Towards a More Resilient Public Sector
From crisis response to continuous risk governance
Effective governance and reliable public services are at the top of every public organisation’s agenda. Yet rapid digitalisation, new security requirements, and complex supplier networks have made operations increasingly vulnerable. At the same time, opportunities abound. Building a public sector that anticipates and manages risks — rather than simply reacting to them — is both necessary and achievable.
This article explores how governments, municipalities, and public agencies can strengthen their resilience through structured risk governance, smarter use of data, and genuine leadership engagement — all in line with the NIS 2 Directive and the forthcoming Cybersecurity Act.
A Shift in Mindset Is Needed
In many organisations, risk management is still viewed as a compliance exercise rather than a leadership tool. Policies and procedures exist, but they rarely shape decisions or drive priorities.
A resilient society demands more. It requires treating risk information as a strategic input, not an administrative burden. When risk assessments are woven into governance, planning, and decision-making, organisations gain both agility and direction.
“A robust and resilient society presupposes that all sectors take greater responsibility for information security.”
(Prop. 2025/26:28, p. 35)
Three Levels of Risk Governance
Public sector organisations operate at different stages of maturity when it comes to managing risk.
- At the reactive stage, responses come only after an incident has occurred. Risks are documented but rarely influence decisions.
- At the controlled stage, risk processes exist — often within IT or quality functions — but they are fragmented and fail to provide a holistic view.
- At the integrated stage, risk data informs strategic choices, resource allocation, and performance tracking. Risk becomes part of governance, not a separate discipline.
Progressing from reactive to integrated doesn’t require more documentation — it requires stronger links between data, accountability, and decision-making.
Building Governance from Decisions to Behaviour
Resilience is not built in policy documents; it is built through daily decisions. To succeed, organisations need structures that connect strategy, security, and operations.
Leadership must own the question of risk and security. Employees need simple, usable ways to identify and report risks. Follow-up should be ongoing, not annual.
When these elements align, leadership can begin to steer through risk rather than merely respond to it. That is the difference between controlling risk and adapting to it, and it defines how well an organisation withstands and recovers from disruption.
Data Makes Risk Governance Practical
Public organisations already hold vast amounts of risk and security data — in procurement, project management, and incident reports. The problem is that this information is dispersed and rarely used as input for decision-making.
By consolidating and structuring data, it becomes possible to build a unified risk picture. This enables leaders to see trends, detect weak points, and act before risks escalate. Note that a consolidated risk picture is itself sensitive: it lists an organisation's known weaknesses in one place, so access to it should be restricted and logged like any other protected asset.
“Operators shall take appropriate and proportionate technical, operational and organisational measures to protect network and information systems against incidents.”
(Prop. 2025/26:28, p. 244–245)
The wording matters: "appropriate and proportionate" ties the measures to the risk they address, and the risk changes over time. Cybersecurity is therefore not a one-time exercise but an ongoing discipline that requires consistency, evaluation, and improvement.
Four Actions That Make a Difference
- First, ensure that risk and security have a standing place on the leadership agenda. Ownership drives focus.
- Second, consolidate risk data across departments to create a shared view — whether the risk sits in IT, operations, or the supply chain.
- Third, let risk insights influence governance. When risk data is part of budgeting, procurement, and prioritisation, decisions become faster and more grounded.
- Finally, create continuity. Risk governance is not a project; it is a rhythm.
Even small, consistent steps can quickly strengthen both trust and resilience.
Resilience as a Future Strategy
Digitalisation and security can no longer be treated as separate domains. Resilience is the ability to keep delivering public value through disruption, and to recover when delivery is interrupted.
This is where NIS 2 becomes a tool rather than a burden — a framework that brings governance, accountability, and improvement closer together. The resilient organisation leads not through compliance, but through insight.