Skip to main content
To the homepage of Knowit


Guidance for implementation of cloud services in the public sector

On commission from Microsoft Sweden, Knowit has drafted guidance to support public sector operations in implementing cloud services. The report contains a method for risk analysis and various bases for assessments that the operations might need to make. A team of cybersecurity experts, legal experts, and cloud architects from Knowit are behind the report, MSMD AIR (Microsoft Cloud Design Analysis of Implementation and Risk).

In the report MSMD AIR, public sector operations get access to a method for risk analysis and bases for the assessments the operations must make in implementing the cloud service.

“Performing a risk and vulnerability assessment of a cloud service is a huge task. Based on the existing legislation, we have drafted this guidance to support security managers, data protection officers, legal counsels, and solution architects in implementation of Microsoft 365, in full or in part. The starting point is the requirements on information management, primarily in the General Data Protection Regulation and the Public Access to Information and Secrecy Act,” says Richard Oehme, senior advisor societal security and cybersecurity and lead for the drafting of MSMD AIR at Knowit.

The legal aspects that arise in connection with cloud services are a central part of the guidance. A municipality or other entity that wants to use cloud services needs to make several legal assessments that are both extensive and complex.

MSMD AIR describes the legal context and provides a model that guides the reader through the legal questions that need to be answered.

“Many in the public sector are struggling with the question of whether or not they can use Microsoft 365, given the legal requirements. MSMD AIR does not give an unequivocal answer to that question. Since the circumstances will differ, each organization must make its own assessment, based on the conditions at hand. However, MSMD AIR does provide guidance in these assessments by describing which legal questions need to be answered, when, and why. We also connect the legal matters with information on functionality and solutions in Microsoft 365 that might be needed, in order to determine if the legal requirements are satisfied,” says Lisa Lundin, consultant manager and head of Knowit’s legal services.

MSMD AIR will be possible to distribute and use without any limitations, under a so-called Creative Commons licence.

Do you have questions about the report MSMD AIR (Microsoft Cloud Design Analysis of Implementation and Risk)? Contact our specialists in cybersecurity and cloud services at


Christina Johansson

Head of Communications