Blog


November 6, 2024

Navigating the Transition to NIS2 Compliance in Sweden

At Lantero, we’re closely monitoring the evolving landscape of the NIS2 directive and its upcoming impact on cybersecurity compliance in Sweden. As of October 18, 2024, the NIS2 directive was due to be implemented in national legislation. However, like many other EU countries, Sweden is still in the process of legislative adaptation. According to SOU 2024:18, a new cybersecurity law is set to replace the current NIS law and bring Sweden in line with NIS2 standards, but this won’t take effect until early 2025.

On November 7, 2024, the EU Commission will enact a regulation specifying NIS2's requirements for risk management and incident reporting, setting new standards for certain operators, including cloud service providers, DNS providers, and online marketplaces.

For operators currently under the NIS law, this period represents a critical transitional phase. Compliance with NIS obligations remains mandatory, yet interpretations must now consider NIS2’s broader framework, especially around risk management and incident reporting as outlined in Article 21 of the directive.

### Who’s Affected?

NIS2 will widen the scope compared to NIS:

- New group now included: the directly affected group will now also include providers in sectors such as DNS services, cloud services, and online marketplaces.
- The indirectly affected group will be suppliers to the affected organizations.

In practice this will mean that most organizations will need to take the new requirements into consideration to be able to compete long-term.

Lantero’s LawLogic toolbox is here to support businesses as they navigate these complex changes. From guidance on best practices to streamlined reporting tools, we’re prepared to help ensure compliance and mitigate risks. With the new regulations, many are asking whether they are affected by the new rules, but the question that should be asked is rather how they are affected. It should be clear that one needs to take the regulations into consideration, and Lantero's tool aims to make the material clear and structured, so that the work can be formulated into concrete activities and initiated.

October 23, 2024

How Will NIS2 Affect You?

The NIS2 Directive, which stands for Network and Information Security Directive, aims to strengthen cybersecurity and resilience against cyber threats within the EU. It is an update of the previous NIS Directive and introduces several new measures to increase requirements for companies and public institutions managing critical infrastructure or essential services.

### Impact on Businesses

- Increased Costs: Companies will need to invest more in cybersecurity, including technology, training, and personnel, to meet the new requirements.
- Greater Focus on Risk Management: Cybersecurity must be integrated into the company’s overall risk management process, and businesses must be prepared to quickly detect and handle cyberattacks.
- Increased Pressure on Suppliers: Since companies are also responsible for their suppliers' security, this may put pressure on the entire supply chain to implement stricter security measures.

At first glance, NIS2 may seem like a concern for a specific segment of businesses and public administration, but its most likely effect is that the entire society will elevate its level of cybersecurity. This is partly because affected organizations and companies need to monitor their suppliers, but also because the general "hygiene level" of security will rise, making it harder to justify security lapses.

### Expanded Scope

Compared to the original NIS legislation, the scope of NIS2 will be expanded to cover more sectors. In addition to energy, transport, finance, and healthcare, it will now also include:

- Postal services and waste management
- Digital services (including cloud services, data centers)
- Space sector

Some smaller companies that were previously exempt may also be included depending on their size and importance to critical societal functions.

### Specific Requirements

Security requirements will generally become stricter, with concrete demands in areas such as risk management, security monitoring, incident management, and regular vulnerability assessments. Furthermore, there is an ambition for better coordination at the societal level regarding the reporting of incidents. Companies are required to follow specific protocols for reporting incidents, including actions taken to handle them. Failure to report in time could result in significant fines. The fine levels may resemble those imposed under GDPR, and steps are also being taken to hold company management and board members personally accountable. In summary, sanction mechanisms are being established to force rapid and substantial efforts to raise the security standards of all affected companies and organizations.

The idea of coordination also extends to information sharing, so that national cybersecurity authorities will improve their collaboration and coordination between countries and sectors.

