Fredrik Lindeberg

Digital robustness: from policy to practice - key takeaways from Almedalen 2025

At Almedalsveckan 2025, Netnod was on-site and heavily involved in the week’s discussions, from panels and presentations to roundtables and tabletop exercises. Much of the week focused on cyber threats, robustness, and preparation for an uncertain future. The question here, which Netnod focuses on in all our cybersecurity work, is: how do we move from talk to action?

Almedalsveckan (23-27 June 2025) is a mainstay for Swedish high-level policy discussion, bringing together thousands of experts, politicians and visitors to discuss relevant policy issues. Most seminars are open to anyone, but there are also closed-door seminars and roundtable discussions with invited guests.

NIS2: policy vs operations

Netnod participated in several seminars, ranging from NIS2 / “Cybersecurity law” and cybersecurity to #ChatControl and robust communications. Netnod’s CSO, Patrik Fältström, noted that policy frameworks like NIS2 are only useful if grounded in operational realities:

NIS2 is very important (the "HOW"), but the needs of the business (the "WHAT") are more important (in my opinion), because the "HOW" isn't worth much if the "WHAT" isn't well-defined.

That's why it's more important for an IT department to learn the core of business operations than for the management to learn IT.

Patrik Fältström, CSO, Netnod

In other words, IT systems that are support systems should not dictate what the organisation does; rather, the organisation should dictate the IT requirements. For example, the primary business of hospitals is helping people and saving lives. This should dictate the requirements for their IT systems; the IT systems should not dictate how hospitals save lives.

Netnod contributes to critical policy and governance discussions related to cybersecurity. You can read more about our official response to NIS2 here and here.

Patrik Fältström, CSO, Netnod, with representatives from RISE Cybernode, Mastercard Norra Europa, Centerpartiet and Omegapoint in an Almedalen panel discussing security and public-private collaboration
 

Opposing architectures: availability and confidentiality

Netnod also participated in several seminars hosted by The Production Office, including one where we had the opportunity to highlight the important difference between availability and confidentiality requirements and structures. 

Confidentiality requirements, on the one hand, usually go along with the information. That is, the requirements follow the information to the receiving party.

Availability requirements, on the other hand, go against the flow of information towards its source. This involves a different set of actors than those you often negotiate confidentiality requirements with. 

In general, most organisations are much better at handling confidentiality requirements, due to frameworks such as GDPR which focus on confidentiality. Availability of service or information is often left out in the cold.

Fredrik Lindeberg, PhD, Security Expert, Netnod

It is important to see how opposing architectures are involved here: confidentiality requires the compartmentalisation of information and systems, while availability relies on system redundancy and diversity. For a deeper dive into the issues involved here, see our previous blog series on security by diversity and our response to a consultation on the Swedish implementation of CER.

The cooperation challenge and the all-hazards approach

The all-hazards approach is core to the NIS2 framework, and it was discussed in several NIS2-related seminars.

We see two main issues with the all-hazards approach: firstly, the high level of competence required for proper risk management under an all-hazards approach, as organisations themselves need to figure out and prioritise among threats and risks; and secondly, that actors will use different risks and threats, prioritised by different processes, for their risk management processes. This will make it much harder for actors to cooperate and prepare together.

Fredrik Lindeberg, PhD, Security Expert, Netnod

In particular, the second point is problematic: if actors do not agree on risks and threats, it is almost impossible to prepare, practice and make contingency plans together.

See the Netnod response to NIS2 here for additional insight on the topic.

Defending end-to-end encryption

Netnod also participated in a seminar on #ChatControl and the larger issue of breaking end-to-end encryption, an issue which Netnod has engaged with strongly in our public statements and responses to formal consultations.

It should be mentioned that if #ChatControl, or any of the related legislative proposals, were enforced, incidents like Salt Typhoon would likely result in the leak of all stored communication.

See our recent blog on end-to-end encryption and Internet architecture and our formal responses to the Swedish Data Storage Act here and here.

Digital robustness: from policy to practice

Whether it’s building robust infrastructure, contributing to security regulation, or defending core Internet principles, Netnod doesn’t just talk—we act. Our team combines deep technical and security knowledge with long-standing policy experience to help policy-makers and digital organisations transform policy into real-world resilience.
