The Swedish Protective Security Act clarifies the obligations for companies with security-sensitive activities and the importance of the operators performing protective security analyses for their operations.
What is protective security?
Protective security means preventive measures to protect Sweden's security against espionage, sabotage, terrorist offences and other crimes that could harm security-sensitive activities. The term Sweden's security covers both military and civilian activities that may be of importance to Sweden's security. What needs to be protected in order to counter threats to Sweden's security may change somewhat over time, but the activities that are important for Sweden's security today all fall into one or more of the following categories:
- Activities that are important for Sweden's external security: This means Sweden's ability to maintain national defense (territorial sovereignty) as well as Sweden's integrity, independence and freedom of action (political independence).
- Activities that are important for Sweden's internal security: This refers to Sweden's ability to maintain and ensure basic structures in the form of the democratic state, the judiciary and a law enforcement capacity at the national level.
- Nationally important activities: This means deliveries, services and functions that are necessary for society's functionality at the national level.
- Activities that are important for Sweden's economy: This refers to the national ability to pay.
- Damage-generating activities: This includes an activity that, if exposed to an antagonistic act, can generate damaging consequences for other security-sensitive activities.
What does the law mean?
To strengthen protective security, the Government presented a proposal for a new act in 2018. The new act, the Protective Security Act (2018:585), contains requirements for measures to protect information that is of importance for Sweden's security or that must be protected under an international protective security commitment. The protection of other security-sensitive activities, such as critical information systems, is also strengthened.
The Act clarifies the obligations of operators that conduct security-sensitive activities and the importance of those operators carrying out protective security analyses of their operations.
Among the new requirements, traceability logs (audit logs showing who accessed what, and when) and a protective security officer become mandatory for all operators. It was also proposed that sanctions should be possible.
When did it begin to apply?
The new Protective Security Act has applied since April 1st, 2019.
Who is the Protective Security Act for?
The Act applies to security-sensitive activities in both the public and private sectors, and those concerned can seek support and advice from the Swedish Security Service (Säkerhetspolisen), the Swedish Armed Forces and the other supervisory authorities. What is new is that operators are covered even if they do not handle information that is formally classified as secret, as long as they have something worth protecting from a national security perspective. This can, for example, be critical infrastructure and the control systems that operate it, since these represent a potential vulnerability.
However, there is no list, licensing process or similar that clearly states who conducts security-sensitive activities. Instead, each operator is responsible for keeping informed, making its own assessment and conducting its business in accordance with the regulations that apply in the area of protective security.
Protective security work therefore needs to begin with an active position on whether an activity is to some extent security-sensitive. In practice, this means that operators, if the answer is not obvious, need to carry out the first step of a protective security analysis and, based on that, decide whether their activities fall within the scope of the Act.
How to follow the Protective Security Act
The best way to start with following the Protective Security Act is to do a protective security analysis. Follow these steps to do such an analysis:
1. What is the goal of the business?
Write a description of the business that makes clear which responsibilities and processes exist in it. Also note any dependencies on other functions, both internal and external.
2. Which are the protection values?
Identify the business's protection values, i.e. the most sensitive parts: those that could affect Sweden's security if an adversary gained access to, or control over, them.
3. Which consequences can arise?
Make an impact assessment of what happens if a protection value is compromised, and decide where the threshold of acceptable consequences lies.
4. What is the threat?
Describe the threats and the adversary clearly. What does the threat picture look like? What type of attacker could pose a threat? Are there known potential attackers, and what threat do they represent?
5. Which vulnerabilities exist?
Perform a vulnerability analysis that identifies the vulnerabilities linked to the business's protection values. A potential attacker could exploit these, so it is important to know where they are.
6. Which protective measures are suitable?
Finally, link the identified vulnerabilities to appropriate protective measures. The measures fall into three areas: information security, physical security and personnel security.
Once the protective security analysis is complete, it should be evident which security measures you should apply and where.
Solutions used to comply with the Protective Security Act
Protective security work is always grounded in the Protective Security Act. Beneath the Act sits the Protective Security Ordinance, which in turn is supplemented by regulations and guidelines from the supervisory authorities. These regulations and guidelines apply to different sectors, which means specific rules for different kinds of organisations.
The Protective Security Ordinance states that if security-classified information is to be communicated to an information system outside the operator's control, the information must be protected by cryptographic functions that have been approved by the Swedish Armed Forces. An approved VPN encryptor is one such solution; note that the approval requirement applies to the cryptographic function itself, so an arbitrary commercial VPN product does not automatically satisfy it.