In summary, NIS2 is a natural continuation of NIS, with the same underlying spirit but significantly stricter application. For those who haven't paid attention to NIS before or started working on these issues, there is a significant amount of work ahead in the coming years.

October 15, 2024

Whistleblower seminar for municipalities, Nov 6

Lantero is organizing a seminar for municipalities on whistleblowing and some common issues in handling whistleblowing cases. It will take place on November 6 from 15:00 to 16:30.

For more than ten years, Lantero has worked with whistleblowing solutions and is now the largest provider in Sweden within the municipal sector. Lantero assists municipal clients with whistleblowing cases daily, giving us a unique opportunity to guide both in legal matters and in common practices among different types of municipalities.

Some common questions that will be addressed during Lantero's seminar include:

* Conflict of interest situations and how to handle them
* How to approach confidentiality when a public document is requested
* What applies regarding GDPR when a case is investigated outside the whistleblowing system and process
* How to interpret the concept of "public interest" in the law concerning irregularities in municipal operations

The target audience for this seminar is primarily case officers working with municipal whistleblowing services and municipal lawyers who are occasionally involved in case handling or assessment. However, it may also be relevant for a broader group interested in the general efforts to address various types of misconduct in municipalities and the public sector at large. Since the topic connects to broader issues about how municipalities and public services function, as well as fraud and welfare crimes, welfare coordinators or case officers dealing with more specific issues may also find it relevant to attend. This also means, for instance, that government or regional legal advisors could benefit from the discussions.

The seminar will be conducted as a webinar, but it is also possible to attend in person at Lantero’s office at Drottninggatan 71c in Stockholm.
– We often receive requests from our municipal clients for this type of activity, as case officers in municipal whistleblowing functions clearly want to exchange experiences with colleagues from other municipalities or external experts, says Andreas Wahlström, who is responsible for the seminar on Lantero's behalf. We will do our best to involve participants and create a dynamic discussion.

October 8, 2024

Ready for NIS2? – Lantero’s quick analysis

The new EU regulations (NIS2) regarding security and preparedness in critical sectors will directly or indirectly affect most parts of society. For individual companies or organizations, it is important to determine if they are affected by the regulations – although a more reasonable question is probably how they are affected by NIS2. How the EU directive will be implemented in national legislation is still unclear, but with the overall guidelines of the directive and the expressed intentions, it is becoming quite clear how companies or organizations should approach and prepare for the new legislation.

To assist in the initial assessment, Lantero provides short, overview analyses. In a 15-minute meeting, we go over whether you are clearly and directly affected by the regulations or if you are potentially or indirectly impacted. The goal of the meeting is to better understand how to approach the regulations so that you can take control of the process and allocate resources where they are most effective.

Whether you view NIS2 as a compliance issue, a matter of security, or from a commercial perspective linked to customer demands, there is a reason to understand the regulations and have a clear strategy. Taking control of the issue reduces dependency on external consultants and ensures that actions are taken in the right order. Priorities can vary significantly depending on whether you take a compliance perspective or a security perspective, for example. But regardless of perspective, you need to understand where your organization stands in relation to various risks associated with network and information systems. And regardless of priorities, questions about everything from strategies and operational continuity to cryptography, personnel security, or incident management must be considered.

Even organizations with a high level of security awareness have reason to review the whole picture and assess to what extent they are working in line with best practices or have made informed decisions based on actual circumstances. The first step is knowing in what way you are affected by the regulations.

September 24, 2024

Test if you need to adhere to the NIS2 directive

As a continuation of the security requirements established in the NIS Directive, the follow-up NIS2 is now being introduced. In the new directive, the requirements are stricter, but most notably, supervisory authorities will be able to impose concrete sanctions on organizations that fail to comply. The directive will be implemented into national legislation during the fall. The main purpose is to raise the level of security within critical sectors of society. However, companies and organizations with an indirect connection to these sectors may also fall under the scope of affected activities.

