Blog


December 4, 2024

NIS2 in two minutes

The EU's NIS2 Directive came into force in January 2023, and member states have until October 17, 2024, to transpose it into national legislation. Yet many organizations still fail to meet the requirements two years after the directive was approved. Figures suggest that as many as two-thirds (66 percent) of affected organizations will miss the October 17 deadline, despite nine out of ten reporting incidents that could have been prevented by measures mandated under NIS2. Looking at EU member states, only two out of 27 (Croatia and Italy) have fully implemented the directive into their national legislation. Estonia and Portugal lag the furthest behind and have yet to begin the process.

Given the scale of fines and sanctions that non-compliance entails, the sluggish response is somewhat surprising. In addition to significant fines for companies and organizations, individuals in leadership positions may also face personal sanctions.

### Development from NIS1

The first EU-wide cybersecurity legislation, introduced in 2018, was known as NIS1. Its purpose was to implement a common set of security standards across all member states. NIS2 is an evolution of the same framework and underlying ambition.

The new regulations expand the scope, meaning more organizations are required to comply. Generally, NIS2 applies to organizations that provide critical services or fall under the sectors covered by NIS2's expanded scope, have more than 50 employees, or have an annual turnover exceeding €10 million. Operators of critical infrastructure were subject to NIS1 and, by extension, are also covered by NIS2. Organizations in sectors such as digital services, the space industry, postal services, network operators, chemical producers/distributors, and some manufacturers are now also covered by NIS2.

Organizations are categorized as "essential" or "important"; all are deemed critical sectors, though some more than others. This classification determines the specific requirements organizations must meet. Each organization must determine whether it falls under NIS2, not only because of potential penalties but also because the regulations impose different requirements on different sectors. While NIS2 aims to elevate security standards across industries to a common level, compliance requirements are not uniform.

### What's New?

In addition to expanding the number of organizations covered by the directive, four key areas with stricter requirements are introduced: risk management, corporate responsibility, mandatory incident reporting, and business continuity planning.

- Risk Management: Organizations must take adequate measures to minimize threats to network and supply chain security, improve access controls (using multi-factor authentication), implement encryption, and have an incident response plan ready in the event of a serious attack.
- Corporate Responsibility: Leaders in affected organizations must have a comprehensive understanding of the directive and be responsible for managing cybersecurity risks.
- Mandatory Reporting: Incidents must be reported within 24 hours of detection to a database managed by ENISA, the EU's cybersecurity agency.
- Business Continuity Planning: Organizations must ensure they can continue operations during a major cyberattack.

### Compliance Checklist

Given the varying requirements between organizations, creating a universal checklist is challenging. However, the most fundamental steps are:

- Identify whether your organization falls under NIS2.
- Understand the requirements and evaluate the current level of compliance.
- Secure the budget for necessary changes.
- Identify other EU cybersecurity laws applicable to your organization.
- Conduct cybersecurity assessments to identify vulnerabilities and threats.
- Assess third-party risks and establish appropriate risk management procedures.
- Develop plans for incident response, business continuity, and cybersecurity.
- Implement security measures like multi-factor authentication (MFA).
- Ensure staff receive up-to-date cybersecurity training.

### Penalties and Challenges for Non-Compliance

Organizations classified as "essential" risk fines of at least €10 million or 2 percent of their global annual turnover. Organizations classified as "important" face lower but still significant fines of at least €7 million or 1.4 percent of their global annual turnover. Non-compliance may also result in legal consequences for business leaders. For instance, Ireland's national implementation of NIS2 includes the risk of imprisonment.

Despite the risks, many organizations remain unprepared. One might argue that national authorities should have provided better support and guidance, or that the requirements are unreasonably burdensome alongside other regulations. However, it is ultimately in the organizations' own interest to strengthen cybersecurity and protect critical services in an increasingly threatening cyber environment.

