Blog


May 6, 2026

Summary of Recent Technical Developments

Lantero maintains an active agenda for ongoing technical development. This applies to our whistleblowing service as well as the supporting services for compliance, user management, and the redaction service, Redact. The following is a summary of some of the technical and security-related changes implemented over the past year.

### Cloudflare Turnstile

The reporting form in the whistleblowing service now uses Cloudflare Turnstile, which protects the form against bots without disrupting the user experience.

### Infrastructure Overview

Our internal monitoring has been restructured so that we can handle issues proactively, before they affect the customer. Real-time monitoring gives immediate feedback on any disturbance in our systems or services. Bitdefender is active on all our servers, and we apply maintenance and upgrade procedures on a daily, weekly, and monthly basis so that everything runs smoothly and predictably.

### Information and Operational Security

Some of our initiatives during the year include:

- Anonymized Application Logs: We have established anonymized logs to protect personal data.
- Vulnerability Patching: Patched several known vulnerabilities (CVEs) across the npm ecosystem.
- Dependency Updates: Ensured that all major code libraries, such as Express, Vite, and Qs, have been updated.
- JWT-based Verification: We have modernized the authentication flow by switching to JWT-based user verification. In practice, this means the server does not need to store information about logged-in users, providing a more secure and reliable method for session management.
- Deletion Protection: Implemented protection against deleting a channel that still contains active cases, serving as an extra safeguard for case information.

### Infrastructure and Performance

Several efforts have been made to make the platform faster, more stable, and easier to maintain. During the past year, we have, among other things, completed the following:

- MongoDB Upgrade: Upgraded to v7. This brings several security enhancements, as well as improvements in encryption, stability, and cluster management, while securing long-term support.
- React Upgrade: Upgraded to React v19.2, the latest stable version of React 19. This version represents a paradigm shift in how the framework handles interface updates. Among other benefits, it reduces the need for manual routines and offers advantages for search engine optimization (SEO).
- Node.js 24 Support: Provides more efficient memory management and improved support for the latest API standards.
- Email Queue: Implemented an email queue to avoid issues caused by too many simultaneous SMTP connections.
- Autosave Functionality: Improved functionality for automatic saving.
- Session Renewal: Minute-by-minute session renewal to reduce the risk of being logged out while working.
- Nginx Improvements: Updated to follow best practices, including log rotation and HTTP/2 configuration.

Do not hesitate to contact us if you would like to learn more about our development and security efforts.

May 6, 2026

Last year's development of the whistleblowing service

Lantero has offered whistleblowing services since 2014 and has long maintained a well-established service where changes on the surface may appear minor. At the same time, looking back at the past year, we can conclude that it has been a very active year of development, featuring plenty of new functionality, security enhancements, and "under the hood" improvements that bolster both user experience and stability. The following is a brief summary of the past year's developments, and we welcome any questions or feedback from our users.

### Integration of Redact

Handling whistleblowing cases involves working with sensitive information, where there is a particular responsibility to protect both the whistleblower and other individuals appearing in the cases. When information is requested as a public document, or when information needs to be shared with other parts of the organization, a need for redaction may arise. Lantero has therefore built this functionality directly into the whistleblowing service.

The Lantero Redact service is a tool for masking documents, providing the caseworker with AI-generated suggestions for redactions, which can then be adjusted before a new masked document is generated. While offered as a standalone tool, it is now also available as a feature directly within the whistleblowing channel. This means you can save a redacted copy of a whistleblowing case directly within your standard workflow.

### Customized Options for Anonymity

Different organizations take different approaches to anonymity. While legislation sets strict requirements for the protection of confidentiality, it does not mandate that reporting must be possible anonymously. We have now made it possible for individual customers to customize their setup regarding anonymity.

### Activity Log Notifications and Daily Summaries

Many different types of events can occur during the management of a case in Lantero's whistleblowing system. We have now expanded the notification options so that you can be alerted to more types of events in the case management process. At the same time, we know that organizations with high case volumes may find that they receive too many email notifications. We would therefore like to highlight the daily summary function. This feature allows you to limit email notifications to one per day, summarizing the day's activity.

