Compliance - Digital tools and personal support

Lantero interviewed Therese Forsberg, an investigator at the Department of Administration in Uddevalla Municipality. Therese works with redaction of documents in response to requests for public records, and she has been using Lantero Redact over the past months — receiving AI-based support for assessment and redaction. Below is a slightly shortened version of the interview. (Video version is in Swedish) Interviewer: Uddevalla is a municipality with around 60,000 residents. When it comes to requests for public records, what kind of volumes are you dealing with? Interviewee: It varies. It depends on what’s happening in the organisation. When incidents occur that lead to deviations or Lex Sarah cases, the volume increases. We also have some media outlets that submit weekly requests for all incoming records from the past week. That’s the case for municipalities across Sweden — some outlets do this continuously. So the amount can fluctuate a lot, especially if serious cases have come in. Interviewer: To what extent is this possible to plan for? Interviewee: Some parts are always manageable, but it becomes difficult when large volumes come in — sometimes thousands of documents. We don’t have a dedicated person working on this full-time, so our department has to share the workload. How the process used to work Interviewer: What did the routines look like before? Interviewee: We did everything the old-fashioned way. We printed out the documents and redacted them manually using Tipp-Ex. Then we copied and scanned them before sending them off. Adobe has some tools, but they haven’t been reliable. You could sometimes lift off the redaction digitally, so we always had to print and scan everything anyway. It was time-consuming and difficult to manage when working remotely. How the work is done now Interviewer: What does the routine look like now? Interviewee: It’s much faster. With the redaction service, we can mark what we want to redact digitally and save it directly. We avoid all the printing and scanning, which saves a lot of time. I also feel that we have better oversight of the documents and the process. Interviewer: One idea with the AI support is that more people could participate in the work by accepting or rejecting suggested redactions. Have you started expanding that responsibility? Interviewee: Not yet. We’ve involved some colleagues, but they have the same level of knowledge as we do. So for now, the responsibility remains within our department. Model training and new updates Interviewer: You recently received an updated version of the service. Have you had a chance to test the new capabilities? Interviewee: Very briefly, but what I saw looked good. I need to test it more before I can say anything definite. Interviewer: Do you think the assessments look similar across different municipalities? Interviewee: Yes, I think so. We all work with the same types of documents and the same regulations. The goal is always to protect the individual and avoid revealing personal data. That should lead to similar approaches to what needs to be redacted. User experience of the service Interviewer: Any final reflections? Interviewee: The service has been easy to use. We’ve found it user-friendly and free from issues. It has worked throughout the entire test period, which has been very valuable since we’ve had unusually large volumes of cases recently.

We interview Joakim Karlén about how to involve all employees in the work with information security and cyber hygiene. (Video version is in Swedish) Interviewer: Let’s start from the beginning – what does cyber hygiene actually mean? Joakim Karlén: – When you hear the word hygiene, you think about the things you should always do, like washing your hands. It’s actually the same in cybersecurity. Cyber hygiene is about ensuring that everyone knows and follows the basic routines needed to protect both themselves and the organisation. Small and large organisations – different conditions Interviewer: When working with smaller organisations, how does their work differ from that of larger ones? Joakim Karlén: – Larger organisations often have more structure and support, such as an IT department that drives the security work. In smaller organisations, individual responsibility becomes greater. Everyone needs to understand how their own actions affect security – because you can’t rely on the same support functions. Interviewer: What are the most common mistakes? Joakim Karlén: – The most common mistake is not having control over your digital assets. Many lack routines for how computers and mobile devices should be handled, or training in basic security practices. This means they miss simple but crucial safeguards. Creating engagement Interviewer: So how do you get employees to think actively about these issues? Joakim Karlén: – It starts with education. You need to explain why the rules exist and connect them to everyday work: What do you do in your daily routine, and what risks exist in those specific moments? Many don’t see cybersecurity as part of their job – but it is. Just as you wouldn’t run around the office with scissors, you shouldn’t handle your digital tools in a risky way. Cyber hygiene is about understanding the tools you use and how to handle them safely. Behaviour rather than technology Interviewer: So ultimately it’s about culture and behaviour? Joakim Karlén: – Exactly. Cyber hygiene is not just technology – it is above all behaviour and awareness. To support that culture, you need clear routines and checklists – for example, for how new employees are introduced to security practices. You can also practice incidents, such as through simulated attacks, so that everyone learns their role if something goes wrong. When you train for failure scenarios, people become more aware of their responsibilities – and more confident in how to act. Interviewer: Which threats should organisations focus on right now? Joakim Karlén: – We’re seeing that attacks are becoming more frequent and more automated. Many small organisations think “we’re not interesting” – but the attackers don’t know that. They attack anything that can be attacked. And with today’s AI tools, it’s possible to pretend to be someone else and carry out advanced social engineering attacks with far greater precision and volume than before. This means the risk of being deceived increases dramatically – especially if employees aren’t vigilant. Cyber hygiene is about doing the simple things right – every day. It requires structure, training, and engagement from everyone.