November 6, 2024

Navigating the Transition to NIS2 Compliance in Sweden

At Lantero, we’re closely monitoring the evolving landscape of the NIS2 directive and its upcoming impact on cybersecurity compliance in Sweden. As of October 18, 2024, the NIS2 directive was due to be implemented in national legislation. However, like many other EU countries, Sweden is still in the process of legislative adaptation. According to SOU 2024:18, a new cybersecurity law is set to replace the current NIS law and bring Sweden in line with NIS2 standards, but this won’t take effect until early 2025.

On November 7, 2024, the EU Commission will enact a regulation specifying NIS2's requirements for risk management and incident reporting, setting new standards for certain operators, including cloud service providers, DNS providers, and online marketplaces.

For operators currently under the NIS law, this period represents a critical transitional phase. Compliance with NIS obligations remains mandatory, yet interpretations must now consider NIS2’s broader framework, especially around risk management and incident reporting as outlined in Article 21 of the directive.

### Who’s Affected?

NIS2 will widen the scope compared to NIS, and a new group is now included:

- The directly affected group will now also include providers in sectors such as DNS services, cloud services, and online marketplaces.
- The indirectly affected group will be suppliers to the affected organizations.

In practice, this means that most organizations will need to take the new requirements into consideration to be able to compete long-term.

Lantero’s LawLogic toolbox is here to support businesses as they navigate these complex changes. From guidance on best practices to streamlined reporting tools, we’re prepared to help ensure compliance and mitigate risks.

With the new regulations, many are asking whether they are affected by the new rules, but the question that should be asked is rather how they are affected. It should be clear that one needs to take the regulations into consideration, and Lantero's tool aims to make the material clear and structured, so that the work can be formulated into concrete activities and initiated.

October 23, 2024

How Will NIS2 Affect You?

The NIS2 Directive (Network and Information Security Directive) aims to strengthen cybersecurity and resilience against cyber threats within the EU. It is an update of the previous NIS Directive and introduces several new measures that increase the requirements for companies and public institutions managing critical infrastructure or essential services.

### Impact on Businesses

- Increased Costs: Companies will need to invest more in cybersecurity, including technology, training, and personnel, to meet the new requirements.
- Greater Focus on Risk Management: Cybersecurity must be integrated into the company’s overall risk management process, and businesses must be prepared to quickly detect and handle cyberattacks.
- Increased Pressure on Suppliers: Since companies are also responsible for their suppliers' security, this may put pressure on the entire supply chain to implement stricter security measures.

At first glance, NIS2 may seem like a concern for a specific segment of businesses and public administration, but its most likely effect is that society as a whole will raise its level of cybersecurity. This is partly because affected organizations and companies need to monitor their suppliers, but also because the general "hygiene level" of security will rise, making it harder to justify security lapses.

### Expanded Scope

Compared to the original NIS legislation, the scope of NIS2 will be expanded to cover more sectors. In addition to energy, transport, finance, and healthcare, it will now also include:

- Postal services and waste management
- Digital services (including cloud services and data centers)
- The space sector

Some smaller companies that were previously exempt may also be included, depending on their size and importance to critical societal functions.

### Specific Requirements

Security requirements will generally become stricter, with concrete demands in areas such as risk management, security monitoring, incident management, and regular vulnerability assessments.

Furthermore, there is an ambition for better coordination at the societal level regarding the reporting of incidents. Companies are required to follow specific protocols for reporting incidents, including the actions taken to handle them. Failure to report in time could result in significant fines. The fine levels may resemble those imposed under GDPR, and steps are also being taken to hold company management and board members personally accountable. In short, sanction mechanisms are being established to force rapid and substantial efforts to raise the security standards of all affected companies and organizations.

The idea of coordination also extends to information sharing, so that national cybersecurity authorities will improve their collaboration and coordination between countries and sectors.

