Guide for the public sector: What is the minimum level according to the Cybersecurity Act and how do you get there?

1. Management Responsibility According to NIS2: This Is Where Cybersecurity Work Begins

Security work does not start with purchasing technology. It begins with management decisions. According to NIS2, the management team is personally responsible for compliance. You should be able to answer the question: what are our biggest cyber risks and what are we doing about them?

Unfortunately, there is no such thing as 100% secure cyber protection. You will experience incidents. The difference lies in how well you handle them. The Cybersecurity Act provides you with a minimum standard to start from:

  • Incident Management. A living plan that is tested regularly, not a forgotten document.

  • Reporting. A clear routine for reporting to the authorities according to the requirements of NIS2.

  • Roles. Define who does what when an incident occurs.

2. Technical Basic Protection: MFA, EDR and the Human Firewall

Structured processes are important, but there are also technical measures that are non-negotiable in comprehensive basic protection:

  • Multi-factor authentication (MFA) is the single most important measure and ensures that the person logging in is the right person.

  • Protection on endpoints (EDR/XDR) detects and stops suspicious activity on, for example, computers and servers before it spreads.

  • Central logging (SIEM) collects and analyses logs from your systems to detect and investigate attacks.

  • Vulnerability management is a continuous process that locates and addresses vulnerabilities. This regular patching is fundamental to preventing vulnerabilities from being exploited.

The Human Firewall

Technical protections are still meaningless without security-aware users. Attacks often start with an employee clicking on the wrong link. Supplement the technical measures with continuous training and simulated attacks. And perhaps most importantly, strive for a culture where it is okay to ask questions. Employees who dare to question are your best protection.

3. Supplier Requirements and OT Security in the Public Sector

The next step is to review the supply chain, since many attacks arrive through it. Set clear security requirements in procurements and actively follow up to ensure that critical suppliers meet them.

The public sector also carries a particular risk where IT is connected to operational technology (OT) that controls water, ventilation, and energy. These are essential systems where an intrusion has physical consequences. Ensure:

  • Network Segmentation. A digital firewall between IT and OT so that intrusions do not spread further.

  • Well-planned maintenance windows. Update systems without disrupting vital operations.

  • Redundancy. So critical functions continue even if a system is taken down.


4. Scenario Exercises: Test Your Cyber Defence Before You Need It

Cybersecurity is a cyclical process. In addition to ongoing monitoring, you need to practise scenarios that challenge the entire operation: a major cyberattack that disables several systems, loss of internet connection, or elevated national preparedness. Preferably practise together with other public actors and test whether your plans hold before you really need them.

5 common questions and answers about what the Cybersecurity Act and NIS2 mean for the public sector

  • What does the Cybersecurity Act mean for municipalities and regions?
    The Cybersecurity Act is the Swedish implementation of the EU's NIS2 directive. It requires public organisations to have structured risk management, incident management, and reporting routines. The management team carries personal responsibility for compliance.
  • What is the minimum level of cybersecurity according to NIS2?
    The minimum level includes documented incident management that is regularly tested, clear reporting routines to authorities, defined roles during incidents, as well as technical basic protection in the form of MFA, endpoint protection, central logging, and continuous vulnerability management.
  • What technical measures are required for basic protection in the public sector?
    The most important measures are multi-factor authentication (MFA), endpoint protection (EDR/XDR) on computers and servers, central logging and analysis (SIEM), as well as continuous vulnerability management and patching. These are complemented by security training for employees.
  • How does the public sector protect operational technology controlling water and energy?
    Through strict network segmentation between IT and OT, well-planned service windows for updates that do not disrupt critical societal operations, and redundancy that ensures critical functions continue even if individual systems are taken down.
  • How often should the public sector practise cyber incidents?
    Cybersecurity is a cyclical process that requires regular practice. In addition to ongoing follow-up, the organisation should conduct scenario exercises for major attacks, internet outages, and heightened preparedness, preferably together with other public actors.
