Compliance - Digital tools and personal support

Lantero simplifies work regarding regulations and laws. Through clear and efficient digital tools, it becomes easy to work professionally with complex issues. Additionally, you gain access to personal support or advice from specialists when it is truly needed.

Lantero has been operating since 2014 and today offers leading solutions for, among other things, AI-driven document redaction, whistleblowing services, and the management of cybersecurity.

Customer references

Attendo logo
Barncancerfonden logo
Cabonline logo
Cancerfonden logo
Eletrikerna logo
Finansinspektionen logo
Gävle Kommun logo
Kjell & Company logo
Kommunal logo
Ljung & Sjöberg logo
Luleå Energi logo
Luleå Kommun logo
Nordic Wellness logo
Region Norrbotten logo
Sigtuna Kommun logo
Soltech logo
Trafikverket logo
Vesper Group logo

Blog

November 17, 2025

To involve employees in cyber-security concerns

We interview Joakim Karlén about how to involve all employees in the work with information security and cyber hygiene. (Video version is in Swedish)

Interviewer: Let’s start from the beginning – what does cyber hygiene actually mean?

Joakim Karlén: – When you hear the word hygiene, you think about the things you should always do, like washing your hands. It’s actually the same in cybersecurity. Cyber hygiene is about ensuring that everyone knows and follows the basic routines needed to protect both themselves and the organisation.

Small and large organisations – different conditions

Interviewer: When working with smaller organisations, how does their work differ from that of larger ones?

Joakim Karlén: – Larger organisations often have more structure and support, such as an IT department that drives the security work. In smaller organisations, individual responsibility becomes greater. Everyone needs to understand how their own actions affect security – because you can’t rely on the same support functions.

Interviewer: What are the most common mistakes?

Joakim Karlén: – The most common mistake is not having control over your digital assets. Many lack routines for how computers and mobile devices should be handled, or training in basic security practices. This means they miss simple but crucial safeguards.

Creating engagement

Interviewer: So how do you get employees to think actively about these issues?

Joakim Karlén: – It starts with education. You need to explain why the rules exist and connect them to everyday work: What do you do in your daily routine, and what risks exist in those specific moments? Many don’t see cybersecurity as part of their job – but it is. Just as you wouldn’t run around the office with scissors, you shouldn’t handle your digital tools in a risky way. Cyber hygiene is about understanding the tools you use and how to handle them safely.

Behaviour rather than technology

Interviewer: So ultimately it’s about culture and behaviour?

Joakim Karlén: – Exactly. Cyber hygiene is not just technology – it is above all behaviour and awareness. To support that culture, you need clear routines and checklists – for example, for how new employees are introduced to security practices. You can also practice incidents, such as through simulated attacks, so that everyone learns their role if something goes wrong. When you train for failure scenarios, people become more aware of their responsibilities – and more confident in how to act.

Interviewer: Which threats should organisations focus on right now?

Joakim Karlén: – We’re seeing that attacks are becoming more frequent and more automated. Many small organisations think “we’re not interesting” – but the attackers don’t know that. They attack anything that can be attacked. And with today’s AI tools, it’s possible to pretend to be someone else and carry out advanced social engineering attacks with far greater precision and volume than before. This means the risk of being deceived increases dramatically – especially if employees aren’t vigilant.

Cyber hygiene is about doing the simple things right – every day. It requires structure, training, and engagement from everyone.
December 4, 2024

NIS2 in two minutes

The EU's NIS2 Directive came into force in January 2023, and member states have until October 17, 2024, to transpose it into national legislation. Yet, many organizations still fail to meet the requirements two years after the directive was approved.

Figures suggest that as many as two-thirds (66 percent) of affected organizations will miss the October 17 deadline, despite nine out of ten reporting incidents that could have been prevented by measures mandated under NIS2.

Looking at EU member states, only two out of 27—Croatia and Italy—have fully implemented the directive into their national legislation. Estonia and Portugal lag the furthest behind and have yet to begin the process.

Given the scale of fines and sanctions that non-compliance entails, the sluggish response is somewhat surprising. In addition to significant fines for companies and organizations, individuals in leadership positions may also face personal sanctions.

### Development from NIS1

The first EU-wide cybersecurity legislation, introduced in 2018, was known as NIS1. Its purpose was to implement a common set of security standards across all member states. NIS2 is an evolution of the same framework and underlying ambition.

The new regulations expand the scope, meaning more organizations are required to comply. Generally, NIS2 applies to organizations that provide critical services or fall under the sectors covered by NIS2's expanded scope, have more than 50 employees, or an annual turnover exceeding €10 million.

Operators of critical infrastructure were subject to NIS1 and, by extension, are also covered by NIS2. Organizations in sectors such as digital services, space industry, postal services, network operators, chemical producers/distributors, and some manufacturers are now also covered by NIS2.

Organizations are categorized as "essential" and "important," with all being deemed critical sectors, though some more than others. This classification determines the specific requirements organizations must meet.

Each organization must determine whether it falls under NIS2, not only because of potential penalties but also because the regulations impose different requirements on various sectors. While NIS2 aims to elevate security standards across industries to a common level, compliance requirements are not uniform.

### What's New?

In addition to expanding the number of organizations covered by the directive, four key areas with stricter requirements are introduced: risk management, corporate responsibility, mandatory incident reporting, and business continuity planning.

