A service from LUMRA · For municipalities and public sector

PIANOLA, NIS2-ready Microsoft 365 for municipalities and public bodies.

Municipalities and public sector bodies have been covered by NIS2 since 2025. Owning a security product is not enough. You need documented controls and ongoing oversight. PIANOLA does the work, you get the evidence. All in plain language.

About LUMRA Book a walkthrough

The service is procurement-ready, transparently priced and run by LUMRA, a Swedish company. Data stays inside the EU.

Tailored for your industry

Industry perspective

Three things we often find in the public sector

These are the most common gaps that show up in NIS2 maturity assessments across the public sector.

Conditional Access weak or missing

Conditional Access is either not used at all or only partly. Administrators can sign in from uncontrolled devices, regardless of time and location.

Email security falls short of national DMARC guidance

DMARC policy sits at 'none'. Phishing is sent in the municipality's name every day without being blocked. SPF and DKIM are often misconfigured too.

No incident response routine within the 72-hour window

NIS2 requires early reporting. There is rarely a traceable log of what happened, when and how.

Documentation the public sector actually needs

NIS2 SFS 2025:1506 PIANOLA documents your security maturity against the NIS2 cybersecurity requirements at every scan.
CIS Controls v8 We map every finding to a CIS control so you can fold it straight into audit work.
MSB information security guidance Actions are aligned with the Swedish Civil Contingencies Agency recommendations for municipalities and regions.
Procurement documentation The PIANOLA report can be used as supporting evidence in procurement to show your security posture.
Start a free scan

Microsoft 365 in reality

You think you have control. But how do you actually know?

Organisations that have hired IT consultants, ticked off Secure Score recommendations and said "Microsoft handles this" usually believe they're secure. PIANOLA is the extra pair of glasses that shows what's actually going on, continuously and not just at audit time.

A scan is a snapshot. A day later, someone has changed a policy, granted a new app or invited a guest, and the picture is already out of date. Documentation that isn't kept up ages just as fast. Security keeps moving, and PIANOLA keeps the picture alive.

What leadership often believes

  • "We've got MFA on"
  • "Microsoft handles cybersecurity"
  • "Our IT consultant has it covered"
  • "We do an audit once a year"

What PIANOLA actually measures

  • MFA is often not even enforced for admins
  • Microsoft ships tools, not configuration
  • The consultant saw the picture in March, not today
  • Drift happens every week, not at audit time
Sample view

Risk index via PIANOLA · 4 environments

Care services, ~80 employees

48

A common pattern in the sector: no enforced MFA policy, external sharing wide open, guests not reviewed in months.

Critical action

Logistics, ~150 employees

64

Even with E5 licensing, PIANOLA can find: MFA not enforced for admins, OAuth consent open to all, weak DMARC policies.

Needs work

Construction, ~50 employees

78

Drift can creep in after a consulting engagement. PIANOLA typically catches new open items around sharing and app consent in the months that follow.

Stable, drift remains

Consulting firm, ~30 employees

86

Continuous work leaves only minor cleanup, typically documentation and quarterly review.

Strong foundation

Risk index 0–100. The colour tells leadership where to look first. The view shows typical patterns across four sectors, not specific customers. PIANOLA is the extra pair of glasses, every week and not just at audit.

What makes us different

Other tools alert. PIANOLA acts.

Most security tools fill the IT inbox with warnings and leave the investigation to you. That is where security work tends to stall, not at detection, but at everything that follows. PIANOLA closes the loop.

The usual path

The alerts are left to you

  • The inbox fills constantly. Warnings from different systems, around the clock.
  • Assessment takes time. Someone has to react, even in the middle of the night.
  • Investigation is manual. Log digging, correlation, situational analysis, all on your own.
  • The team takes the hit. Volume always wins in the end.

The PIANOLA path

Decisions are already made

  • PIANOLA acts on its own. Decisions execute automatically, with a 24-hour window to undo.
  • We measure continuously. Nine security areas in Microsoft 365, all the time.
  • The report arrives in your inbox. A monthly snapshot, not a nightly flood of alerts.
  • You get time to think. Security no longer requires someone to keep watch.

The difference between chasing security and owning it.

The status view, in two seconds

A glimpse of what leadership sees in the report. Together, the three panels give a quick read on how the environment is doing. The depth is there when you need it.

Open findings

What needs attention right now

Findings are prioritised by severity, from critical risks down to lower-priority observations.

0

Critical

2

High

8

Medium

15

Low

Top actions

What to take on first

With reasoning, expected impact, and a suggested owner.

1 Restrict external sharing
2 Disable legacy auth protocols
3 Revoke risky app consents

Status by area

Where the focus is right now

Security posture per area. Green = under control, yellow or red = needs attention.

Identity and MFA OK
Email and forwarding 2 to review
Sharing in SharePoint OK
Apps and OAuth consents 1 priority
Endpoint and Defender OK

One report, four auditors

The same underlying control data, expressed in the language each framework speaks: NIS2 for regulatory compliance, CIS for technical hardening, NIST for risk governance, and ISO for management systems. Whoever asks, you respond from a single report.

EU · Directive

NIS2

10 measures in Article 21.2. Evidence report per measure shows exactly where you stand for the supervisory authority.

Risk management Art. 21.2.a
Access control Art. 21.2.d
MFA and authentication Art. 21.2.j
+ 7 more points Art. 21.2

CIS · Technical

CIS Controls v8

Eight priority control domains mapped. Shows which security baselines you actually meet in Microsoft 365.

Data assets CIS 3
Accounts and privileges CIS 5-6
Email and web CIS 9
+ 5 more domains CIS 4-17

NIST · Strategy

NIST CSF 2.0

Five core functions mapped directly to your Microsoft 365 environment. The language leadership and the board expect.

Govern GV
Identify · Protect ID · PR
Detect · Respond DE · RS
Recover RC

ISO · Management

ISO 27001:2022

Annex A controls mapped per organizational and technical domain. Provides traceability for ISMS audits.

Identity management A.5.16
Access control A.5.15
Secure config A.8.9
+ more Annex A A.8.x

Whether your IT partner, auditor or insurer asks, you respond from the same source. PIANOLA automatically maps 109 security controls on every assessment - no separate investigation needed for each framework.

NIS2 from 2026, your biggest driver right now

The new cybersecurity law raises the bar for your Microsoft 365 environment

The ten areas the directive requires, what PIANOLA handles for you continuously, and what remains the leadership's responsibility. Clear, honest, and straight to the point.

The same underlying data also maps to CIS Controls, NIST CSF and ISO 27001. See the frameworks below.

Read our NIS2 walkthrough

About the company

LUMRA is the company behind PIANOLA

LUMRA is a Swedish IT security company that builds PIANOLA. We specialise in Microsoft 365 security and serve small and medium-sized Swedish businesses and their IT partners.

Instead of one-off reports that go stale the day they're filed, we keep the conversation flowing year-round between leadership, IT, and your partner. PIANOLA is how we put that into practice: regular reports, a clear status view, and actions the service can apply directly or hand back to you.

  • CompanyLUMRA
  • ServicePIANOLA
  • FocusMicrosoft 365 security
  • AudienceSwedish small and medium-sized businesses
  • Contacthej@lumrait.se
The company lumrait.se About LUMRA, the incident calculator, contact, and how to book a call. Existing customer Sign in to PIANOLA For customers who want to see the status of their own Microsoft 365 environment.

PIANOLA maps to

NIS2 (EU 2022/2555) CIS Controls v8 NIST CSF 2.0 ISO 27001:2022