The EU's NIS2 Directive came into force in January 2023, and member states have until October 17, 2024, to transpose it into national legislation. Yet, many organizations still fail to meet the requirements two years after the directive was approved. Figures suggest that as many as two-thirds (66 percent) of affected organizations will miss the October 17 deadline, despite nine out of ten reporting incidents that could have been prevented by measures mandated under NIS2. Looking at EU member states, only two out of 27—Croatia and Italy—have fully implemented the directive into their national legislation. Estonia and Portugal lag the furthest behind and have yet to begin the process. Given the scale of fines and sanctions that non-compliance entails, the sluggish response is somewhat surprising. In addition to significant fines for companies and organizations, individuals in leadership positions may also face personal sanctions. ### Development from NIS1 The first EU-wide cybersecurity legislation, introduced in 2018, was known as NIS1. Its purpose was to implement a common set of security standards across all member states. NIS2 is an evolution of the same framework and underlying ambition. The new regulations expand the scope, meaning more organizations are required to comply. Generally, NIS2 applies to organizations that provide critical services or fall under the sectors covered by NIS2's expanded scope, have more than 50 employees, or an annual turnover exceeding €10 million. Operators of critical infrastructure were subject to NIS1 and, by extension, are also covered by NIS2. Organizations in sectors such as digital services, space industry, postal services, network operators, chemical producers/distributors, and some manufacturers are now also covered by NIS2. Organizations are categorized as "essential" and "important," with all being deemed critical sectors, though some more than others. This classification determines the specific requirements organizations must meet. Each organization must determine whether it falls under NIS2, not only because of potential penalties but also because the regulations impose different requirements on various sectors. While NIS2 aims to elevate security standards across industries to a common level, compliance requirements are not uniform. ### What's New? In addition to expanding the number of organizations covered by the directive, four key areas with stricter requirements are introduced: risk management, corporate responsibility, mandatory incident reporting, and business continuity planning. - Risk Management: Organizations must take adequate measures to minimize threats to network and supply chain security, improve access controls (using multi-factor authentication), implement encryption, and have an incident response plan ready in the event of a serious attack. - Corporate Responsibility: Leaders in affected organizations must have a comprehensive understanding of the directive and be responsible for managing cybersecurity risks. - Mandatory Reporting: Incidents must be reported within 24 hours of detection to a database managed by ENISA, the EU's cybersecurity agency. - Business Continuity Planning: Organizations must ensure they can continue operations during a major cyberattack. ### Compliance Checklist Given the varying requirements between organizations, creating a universal checklist is challenging. However, below are the most fundamental steps: - Identify whether your organization falls under NIS2. - Understand the requirements and evaluate the current level of compliance. - Secure the budget for necessary changes. - Identify other EU cybersecurity laws applicable to your organization. - Conduct cybersecurity assessments to identify vulnerabilities and threats. - Assess third-party risks and establish appropriate risk management procedures. - Develop plans for incident response, business continuity, and cybersecurity. - Implement security measures like multi-factor authentication (MFA). - Ensure staff receives up-to-date cybersecurity training. ### Penalties and Challenges for Non-Compliance Organizations classified as "essential" risk fines of at least €10 million or 2 percent of their global annual turnover. Organizations classified as "important" face lower but still significant fines of at least €7 million or 1.4 percent of their global annual turnover. Non-compliance may also result in legal consequences for business leaders. For instance, Ireland's national implementation of NIS2 includes the risk of imprisonment. Despite the risks, many organizations remain unprepared. One might argue that national authorities should have provided better support and guidance, or that the requirements are unreasonably burdensome alongside other regulations. However, it is ultimately in the organizations' own interest to strengthen cybersecurity and protect critical services in an increasingly threatening cyber environment.