In summary, NIS2 is a natural continuation of NIS, with the same underlying spirit but significantly stricter application. For those who haven't paid attention to NIS before or started working on these issues, there is a significant amount of work ahead in the coming years.

October 15, 2024

Whistleblower seminar for municipalities, Nov 6

Lantero is organizing a seminar for municipalities on whistleblowing and some common issues in handling whistleblowing cases. It will take place on November 6 from 15:00 to 16:30.

For more than ten years, Lantero has worked with whistleblowing solutions and is now the largest provider in Sweden within the municipal sector. Lantero assists municipal clients with whistleblowing cases daily, giving us a unique opportunity to guide both in legal matters and in common practices among different types of municipalities.

Some common questions that will be addressed during Lantero's seminar include:

* Conflict of interest situations and how to handle them
* How to approach confidentiality when a public document is requested
* What applies regarding GDPR when a case is investigated outside the whistleblowing system and process
* How to interpret the concept of "public interest" in the law concerning irregularities in municipal operations

The target audience for this seminar is primarily case officers working with municipal whistleblowing services and municipal lawyers who are occasionally involved in case handling or assessment. However, it may also be relevant for a broader group interested in the general efforts to address various types of misconduct in municipalities and the public sector at large. Since the topic connects to broader issues about how municipalities and public services function, as well as fraud and welfare crime, welfare coordinators or case officers dealing with more specific issues may also find it relevant to attend. This also means, for instance, that government or regional legal advisors could benefit from the discussions.

The seminar will be conducted as a webinar, but it is also possible to attend in person at Lantero’s office at Drottninggatan 71c in Stockholm.

"We often receive requests from our municipal clients for this type of activity, as case officers in municipal whistleblowing functions clearly want to exchange experiences with colleagues from other municipalities or external experts," says Andreas Wahlström, who is responsible for the seminar on Lantero's behalf. "We will do our best to involve participants and create a dynamic discussion."

October 8, 2024

Ready for NIS2? – Lantero’s quick analysis

The new EU regulations (NIS2) regarding security and preparedness in critical sectors will directly or indirectly affect most parts of society. For individual companies or organizations, it is important to determine if they are affected by the regulations – although a more reasonable question is probably how they are affected by NIS2. How the EU directive will be implemented in national legislation is still unclear, but with the overall guidelines of the directive and the expressed intentions, it is becoming quite clear how companies or organizations should approach and prepare for the new legislation.

To assist in the initial assessment, Lantero provides short, overview analyses. In a 15-minute meeting, we go over whether you are clearly and directly affected by the regulations or if you are potentially or indirectly impacted. The goal of the meeting is to better understand how to approach the regulations so that you can take control of the process and allocate resources where they are most effective.

Whether you view NIS2 as a compliance issue, a matter of security, or from a commercial perspective linked to customer demands, there is a reason to understand the regulations and have a clear strategy. Taking control of the issue reduces dependency on external consultants and ensures that actions are taken in the right order. Priorities can vary significantly depending on whether you take a compliance perspective or a security perspective, for example. But regardless of perspective, you need to understand where your organization stands in relation to various risks associated with network and information systems. And regardless of priorities, questions about everything from strategies and operational continuity to cryptography, personnel security, or incident management must be considered.

Even organizations with a high level of security awareness have reason to review the whole picture and assess to what extent they are working in line with best practices or have made informed decisions based on actual circumstances. The first step is knowing in what way you are affected by the regulations.

September 24, 2024

Test if you need to adhere to the NIS2 directive

As a continuation of the security requirements established in the NIS Directive, the follow-up NIS2 is now being introduced. In the new directive, the requirements are stricter, but most notably, supervisory authorities will be able to impose concrete sanctions on organizations that fail to comply. The directive will be implemented into national legislation during the fall.

The main purpose is to raise the level of security within critical sectors of society. However, companies and organizations with an indirect connection to these sectors may also fall under the scope of affected activities.

