The Gigabit infrastructure Act (GIA) is central to the European Union’s strategy for universal high-speed digital connectivity, as disparities in access – especially between urban and rural areas – persist. In the sparsely populated Nordic-Baltic region, the GIA holds particular promise: it can help close long-standing digital divides in rural, remote and cross-border communities, thereby unlocking regional development, economic revitalisation and digital inclusion.
While the GIA removes barriers and accelerates deployment, it does not require Member States to directly invest in broadband infrastructure. Instead, it obliges authorities to create a streamlined, transparent and coordinated regulatory environment that enables more efficient private-sector rollout. However, in a time of heightened geopolitical sensitivities and insecurities, the GIA’s ambitions for transparency, accelerated rollout and market-driven expansion must be reconciled with (cyber)security imperatives, such as those set out in the NIS2 Directive.
This brief explores how the countries of the Nordic-Baltic region can balance these objectives to deliver secure, future-proof and regionally inclusive connectivity.
Four policy actions
1. Align GIA implementation with regional governance and risk frameworks.
The GIA is not a purely technical infrastructure rollout tool – its ambitions are deeply embedded in national and regional risk management cultures and administrative capacities. This is of particular importance for rural areas and cross-border scenarios, where resource constraints and jurisdictional complexities are most pronounced. Policymakers should prioritise the harmonisation of GIA rollout with established frameworks to foster sustainable infrastructure development and effective risk mitigation.
2. Provide operational guidance on the GIA–NIS2 interplay for local authorities.
Legal uncertainties can be mitigated by offering actionable, operational-level tools. This includes not only clarifying where responsibilities sit under each directive but also providing concrete examples of how local authorities can integrate resilience requirements into connectivity planning. Showcasing good practice from early adopters, particularly in rural or cross-border areas facing similar resource and capacity constraints, can help authorities translate regulatory obligations into practical workflows.
3. Strengthen rural cybersecurity capacity through shared services and preparedness.
Rural or smaller stakeholders, such as municipalities, may be uncertain of their legal status or under-equipped to handle NIS2-level responsibilities. Addressing these vulnerabilities requires structured institutional support, including technical assistance programmes and cross-border knowledge-sharing hubs. These initiatives should focus on enhancing cybersecurity preparedness, clarifying legal responsibilities, and providing access to expert recourses.
4. Monitor and evaluate GIA–NIS2 interaction over time.
Regular impact assessments, performed by, for example, national and regional authorities, can evaluate how the GIA affects cybersecurity resilience over time, informing future updates and deployment strategies. Clear division of responsibilities (who gathers data, who validates compliance, who follows up on identified risks) helps ensure that evaluations are not only systematic but also actionable.
