June 1, 2026

Municipalities and public sector organizations handle critical societal functions and sensitive personal data, and are an increasingly attractive target for cybercriminals. Yet security work in the sector is often underprioritized, not because the will is lacking, but because budget constraints, limited expertise, and ageing systems get in the way.

Why are municipalities at risk?

In 2021, the Swedish municipality of Kalix was hit by a ransomware attack that took down large parts of its IT environment for weeks. In 2025, IT provider Miljödata was compromised in an attack that affected over 200 municipalities and regions, because they shared the same supplier. The public sector is an attractive target, and attacks are showing no sign of slowing down.

Municipalities make appealing targets for several reasons:

  • Ageing infrastructure. Many municipalities run systems that are ten to fifteen years old, procured under a different threat landscape and difficult to replace without significant investment. Vulnerabilities that would have been patched in modern environments remain open.
  • Limited budget and expertise. A mid-sized municipality cannot match the security budget of a bank. Security work is often carried out by a small number of people with broad IT responsibilities rather than dedicated security specialists.
  • High dependence on IT. Citizen services, social care, schools, and healthcare all depend on functioning systems. The cost of downtime is enormous – which makes municipalities attractive targets for extortion.
  • Large attack surface. Many external services, supplier integrations, and a large number of users with varying levels of digital literacy create a broad surface to attack.

Regulatory requirements for the public sector

Requirements around information security in the public sector have been tightening steadily and continue to increase.

  • NIS2 extends the directive's scope compared to NIS1 and now covers public administration at central and regional level. Whether a specific municipality or authority falls within scope depends on the services it provides and whether it is classified as an essential entity. The Swedish Civil Contingencies Agency (MSB) provides guidance on the Swedish implementation.
  • MSB's regulations on information security require systematic security work from government agencies, and indirectly affect municipalities that collaborate with or report to national bodies.
  • The Security Protection Act is relevant for organizations handling security-classified information – something that applies to more municipal operations than many realize, particularly within crisis management and emergency services.
  • Cloud services and data sovereignty present ongoing challenges for the public sector. Personal data and sensitive information cannot be stored or processed in violation of GDPR, and the choice of cloud provider requires a legal assessment. This directly affects which systems and services municipalities can use.

Read more: What does your organization need to do?

The most common security gaps we see

When testing municipalities and public sector organizations, we consistently see the same patterns:

  • Outdated Active Directory environments. AD is the backbone of most municipal IT environments, and older configurations frequently contain built-in weaknesses. Legacy protocols such as NTLM, together with Kerberoastable service accounts, give attackers the means to escalate privileges quickly once they are in.
  • Weak network segmentation. Business-critical systems and administrative networks are too often interconnected. An attacker who gains access to one system can move freely to the next without encountering any barriers.
  • Exposed RDP. Remote Desktop Protocol pointing directly to the internet – sometimes without MFA – is one of the most common entry points we see. It is low-hanging fruit for an attacker.
  • Inadequate backup strategy. Backups exist, but they are rarely tested, not always isolated from the production environment, and sometimes accessible via the same accounts as the rest of the systems. In a ransomware attack, that means the backups get encrypted too.

Priority actions

Significantly raising the security baseline does not always require large investments. Here is a prioritized list based on what delivers the most impact:

  1. MFA on all external access.  
    Email, VPN, RDP, and administrative portals should require multi-factor authentication without exception. It is the single most effective measure against account compromise.
  2. Active Directory hardening.  
    Review privileged accounts, disable legacy protocols, remove unnecessary permissions, and ensure that admin accounts are not used for everyday tasks. An AD review quickly reveals how exposed the environment is.
  3. Network segmentation.  
    Separate business-critical systems from administrative networks and user devices. An attacker who gets into one segment should not be able to move freely through the rest of the environment.
  4. A tested backup strategy.  
    Ensure backups are isolated from the production environment, tested regularly, and restorable within an acceptable timeframe. A backup that has never been tested is a backup you cannot rely on.
  5. Incident response exercises.
    Have a documented incident response plan and test it. A plan that has never been run through rarely holds up when something actually happens.
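The Active Directory weaknesses listed under common security gaps (Kerberoastable accounts, legacy NTLM, over-privileged accounts) and priority action 2 above can be given a first read-only pass with a script like the one below. It is an added example written for this post, not Cyloq's own tooling, and it assumes a domain-joined workstation with the RSAT ActiveDirectory module, read access to AD, and WinRM access to the domain controllers; the 365-day password-age threshold, the list of privileged groups, and the output file names are assumptions chosen for illustration.

```powershell
# Added example (not Cyloq's code): read-only Active Directory exposure review.
# Assumes RSAT ActiveDirectory module, AD read access and WinRM to the DCs.
# Thresholds and group names are illustrative assumptions, not recommendations.
Import-Module ActiveDirectory

$report = [ordered]@{}

# 1. Kerberoastable accounts: enabled user accounts with an SPN whose password
#    is old. Any authenticated user can request a service ticket for these, so a
#    weak or stale password is an offline-cracking risk. 365 days is an assumed cutoff.
$stale = (Get-Date).AddDays(-365)
$report.KerberoastableStale = Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
        -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
    Where-Object { $_.PasswordLastSet -lt $stale } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs';       e = { $_.ServicePrincipalName -join ';' } },
        @{ n = 'Privileged'; e = { [bool]($_.MemberOf | Where-Object { $_ -match 'CN=(Domain Admins|Enterprise Admins|Administrators),' }) } }

# 2. Privileged accounts: recursive members of high-privilege groups, with
#    password policy flags and last logon. Admin accounts used for everyday work
#    tend to show up here with daily logons.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$report.PrivilegedAccounts = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordNeverExpires, LastLogonDate, PasswordLastSet |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, PasswordNeverExpires, LastLogonDate, PasswordLastSet
}

# 3. Legacy protocol posture: LmCompatibilityLevel on each DC. A DC only refuses
#    NTLMv1 at level 5; an unset value means the OS default (3 on supported
#    servers), which still accepts NTLMv1 from clients.
$report.DCNtlmLevel = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $level = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        }
        [pscustomobject]@{ DC = $dc; LmCompatibilityLevel = $level; AcceptsNtlmV1 = ($null -eq $level -or $level -lt 5); Queried = $true }
    } catch {
        # Unreachable DC: report it rather than silently treating it as compliant.
        [pscustomobject]@{ DC = $dc; LmCompatibilityLevel = $null; AcceptsNtlmV1 = $null; Queried = $false }
    }
}

# Summarise and write one CSV per check (assumed file names) so findings can be
# compared between reviews.
foreach ($k in $report.Keys) {
    $items = @($report[$k] | Where-Object { $null -ne $_ })
    "{0}: {1} item(s)" -f $k, $items.Count
    if ($items.Count -gt 0) { $items | Export-Csv -Path ".\ad-review-$k.csv" -NoTypeInformation }
}
```

Run it from an ordinary (non-admin) domain account where possible: the first two checks need only read access, which itself illustrates why Kerberoastable and privileged accounts are visible to any user on the domain. The script changes nothing; the CSV output is the starting point for the review, not a replacement for it.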

Procuring security services in the public sector

The public sector is subject to public procurement legislation, which affects how security services can be purchased.

  • Framework agreements are the most common way for municipalities to procure IT and security services. In Sweden, framework agreements administered through bodies such as Kammarkollegiet and Adda allow municipalities to access services without running a full procurement process.
  • Direct procurement is possible for engagements below the threshold value, which provides more flexibility for well-defined assignments such as a single penetration test or security review.

Cyloq works with public sector organizations and understands the requirements that come with public procurement – documentation, confidentiality, reporting, and the processes needed for the collaboration to work within a public sector framework. Sundbybergs stad is one example of a municipal partnership that has grown into a multi-year agreement for ongoing penetration testing and vulnerability scanning.

Read more: Sundbybergs stad – Why we chose a long-term partnership with Cyloq

Take action

Book a meeting – we understand the public sector

Cyloq has experience of security testing in municipal and public sector environments – with the requirements around confidentiality, documentation, and process that come with it.

Need a team that shows up when something happens? Cyloq's incident response agreement gives you access to offensive security specialists around the clock – already familiar with your environment before anything goes wrong. Read more about our incident response services or book a meeting.

Frequently asked questions

Are municipalities covered by NIS2?

Partially. NIS2 extends coverage to public administration classified as essential at central or regional level. Whether a specific municipality falls within scope depends on the services it provides and its critical functions. The Swedish implementation addresses this specifically, and MSB provides guidance.

We already have an IT provider – do we still need a penetration test?

Yes. Operations and security are different things. An IT operations provider is responsible for keeping services running, not necessarily for ensuring they withstand a real attack. Independent security testing gives an honest picture and identifies weaknesses that your own team may overlook.

How much does a penetration test cost for a municipality?

It depends on scope – which systems are being tested, the size of the environment, and the depth of testing required. Use Cyloq's pricing calculator for an estimate based on your specific situation, or contact us directly and we will put together a proposal.

Can we run a penetration test if we use cloud services?

Yes, but it requires adaptation. Public cloud services such as Azure and AWS mean the test needs to be designed in line with the provider's rules. Cyloq has experience with this and follows the respective testing policies of Microsoft, Google, and Amazon.