I’ve had the same conversation with three different management teams in the past month. All have invested. All have tools. All have engaged consultants and started certification work. But none of them could answer a simple question: Where are our most serious weaknesses?
Sweden’s Cybersecurity Act (SFS 2025:1506) has been in effect since January 15, 2026. Many organizations aren’t ready. Not because they lack budget, not because they lack tools, but because governance never existed in practice.
My experience is clear: Compliance doesn’t reduce risk. Governance does. The organizations that meet the requirements are those where governance exists in how decisions are made, not in how documents are filed.
Three Investments That Don’t Help Without Governance
Organizations invest in three things that all look good on paper, but none of them create security without functioning governance.
SIEM, EDR, vulnerability scanning. The toolboxes keep growing. But 68% of security incidents stem from existing policies not being followed, not from missing tools. A tool nobody uses properly is just a cost. The question isn't "Have we bought the right tools?" but "Does anyone actually follow the security measures we have?"
ISO 27001 certificates. SOC 2 reports. Impressive on paper. But if the management system lives in a folder that nobody opens between audits, it protects nothing. A certification proves you had governance at one point in time. It says nothing about today.
External consultants who build the framework, write the policies, and then leave. The knowledge walks out the door with them. Six months later, nobody remembers why a control was implemented or how to maintain it. Consultants create value, but only if the knowledge stays.
What the Cybersecurity Act Actually Requires
The Cybersecurity Act is not a checklist. It requires governance: that processes are alive, that management is engaged, and that the organization can demonstrate its security work functions in practice.
The Cybersecurity Act requires governance, not just documents:
- Management responsibility (Article 20): The board must approve and oversee, not just sign
- Risk management (Article 21): Systematic and ongoing process, not a one-time assessment
- Effectiveness evaluation (Article 21.2g): Measuring whether measures actually work
- Training (Article 20.2): Management must understand the risks, not just have taken a course
Consequence: Supervisory authorities won’t just check if the documents exist. They will examine whether governance is alive.
We’ve previously written about what the Cybersecurity Act means in practice and about management’s specific responsibilities. This article addresses the underlying problem: why governance is missing despite having the tools and documents.
Why Governance Is Missing: Three Patterns
In my meetings with management teams, I see the same patterns repeated. The problem is rarely unwillingness. It’s that the organization has never built the structures needed.
- Security was never a leadership issue: Historically, cybersecurity was IT's responsibility. It was technical. It was someone else's budget. The consequence: when the Cybersecurity Act demands leadership accountability, there's no ingrained behavior. Management has never had cybersecurity on the agenda in a meaningful way, and doesn't know where to start.
- Compliance became the goal, not the means: Many organizations have optimized for passing the audit rather than reducing risk. The annual ISO review became a sprint to update documents, not an opportunity to improve security. The incentive structure rewarded clean reports, not honest assessments.
- Nobody owns the full picture: IT owns the tools. Legal owns compliance. The CISO, if there is one, sits between them without mandate. Risk registers live in different systems. Nobody has a complete picture, and nobody is incentivized to create one.
The Fundamental Question: Do We Know Where Our Most Serious Weaknesses Are?
This is the question that determines everything. Not “Are we compliant?” but “Do we actually know where we’re weakest?”
The most important question a board can ask isn’t “Are we compliant?” but “Do we know where our most serious weaknesses are?” If the answer is no, or silence, you have a governance problem, regardless of how many tools you’ve bought.
I see it often in my meetings with management teams who believe they’re ready because they’ve bought a platform or engaged a partner. But nobody has asked the fundamental question.
Five signs that governance is missing:
- Management can’t name the three biggest risks without asking IT
- The risk register was last updated before the previous audit
- The incident process has never been tested in a real scenario
- The security policy was approved, but nobody knows who owns the follow-up
- “We have it documented” is the standard answer, but nobody can show it’s being followed
From Compliance to Governance: Five Steps
Moving from document-based compliance to living governance isn’t an overnight project. But it starts with simple, concrete steps.
- Conduct an honest GAP analysis: Not just against the requirements, but against reality. Don't just measure whether documents exist, but whether processes are actually followed. Talk to employees, not just those in charge. Our GAP analysis guide shows you step-by-step how to do this.
- Anchor with management using risk, not rulebooks: Present results in business terms. Not "we meet 64% of NIS2" but "we have three weaknesses that could each cost us X." Management acts on risk and consequence, not on percentages.
- Assign an owner for every risk area: No risk without an owner. No measure without a responsible person. No deadline without follow-up. Governance requires accountability to be personal and traceable, not collective and vague.
- Build governance into existing decision processes: Make cybersecurity a standing item on the management team's agenda. Not as a separate "security meeting" but integrated into business decisions: new suppliers, system changes, organizational changes.
- Measure and follow up continuously: Governance that isn't measured is wishful thinking. Define KPIs. Report to management quarterly. Use deviations as learning opportunities, not as failures.
Compliance as a Lifestyle, Not a Project
Organizations that treat the Cybersecurity Act as a project to “finish” will be back at square one when the next regulation arrives. Organizations that build governance into their operations will find that new requirements become incremental, not revolutionary.
The Compliance Project vs. The Governance Model:
- The Compliance Project: Starts with new legislation. Ends at the audit. Owned by a project manager. Measured in percent fulfilled. Next regulation = new restart.
- The Governance Model: Lives all the time. Owned by management. Measured in risk reduced. New regulation becomes an iteration, not a crisis.
The organizations I meet that are actually ready are never the ones with the most tools or the most certifications. They’re the ones where the board can answer the question: Where are we weakest, and what are we doing about it?
How does it look in your organization? Does governance live in the decisions or in the documents?
How Securapilot Can Help
- GAP analysis against reality: Map not just documentation but actual compliance
- Risk management with owners: Every risk has an owner, every measure has a deadline
- Management dashboard: Real-time overview for board and management in business terms
- Continuous follow-up: Automatic reminders and status updates
- Traceability: Complete audit trail for supervisory authorities
Book a demo and see how governance can become reality in your organization.
Frequently asked questions
What's the difference between compliance and governance?
Compliance means meeting formal requirements: ticking off controls, writing policies, passing audits. Governance means security actually guides everyday decisions: someone owns risks, deviations are followed up, and management makes informed decisions based on the real risk picture.
Can you be NIS2-compliant without real governance?
Formally perhaps, but not in practice. NIS2 and the Cybersecurity Act require management to actively approve, oversee, and take responsibility. Having the documents isn't enough. Supervisory authorities will examine whether processes actually work.
How do we know if our governance works?
Ask three questions: Do we know where our most serious weaknesses are? Does management make decisions based on current risk? Are security measures followed up regularly? If the answer to any of these is no, you have a governance gap.
What's the first step from compliance to governance?
Start with an honest GAP analysis that doesn't just map documentation but measures whether processes are actually followed. Anchor the results with management and create an action plan with clear owners.