The Swedish security protection legislation clarifies the obligations for companies with security-sensitive activities and the importance of the operators performing security protection analyses for their operations.
What is security protection?
Security protection means preventative measures to protect Sweden's security against espionage, sabotage, terrorist crimes and other crimes. The technological development in recent years means that we need to broaden the concept of security. In addition, public sector organisations and private companies should now also be included within the framework of security protection.
The term Sweden's security refers to both military and civilian activities that may be of importance to Sweden's security. What needs to be protected to prevent threats to Sweden's security may to some extent change over time, but the activities that are important for Sweden's security today all fall into one or more of the following categories:
- Activities that are important for Sweden's external security: This means Sweden's ability to maintain national defense (territorial sovereignty) as well as Sweden's integrity, independence and freedom of action (political independence).
- Activities that are important for Sweden's internal security: This refers to Sweden's ability to maintain and ensure basic structures in the form of the democratic state, the judiciary and a law enforcement capacity at the national level.
- Nationally important activities: This means deliveries, services and functions that are necessary for society's functionality at the national level.
- Activities that are important for Sweden's economy: This refers to the national ability to pay.
- Damage-generating activities: This includes an activity that, if exposed to an antagonistic act, can generate damaging consequences for other security-sensitive activities.
What does the law mean?
To strengthen security protection, the Government proposed a new security protection law in 2018. The new law, the Protective Security Act (2018:585), contains requirements for measures aimed at protecting information that is of importance for Sweden's security or that is to be protected under an international security protection commitment. The protection of other security-sensitive activities, such as important information systems, is also strengthened.
The new law clarifies the obligations for companies with security-sensitive activities and the importance of the operators performing security protection analyses for their operations.
Among the new requirements, traceability logs and a security officer become mandatory for all operators. It is also proposed that sanctions can be imposed.
When did it begin to apply?
The new Protective Security Act has applied since April 1st, 2019.
Who is the Protective Security Act for?
The Law applies to activities run in both the public and private sectors, and those concerned can seek support and advice from the Security Service, the Armed Forces and the other supervisory authorities. What is new is that businesses holding data worth protecting are covered even if that data is not officially classified as secret. This can, for example, concern critical infrastructure and its operational systems, since these represent a potential vulnerability.
However, there is no list, permit review process or similar that clearly indicates who is conducting security-sensitive activities. Instead, it is each operator's own responsibility to stay informed, make assessments and conduct their business in accordance with the regulations that apply in the area of security protection.
The work with security protection needs to begin with an active stance on whether an activity is to some extent security-sensitive. In practice, this means that operators, if the answer is not obvious, need to carry out the first step of the security protection analysis process and, based on that, decide whether their activities fall within the scope of security protection.
How to follow the Protective Security Act
The best way to start complying with the Protective Security Act is to carry out a protective security analysis. Follow these steps to do such an analysis:
1. What is the goal of the business?
Write a business description that makes clear which responsibilities and processes exist in the business. Also note any dependencies on other functions, both internal and external.
2. Which are the protection values?
Think about what the protection values of the business are, i.e. its most sensitive parts: the parts that could affect the country's security if someone were to gain access to them.
3. Which consequences can arise?
Make an impact assessment and determine where the limit of acceptable consequences lies.
4. What is the threat?
Make a clear description of the threats and the opponent. What does the threat picture look like? What type of attacker could be considered a threat? Are there any known potential attackers and what is the threat associated with them?
5. Which vulnerabilities exist?
Perform a vulnerability analysis that identifies the vulnerabilities linked to the business's protection values. These could be exploited by a potential attacker, so it is important to know where they are.
6. Which protective measures are suitable?
Finally, identified vulnerabilities should be linked to appropriate protection measures. The measures can be divided into three different areas: information security, physical security, and personnel security.
When you have done your protective security analysis, it should be evident what security measures you should apply and where.
A new concept was introduced with the Protective Security Act
A new concept was introduced with the new law: security protection classified information. Security protection classified information is information that is subject to secrecy* under the Public Access to Information and Secrecy Act and that also concerns activities of importance to Sweden's security or is covered by an international security protection commitment binding on Sweden.
*Secrecy is the term for information that is not to be disclosed and therefore does not become publicly available. Information subject to secrecy entails a duty of confidentiality for those who have, or have been given, access to it.
Security protection classified information shall be divided into security protection classes based on the damage that disclosure of the information may cause to Sweden's security:
- Qualified Secret - Extremely serious damage
- Secret - Serious damage
- Confidential - Not insignificant damage
- Confidential Secret - Only minor damage
Security protection agreement
Government agencies, municipalities or county councils that intend to carry out a procurement and enter into an agreement on goods, services or construction contracts must enter into a security protection agreement if:
- there is security classified information in the security class confidential or higher, or
- the procurement otherwise refers to or gives the supplier access to security-sensitive activities of corresponding importance
The same applies to individual operators who enter into agreements with external suppliers.
The difference between the NIS Directive and the Protective Security Act
The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements linked to the networks and information systems on which a business depends in order to deliver socially important or digital services. The same network and information system may be covered by the Protective Security Act, which may also cover other types of activities. Many organisations can thus be affected by both regulations, but the parts covered by security protection are exempt from the NIS Directive.
In order to fall under the Protective Security Act, you must have activities or process information that falls within the framework of security protection (see the description above). This can apply to networks, information systems and other parts of the business.
If you deliver socially important or digital services, you are covered by the NIS Directive. The requirements in the NIS Directive only apply to the networks and information systems on which the delivery of the socially important or digital service depends.
Supplements to the Protective Security Act (August 2020)
To strengthen the protection of Sweden's security, the Government proposed supplements to the Protective Security Act (2018:585). Amendments to the Protective Security Act concerning transfers of security-sensitive activities have therefore been adopted. The supplements aim to prevent potential sales that could harm Sweden's security.
The supplements include the following:
- Operators who intend to transfer security-sensitive activities or certain property will be obliged to carry out a special security assessment as well as a suitability test before such a procedure is initiated.
- Operators will be obliged to consult with a consultative authority prior to the transfer.
- The consultative authority will be given the opportunity to order operators to take measures to fulfil their obligations under the law and, ultimately, to decide that a transfer may not be carried out (prohibition).
- A transfer in violation of a prohibition will be invalid.
The amendment entered into force on January 1st, 2021. Read more here (in Swedish).
A stricter Protective Security Act (October 2021)
The Government has decided that the present Protective Security Act should be stricter. The amendments to the law entered into force on December 1st, 2021. This is what the amendments contain:
- Security protection agreements apply to more types of collaborations
- Certain security protection assessments must be carried out
- Supervisory authorities get a larger role
Read our blog post about the new amendments!
Do you need help with your protective security? We can help you!
Are you a CISO and want to learn more about cybersecurity? Read our guide!