Sometimes it is necessary to communicate over the Internet, but the sensitivity of the information may prevent you from sending it openly to the recipient. The solution is a VPN (Virtual Private Network) encryptor. A VPN encryptor protects your traffic while connected to the Internet by creating secure tunnels between a device and a network, or between two networks. You remain connected to the Internet, but the information you send to other devices in the private network is encrypted and integrity-protected inside the tunnel, so it cannot be read, or modified undetected, by anyone on the path between the tunnel endpoints.
Hardware-based encryption solutions are more expensive and somewhat more complicated to manage, but if you have sensitive information or information that needs stronger protection, making security the top priority, hardware solutions, with keys held in dedicated hardware rather than on a general-purpose host, should be your choice.
The Swedish Security Service's regulations on protective security (PMFS 2022:1) state that information systems that are separated from other information systems may transmit data for import or export through one-way communication. A product that can be used for that is a data diode.
A data diode is a cybersecurity product that enforces a one-way exchange of information. Placed between two networks, it either protects the integrity of the sensitive network (data may only flow out, so nothing can be injected into it) or its confidentiality (data may only flow in, so nothing can leak out), depending on the direction in which it is installed.
Data diodes are hardware products that act as a check valve: data can only be sent forward, and all data in the opposite direction is blocked. Because the one-way property is enforced physically in hardware rather than by software configuration, it cannot be reconfigured or bypassed by malicious code, which is what gives the product its high assurance. The software proxies that sit on either side of the diode and repackage traffic for the one-way link still need to be hardened and maintained like any other software.
A new concept was introduced with the Protective Security Act
A new concept was introduced with the new act: security-classified information (säkerhetsskyddsklassificerade uppgifter). Security-classified information is information that is subject to secrecy* under the Public Access to Information and Secrecy Act and that also concerns activities of importance to Sweden's security, or that is covered by an international protective security commitment binding on Sweden.
*Secrecy is the term for information that may not be disclosed and therefore does not become publicly available. Secrecy entails a duty of confidentiality for anyone who has, or has been given, access to the information.
Security-classified information shall be divided into security classes based on the damage that disclosure of the information may cause to Sweden's security:
- Qualified Secret (kvalificerat hemlig) - Extremely serious damage
- Secret (hemlig) - Serious damage
- Confidential (konfidentiell) - Not insignificant damage
- Restricted Secret (begränsat hemlig) - Only minor damage
Protective security agreement
Government agencies, municipalities and regions (county councils) that intend to carry out a procurement and enter into an agreement on goods, services or construction contracts must enter into a protective security agreement with the supplier if:
- the procurement involves security-classified information in the security class Confidential or higher, or
- the procurement otherwise concerns, or gives the supplier access to, security-sensitive activities of corresponding importance.
The same applies to private operators that enter into agreements with external suppliers.
The difference between the NIS Directive and the Protective Security Act
The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements for the networks and information systems on which a business depends in order to deliver essential or digital services. The same network and information system may also be covered by the Protective Security Act, which in addition covers other types of activities. Many organisations can thus be affected by both regulations, but the parts of an operation that are covered by protective security are exempt from the NIS Directive.
To fall under the Protective Security Act, you must conduct activities or process information that falls within the framework of protective security (see the description above). This can apply to networks, information systems and other parts of the business.
If you deliver essential or digital services, you are covered by the NIS Directive. Its requirements apply only to the networks and information systems on which the delivery of the essential or digital service depends.
Supplements to the Protective Security Act (August 2020)
To strengthen the protection of Sweden's security, the Government proposed supplements to the Protective Security Act (2018:585), and amendments concerning transfers of security-sensitive activities were subsequently adopted. The supplements aim to prevent sales that could harm Sweden's security.
The supplements include the following:
- Operators that intend to transfer security-sensitive activities, or certain property, will be obliged to carry out a special protective security assessment and a suitability assessment before the transfer process is initiated.
- Operators will be obliged to consult a consultation authority before the transfer.
- The consultation authority will be able to order operators to take measures to fulfil their obligations under the Act and, ultimately, decide that a transfer may not be carried out (prohibition).
- A transfer carried out in violation of a prohibition will be invalid.
The amendments entered into force on January 1st, 2021.
A stricter Protective Security Act (October 2021)
Amendments making the present Protective Security Act stricter entered into force on December 1st, 2021. They contain the following:
- Protective security agreements now apply to all types of collaboration in which the counterparty can gain insight into the security-sensitive activities, not only procurement
- Certain protective security assessments must be carried out before such collaborations are entered into
- Supervisory authorities are given a larger role, including the power to impose sanctions