Lantero has developed some questions to help you determine if you need to comply with the regulations. If the answer to any of these questions is yes, you should take a closer look at the regulations and establish a plan or approach to the new rules.

* Do we provide services or infrastructure in sectors such as energy, transport, banking, healthcare, water supply, or digital services?
* Do we have customers in essential societal operations? (Even suppliers and third-party vendors may fall under NIS2.)
* Do we manage critical infrastructure or digital services that impact national security or economic stability? (Organizations that affect national or societal security are generally included.)
* Does our organization have more than 50 employees or an annual turnover exceeding 10 million euros?
* Are we dependent on networks and information systems to provide our products or services? (NIS2 targets organizations whose operations rely on digital systems.)
* Have we previously been subjected to cyberattacks or other security incidents that may have affected our operations or our customers' data integrity? (Companies that handle sensitive data and have been targeted by cyber threats may fall under NIS2.)

Given that the directive also affects many subcontractors to the primarily affected organizations, it becomes a concern for many. It is still unclear how thoroughly the follow-up of subcontractors' NIS2 compliance will be conducted, but it is likely that it will be an advantage to demonstrate a structured approach and awareness of where one stands in relation to the framework.

"We encounter many who feel that the regulations are too far-reaching and impose requirements on more organizations than necessary. At the same time, there is an opposing view among those who work closely with security issues or have been exposed to various types of attacks. They often feel that the framework is wise for most to adhere to," says Petter Tiger at Lantero.

August 30, 2024

Lantero top suppliers for municipalities

Lantero has conducted a review of how the municipal sector is working with whistleblowing/whistleblower systems and the types of solutions being used. Generally, there is awareness of the issue, and many municipalities are working methodically and seriously, while a surprisingly large portion still have questionable internal setups for whistleblowing.

The largest provider in the sector is Lantero, serving nearly a quarter of Sweden's municipalities. Additionally, many municipalities are working with other reputable providers who offer a satisfactory level of expertise and case management support. Close to five percent of municipalities have established setups through a coordinated routine with other municipalities, which often results in a pragmatic and reasonable handling of confidentiality issues, but may raise more significant concerns about ensuring anonymity and may miss the opportunity for specialized support competence as part of the case management process.

"What surprises us in our review of the whistleblowing issue within municipalities is how many still lack support from an independent party," says Andreas Wahlström, Partner Manager at Lantero, who conducted the review. "When serious cases arise, the value of that help usually becomes clear."

Around one-fifth of all Swedish municipalities have set up various types of internal solutions. As the legislation in this area is structured, there is room for interpretation regarding what it means, for example, to guarantee independence, ensure anonymity/confidentiality, or report orally, but according to Andreas Wahlström, it is largely a matter of creating security and trust among employees.

"If the IT department theoretically has access to information regarding a report, it creates credibility issues, even if there are strict rules for how IT department personnel may access and view the information. It’s worth asking what an organization should do to be able to say it guarantees confidentiality for the whistleblower."

As anti-corruption efforts are strengthened within municipalities and whistleblower systems become a more natural part of the work against misconduct, it is likely that the remaining homemade solutions will soon be replaced.

June 20, 2024

World Whistleblower Day

Since it became mandatory for employers to have an internal whistleblower channel, the employers using Lantero’s whistleblower channel have received over 2,500 reports in total. Municipal operations have three times as many reports compared to private operations. The introduction of the whistleblower law has not been without challenges, but we can see that many employers have greatly benefited from their whistleblower processes.

### Thank you to all brave and wise individuals

June 23 is World Whistleblower Day. With all the thousands of cases that have come in, we at Lantero want to take the opportunity to acknowledge and thank all the brave individuals who have taken the time and energy to report suspected misconduct. We also want to thank all the wise employers who take whistleblowing seriously and understand the benefits of a well-functioning whistleblower process.

