Compliance - Digital tools and personal support

At Lantero, we’re closely monitoring the evolving landscape of the NIS2 directive and its upcoming impact on cybersecurity compliance in Sweden. As of October 18, 2024, the NIS2 directive was due to be implemented in national legislation. However, like many other EU countries, Sweden is still in the process of legislative adaptation. According to SOU 2024:18, a new cybersecurity law is set to replace the current NIS law and bring Sweden in line with NIS2 standards, but this won’t take effect until early 2025. November 7, 2024 The EU Commission will enact a regulation specifying NIS2's requirements for risk management and incident reporting, setting new standards for certain operators, including cloud service providers, DNS providers, and online marketplaces. For operators currently under the NIS law, this period represents a critical transitional phase. Compliance with NIS obligations remains mandatory, yet interpretations must now consider NIS2’s broader framework, especially around risk management and incident reporting as outlined in Article 21 of the directive. Who’s Affected? New group now included - NIS2 will widen the scope compared to NIS. Directly affected group will now also include providers in sectors such as DNS services, cloud services, and online marketplaces - The indirectly affected groups will be suppliers to the affected organizations. In practice this will mean that most organizations will need to take the new requirements into consideration to be able to compete long-term. Lantero’s LawLogic toolbox is here to support businesses as they navigate these complex changes. From guidance on best practices to streamlined reporting tools, we’re prepared to help ensure compliance and mitigate risks. With the new regulations, many are asking whether they are affected by the new rules, but the question that should be asked is rather how they are affected. It should be clear that one needs to take the regulations into consideration, and Lantero's tool aims to make the material clear and structured, so that the work can be formulated into concrete activities and initiated.

The NIS2 Directive, which stands for Network and Information Security Directive, aims to strengthen cybersecurity and resilience against cyber threats within the EU. It is an update of the previous NIS Directive and introduces several new measures to increase requirements for companies and public institutions managing critical infrastructure or essential services. ### Impact on Businesses - Increased Costs: Companies will need to invest more in cybersecurity, including technology, training, and personnel, to meet the new requirements. - Greater Focus on Risk Management: Cybersecurity must be integrated into the company’s overall risk management process, and businesses must be prepared to quickly detect and handle cyberattacks. - Increased Pressure on Suppliers: Since companies are also responsible for their suppliers' security, this may put pressure on the entire supply chain to implement stricter security measures. At first glance, NIS2 may seem like a concern for a specific segment of businesses and public administration, but its most likely effect is that the entire society will elevate its level of cybersecurity. This is partly because affected organizations and companies need to monitor their suppliers, but also because the general "hygiene level" of security will rise, making it harder to justify security lapses. ### Expanded Scope Compared to the original NIS legislation, the scope of NIS2 will be expanded to cover more sectors. In addition to energy, transport, finance, and healthcare, it will now also include: - Postal services and waste management - Digital services (including cloud services, data centers) - Space sector Some smaller companies that were previously exempt may also be included depending on their size and importance to critical societal functions. ### Specific Requirements Security requirements will generally become stricter, with concrete demands in areas such as risk management, security monitoring, incident management, and regular vulnerability assessments. Furthermore, there is an ambition for better coordination at the societal level regarding the reporting of incidents. Companies are required to follow specific protocols for reporting incidents, including actions taken to handle them. Failure to report in time could result in significant fines. The fine levels may resemble those imposed under GDPR, and steps are also being taken to hold company management and board members personally accountable. In summary, sanction mechanisms are being established to force rapid and substantial efforts to raise the security standards of all affected companies and organizations. The idea of coordination also extends to information sharing, so that national cybersecurity authorities will improve their collaboration and coordination between countries and sectors. In summary, NIS2 is a natural continuation of NIS, with the same underlying spirit but significantly stricter application. For those who haven't paid attention to NIS before or started working on these issues, there is a significant amount of work ahead in the coming years.

Lantero is organizing a seminar for municipalities on whistleblowing and some common issues in handling whistleblowing cases. It will take place on November 6 from 15:00 to 16:30. For more than ten years, Lantero has worked with whistleblowing solutions and is now the largest provider in Sweden within the municipal sector. Lantero assists municipal clients with whistleblowing cases daily, giving us a unique opportunity to guide both in legal matters and in common practices among different types of municipalities. Some common questions that will be addressed during Lantero's seminar include: * Conflict of interest situations and how to handle them * How to approach confidentiality when a public document is requested * What applies regarding GDPR when a case is investigated outside the whistleblowing system and process * How to interpret the concept of "public interest" in the law concerning irregularities in municipal operations The target audience for this seminar is primarily case officers working with municipal whistleblowing services and municipal lawyers who are occasionally involved in case handling or assessment. However, it may also be relevant for a broader group interested in the general efforts to address various types of misconduct in municipalities and the public sector at large. Since the topic connects to broader issues about how municipalities and public services function, as well as fraud and welfare crimes, welfare coordinators or case officers dealing with more specific issues may also find it relevant to attend. This also means, for instance, that government or regional legal advisors could benefit from the discussions. The seminar will be conducted as a webinar, but it is also possible to attend in person at Lantero’s office at Drottninggatan 71c in Stockholm. – We often receive requests from our municipal clients for this type of activity, as case officers in municipal whistleblowing functions clearly want to exchange experiences with colleagues from other municipalities or external experts, says Andreas Wahlström, who is responsible for the seminar on Lantero's behalf. We will do our best to involve participants and create a dynamic discussion.