Blog

Implementing AI in an organization today is not merely a technical challenge, but very much a legal and security-oriented one. In a conversation between Lantero and expert Joakim Karlén (in Swedish), we highlight the complex issues that arise when Large Language Models (LLMs) encounter European legislation such as GDPR and the new AI Act. ### Innovation in the US, Regulation in the EU Technological development is largely driven by American companies, but for Swedish and European organizations, local legislation sets the boundaries. Joakim Karlén notes that the current dynamic is challenging because the pace of innovation is lightning-fast while regulation is brand new. There is still a lack of clear legal precedent and court rulings, which places high demands on an organization’s internal capacity for risk analysis. ### The Clash Between GDPR and AI Dynamics One of the most central questions is how AI systems—which are by nature dynamic and non-deterministic—can live up to GDPR’s requirements for accuracy. Traditional IT systems are static; you know what you input and what you will get as output. An LLM works differently. By simulating human behavior with a degree of randomness, the output is not always predictable. This creates fundamental uncertainty regarding individual rights and the accuracy of the processed data. ### From Chatbots to Autonomous Agents We are seeing a clear shift from simple chatbots to autonomous agents capable of performing tasks independently. This introduces new risk vectors. Joakim emphasizes that an organization deploying an AI system is considered a "deployer" under the AI Act and thus bears the legal responsibility. This becomes particularly critical when agents are given the mandate to act without human intervention. The risk of incorrect decisions or random behavior means that traceability—the ability to explain why a machine acted in a certain way—becomes both a technical and legal challenge. Not least when it comes to cybersecurity. ### Internal Risks and "Oversharing" While many focus on external hackers, one of the greatest risks is internal. The concept of "oversharing" describes when an AI agent, due to a lack of permission management or classification, gives employees access to sensitive information they are not authorized to see. Protecting the "machine" itself and its access to internal data sources is therefore just as important as protecting the raw data. ### Methodology Wins in the Long Run To succeed, Joakim suggests a methodical approach. Instead of simply "trial and error," organizations should begin with a holistic analysis based on the AI Act, GDPR, and cybersecurity legislation (NIS2). By understanding the purpose of the technology and maintaining control over the information structure, you can build correctly from the start.

Below is a lightly edited version of an interview (in Swedish) we conducted with Sara Johansson, who works with whistleblowing assessments at Lantero. We asked her what new case officers need to keep in mind when they start handling whistleblowing cases, what types of situations they may encounter, and which common pitfalls to watch out for. Interviewer: When someone steps into a role as a new case officer in a municipality and begins working with the whistleblowing function, what should they keep in mind or expect? Sara Johansson: You’ll need to find a way to separate the wheat from the chaff, because many of the reports you receive are not, in fact, whistleblowing cases. They may involve an employee having issues with their manager, comments on organisational efficiency, or opinions on how things are structured. These are typically not whistleblowing matters. Then there are cases where there is actually something to look into. In those situations, you need to determine whether the reporting individual belongs to the protected group under the legislation, and whether the report concerns a public-interest wrongdoing. This might involve signs of corruption, serious conflicts of interest, or questionable recruitment processes carried out without proper advertising. In some types of operations, there may also be risks to patient safety or collaboration difficulties in critical environments. The key is to identify and distinguish these cases from the rest. Interviewer: There is a lot of legislation underlying this work, and case officers need to apply it in their assessments. And in many organisations—especially smaller ones—actual cases are infrequent. How should one stay up to date on these issues? Sara Johansson: One challenge is that there are very few court decisions in this area, which means there's not much case law to rely on. My recommendation is therefore to read everything that is published: follow relevant accounts on LinkedIn—ours, for example—and stay updated on news reporting around the topic. At the same time, you need to keep in mind that there is a clear sequence for handling these cases: there must be a wrongdoing, and it must concern a group defined as the public. Interviewer: And if someone has questions? Sara Johansson: Then they contact Lantero. Interviewer: Do you have an example of a situation that may arise—something many case officers will encounter early on? Sara Johansson: Do you want an example of a case that isn’t a whistleblowing matter? Because most cases are not. Interviewer: Yes, describe that type of case. Sara Johansson: The most common goes something like: “You have to do something. We can’t take it anymore. Our manager has completely lost control.” Then follows a long description of everything that is not working. This is by far the most common scenario. Interviewer: And what is your advice to the client in that situation? Sara Johansson: My advice is to explain that this is not a serious wrongdoing under the law, but something that needs to be addressed through another process. Often, you raise it within the organisation as a tip—an indication that the organisation should take a closer look at how the work environment is functioning—rather than treating it as a whistleblowing case. Interviewer: If you have further thoughts or questions on this topic, you are very welcome to contact us. Otherwise, we wish you the best of luck—and thank you for watching.

