.png)
We’ve expanded Cyberday’s framework library again to help organizations manage compliance with a wider set of cybersecurity and critical infrastructure laws. This update includes new global, regional, and national frameworks.
These additions make it easier for organizations operating across multiple countries to centralize compliance work and automatically map overlapping requirements.
New general frameworks
CER Directive
The Directive (EU) 2022/2557 on the resilience of critical entities (CER) complements the NIS2 Directive by focusing on physical and organizational resilience. It applies to operators of essential services like energy, transport, and healthcare, requiring them to assess risks and implement resilience measures. The CER Directive entered into force in 2023, and Member States must transpose it into national law by October 2024.
China Cybersecurity Act
China’s Cybersecurity Law sets the foundation for network security, critical infrastructure protection, and data localization obligations for companies operating in China. Together with the Data Security Law and Personal Information Protection Law (PIPL), it forms a key part of China’s digital governance framework.
NEN 7510 (Netherlands)
NEN 7510 is the Dutch standard for information security in healthcare. It is closely aligned with ISO 27001 and ISO 27002 but includes additional requirements specific to health organizations and patient data. The standard helps healthcare entities demonstrate proper protection of medical information and compliance with the Dutch Data Protection Act.
Säkerhetsskyddslagen (Sweden)
Sweden’s Security Protection Act (2018:585) regulates how organizations handle information and operations critical to national security. It covers areas like access control, personnel vetting, and security incident management. The law applies both to public bodies and private companies working with sensitive government contracts.
Read more: What is Säkerhetsskyddslagen?
Sikkerhetsloven (Norway)
Norway’s Security Act (Sikkerhetsloven) establishes requirements for protecting national security interests, including physical and digital assets. It has been updated in recent years to include stronger provisions for information and system security, and it aligns closely with the upcoming Norwegian implementation of NIS2.
Cybersecurity Ordinance (Switzerland)
The Cybersecurity Ordinance (CySO) entered into force in 2024 and implements the revised Swiss Information Security Act. It sets out reporting obligations for cyber incidents in critical sectors and defines responsibilities for the National Cyber Security Centre (NCSC).
New NIS2-based national laws
Following the EU’s NIS2 Directive, Member States are finalizing their national implementations. Cyberday now includes early or final versions of the following frameworks:
- Estonia: Küberturvalisuse seadus
- Poland: Ustawa o krajowym systemie cyberbezpieczeństwa
- Czech Republic: Zákon o kybernetické bezpečnosti (small and large variations)
- Norway: Lov om digital sikkerhet
- Denmark: Cybersikkerhedsloven
With this update, Cyberday now supports 23 local variations of the NIS2 directive. These frameworks follow the NIS2 baseline but add national adaptations, sector-specific requirements, and local supervisory structures. Including them in Cyberday allows organizations to prepare in advance and ensure compliance with local transpositions as they come into effect.
See how these variations follow the EU NIS2 directive with the Framework Comparison Tool.
How to enable the new frameworks
All new frameworks are available in the Frameworks section in Cyberday. To add one:
- Open your workspace and go to Frameworks → Edit frameworks
- Select the framework(s) relevant to your organization
- Review mapped controls and implement any new required tasks
You’ll automatically get the latest updates and mapping improvements as these laws progress.