Lantero has developed some questions to help you determine if you need to comply with the regulations. If the answer to any of these questions is yes, you should take a closer look at the regulations and establish a plan or approach to the new rules.

* Do we provide services or infrastructure in sectors such as energy, transport, banking, healthcare, water supply, or digital services?
* Do we have customers in essential societal operations? (Even suppliers and third-party vendors may fall under NIS2.)
* Do we manage critical infrastructure or digital services that impact national security or economic stability? (Organizations that affect national or societal security are generally included.)
* Does our organization have more than 50 employees or an annual turnover exceeding 10 million euros?
* Are we dependent on networks and information systems to provide our products or services? (NIS2 targets organizations whose operations rely on digital systems.)
* Have we previously been subjected to cyberattacks or other security incidents that may have affected our operations or our customers' data integrity? (Companies that handle sensitive data and have been targeted by cyber threats may fall under NIS2.)

Given that the directive also affects many subcontractors to the primarily affected organizations, it becomes a concern for many. It is still unclear how thoroughly the follow-up of subcontractors' NIS2 compliance will be conducted, but it is likely that it will be an advantage to demonstrate a structured approach and awareness of where one stands in relation to the framework.

"We encounter many who feel that the regulations are too far-reaching and impose requirements on more organizations than necessary. At the same time, there is an opposing view among those who work closely with security issues or have been exposed to various types of attacks. They often feel that the framework is wise for most to adhere to," says Petter Tiger at Lantero.

August 30, 2024

Lantero top suppliers for municipalities

Lantero has conducted a review of how the municipal sector is working with whistleblowing/whistleblower systems and the types of solutions being used. Generally, there is awareness of the issue, and many municipalities are working methodically and seriously, while a surprisingly large portion still have questionable internal setups for whistleblowing.

The largest provider in the sector is Lantero, serving nearly a quarter of Sweden's municipalities. Additionally, many municipalities are working with other reputable providers who offer a satisfactory level of expertise and case management support. Close to five percent of municipalities have established setups through a coordinated routine with other municipalities, which often results in a pragmatic and reasonable handling of confidentiality issues, but may raise more significant concerns about ensuring anonymity and may miss the opportunity for specialized support competence as part of the case management process.

"What surprises us in our review of the whistleblowing issue within municipalities is how many still lack support from an independent party," says Andreas Wahlström, Partner Manager at Lantero, who conducted the review. "When serious cases arise, the value of that help usually becomes clear."

Around one-fifth of all Swedish municipalities have set up various types of internal solutions. As the legislation in this area is structured, there is room for interpretation regarding what it means, for example, to guarantee independence, ensure anonymity/confidentiality, or report orally, but according to Andreas Wahlström, it is largely a matter of creating security and trust among employees.

"If the IT department theoretically has access to information regarding a report, it creates credibility issues, even if there are strict rules for how IT department personnel may access and view the information. It’s worth asking what an organization should do to be able to say it guarantees confidentiality for the whistleblower."

As anti-corruption efforts are strengthened within municipalities and whistleblower systems become a more natural part of the work against misconduct, it is likely that the remaining homemade solutions will soon be replaced.

June 20, 2024

World Whistleblower Day

Since it became mandatory for employers to have an internal whistleblower channel, the employers using Lantero’s whistleblower channel have received over 2,500 reports in total. Municipal operations have three times as many reports compared to private operations. The introduction of the whistleblower law has not been without challenges, but we can see that many employers have greatly benefited from their whistleblower processes.

### Thank you to all brave and wise individuals

June 23 is The World Whistleblower Day. With all the thousands of cases that have come in, we at Lantero want to take the opportunity to acknowledge and thank all the brave individuals who have taken the time and energy to report suspected misconduct. We also want to thank all the wise employers who take whistleblowing seriously and understand the benefits of a well-functioning whistleblower process.

