What the Cybersecurity Act requires of your organisation

Most organisations that contact us have already established that they are subject to the Cybersecurity Act. The question they ask is no longer "does this apply to us?" but "what do we actually need to do, and how do we structure it without building parallel manual processes?"

It is a fair question. The law sets requirements across nine defined security areas, and it is easy to get lost in the regulatory text. This article goes through what the requirements actually mean operationally.

Nine requirement areas, three that often surprise

The Cybersecurity Act requires documented measures across nine areas:

  1. Incident management – processes for detecting, handling, and reporting incidents
  2. Continuity management – plans for maintaining operations during disruptions
  3. Supply chain security – risk assessment of suppliers and third parties
  4. Secure system development – security built into IT systems from the start
  5. Cryptography and encryption – documented strategies for encryption
  6. Personnel security – security responsibilities and training for staff
  7. Access control – management of identities and assets
  8. Secure communications – protected internal and external communication
  9. Authentication – multi-factor authentication and similar controls

Most organisations already have processes that cover parts of this. The problem is rarely that nothing is in place. The problem is that it is not documented, traceable, or connected to a coherent system.

Three points consistently come up in our client conversations as the most underestimated: management's own responsibility, the supply chain, and what "documented measures" actually requires.

Management responsibility: not just an IT matter

The first is what management responsibility actually means in practice.

Misconception: Management only needs to approve a policy, and then it is the IT department's responsibility.

Reality: The Cybersecurity Act requires management to actively participate in cybersecurity work, undergo training, and be held personally accountable for non-compliance. This is not a delegation — it is ownership.

This directly affects how a compliance system needs to be configured. Management needs access to status reports and deviation alerts, and there needs to be a record showing that they are informed and active: for example, training records and minuted decisions. Hy5 handles this through automated reporting flows to management level, so the right information reaches the right person without manual compilation.

The supply chain: a requirement that extends beyond your organisation

It is not enough to have your own house in order. The Cybersecurity Act requires you to assess and manage risks in your supplier and service chain.

This is where system design really matters. A supplier review conducted once and filed in a folder does not meet the requirement for ongoing risk management. The law presupposes continuous work, not a one-off project: reassessment on a fixed cadence, and again whenever the supplier, the service, or your dependence on it changes.

Organisations using Hy5 for this connect supplier assessments directly to their compliance workflow, with automatic reminders for reassessment and traceability for every action.

"Documented measures": what does it actually mean?

It is a term that recurs throughout the law and often causes confusion.

Misconception: It is sufficient to have a policy describing what the organisation intends to do.

Reality: The documentation needs to show that the measures are actually being carried out, not just that they are planned. The supervisory authority looks at evidence, not intentions: the policy together with the record that the control ran, such as handled incident tickets, completed training, and dated supplier reassessments.

This is one of the most important system questions for organisations beginning their NIS2 work. Without a system that continuously logs activities, tracks deviations, and generates audit documentation, you quickly end up in a situation where you know you are doing the right things — but cannot prove it.

Next steps

Understanding the nine requirement areas is the starting point. What determines whether compliance work holds up over time is how it is operationalised: who owns what, how deviations are tracked, how status is reported upwards and outwards.

What does your compliance work look like today?

Hy5 maps your organisation's measures against the nine requirement areas of the Cybersecurity Act and keeps documentation continuously updated. It is used by Swedish organisations to operationalise NIS2 compliance without manual administration.