- Risk Management: Organizations must take adequate measures to minimize threats to network and supply chain security, improve access controls (using multi-factor authentication), implement encryption, and have an incident response plan ready in the event of a serious attack.
- Corporate Responsibility: Leaders in affected organizations must have a comprehensive understanding of the directive and be responsible for managing cybersecurity risks.
- Mandatory Reporting: Incidents must be reported within 24 hours of detection to a database managed by ENISA, the EU's cybersecurity agency.
- Business Continuity Planning: Organizations must ensure they can continue operations during a major cyberattack.

### Compliance Checklist

Given the varying requirements between organizations, creating a universal checklist is challenging. However, below are the most fundamental steps:

- Identify whether your organization falls under NIS2.
- Understand the requirements and evaluate the current level of compliance.
- Secure the budget for necessary changes.
- Identify other EU cybersecurity laws applicable to your organization.
- Conduct cybersecurity assessments to identify vulnerabilities and threats.
- Assess third-party risks and establish appropriate risk management procedures.
- Develop plans for incident response, business continuity, and cybersecurity.
- Implement security measures like multi-factor authentication (MFA).
- Ensure staff receives up-to-date cybersecurity training.

### Penalties and Challenges for Non-Compliance

Organizations classified as "essential" risk fines of at least €10 million or 2 percent of their global annual turnover. Organizations classified as "important" face lower but still significant fines of at least €7 million or 1.4 percent of their global annual turnover.

Non-compliance may also result in legal consequences for business leaders. For instance, Ireland's national implementation of NIS2 includes the risk of imprisonment.

Despite the risks, many organizations remain unprepared. One might argue that national authorities should have provided better support and guidance, or that the requirements are unreasonably burdensome alongside other regulations. However, it is ultimately in the organizations' own interest to strengthen cybersecurity and protect critical services in an increasingly threatening cyber environment.
November 6, 2024

Navigating the Transition to NIS2 Compliance in Sweden

At Lantero, we’re closely monitoring the evolving landscape of the NIS2 directive and its upcoming impact on cybersecurity compliance in Sweden.

As of October 18, 2024, the NIS2 directive was due to be implemented in national legislation. However, like many other EU countries, Sweden is still in the process of legislative adaptation. According to SOU 2024:18, a new cybersecurity law is set to replace the current NIS law and bring Sweden in line with NIS2 standards, but this won’t take effect until early 2025.

November 7, 2024

The EU Commission will enact a regulation specifying NIS2's requirements for risk management and incident reporting, setting new standards for certain operators, including cloud service providers, DNS providers, and online marketplaces.

For operators currently under the NIS law, this period represents a critical transitional phase. Compliance with NIS obligations remains mandatory, yet interpretations must now consider NIS2’s broader framework, especially around risk management and incident reporting as outlined in Article 21 of the directive.

Who’s Affected?

New group now included

- NIS2 will widen the scope compared to NIS. The directly affected group will now also include providers in sectors such as DNS services, cloud services, and online marketplaces.
- The indirectly affected groups will be suppliers to the affected organizations. In practice this will mean that most organizations will need to take the new requirements into consideration to be able to compete long-term.

Lantero’s LawLogic toolbox is here to support businesses as they navigate these complex changes. From guidance on best practices to streamlined reporting tools, we’re prepared to help ensure compliance and mitigate risks.

With the new regulations, many are asking whether they are affected by the new rules, but the question that should be asked is rather how they are affected. It should be clear that one needs to take the regulations into consideration, and Lantero's tool aims to make the material clear and structured, so that the work can be formulated into concrete activities and initiated.
Simplicity

Simplicity is the guiding principle in all of Lantero's solutions. The regulations and requirements we work with are often complex, which makes it especially important that processes, forms and templates are clear and understandable.

The functionality is tailored to the customer's needs, to create a purposeful solution without unnecessary complexity.

Personal commitment

Lantero's philosophy is that complex regulations should be managed with a combination of simple digital tools and personal support when needed.

We are here to support everything from questions about the specific regulation to questions about the process or practices in a certain area.

Network of experts

We know from experience that expertise from specialists is often necessary. Therefore, to provide comprehensive support, Lantero offers a network of lawyers and other experts.

We ensure that the customer receives the right advisors based on current needs and that the assignment is clearly defined to create predictability in delivery and cost.

What do our customers think?

Lantero is always easy to get hold of when you have questions about a case and I like that we can always get support.

Gabriella Demirci

Coordinator of the whistleblower function, Botkyrka municipality
We are very happy with the service that Lantero has given us from the very beginning, all the way from support regarding the whistleblowing process to detailed questions regarding individual cases. Lantero is always available and responds quickly, relevantly, and educationally, even at non-working hours, with great customer-focused commitment. It makes it both safe and convenient for us to have this support from Lantero.

Jakob Söderbaum

Data Protection Officer, Huddinge municipality
Lantero's whole approach feels serious and well thought out, it suits us.

Monika Sundesson

Head of HR, Barncancerfonden
Even before the new law, we were looking for different possibilities of integrating whistleblowing into our code of conduct. We found Lantero to be simple, clear and it was especially good with an independent party that was not connected to other governance functions or collaborators within the company. Everything has worked smoothly, and the tool is simple to handle if cases come.

Josefin Sollander

Chief Communications Officer, Soltech Energy Sweden AB
I appreciate Lantero's care and pragmatism.

Niklas Nordh

General Counsel, Cabonline
Lantero's service is the most thorough in the industry with consistently high quality at all levels. It was also very easy to implement the process. We work with recruitment and consultants in finance, such as CFOs, controllers, and accounting economists, and the trust that an independent whistleblowing channel creates becomes an advantage in the relationship with customers as well as candidates.

Peter Bergmark

CEO, Vindex AB