.svg)
.png)
We’ve updated Cyberday’s framework library with a fresh batch of compliance frameworks. This release focuses on helping organizations meet new national NIS2 requirements in Europe, as well as specific regulations for the public and energy sectors.
We are also excited to introduce support for Saudi Arabia’s first comprehensive data protection law and the latest version of the UK's Cyber Assessment Framework.
New NIS2-based national laws
As member states continue to transpose the EU NIS2 Directive into local law, we are actively adding these variations to Cyberday. This allows organizations to manage compliance using the exact legal text and requirements applicable to their country.
- Portugal: Lei de Cibersegurança. Following the authorization by Law no. 59/2025, this framework represents the upcoming national regime.
- Slovenia: Zakon o informacijski varnosti (ZInfV-1). The official transposition of NIS2, published in June 2025.
- Slovakia: Zákon o kybernetickej bezpečnosti. The amendment to Act No. 69/2018 Coll., effective from January 1, 2025.
- Åland: Landskapslag om cybersäkerhet och motståndskraft (ÅFS 2025:57). The specific implementation for the autonomous region of Åland, categorizing entities as "essential" and "important" similarly to the mainland Finnish act but with local supervisory details.
These additions bring our total count of supported NIS2 national variations to 29. You can automatically map your existing NIS2 work to these new national versions to see where you stand.
Compare how these variations overlap with the EU NIS2 directive using our Framework Comparison Tool.
New Global and Regional Frameworks
On top of the national NIS2 variations, we've also released 6 other new frameworks.
Personal Data Protection Law (Saudi Arabia)
The Personal Data Protection Law (PDPL) is Saudi Arabia’s first major legislation dedicated to the protection of personal data. Effective from March 2023, with a compliance deadline in September 2024, it regulates the processing of personal data for residents of the Kingdom. The framework includes requirements for consent, data localization, and the appointment of a Data Protection Officer (DPO), bearing similarities to the GDPR but with specific local nuances.
CAF 4.0 (United Kingdom)
The Cyber Assessment Framework (CAF) v4.0, developed by the National Cyber Security Centre (NCSC), is now available. This latest version shifts focus towards a "threat-informed" approach, emphasizing proactive threat hunting, behavioral analysis, and supply chain security. It is widely used by organizations responsible for the UK's Critical National Infrastructure (CNI) to demonstrate resilience.
Swedish MSB Regulations (MSBFS)
We have added the core information security regulations issued by the Swedish Civil Contingencies Agency (MSB). These are mandatory for Swedish government authorities ("statliga myndigheter") but serve as excellent reference standards for other organizations.
- MSBFS 2020:6: Regulations on information security management.
- MSBFS 2020:7: Regulations on specific security measures in information systems.
- MSBFS 2020:8: Regulations on IT incident reporting.
Resilience in the Energy Sector (Denmark)
Executive Order No. 260 (Bekendtgørelse om modstandsdygtighed og beredskab i energisektoren) implements the sector-specific parts of NIS2 for the Danish energy industry. It sets out detailed rules on organizational preparedness, physical security, and cybersecurity for companies essential to Denmark's energy supply.
How to enable the new frameworks
All new frameworks are immediately available in Cyberday. To add them to your account:
- Go to Frameworks in your dashboard.
- Click Edit frameworks.
- Search for the new framework (e.g., "Saudi Arabia" or "MSBFS") and enable it.
- The system will automatically map your existing policies and controls to the new requirements.
If you don't have a Cyberday account yet, start with the free trial.
