Skip to main content

What does the new security law mean?

Who is the new Swedish security protection legislation for and what does it actually say?
Learn more here.

The new Swedish security protection legislation clarifies the obligations for companies with security-sensitive activities and the importance of the operators performing security protection analyses for their operations.

 

What is security protection?

Security protection means preventative measures to protect Sweden's security against espionage, sabotage, terrorist crimes and other crimes. The technological development in recent years means that we need to broaden the concept of security. In addition, public sector organisations and private companies should now also be included within the framework of security protection.

The term Sweden's security refers to both military and civilian activities that may be of importance to Sweden's security. What needs to be protected to prevent threats to Sweden's security may to some extent change over time, but the activities that are important for Sweden's security today all fall into one or more of the following categories:

  • Activities that are important for Sweden's external security: This means Sweden's ability to maintain national defense (territorial sovereignty) as well as Sweden's integrity, independence and freedom of action (political independence).
  • Activities that are important for Sweden's internal security: This refers to Sweden's ability to maintain and ensure basic structures in the form of the democratic state, the judiciary and a law enforcement capacity at the national level.
  • Nationally important activities: This means deliveries, services and functions that are necessary for society's functionality at the national level.
  • Activities that are important for Sweden's economy: This refers to the national ability to pay.
  • Damage-generating activities: This includes an activity that, if exposed to an antagonistic act, can generate damaging consequences for other security-sensitive activities.
     

 

 

What does the new law mean?

To strengthen the security protection, the Government in 2018 proposed a new security Law. The new Law, the Protective Security Act (2018: 585) contains requirements for measures aimed at protecting information that is of importance for Sweden's security or which is to be protected according to an international commitment for security protection. The protection of other security-sensitive activities, such as important information systems, is also being strengthened.

The new law clarifies the obligations for companies with security-sensitive activities and the importance of the operators performing security protection analyses for their operations.

 

Some news is that it becomes mandatory with traceability logs and a security officer for all operators. Addtionally, on proposal, is that sanctions can be imposed.

 

New call-to-action

 

When did it begin to apply?

The new Protective Security Act applies since April 1st, 2019.

 

Who is the new Protective Security Act for?

The Law will apply to activities that are run in both public and private areas and those concerned can seek support and advice from the Security Service and the Armed Forces and other supervisory authorities. New is that businesses with data worth protecting are covered, without being officially classified as secret. This can, for example, be about critical infrastructure and their systems for operation, since these represent a potential vulnerability.

However, there is no list, permit review process or similar that clearly indicates who is conducting security-sensitive activities. Instead, it is each operator's own responsibility to stay informed, make assessments and conduct their business in accordance with the regulations that apply in the area of security protection.

The work with security protection needs to begin with an active stance on whether an activity is to some extent sensitive to security. In practice, this means that operators, if the answer is not obvious, need to carry out the first step of the process of security protection analysis and based on this, they can then decide if they fall under the definition security protection.

 

Protective Security Act

 

A new concept was introduced with the Protective Security Act

A new concept was introduced with the new law: security-protection classified data. A security protection classified information is information that is classified as secrecy * in accordance with the Public Access to Information and Secrecy Act and which also concerns activities of importance to Sweden's security or which are covered by an international commitment on security protection for Sweden.

*Secrecy is the term for information that is not to be disclosed and therefore does not become publicly available. A secrecy information entails a duty of confidentiality for those who have or have been given a position on the information.

Security protection classified information shall be divided into security protection classes based on the damage that disclosure of the information may cause to Sweden's security:

  1. Qualified Secret - Extremely Serious Damage
  2. Secret - Serious damage
  3. Confidential - Not insignificant damage
  4. Confidential Secret - Only minor damage

 

New call-to-action

 

Security protection agreement

Government agencies, municipalities or county councils that intend to carry out a procurement and enter into an agreement on goods, services or construction contracts must enter into a security protection agreement if:

  • there is security classified information in the security class confidential or higher, or
  • the procurement otherwise refers to or gives the supplier access to security-sensitive activities of corresponding importance

The same applies to individual operators who enter into agreements with external suppliers.

 

The difference between the NIS Directive and the Protective Security Act

The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements linked to the networks and information systems on which a business depends in order to deliver socially important or digital services. The same network and information system may be covered by the Protective Security Act, which may also cover other types of activities. Many organisations can thus be affected by both regulations, but the parts covered by security protection are exempt from the NIS Directive.

In order to fall under the Protective Security Act, you must have activities or process information that falls within the framework of security protection (see the description above). This can apply to networks, information systems and other parts of the business.

If you deliver socially important or digital services, you are covered by the NIS Directive. The requirements in the NIS Directive only apply to the networks and information systems on which the delivery of the socially important or digital service depends.

 

New call-to-action

 

Supplements to the Protective Security Act (August 2020)

To strengthen the protection of Sweden's security, the Government proposes supplements to the Protective Security Act (2018: 585). They have therefore decided on a law council referral with proposals for amendments to the Protective Security Act that apply to transfers of security-sensitive activities. The proposal aim to prevent potential sales that could harm the security of Sweden. 

 

The proposal includes the following:

  • Operators who intend to transfer security-sensitive activities or certain property will be obliged to carry out a special security assessment as well as a suitability test before such a procedure is initiated.
  • Operators will be obliged to consult with a consultative authority prior to the transfer.
  • The consultation authority will be given the opportunity to order operators to take measures to fulfill their obligations under the law and ultimately decide that a transfer may not be carried out (prohibition).
  • A transfer in violation of a prohibition will be invalid.

 

The amendment entered into force on January 1st, 2021. Read more here (in Swedish).

 

A stricter Protective Security Act (October 2021)

The government is now proposing that the present Protective Security Act will become more strict. The amendments to the law are proposed to enter into force on December 1st 2021. This is what the new proposal contains: 

  • Security protection agreements apply to more types of collaborations 
  • Certain security protection assessments must be carried out 
  • Supervisory authorities get a larger role

 

Read our blog post about the new proposal!