When a public authority receives a request to disclose documents, the same question often arises: how much may – or must – we redact in a whistleblowing case? Many case officers find this difficult, as whistleblowing cases involve sensitive information while the principle of public access imposes strict requirements to release documents. We interviewed Andreas Wahlström (in Swedish), who works with assessments and redaction of whistleblowing cases at Lantero. He explains both the legal requirements and the practical challenges faced by municipalities and government agencies. Andreas reminds us that public documents are, as a rule, public. This means that “anyone has the right to request a whistleblowing report.” But the obligation to disclose also comes with a significant responsibility to redact. This applies to both directly identifying information and indirect details that could reveal the whistleblower. Redaction is therefore a central part of managing whistleblowing cases. The legal basis primarily comes from two chapters in the Swedish Public Access to Information and Secrecy Act: OSL Chapter 32, Section 3 b and OSL Chapter 17, Section 3 b. These regulate the protection of reporting individuals – as well as other persons mentioned in the report. In practice, the guidance is clear: redact rather more than less. If there is any uncertainty, the case officer should act cautiously to protect everyone involved. For many case officers in municipalities and government agencies, redaction is still a manual process. Andreas notes that in the past six months, new tools have emerged that make the work both faster and safer. These tools propose what should be redacted, simplify the workflow, and help the case officer produce a document that can be safely disclosed. One such example is Lantero Redact, a tool developed to help public-sector organisations manage redaction in accordance with legal requirements. It provides concrete suggestions on what to redact, is easy to use, and ensures that the material is properly anonymised before disclosure. For those who want to dive deeper or need support in a specific case, Andreas and the team at Lantero are available to help. Redaction is not only a legal requirement – it is also a crucial part of maintaining trust in the whistleblowing function and protecting reporting individuals.

Lantero interviewed Therese Forsberg, an investigator at the Department of Administration in Uddevalla Municipality. Therese works with redaction of documents in response to requests for public records, and she has been using Lantero Redact over the past months — receiving AI-based support for assessment and redaction. Below is a slightly shortened version of the interview. (Video version is in Swedish) Interviewer: Uddevalla is a municipality with around 60,000 residents. When it comes to requests for public records, what kind of volumes are you dealing with? Interviewee: It varies. It depends on what’s happening in the organisation. When incidents occur that lead to deviations or Lex Sarah cases, the volume increases. We also have some media outlets that submit weekly requests for all incoming records from the past week. That’s the case for municipalities across Sweden — some outlets do this continuously. So the amount can fluctuate a lot, especially if serious cases have come in. Interviewer: To what extent is this possible to plan for? Interviewee: Some parts are always manageable, but it becomes difficult when large volumes come in — sometimes thousands of documents. We don’t have a dedicated person working on this full-time, so our department has to share the workload. How the process used to work Interviewer: What did the routines look like before? Interviewee: We did everything the old-fashioned way. We printed out the documents and redacted them manually using Tipp-Ex. Then we copied and scanned them before sending them off. Adobe has some tools, but they haven’t been reliable. You could sometimes lift off the redaction digitally, so we always had to print and scan everything anyway. It was time-consuming and difficult to manage when working remotely. How the work is done now Interviewer: What does the routine look like now? Interviewee: It’s much faster. With the redaction service, we can mark what we want to redact digitally and save it directly. We avoid all the printing and scanning, which saves a lot of time. I also feel that we have better oversight of the documents and the process. Interviewer: One idea with the AI support is that more people could participate in the work by accepting or rejecting suggested redactions. Have you started expanding that responsibility? Interviewee: Not yet. We’ve involved some colleagues, but they have the same level of knowledge as we do. So for now, the responsibility remains within our department. Model training and new updates Interviewer: You recently received an updated version of the service. Have you had a chance to test the new capabilities? Interviewee: Very briefly, but what I saw looked good. I need to test it more before I can say anything definite. Interviewer: Do you think the assessments look similar across different municipalities? Interviewee: Yes, I think so. We all work with the same types of documents and the same regulations. The goal is always to protect the individual and avoid revealing personal data. That should lead to similar approaches to what needs to be redacted. User experience of the service Interviewer: Any final reflections? Interviewee: The service has been easy to use. We’ve found it user-friendly and free from issues. It has worked throughout the entire test period, which has been very valuable since we’ve had unusually large volumes of cases recently.