### Significant differences

Lantero has customers from both public and private sectors. We can note that public operations (largely municipalities) receive three times more reports compared to private operations. The reasons for this can be several:

- Municipalities operate in many different areas
- Municipalities are typically relatively large employers
- Municipalities are major purchasers of both goods and services
- Several municipalities are exposed to organized crime

But we also believe it may be due to many municipalities being very ambitious with their whistleblower channel. They have worked actively to make the channel known and encouraged its use when needed. Therefore, receiving many reports does not necessarily have to be a negative thing. It can be a sign that the employer is open to improving the operation.

### The new whistleblower law is not without challenges

Compared to the previous whistleblower law, the new one is more comprehensive. This does not necessarily mean it is clearer. For example, the assessment of whether an incoming report falls under the whistleblower law or not should be based on several factors that are open to interpretation. What does it mean that a case has “public interest” to be investigated? If it cannot be conclusively determined that the whistleblower received the information in a “work-related context,” should it not be classified as a whistleblower case? If a case has public interest, but the whistleblower is not covered by the whistleblower law’s protection, what is the employer’s responsibility then?

We believe that the key to answering these questions lies in the original purpose of the whistleblower law: to protect informants to encourage people to dare to report suspected irregularities. The law has not yet been extensively tested. This means there are still ambiguities.

Another challenge is the requirement for independence in the handling of incoming cases. A requirement that we think is entirely reasonable and central to whistleblower legislation. However, we often see that employers struggle to meet this requirement. Particularly for smaller employers, it is difficult to solve this with internal resources. It is therefore crucial to have well-formulated, anchored, and communicated routines from the start on how this should be handled. If a conflict of interest arises in the handling of a case, it should be simple, obvious, and well-anchored to bring in an external resource.

On an overall level, we can unfortunately state that our experience is that internal whistleblower channels have an important function to fulfill. A function that, in the short time since the new law became mandatory, has proven useful and valuable for many employers.

Good luck to all brave individuals and wise employers! The World Whistleblower Day is for you.

June 11, 2024

Newsletter early summer 2024

In connection with the requirement for a whistleblowing channel for smaller companies in Sweden that came into effect at the end of 2023, we at Lantero experienced an intense period. We have welcomed many new companies and organizations as clients. Some of you are in close contact with us regarding cases or other advisory services, while we have much more sparse interaction with others. We are always available if you need assistance.

We are now working on new services, primarily related to regulations, reporting, and case management processes. A particular focus is the fight against welfare crime and fraud, an area undergoing significant development, especially in the public sector. For many municipalities and authorities, welfare crime is a special focus as costs have recently increased rapidly, and the area has been identified as possibly the primary source of funding for organized crime. We have long had close cooperation with many municipalities in related areas and are collaborating particularly closely in this project with a handful of municipalities that are at the forefront of the fight against welfare crime. Together, we are developing effective tools for the overall effort and, from a national perspective, for sharing best practices in this area. If you are interested in participating in the development work in future phases, please feel free to contact us.

The whistleblowing service is also being further developed based on our customer interactions. We are adding functionality and making the tool easier to use. For instance, we have established new possibilities to easily revert a case in the case management process.

As part of Lantero's maintenance work, we will be performing a server migration on June 12th between 13:00 and 16:00 CET. During this time, the system will be unavailable for login, and whistleblowers will not be able to submit a report via the web form. We have chosen to carry out the upgrade during the time of day when new whistleblower cases are normally not reported in the system. We thank you in advance for your patience!

June 11, 2024

Service interruption 12 June, 13-16 CET

Lantero will perform a server migration on June 12th between 13:00 and 16:00. This will result in a service interruption during which the service will not be available. We have chosen to schedule the interruption during the day because we prioritize availability for whistleblowers and know from experience that more cases are reported outside of office hours. We constantly strive to maintain the best, safest, and most stable service possible and appreciate your patience with this temporary service disruption. Please do not hesitate to contact us with any questions or feedback!