### Smarter Case Management

During the initial assessment of cases, it is now easier to see which caseworkers are staffing each part of the process, particularly to identify available options for staffing the Investigation stage. The case summary generated in PDF format has been improved, with the structure reviewed and refined.

### Improved User Experience

As a caseworker, there are new options to customize the case management view, including the ability to collapse sections that are not currently in use. We have added security prompts that require extra confirmation before high-risk activities, such as deleting a channel.

The shortcut to the overview page has been made clearer and established as its own button. Previously, the shortcut was located within the Lantero logo, which proved to be too indistinct.

Language options have been expanded, and 22 languages are currently available. A series of improvements have been made to the integration with Lantero's portal for login and user management, making the user experience even smoother.

February 11, 2026

AI Development and Risk Management: Navigating Technology and Law

Implementing AI in an organization today is not merely a technical challenge, but very much a legal and security-oriented one. In a conversation between Lantero and expert Joakim Karlén (in Swedish), we highlight the complex issues that arise when Large Language Models (LLMs) encounter European legislation such as GDPR and the new AI Act.

### Innovation in the US, Regulation in the EU

Technological development is largely driven by American companies, but for Swedish and European organizations, local legislation sets the boundaries. Joakim Karlén notes that the current dynamic is challenging because the pace of innovation is lightning-fast while regulation is brand new. There is still a lack of clear legal precedent and court rulings, which places high demands on an organization’s internal capacity for risk analysis.

### The Clash Between GDPR and AI Dynamics

One of the most central questions is how AI systems, which are by nature dynamic and non-deterministic, can live up to GDPR’s requirements for accuracy. Traditional IT systems are static: you know what you input and what you will get as output. An LLM works differently. By simulating human behavior with a degree of randomness, its output is not always predictable. This creates fundamental uncertainty regarding individual rights and the accuracy of the processed data.

### From Chatbots to Autonomous Agents

We are seeing a clear shift from simple chatbots to autonomous agents capable of performing tasks independently. This introduces new risk vectors. Joakim emphasizes that an organization deploying an AI system is considered a "deployer" under the AI Act and thus bears the legal responsibility. This becomes particularly critical when agents are given the mandate to act without human intervention. The risk of incorrect decisions or random behavior means that traceability, the ability to explain why a machine acted in a certain way, becomes both a technical and legal challenge, not least when it comes to cybersecurity.

### Internal Risks and "Oversharing"

While many focus on external hackers, one of the greatest risks is internal. The concept of "oversharing" describes when an AI agent, due to a lack of permission management or classification, gives employees access to sensitive information they are not authorized to see. Protecting the "machine" itself and its access to internal data sources is therefore just as important as protecting the raw data.

### Methodology Wins in the Long Run

To succeed, Joakim suggests a methodical approach. Instead of simply "trial and error," organizations should begin with a holistic analysis based on the AI Act, GDPR, and cybersecurity legislation (NIS2). By understanding the purpose of the technology and maintaining control over the information structure, you can build correctly from the start.

January 20, 2026

What to Consider as a New Whistleblowing Case Handler

Below is a lightly edited version of an interview (in Swedish) we conducted with Sara Johansson, who works with whistleblowing assessments at Lantero. We asked her what new case officers need to keep in mind when they start handling whistleblowing cases, what types of situations they may encounter, and which common pitfalls to watch out for.

Interviewer: When someone steps into a role as a new case officer in a municipality and begins working with the whistleblowing function, what should they keep in mind or expect?

Sara Johansson: You’ll need to find a way to separate the wheat from the chaff, because many of the reports you receive are not, in fact, whistleblowing cases. They may involve an employee having issues with their manager, comments on organisational efficiency, or opinions on how things are structured. These are typically not whistleblowing matters. Then there are cases where there is actually something to look into. In those situations, you need to determine whether the reporting individual belongs to the protected group under the legislation, and whether the report concerns a public-interest wrongdoing. This might involve signs of corruption, serious conflicts of interest, or questionable recruitment processes carried out without proper advertising. In some types of operations, there may also be risks to patient safety or collaboration difficulties in critical environments. The key is to identify and distinguish these cases from the rest.