We interview Joakim Karlén about how to involve all employees in the work with information security and cyber hygiene. (Video version is in Swedish) Interviewer: Let’s start from the beginning – what does cyber hygiene actually mean? Joakim Karlén: – When you hear the word hygiene, you think about the things you should always do, like washing your hands. It’s actually the same in cybersecurity. Cyber hygiene is about ensuring that everyone knows and follows the basic routines needed to protect both themselves and the organisation. Small and large organisations – different conditions Interviewer: When working with smaller organisations, how does their work differ from that of larger ones? Joakim Karlén: – Larger organisations often have more structure and support, such as an IT department that drives the security work. In smaller organisations, individual responsibility becomes greater. Everyone needs to understand how their own actions affect security – because you can’t rely on the same support functions. Interviewer: What are the most common mistakes? Joakim Karlén: – The most common mistake is not having control over your digital assets. Many lack routines for how computers and mobile devices should be handled, or training in basic security practices. This means they miss simple but crucial safeguards. Creating engagement Interviewer: So how do you get employees to think actively about these issues? Joakim Karlén: – It starts with education. You need to explain why the rules exist and connect them to everyday work: What do you do in your daily routine, and what risks exist in those specific moments? Many don’t see cybersecurity as part of their job – but it is. Just as you wouldn’t run around the office with scissors, you shouldn’t handle your digital tools in a risky way. Cyber hygiene is about understanding the tools you use and how to handle them safely. Behaviour rather than technology Interviewer: So ultimately it’s about culture and behaviour? Joakim Karlén: – Exactly. Cyber hygiene is not just technology – it is above all behaviour and awareness. To support that culture, you need clear routines and checklists – for example, for how new employees are introduced to security practices. You can also practice incidents, such as through simulated attacks, so that everyone learns their role if something goes wrong. When you train for failure scenarios, people become more aware of their responsibilities – and more confident in how to act. Interviewer: Which threats should organisations focus on right now? Joakim Karlén: – We’re seeing that attacks are becoming more frequent and more automated. Many small organisations think “we’re not interesting” – but the attackers don’t know that. They attack anything that can be attacked. And with today’s AI tools, it’s possible to pretend to be someone else and carry out advanced social engineering attacks with far greater precision and volume than before. This means the risk of being deceived increases dramatically – especially if employees aren’t vigilant. Cyber hygiene is about doing the simple things right – every day. It requires structure, training, and engagement from everyone.

