A Governance Challenge at Its Core
When we think about disaster recovery, it’s essential to recognise that it’s primarily a governance issue — not just a technical hurdle. In Sweden, the Cybersecurity Act underscores this necessity, yet many organisations have yet to fully grasp its profound implications.
While many organisations confidently identify their vital systems and understand the repercussions of their failure, they often find themselves uncertain about how to regain control when identity systems, network infrastructure, or access pathways are compromised. Addressing these concerns is crucial and can lead to more robust and resilient strategies when it matters most.
Failures in disaster recovery often begin long before backups fail to restore. The underlying problem is typically a lack of planning for reinstating governance and regaining control. Organisations might have a clear understanding of the assets they value, yet they often fall short in mapping out the essential strategies needed to keep those assets operational.
A Vital but Overlooked Foundation
Enterprise IT infrastructure is often compared to public utilities — much like the implicit trust we place in a consistent water supply when we turn on the tap, or in our highways when we receive goods conveniently. Unfortunately, this same complacency extends to identity management, privileged access pathways, and network controls, which are often taken for granted as being reliable and well-maintained.
During a true disaster — especially one in which the control plane is lost or compromised — these assumptions can fail dramatically:
- If the identity system that grants access to an application suddenly disappears, that application cannot be restored
- If the network infrastructure essential for recovery is unavailable, the very act of running a restore job becomes impossible
- Without the necessary systems in place, escalation paths for decision-making can become unreachable
This stark reality is not just an obscure possibility — it is a foreseeable mode of failure that must be addressed proactively.
Shared Responsibility, Unclear Ownership
At the core of this issue is a challenge related to ownership. Foundational recovery processes — essential actions needed before any other recovery can begin — involve multiple teams, each with its own priorities and reporting structures: identity, network, infrastructure, security, and operations.
The identity team manages identities, the network team manages networks, infrastructure manages servers. But there is often no single authority overseeing the order in which these components should be restored.
This dynamic mirrors the structural pitfalls that arise when responsibility is separated from the authority to make decisions, or when risk ownership is detached from those capable of prioritising resources.
The difficulty doesn’t stem from a lack of ability — it arises from the absence of a single mandate to guide comprehensive governance.
Understanding Sweden’s Cybersecurity Act
This governance challenge is particularly significant in Sweden and across Europe. The Swedish Cybersecurity Act (SFS 2025:1506), aligned with the NIS2 Directive, requires operators to implement appropriate and proportionate measures based on an all-hazards approach. Several key measures in this legislation stand out:
Measure 3: Business continuity and crisis management — not merely plans, but actionable capabilities that go beyond documentation.
Measure 9: Management of human resources security, access control policies, and asset management — defining who has access to which resources, under what conditions, and how this governance is enforced.
Measure 10: The implementation of multi-factor authentication, secure communication, and emergency communication systems — acknowledging that traditional channels may not be accessible during a crisis.
When we examine these measures collectively, it becomes clear that the law requires organisations not only to have a recovery plan, but to maintain one that remains effective even in the absence of conventional governance structures. This is where many organisations currently struggle.
RTOs and RPOs: Bridging Ambition and Reality
Organisations often tout well-defined recovery time objectives (RTOs) and acceptable data loss thresholds (RPOs) in their continuity plans, risk registers, and board presentations. However, these targets often exist as fragmented elements that have never been fully integrated or validated against one another.
| What’s presented | Reality |
|---|---|
| “RTO: 4 hours” | Never tested in a real restoration |
| “RPO: 24 hours” | Assumes identity systems are functional |
| “Critical systems prioritised” | No defined order for foundational dependencies |
| “Backups exist” | Recovery process requires systems that are also down |
Though depicted as solid commitments, these targets do not inherently translate to real capabilities — they merely represent intentions. Without foundational requirements for recovery, such as clearly understanding how to regain administrative control when identity systems are compromised or ensuring recovery processes do not depend on inoperative production environments, these recovery goals are little more than numbers attached to an untested chain of actions.
Promoting Governance over Technology
This issue is crucial for all professionals working with the NIS2 Directive and its national implementations, and it underlines the importance of governance.
True governance is not merely captured in policy documents or frameworks. It resides in the operational decisions that determine whether an organisation can effectively recover in times of crisis.
By prioritising robust governance structures, we can foster resilience and agility, positioning ourselves for a confident recovery in any challenging scenario.
- Map your dependency chains: Identify which systems must be running before others can be restored. Identity systems, network infrastructure, and access pathways typically come first.
- Establish a single mandate: Appoint a function with the authority to govern the overall recovery sequence, across teams and domains.
- Validate your RTO and RPO targets: Test them against real-world conditions, including scenarios where the control plane is lost.
- Plan for the loss of conventional governance: Ensure your recovery plan works even when identity systems, networks, and decision pathways are unavailable through normal channels.
- Exercise regularly: Conduct exercises that test not only technical recovery but also governance, decision-making, and communication during crisis.
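The dependency mapping and RTO validation steps above, sketched as an added example (not Securapilot's code): a constructed inventory is ordered by restore dependency, checked for circular recovery dependencies, and its stated RTO is compared with the time the chain actually needs. System names, restore durations and the 240-minute RTO are illustrative assumptions.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed inventory: system -> (restore minutes, systems that must be up first)
SYSTEMS = {
    "network-core":      (60,  []),
    "identity":          (90,  ["network-core"]),
    "privileged-access": (30,  ["identity"]),
    "backup-server":     (45,  ["network-core", "privileged-access"]),
    "erp-app":           (120, ["identity", "backup-server"]),
}

def restore_plan(systems):
    """Return (order, finish); finish[s] is the earliest minute s is back up,
    assuming independent systems can be restored in parallel."""
    for name, (_, deps) in systems.items():
        unknown = [d for d in deps if d not in systems]
        if unknown:
            raise ValueError(f"{name} depends on unmapped systems: {unknown}")
    graph = {name: set(deps) for name, (_, deps) in systems.items()}
    order = list(TopologicalSorter(graph).static_order())  # CycleError on a loop
    finish = {}
    for name in order:
        minutes, deps = systems[name]
        finish[name] = minutes + max((finish[d] for d in deps), default=0)
    return order, finish

def validate_rto(systems, rto_minutes):
    """Compare each stated RTO with what the dependency chain requires."""
    try:
        order, finish = restore_plan(systems)
    except CycleError as exc:
        # exc.args[1] holds the systems that wait on each other for recovery
        return {"status": "circular", "cycle": exc.args[1]}
    missed = {s: finish[s] for s, rto in rto_minutes.items() if finish[s] > rto}
    status = "rto_unreachable" if missed else "ok"
    return {"status": status, "order": order, "finish": finish, "missed": missed}

if __name__ == "__main__":
    # A stated "RTO: 4 hours" for the application, checked against the chain
    print(validate_rto(SYSTEMS, {"erp-app": 240}))
    # Variant: identity can only be restored from the backup server, which
    # itself needs privileged access issued by identity
    looped = dict(SYSTEMS, identity=(90, ["network-core", "backup-server"]))
    print(validate_rto(looped, {"erp-app": 240}))
```

With these figures the application needs 345 minutes once foundational systems are counted, so a 240-minute RTO is unreachable; the variant reports the loop between identity, privileged access and the backup server.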
From Reactive to Proactive
Let’s work together to transform our approach to disaster recovery. It’s not just about being reactive — it’s about proactively preparing for whatever lies ahead. Securapilot’s business continuity module helps organisations build the governance structure required, with support for dependency mapping, responsibility allocation, and regular validation of recovery capabilities.
Dive deeper with our guide to operational resilience and learn more about practical incident preparedness.
Frequently asked questions
Why is disaster recovery a governance issue?
Because failures rarely stem from backups not working. The underlying problem is typically a lack of planning for how governance and control should be re-established — who decides what, in which order, and with what authority.
What does Sweden's Cybersecurity Act say about disaster recovery?
SFS 2025:1506, aligned with the NIS2 Directive, requires appropriate and proportionate measures based on an all-hazards approach. This includes business continuity, crisis management, access control, and secure emergency communications.
What is the difference between RTO and RPO?
RTO (Recovery Time Objective) specifies how quickly operations should be restored. RPO (Recovery Point Objective) specifies how much data loss is tolerable. Both are meaningless if never validated against real-world conditions.
How do you start improving disaster recovery?
Start by mapping dependency chains: which systems must be running before others can be restored? Identify who owns each step and ensure there is a single mandate governing the overall recovery sequence.