Interviewer: There is a lot of legislation underlying this work, and case officers need to apply it in their assessments. And in many organisations—especially smaller ones—actual cases are infrequent. How should one stay up to date on these issues?

Sara Johansson: One challenge is that there are very few court decisions in this area, which means there's not much case law to rely on. My recommendation is therefore to read everything that is published: follow relevant accounts on LinkedIn—ours, for example—and stay updated on news reporting around the topic. At the same time, you need to keep in mind that there is a clear sequence for handling these cases: there must be a wrongdoing, and it must concern a group defined as the public.

Interviewer: And if someone has questions?

Sara Johansson: Then they contact Lantero.

Interviewer: Do you have an example of a situation that may arise—something many case officers will encounter early on?

Sara Johansson: Do you want an example of a case that isn’t a whistleblowing matter? Because most cases are not.

Interviewer: Yes, describe that type of case.

Sara Johansson: The most common goes something like: “You have to do something. We can’t take it anymore. Our manager has completely lost control.” Then follows a long description of everything that is not working. This is by far the most common scenario.

Interviewer: And what is your advice to the client in that situation?

Sara Johansson: My advice is to explain that this is not a serious wrongdoing under the law, but something that needs to be addressed through another process. Often, you raise it within the organisation as a tip—an indication that the organisation should take a closer look at how the work environment is functioning—rather than treating it as a whistleblowing case.

Interviewer: If you have further thoughts or questions on this topic, you are very welcome to contact us. Otherwise, we wish you the best of luck—and thank you for watching.

December 3, 2025

Redacting Whistleblowing Cases – What Do Case Officers Need to Know?

When a public authority receives a request to disclose documents, the same question often arises: how much may – or must – we redact in a whistleblowing case? Many case officers find this difficult, as whistleblowing cases involve sensitive information while the principle of public access imposes strict requirements to release documents.

We interviewed Andreas Wahlström (in Swedish), who works with assessments and redaction of whistleblowing cases at Lantero. He explains both the legal requirements and the practical challenges faced by municipalities and government agencies.

Andreas reminds us that public documents are, as a rule, public. This means that “anyone has the right to request a whistleblowing report.” But the obligation to disclose also comes with a significant responsibility to redact. This applies both to directly identifying information and to indirect details that could reveal the whistleblower. Redaction is therefore a central part of managing whistleblowing cases.

The legal basis primarily comes from two chapters in the Swedish Public Access to Information and Secrecy Act: OSL Chapter 32, Section 3 b and OSL Chapter 17, Section 3 b. These regulate the protection of reporting individuals – as well as other persons mentioned in the report. In practice, the guidance is clear: redact more rather than less. If there is any uncertainty, the case officer should act cautiously to protect everyone involved.

For many case officers in municipalities and government agencies, redaction is still a manual process. Andreas notes that in the past six months, new tools have emerged that make the work both faster and safer. These tools propose what should be redacted, simplify the workflow, and help the case officer produce a document that can be safely disclosed.

One such example is Lantero Redact, a tool developed to help public-sector organisations manage redaction in accordance with legal requirements. It provides concrete suggestions on what to redact, is easy to use, and ensures that the material is properly anonymised before disclosure.

For those who want to dive deeper or need support in a specific case, Andreas and the team at Lantero are available to help. Redaction is not only a legal requirement – it is also a crucial part of maintaining trust in the whistleblowing function and protecting reporting individuals.

November 20, 2025

Practical experiences of AI-supported masking

Lantero interviewed Therese Forsberg, an investigator at the Department of Administration in Uddevalla Municipality. Therese works with redaction of documents in response to requests for public records, and she has been using Lantero Redact over the past months, receiving AI-based support for assessment and redaction. Below is a slightly shortened version of the interview. (Video version is in Swedish)

Interviewer: Uddevalla is a municipality with around 60,000 residents. When it comes to requests for public records, what kind of volumes are you dealing with?

Interviewee: It varies. It depends on what’s happening in the organisation. When incidents occur that lead to deviations or Lex Sarah cases, the volume increases. We also have some media outlets that submit weekly requests for all incoming records from the past week. That’s the case for municipalities across Sweden — some outlets do this continuously. So the amount can fluctuate a lot, especially if serious cases have come in.