The EU's NIS2 Directive came into force in January 2023, and member states have until October 17, 2024, to transpose it into national legislation. Yet, many organizations still fail to meet the requirements two years after the directive was approved. Figures suggest that as many as two-thirds (66 percent) of affected organizations will miss the October 17 deadline, despite nine out of ten reporting incidents that could have been prevented by measures mandated under NIS2. Looking at EU member states, only two out of 27—Croatia and Italy—have fully implemented the directive into their national legislation. Estonia and Portugal lag the furthest behind and have yet to begin the process. Given the scale of fines and sanctions that non-compliance entails, the sluggish response is somewhat surprising. In addition to significant fines for companies and organizations, individuals in leadership positions may also face personal sanctions. ### Development from NIS1 The first EU-wide cybersecurity legislation, introduced in 2018, was known as NIS1. Its purpose was to implement a common set of security standards across all member states. NIS2 is an evolution of the same framework and underlying ambition. The new regulations expand the scope, meaning more organizations are required to comply. Generally, NIS2 applies to organizations that provide critical services or fall under the sectors covered by NIS2's expanded scope, have more than 50 employees, or an annual turnover exceeding €10 million. Operators of critical infrastructure were subject to NIS1 and, by extension, are also covered by NIS2. Organizations in sectors such as digital services, space industry, postal services, network operators, chemical producers/distributors, and some manufacturers are now also covered by NIS2. Organizations are categorized as "essential" and "important," with all being deemed critical sectors, though some more than others. This classification determines the specific requirements organizations must meet. Each organization must determine whether it falls under NIS2, not only because of potential penalties but also because the regulations impose different requirements on various sectors. While NIS2 aims to elevate security standards across industries to a common level, compliance requirements are not uniform. ### What's New? In addition to expanding the number of organizations covered by the directive, four key areas with stricter requirements are introduced: risk management, corporate responsibility, mandatory incident reporting, and business continuity planning. - Risk Management: Organizations must take adequate measures to minimize threats to network and supply chain security, improve access controls (using multi-factor authentication), implement encryption, and have an incident response plan ready in the event of a serious attack. - Corporate Responsibility: Leaders in affected organizations must have a comprehensive understanding of the directive and be responsible for managing cybersecurity risks. - Mandatory Reporting: Incidents must be reported within 24 hours of detection to a database managed by ENISA, the EU's cybersecurity agency. - Business Continuity Planning: Organizations must ensure they can continue operations during a major cyberattack. ### Compliance Checklist Given the varying requirements between organizations, creating a universal checklist is challenging. However, below are the most fundamental steps: - Identify whether your organization falls under NIS2. - Understand the requirements and evaluate the current level of compliance. - Secure the budget for necessary changes. - Identify other EU cybersecurity laws applicable to your organization. - Conduct cybersecurity assessments to identify vulnerabilities and threats. - Assess third-party risks and establish appropriate risk management procedures. - Develop plans for incident response, business continuity, and cybersecurity. - Implement security measures like multi-factor authentication (MFA). - Ensure staff receives up-to-date cybersecurity training. ### Penalties and Challenges for Non-Compliance Organizations classified as "essential" risk fines of at least €10 million or 2 percent of their global annual turnover. Organizations classified as "important" face lower but still significant fines of at least €7 million or 1.4 percent of their global annual turnover. Non-compliance may also result in legal consequences for business leaders. For instance, Ireland's national implementation of NIS2 includes the risk of imprisonment. Despite the risks, many organizations remain unprepared. One might argue that national authorities should have provided better support and guidance, or that the requirements are unreasonably burdensome alongside other regulations. However, it is ultimately in the organizations' own interest to strengthen cybersecurity and protect critical services in an increasingly threatening cyber environment.

At Lantero, we’re closely monitoring the evolving landscape of the NIS2 directive and its upcoming impact on cybersecurity compliance in Sweden. As of October 18, 2024, the NIS2 directive was due to be implemented in national legislation. However, like many other EU countries, Sweden is still in the process of legislative adaptation. According to SOU 2024:18, a new cybersecurity law is set to replace the current NIS law and bring Sweden in line with NIS2 standards, but this won’t take effect until early 2025. November 7, 2024 The EU Commission will enact a regulation specifying NIS2's requirements for risk management and incident reporting, setting new standards for certain operators, including cloud service providers, DNS providers, and online marketplaces. For operators currently under the NIS law, this period represents a critical transitional phase. Compliance with NIS obligations remains mandatory, yet interpretations must now consider NIS2’s broader framework, especially around risk management and incident reporting as outlined in Article 21 of the directive. Who’s Affected? New group now included - NIS2 will widen the scope compared to NIS. Directly affected group will now also include providers in sectors such as DNS services, cloud services, and online marketplaces - The indirectly affected groups will be suppliers to the affected organizations. In practice this will mean that most organizations will need to take the new requirements into consideration to be able to compete long-term. Lantero’s LawLogic toolbox is here to support businesses as they navigate these complex changes. From guidance on best practices to streamlined reporting tools, we’re prepared to help ensure compliance and mitigate risks. With the new regulations, many are asking whether they are affected by the new rules, but the question that should be asked is rather how they are affected. It should be clear that one needs to take the regulations into consideration, and Lantero's tool aims to make the material clear and structured, so that the work can be formulated into concrete activities and initiated.