### Significant differences

Lantero has customers from both the public and private sectors. We can note that public operations (largely municipalities) receive three times more reports compared to private operations. The reasons for this can be several:

- Municipalities operate in many different areas
- Municipalities are typically relatively large employers
- Municipalities are major purchasers of both goods and services
- Several municipalities are exposed to organized crime

But we also believe it may be due to many municipalities being very ambitious with their whistleblower channel. They have worked actively to make the channel known and encouraged its use when needed. Therefore, receiving many reports does not necessarily have to be a negative thing. It can be a sign that the employer is open to improving the operation.

### The new whistleblower law is not without challenges

Compared to the previous whistleblower law, the new one is more comprehensive. This does not necessarily mean it is clearer. For example, the assessment of whether an incoming report falls under the whistleblower law or not should be based on several factors that are open to interpretation. What does it mean that a case has “public interest” to be investigated? If it cannot be conclusively determined that the whistleblower received the information in a “work-related context,” should it not be classified as a whistleblower case? If a case has public interest, but the whistleblower is not covered by the whistleblower law’s protection, what is the employer’s responsibility then?

We believe that the key to answering these questions lies in the original purpose of the whistleblower law: to protect informants and thereby encourage people to dare to report suspected irregularities. The law has not yet been extensively tested. This means there are still ambiguities.

Another challenge is the requirement for independence in the handling of incoming cases, a requirement that we think is entirely reasonable and central to whistleblower legislation. However, we often see that employers struggle to meet this requirement. Particularly for smaller employers, it is difficult to solve this with internal resources. It is therefore crucial to have well-formulated, anchored, and communicated routines from the start on how this should be handled. If a conflict of interest arises in the handling of a case, it should be simple, obvious, and well-anchored to bring in an external resource.

On an overall level, we can unfortunately state that our experience is that internal whistleblower channels have an important function to fulfill. A function that, in the short time since the new law became mandatory, has proven useful and valuable for many employers.

Good luck to all brave individuals and wise employers! World Whistleblower Day is for you.

June 11, 2024

Newsletter early summer 2024

In connection with the requirement for a whistleblowing channel for smaller companies in Sweden that came into effect at the end of 2023, we at Lantero experienced an intense period. We have welcomed many new companies and organizations as clients. Some of you are in close contact with us regarding cases or other advisory services, while we have much more sparse interaction with others. We are always available if you need assistance.

We are now working on new services, primarily related to regulations, reporting, and case management processes. A particular focus is the fight against welfare crime and fraud, an area undergoing significant development, especially in the public sector. For many municipalities and authorities, welfare crime is a special focus as costs have recently increased rapidly, and the area has been identified as possibly the primary source of funding for organized crime. We have long had close cooperation with many municipalities in related areas and are collaborating particularly closely in this project with a handful of municipalities that are at the forefront of the fight against welfare crime. Together, we are developing effective tools for the overall effort and, from a national perspective, for sharing best practices in this area. If you are interested in participating in the development work in future phases, please feel free to contact us.

The whistleblowing service is also being further developed based on our customer interactions. We are adding functionality and making the tool easier to use. For instance, we have established new possibilities to easily revert a case in the case management process.

As part of Lantero's maintenance work, we will be performing a server migration on June 12th between 13:00 and 16:00 CET. During this time, the system will be unavailable for login, and whistleblowers will not be able to submit a report via the web form. We have chosen to carry out the upgrade during the time of day when new whistleblower cases are normally not reported in the system. We thank you in advance for your patience!

June 11, 2024

Service interruption 12 June, 13-16 CET

Lantero will perform a server migration on June 12th between 13:00 and 16:00. This will result in a service interruption during which the service will not be available. We have chosen to schedule the interruption during the day because we prioritize availability for whistleblowers and know from experience that more cases are reported outside of office hours. We constantly strive to maintain the best, safest, and most stable service possible and appreciate your patience with this temporary service disruption. Please do not hesitate to contact us with any questions or feedback!