Interviewer: To what extent is this possible to plan for?

Interviewee: Some parts are always manageable, but it becomes difficult when large volumes come in — sometimes thousands of documents. We don’t have a dedicated person working on this full-time, so our department has to share the workload.

### How the process used to work

Interviewer: What did the routines look like before?

Interviewee: We did everything the old-fashioned way. We printed out the documents and redacted them manually using Tipp-Ex. Then we copied and scanned them before sending them off. Adobe has some tools, but they haven’t been reliable. You could sometimes lift off the redaction digitally, so we always had to print and scan everything anyway. It was time-consuming and difficult to manage when working remotely.

### How the work is done now

Interviewer: What does the routine look like now?

Interviewee: It’s much faster. With the redaction service, we can mark what we want to redact digitally and save it directly. We avoid all the printing and scanning, which saves a lot of time. I also feel that we have better oversight of the documents and the process.

Interviewer: One idea with the AI support is that more people could participate in the work by accepting or rejecting suggested redactions. Have you started expanding that responsibility?

Interviewee: Not yet. We’ve involved some colleagues, but they have the same level of knowledge as we do. So for now, the responsibility remains within our department.

### Model training and new updates

Interviewer: You recently received an updated version of the service. Have you had a chance to test the new capabilities?

Interviewee: Very briefly, but what I saw looked good. I need to test it more before I can say anything definite.

Interviewer: Do you think the assessments look similar across different municipalities?

Interviewee: Yes, I think so. We all work with the same types of documents and the same regulations. The goal is always to protect the individual and avoid revealing personal data. That should lead to similar approaches to what needs to be redacted.

### User experience of the service

Interviewer: Any final reflections?

Interviewee: The service has been easy to use. We’ve found it user-friendly and free from issues. It has worked throughout the entire test period, which has been very valuable since we’ve had unusually large volumes of cases recently.

November 17, 2025

Involving employees in cyber-security concerns

We interview Joakim Karlén about how to involve all employees in the work with information security and cyber hygiene. (Video version is in Swedish)

Interviewer: Let’s start from the beginning – what does cyber hygiene actually mean?

Joakim Karlén: When you hear the word hygiene, you think about the things you should always do, like washing your hands. It’s actually the same in cybersecurity. Cyber hygiene is about ensuring that everyone knows and follows the basic routines needed to protect both themselves and the organisation.

### Small and large organisations – different conditions

Interviewer: When working with smaller organisations, how does their work differ from that of larger ones?

Joakim Karlén: Larger organisations often have more structure and support, such as an IT department that drives the security work. In smaller organisations, individual responsibility becomes greater. Everyone needs to understand how their own actions affect security – because you can’t rely on the same support functions.

Interviewer: What are the most common mistakes?

Joakim Karlén: The most common mistake is not having control over your digital assets. Many lack routines for how computers and mobile devices should be handled, or training in basic security practices. This means they miss simple but crucial safeguards.

### Creating engagement

Interviewer: So how do you get employees to think actively about these issues?

Joakim Karlén: It starts with education. You need to explain why the rules exist and connect them to everyday work: What do you do in your daily routine, and what risks exist in those specific moments? Many don’t see cybersecurity as part of their job – but it is. Just as you wouldn’t run around the office with scissors, you shouldn’t handle your digital tools in a risky way. Cyber hygiene is about understanding the tools you use and how to handle them safely.

### Behaviour rather than technology

Interviewer: So ultimately it’s about culture and behaviour?

Joakim Karlén: Exactly. Cyber hygiene is not just technology – it is above all behaviour and awareness. To support that culture, you need clear routines and checklists – for example, for how new employees are introduced to security practices. You can also practise incidents, such as through simulated attacks, so that everyone learns their role if something goes wrong. When you train for failure scenarios, people become more aware of their responsibilities – and more confident in how to act.

Interviewer: Which threats should organisations focus on right now?

