A stricter Protective Security Act: 3 things the CISO needs to consider
The new, stricter Protective Security Act will enter into force on December 1st 2021, if the government's proposal passes. Before that, the CISO needs to be aware of what applies – here are the most important things!
What is the Protective Security Act?
The Protective Security Act (2018:585) clarifies the obligations of those who conduct security-sensitive activities and the importance of operators conducting security protection analyses for their activities.
Security protection means preventative measures to protect Sweden's security against espionage, sabotage, terrorist crimes and other crimes. The technological development in recent years means that we need to broaden the concept of security. In addition, public sector organisations and private companies should now also be included within the frame of security protection.
The law will apply to activities in both the public and private sectors, and those concerned can seek support and advice from the Security Service, the Armed Forces or other supervisory authorities. A new aspect is that businesses holding data worth protecting are covered even when that data is not formally classified as secret. This can, for example, concern critical infrastructure and its operational systems, since these represent a potential vulnerability.
The government is now proposing that the present Protective Security Act be made stricter. The amendments to the law are proposed to enter into force on December 1st 2021.
1. Security protection agreements apply to more types of collaborations
Part of the new proposal is that the security protection agreement currently required in procurements will apply to all types of collaborations where the other party can gain insight into security-sensitive activities. Such agreements may also need to be established with subcontractors of the actor you are about to enter into cooperation with. The agreement must be entered into if the actor, through the cooperation, can gain access to security-classified information classified as confidential or higher, or to information about the business that can be considered of equal significance for Sweden's security.
2. Certain security protection assessments must be carried out
Outsourcing and similar arrangements that require a security protection agreement must undergo a special security protection assessment. Its purpose is to determine whether the arrangement is appropriate from a security protection point of view. The assessment shall, among other things, review which security-classified information the collaboration partner can access, and which information about security-sensitive activities it may handle. If the assessment concludes that the collaboration is not inappropriate, the supervisory authority must be consulted before the collaboration begins.
3. Supervisory authorities get a larger role
Another aspect is that the supervisory authorities will be given more power to investigate security protection and any shortcomings in it. If an inspection shows that the requirements have not been met, the shortcomings the supervisory authority has identified must be remedied immediately.
The supervisory authority shall also have the right to issue fines and sanctions if an operator has not complied with its obligations. This may apply, for example, if you have not checked your own security protection, or have not verified that a partner complies with the security protection agreement. If you do not follow the regulations, you can receive a penalty fee of up to 50 million SEK.
Do you want to know more about the Protective Security Act?
Read the whole proposal for the Protective Security Act (in Swedish)!
Do you need help with your cybersecurity? Do not hesitate to contact us!
Do you work as CISO and want to learn more about working with cybersecurity? Read our guide for CISOs!