The NIS2 Directive, which stands for Network and Information Security Directive, aims to strengthen cybersecurity and resilience against cyber threats within the EU. It is an update of the previous NIS Directive and introduces several new measures to increase requirements for companies and public institutions managing critical infrastructure or essential services. ### Impact on Businesses - Increased Costs: Companies will need to invest more in cybersecurity, including technology, training, and personnel, to meet the new requirements. - Greater Focus on Risk Management: Cybersecurity must be integrated into the company’s overall risk management process, and businesses must be prepared to quickly detect and handle cyberattacks. - Increased Pressure on Suppliers: Since companies are also responsible for their suppliers' security, this may put pressure on the entire supply chain to implement stricter security measures. At first glance, NIS2 may seem like a concern for a specific segment of businesses and public administration, but its most likely effect is that the entire society will elevate its level of cybersecurity. This is partly because affected organizations and companies need to monitor their suppliers, but also because the general "hygiene level" of security will rise, making it harder to justify security lapses. ### Expanded Scope Compared to the original NIS legislation, the scope of NIS2 will be expanded to cover more sectors. In addition to energy, transport, finance, and healthcare, it will now also include: - Postal services and waste management - Digital services (including cloud services, data centers) - Space sector Some smaller companies that were previously exempt may also be included depending on their size and importance to critical societal functions. ### Specific Requirements Security requirements will generally become stricter, with concrete demands in areas such as risk management, security monitoring, incident management, and regular vulnerability assessments. Furthermore, there is an ambition for better coordination at the societal level regarding the reporting of incidents. Companies are required to follow specific protocols for reporting incidents, including actions taken to handle them. Failure to report in time could result in significant fines. The fine levels may resemble those imposed under GDPR, and steps are also being taken to hold company management and board members personally accountable. In summary, sanction mechanisms are being established to force rapid and substantial efforts to raise the security standards of all affected companies and organizations. The idea of coordination also extends to information sharing, so that national cybersecurity authorities will improve their collaboration and coordination between countries and sectors. In summary, NIS2 is a natural continuation of NIS, with the same underlying spirit but significantly stricter application. For those who haven't paid attention to NIS before or started working on these issues, there is a significant amount of work ahead in the coming years.

Lantero is organizing a seminar for municipalities on whistleblowing and some common issues in handling whistleblowing cases. It will take place on November 6 from 15:00 to 16:30. For more than ten years, Lantero has worked with whistleblowing solutions and is now the largest provider in Sweden within the municipal sector. Lantero assists municipal clients with whistleblowing cases daily, giving us a unique opportunity to guide both in legal matters and in common practices among different types of municipalities. Some common questions that will be addressed during Lantero's seminar include: * Conflict of interest situations and how to handle them * How to approach confidentiality when a public document is requested * What applies regarding GDPR when a case is investigated outside the whistleblowing system and process * How to interpret the concept of "public interest" in the law concerning irregularities in municipal operations The target audience for this seminar is primarily case officers working with municipal whistleblowing services and municipal lawyers who are occasionally involved in case handling or assessment. However, it may also be relevant for a broader group interested in the general efforts to address various types of misconduct in municipalities and the public sector at large. Since the topic connects to broader issues about how municipalities and public services function, as well as fraud and welfare crimes, welfare coordinators or case officers dealing with more specific issues may also find it relevant to attend. This also means, for instance, that government or regional legal advisors could benefit from the discussions. The seminar will be conducted as a webinar, but it is also possible to attend in person at Lantero’s office at Drottninggatan 71c in Stockholm. – We often receive requests from our municipal clients for this type of activity, as case officers in municipal whistleblowing functions clearly want to exchange experiences with colleagues from other municipalities or external experts, says Andreas Wahlström, who is responsible for the seminar on Lantero's behalf. We will do our best to involve participants and create a dynamic discussion.

The new EU regulations (NIS2) regarding security and preparedness in critical sectors will directly or indirectly affect most parts of society. For individual companies or organizations, it is important to determine if they are affected by the regulations – although a more reasonable question is probably how they are affected by NIS2. How the EU directive will be implemented in national legislation is still unclear, but with the overall guidelines of the directive and the expressed intentions, it is becoming quite clear how companies or organizations should approach and prepare for the new legislation. To assist in the initial assessment, Lantero provides short, overview analyses. In a 15-minute meeting, we go over whether you are clearly and directly affected by the regulations or if you are potentially or indirectly impacted. The goal of the meeting is to better understand how to approach the regulations so that you can take control of the process and allocate resources where they are most effective. Whether you view NIS2 as a compliance issue, a matter of security, or from a commercial perspective linked to customer demands, there is a reason to understand the regulations and have a clear strategy. Taking control of the issue reduces dependency on external consultants and ensures that actions are taken in the right order. Priorities can vary significantly depending on whether you take a compliance perspective or a security perspective, for example. But regardless of perspective, you need to understand where your organization stands in relation to various risks associated with network and information systems. And regardless of priorities, questions about everything from strategies and operational continuity to cryptography, personnel security, or incident management must be considered. Even organizations with a high level of security awareness have reason to review the whole picture and assess to what extent they are working in line with best practices or have made informed decisions based on actual circumstances. The first step is knowing in what way you are affected by the regulations.