Joakim Karlén: We’re seeing that attacks are becoming more frequent and more automated. Many small organisations think “we’re not interesting” – but the attackers don’t know that. They attack anything that can be attacked. And with today’s AI tools, it’s possible to pretend to be someone else and carry out advanced social engineering attacks with far greater precision and volume than before. This means the risk of being deceived increases dramatically – especially if employees aren’t vigilant.

Cyber hygiene is about doing the simple things right – every day. It requires structure, training, and engagement from everyone.

December 4, 2024

NIS2 in two minutes

The EU's NIS2 Directive came into force in January 2023, and member states have until October 17, 2024, to transpose it into national legislation. Yet many organizations still fail to meet the requirements two years after the directive was approved. Figures suggest that as many as two-thirds (66 percent) of affected organizations will miss the October 17 deadline, despite nine out of ten reporting incidents that could have been prevented by measures mandated under NIS2.

Looking at EU member states, only two out of 27—Croatia and Italy—have fully implemented the directive into their national legislation. Estonia and Portugal lag the furthest behind and have yet to begin the process. Given the scale of fines and sanctions that non-compliance entails, the sluggish response is somewhat surprising. In addition to significant fines for companies and organizations, individuals in leadership positions may also face personal sanctions.

### Development from NIS1

The first EU-wide cybersecurity legislation, introduced in 2018, was known as NIS1. Its purpose was to implement a common set of security standards across all member states. NIS2 is an evolution of the same framework and underlying ambition. The new regulations expand the scope, meaning more organizations are required to comply.

Generally, NIS2 applies to organizations that provide critical services or fall under the sectors covered by NIS2's expanded scope, have more than 50 employees, or have an annual turnover exceeding €10 million. Operators of critical infrastructure were subject to NIS1 and, by extension, are also covered by NIS2. Organizations in sectors such as digital services, the space industry, postal services, network operators, chemical producers/distributors, and some manufacturers are now also covered by NIS2.

Organizations are categorized as "essential" and "important," with all being deemed critical sectors, though some more than others. This classification determines the specific requirements organizations must meet. Each organization must determine whether it falls under NIS2, not only because of potential penalties but also because the regulations impose different requirements on various sectors. While NIS2 aims to elevate security standards across industries to a common level, compliance requirements are not uniform.

### What's New?

In addition to expanding the number of organizations covered by the directive, four key areas with stricter requirements are introduced: risk management, corporate responsibility, mandatory incident reporting, and business continuity planning.

- Risk Management: Organizations must take adequate measures to minimize threats to network and supply chain security, improve access controls (using multi-factor authentication), implement encryption, and have an incident response plan ready in the event of a serious attack.
- Corporate Responsibility: Leaders in affected organizations must have a comprehensive understanding of the directive and be responsible for managing cybersecurity risks.
- Mandatory Reporting: Incidents must be reported within 24 hours of detection to a database managed by ENISA, the EU's cybersecurity agency.
- Business Continuity Planning: Organizations must ensure they can continue operations during a major cyberattack.

### Compliance Checklist

Given the varying requirements between organizations, creating a universal checklist is challenging. However, below are the most fundamental steps:

- Identify whether your organization falls under NIS2.
- Understand the requirements and evaluate the current level of compliance.
- Secure the budget for necessary changes.
- Identify other EU cybersecurity laws applicable to your organization.
- Conduct cybersecurity assessments to identify vulnerabilities and threats.
- Assess third-party risks and establish appropriate risk management procedures.
- Develop plans for incident response, business continuity, and cybersecurity.
- Implement security measures like multi-factor authentication (MFA).
- Ensure staff receive up-to-date cybersecurity training.

### Penalties and Challenges for Non-Compliance

Organizations classified as "essential" risk fines of at least €10 million or 2 percent of their global annual turnover. Organizations classified as "important" face lower but still significant fines of at least €7 million or 1.4 percent of their global annual turnover. Non-compliance may also result in legal consequences for business leaders. For instance, Ireland's national implementation of NIS2 includes the risk of imprisonment.

Despite the risks, many organizations remain unprepared. One might argue that national authorities should have provided better support and guidance, or that the requirements are unreasonably burdensome alongside other regulations. However, it is ultimately in the organizations' own interest to strengthen cybersecurity and protect critical services in an increasingly threatening cyber environment.

