, and conduct a gap assessment against the ten minimum requirement areas.
If ISO 27001 is in place, the remediation priorities are incident reporting workflow (24h/72h/1-month with assigned roles), board training documentation, and scope extension to HR, finance, and administrative systems beyond the existing ISMS boundary. If DORA compliance is in place, the gaps are narrower but specific: HR security, MFA and encryption policies, entity-wide scope, and MCF registration.
The full Intelligence Brief, covering the complete framework coverage matrix, supervisory authority mapping by sector, and maturity-level action plans, is available as a separate download.