March 28, 2024

Increased Corruption and Possible Measures

In an article in the newspaper Tidningen Näringslivet, Olle Lundin, a professor of administrative law and an expert on corruption, describes how corruption in Swedish municipalities and authorities is worsening. Given Sweden's historical position as one of the world's least corrupt countries, the development is very disappointing. The trend was confirmed, among other things, in connection with Transparency International's latest index on perceived corruption, where Sweden recorded its worst ranking since the measurement began in 1995. Additionally, it's one of the five EU countries with the worst performance in the index.

In the news reporting, we see plenty of examples of clear violations and often a dubious attitude towards improper benefits or gifts. However, it is difficult to draw far-reaching conclusions from individual cases. Corruption is generally difficult to measure, but the trend in perceived corruption must be considered as clear evidence of actual underlying corruption. Olle Lundin argues that the reasonable reaction to a request for a bribe should be to call the police, but his conclusion based on recent legal cases is that reality is far from that.

Swedish Industry recently published a report highlighting several deficiencies in public procurement. Together with the company Tendium, they have identified patterns such as a troublingly high percentage of recurring procurement winners. A whopping 65.2 percent of all procurements turned out to have recurring or partially recurring winners. The report author, Ellen Hausel Heldahl, describes that the figure indicates that authorities satisfied with an existing supplier in some cases may be influenced by the inconvenience of changing suppliers, but it could also be a more direct issue of competition being sidelined or reflecting some form of corruption, often friendship corruption. She states that Swedish Industry's surveys suggest that procurements are often perceived as targeted towards a specific supplier in advance and that in such cases, it may be decided even before any bids are submitted.

Olle Lundin is not surprised by the picture painted, but shares the view of a high percentage of pre-determined procurements. He describes a trend where procurements are very specific and can hardly be fulfilled by anyone other than the local supplier. Both Lundin and Hausel Heldahl see increased transparency as an obvious part of the solution and a prerequisite for scrutinizing transactions or obstruction from officials. Lundin would like to see the Parliamentary Ombudsman sanctioning authorities more often for deficiencies regarding the principle of public access to information.

From Swedish Industry, several proposals have been presented to address deficiencies in, among other things, procurement. Among the proposals are:

1. Higher requirements for direct procurements: Introduce provisions for reprisals against procuring organizations that do not follow guidelines for direct procurement according to the Public Procurement Act 19 a chapter 15 §.
2. Increase transparency: Instruct the Procurement Agency to annually collect and publish the procurement values from all procuring organizations, including direct procurements.
3. Requirements for procurement analyses: Task the National Financial Management Authority with analyzing the conditions for mandatory use of spend analysis/procurement analysis in the financial systems of authorities and publicly owned companies with a purchasing volume of more than 150 million SEK.
4. Make e-commerce mandatory: Develop a legislative proposal for the introduction of an e-commerce law for all procuring organizations, including publicly owned companies.
5. Strengthen the rules on conflicts of interest: Develop a legislative proposal for the implementation of the provisions on conflicts of interest in the Swedish procurement laws.
6. Clarify volume rules: Reintroduce the aggregation rule that previously existed in the Public Procurement Act, the Procurement Act for the Defence and Security Sector, and the Procurement Act for the Utilities Sector, regarding "goods and services of the same kind during one fiscal year."
7. Review the direct procurement thresholds: Instruct the Competition Authority to analyze the effects of the raised direct procurement thresholds. The analysis should include the impact on efficient financial management, competition, and risks of corruption.
8. Strengthen municipal auditing: Appoint a commission to propose a strengthened municipal audit, with the aim of abolishing the current system of lay auditors appointed by the municipal council and instead designing a system based on the Companies Act as a model. The commission should also propose a clearer budget process and stricter accounting requirements for municipalities.
9. Enact legislation on preclusion in public procurement: There is a need for legislative changes that clarify the requirement for damages and issues of preclusion in Swedish law. Under the current rules, companies that feel that a procurement favors a specific supplier do not have an opportunity to have it tried in court.