November 6, 2024

Navigating the Transition to NIS2 Compliance in Sweden

At Lantero, we’re closely monitoring the evolving landscape of the NIS2 directive and its upcoming impact on cybersecurity compliance in Sweden. As of October 18, 2024, the NIS2 directive was due to be implemented in national legislation. However, like many other EU countries, Sweden is still in the process of legislative adaptation. According to SOU 2024:18, a new cybersecurity law is set to replace the current NIS law and bring Sweden in line with NIS2 standards, but this won’t take effect until early 2025.

November 7, 2024: The EU Commission will enact a regulation specifying NIS2's requirements for risk management and incident reporting, setting new standards for certain operators, including cloud service providers, DNS providers, and online marketplaces.

For operators currently under the NIS law, this period represents a critical transitional phase. Compliance with NIS obligations remains mandatory, yet interpretations must now consider NIS2’s broader framework, especially around risk management and incident reporting as outlined in Article 21 of the directive.

### Who’s Affected?

NIS2 will widen the scope compared to NIS, and a new group is now included:

- The directly affected group will now also include providers in sectors such as DNS services, cloud services, and online marketplaces.
- The indirectly affected groups will be suppliers to the affected organizations.

In practice, this means that most organizations will need to take the new requirements into consideration to be able to compete long-term.

Lantero’s LawLogic toolbox is here to support businesses as they navigate these complex changes. From guidance on best practices to streamlined reporting tools, we’re prepared to help ensure compliance and mitigate risks. With the new regulations, many are asking whether they are affected by the new rules, but the question that should be asked is rather how they are affected. It should be clear that one needs to take the regulations into consideration, and Lantero's tool aims to make the material clear and structured, so that the work can be formulated into concrete activities and initiated.

October 23, 2024

How Will NIS2 Affect You?

The NIS2 Directive, which stands for Network and Information Security Directive, aims to strengthen cybersecurity and resilience against cyber threats within the EU. It is an update of the previous NIS Directive and introduces several new measures to increase requirements for companies and public institutions managing critical infrastructure or essential services.

### Impact on Businesses

- Increased Costs: Companies will need to invest more in cybersecurity, including technology, training, and personnel, to meet the new requirements.
- Greater Focus on Risk Management: Cybersecurity must be integrated into the company’s overall risk management process, and businesses must be prepared to quickly detect and handle cyberattacks.
- Increased Pressure on Suppliers: Since companies are also responsible for their suppliers' security, this may put pressure on the entire supply chain to implement stricter security measures.

At first glance, NIS2 may seem like a concern for a specific segment of businesses and public administration, but its most likely effect is that society as a whole will elevate its level of cybersecurity. This is partly because affected organizations and companies need to monitor their suppliers, but also because the general "hygiene level" of security will rise, making it harder to justify security lapses.

### Expanded Scope

Compared to the original NIS legislation, the scope of NIS2 will be expanded to cover more sectors. In addition to energy, transport, finance, and healthcare, it will now also include:

- Postal services and waste management
- Digital services (including cloud services and data centers)
- The space sector

Some smaller companies that were previously exempt may also be included, depending on their size and importance to critical societal functions.

### Specific Requirements

Security requirements will generally become stricter, with concrete demands in areas such as risk management, security monitoring, incident management, and regular vulnerability assessments. Furthermore, there is an ambition for better coordination at the societal level regarding the reporting of incidents. Companies are required to follow specific protocols for reporting incidents, including the actions taken to handle them. Failure to report in time could result in significant fines.

The fine levels may resemble those imposed under GDPR, and steps are also being taken to hold company management and board members personally accountable. In short, sanction mechanisms are being established to force rapid and substantial efforts to raise the security standards of all affected companies and organizations. The idea of coordination also extends to information sharing, so that national cybersecurity authorities will improve their collaboration and coordination between countries and sectors.

In summary, NIS2 is a natural continuation of NIS, with the same underlying spirit but significantly stricter application. For those who haven't paid attention to NIS before or started working on these issues, there is a significant amount of work ahead in the coming years.