Cybersecurity Act, from requirements to secure infrastructure in municipalities
The Cybersecurity Act is the Swedish implementation of the EU’s NIS2 directive. In effect since January 15th of this year, its purpose is to create a robust infrastructure and raise the level of cybersecurity across the EU, where municipalities play an important role. When a municipality is affected by an incident, it is rarely just “IT” that is impacted. It can involve access to social services systems, school platforms, personal safety alarms, water and sewage, building automation, payroll processing, e-services, case management, and communication with residents. For a municipality, the purpose is to be able to continue delivering welfare and public services, even when digital systems come under attack or are disrupted.
Yet many municipalities are still struggling with what the Cybersecurity Act actually means in practice. The requirements cover the areas of risk management, security measures, incident reporting, management accountability, and collaboration. These are also described in greater detail in the MFSA’s proposed regulations and general guidelines on security measures and training, which are currently out for consultation. Below we will describe the challenges and priorities for a municipality, technical solutions that can provide support in this regard, and discuss the complexity involved.
Municipal reality: why this is difficult
Municipalities have a particular complexity. One and the same municipality can encompass office IT, schools, libraries, emergency services, care services, social services, urban planning, water and sewage, property management, surveillance cameras, IoT, welfare technology, e-services, archives, procurement, finance, and HR. Often there are also municipal companies, joint committees, municipal associations, and external service providers.
This means that networks often have both old and new dependencies: legacy operational systems, cloud services, VPN solutions, vendor accounts, school networks, guest networks, clients, servers, identities, firewall rules, and OT environments that have been built up over many years.
At the same time, the Cybersecurity Check 2025 shows that maturity levels need to be raised. According to the MFSA, over 300 organizations had submitted responses, and the results revealed serious shortcomings in systematic cybersecurity work across public administration. Half of the participating public organizations had fundamental deficiencies and showed no apparent improvement compared to the 2024 measurement.
We asked Åsa Schwarz, who encounters this situation on a daily basis. With over 25 years of experience in cybersecurity, she has a clear picture of where most organizations should start.
Åsa’s top 5 priorities
Priority 1 – Scope, governance & accountability
The municipality must know what falls within the scope of the Cybersecurity Act, who is responsible, and which operations are most critical. Create a map of the municipality, municipal companies, municipal associations, critical suppliers, and affected sectors.
Priority 2 – Don’t reinvent the wheel
Many municipalities have already made progress in their systematic cybersecurity work, often through established management systems and widely used standards such as ISO 27001. The starting point should therefore not be to build something entirely new, but rather to further develop and strengthen the work already in place. Here, one can also draw on the MFSA’s methodological guidance and tips for municipalities.
Priority 3 – Be prepared. Incidents will happen
Cyber incidents are not a question of if they occur, but when. Therefore, the municipality needs to be able to detect anomalies in time, limit the damage, and act according to a clear incident response process. Measures such as network segmentation, strong access control, logging, monitoring, secure backups, and procedures for reporting incidents can make the difference between a limited disruption and a municipality-wide crisis.
Priority 4 – Have control over your digital landscape
The municipality needs to have a clear picture of its own digital landscape: which systems exist, which operations they support, who has access to them, and what dependencies exist between users, suppliers, networks, and critical services.
Priority 5 – Leverage technology and reduce risk
Try to place as little responsibility on the human factor as possible. The principle of least privilege is one of the most effective measures for reducing risk. No user, no system, and no supplier should have more access than the assignment requires, while at the same time it is important to have access to the data one actually needs, especially in these times when AI creates significant gains in quality and efficiency. For municipalities, this is about limiting the spread, reducing the attack surface, and ensuring that access is always justified, traceable, and possible to revoke.
How can we leverage technology?
What Åsa describes requires a systematic approach to cybersecurity in which the network plays an important role. It is not just about protecting individual systems, but about building an infrastructure that makes it possible to see what exists in the environment, control who gets access to what, limit the spread in the event of an incident, and act quickly when something deviates from the norm.
The cornerstone is Zero Trust: never automatically trust a user, a device, or a connection simply because it is on the municipality’s network. Access should be based on identity, role, device status, context, and actual need. This is not a technical solution but a model and a way of thinking.
Even though every municipality looks different, there are today well-proven network solutions that can put these principles into practice. With solutions from, for example, HPE Aruba Networking, municipalities can step by step build a safer, more controlled, and more resilient network environment.
Create visibility and control across the entire environment
To be able to protect the municipality’s digital landscape, you first need to be able to see it. This applies not only to central offices and data centers, but also to schools, libraries, care homes, technical operations, IoT devices, access points, switches, and connected clients.
Here, Aruba Central can contribute a unified view of the network and make it easier to monitor, configure, troubleshoot, and follow up on the environment across many different locations. For municipalities with many geographically dispersed operations, centralized control becomes an important foundation for operations, security, and incident management alike.
Control who and what is allowed to connect
A central Zero Trust principle is that no user or device should be granted access simply because it is connected to the network. The municipality must know who is connecting, with which device, role, and level of access – never more than necessary.
With HPE Aruba Networking ClearPass Policy Manager, the municipality can implement network access control and role-based policies for, for example, employees, students, guests, suppliers, printers, cameras, IoT devices, and OT systems. This makes it possible to grant the right access to the right resource – but no more than necessary.
Limit freedom of movement within the network
Stopping all threats at the perimeter is not realistic. Most people working in security know this. The question is what happens once someone has managed to get in. By segmenting the network – dividing it into smaller, isolated parts – you limit how far an attacker can move. HPE Aruba Networking CX10000 is an example of how that type of segmentation can be implemented directly in the data center, in a way that does not require tearing up the entire existing infrastructure.
Good enough is not enough
Technology is rarely the problem. What makes the difference is whether you have the right expertise to put it together and manage it over time. A natural reaction is to seek a supplier that can do everything. One point of contact, one agreement, one overall responsibility. That is understandable, but it is rarely the best choice when requirements are high and the consequences of failure are significant. Breadth often takes precedence over depth, and over time you build up a dependency that is difficult to escape.
Aranya’s co-founder Christoffer Jacobsson has seen this pattern repeat itself time and again. He advocates selective multi-sourcing – not more suppliers everywhere, but the right specialist in the right place.
“The complexity doesn’t disappear just because you consolidate everything with one provider. It just becomes less visible – until it’s time to change something.”
In IT infrastructure, this is particularly evident. It is not enough to have someone who is moderately skilled in networking or security as part of a broader offering. What is actually needed is deep expertise. The organization that builds its ecosystem with the right specialists in the right place not only has better conditions for meeting requirements such as the Cybersecurity Act. It also has a stronger negotiating position, greater capacity for development, and an operation built to adapt to change.
Complex, but not unmanageable
The Cybersecurity Act sets high requirements – but they are possible to meet, and the objective is a reasonable one: that the municipality should be able to continue delivering welfare and public services even when digital systems come under attack or are disrupted. With the right priorities, the right technology, and the right expertise by your side, it is entirely possible not only to meet the requirements of the law, but to actually build a more secure operation in the process.
Would you like to talk more about what this looks like for your specific organization? Reach out to us here and we will help you find the right way forward.









