The Swedish Protective Security Act (PSA, available in Swedish here) received an overhaul recently. Among other changes, the PSA now has a broader scope, which includes non-Swedish companies.
The PSA applies to both public and private organizations engaged in "security-sensitive activities" that are important to Sweden's national security and infrastructure. It covers a broad range of companies working in IT, law enforcement, transport, and other sectors.
Any company handling "security-sensitive information," as defined in the PSA, will need to conduct a protective security analysis, implement security protection measures, and conduct a personnel security assessment before hiring new staff.
This article will walk you through all the Swedish Protective Security Act's main concepts and requirements. It will also look at some proposed further amendments to the PSA, due to take effect from 2021.
- 1. What is the Swedish Protective Security Act?
- 1.1. Are You Engaged in "Security-Sensitive Activities?"
- 1.2. Categories of Security-Sensitive Activities
- 1.3. What is "Security-Sensitive Information"?
- 2. What are the Requirements for Covered Entities?
- 2.1. Protective Security Analysis
- 2.2. Security Protection Measures
- 2.3. Personnel Security Assessment
- 3. Sanctions for Non-Compliance with the Swedish Protective Security Act
- 4. Role of the Swedish Security Service
- 5. Proposed Amendments to the Swedish Protective Security Act
- 6. Summary
What is the Swedish Protective Security Act?
The Swedish Protective Security Act is a security law that aims to protect critical activities, assets, and infrastructure against espionage, cyberattacks, sabotage, terrorism, and other threats.
Unlike the Swedish Data Protection Act (the law implementing the EU General Data Protection Regulation, GDPR), which covers how all organizations process all personal information, the PSA only applies to companies engaged in certain high-security activities.
Sweden is one of many jurisdictions implementing stricter laws to protect its critical information and networks as they come under attack from hostile states and cyber crime syndicates.
Following amendments to the Swedish Protective Security Act that took effect from April 1, 2019, the law now applies to non-Swedish companies. Further amendments are proposed to take effect from January 1, 2021, regarding foreign acquisitions of Swedish companies.
The PSA is complemented by the Protective Security Ordinance (available in Swedish here) which provides instructions for complying with the PSA.
Are You Engaged in "Security-Sensitive Activities?"
The Swedish Protective Security Act covers any organization conducting "security-sensitive activities": activities that are:
- Critical to Sweden's national infrastructure, or
- Important for Sweden's security, or
- Covered by an international protective security commitment that is binding on Sweden
Organizations operating in the following sectors are deemed to be carrying out security-sensitive activities:
- Law enforcement
- Energy supply
- Water supply
However, it is important to note that any company engaged in security-sensitive activities is covered by the PSA, regardless of whether it operates in one of the sectors listed above.
Categories of Security-Sensitive Activities
The Swedish Protective Security Act categorizes security-sensitive activities based on how much damage might be caused if an attacker obtains or destroys information about the activity or prevents the activity from being carried out.
There are four categories of sensitivity:
- Classified (top secret): Involves the risk of exceptionally severe damage
- Secret: Involves the risk of serious damage
- Confidential: Involves the risk of significant damage
- Restricted: Involves the risk of minor damage
What is "Security-Sensitive Information"?
Companies covered by the Swedish Protective Security Act are required to protect "security-sensitive information" (sometimes translated as "security-classified information"). Security-sensitive information is defined as any information relating to security-sensitive activities.
Security-sensitive information includes "classified information" under the Swedish Public Access to Information and Secrecy Act (more information available here).
What are the Requirements for Covered Entities?
To comply with the Swedish Protective Security Act, businesses must:
- Conduct a protective security analysis
- Implement security protection measures based on this analysis, covering both:
  - Information security, and
  - Physical security
- Conduct a personnel security assessment before hiring any person who will:
  - Have access to classified information, or
  - Be engaged in security-sensitive activities, or
  - Participate in operations requiring protection against terrorist acts
- Protect information about national security from exposure
- Restrict access to operations that:
  - Require protection against terrorist acts, or
  - Are critical to national security
- Enter into protective security agreements whenever a third party may gain access to confidential, secret, or classified activities (public authorities only)
- Appoint a protective security manager (effectively a Chief Information Security Officer, or CISO, who oversees information security throughout the organization)
Protective Security Analysis
The Swedish Protective Security Act requires that security-sensitive activities and information are protected against espionage, sabotage, terrorism, and other threats.
A protective security analysis must include the following steps:
- Identify what information must be protected
- Identify the internal and external threats to this information
- Identify what protective security measures must be implemented to protect against these threats
The PSA doesn't provide a step-by-step process for carrying out a protective security analysis. The procedure will vary depending on the sector in which your organization operates and the sensitivity of the activities it is engaged in.
In some contexts, it may be appropriate for companies to follow a risk assessment as part of a cybersecurity framework, such as those developed by the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST).
Security Protection Measures
Once you have identified the security-sensitive activities and information that require protection, you must implement security protection measures to safeguard them.
You must protect security-sensitive information, regardless of where it is located, so that unauthorized individuals cannot access or amend it. You must also ensure that it can be accessed when required.
The Swedish Protective Security Act divides security protection measures into two types:
- Information security measures, which must:
  - Prevent security-sensitive information from being disclosed, altered, made accessible, or destroyed without authorization
  - Prevent any other harm to security-sensitive information or systems concerning security-sensitive activities
- Physical security measures, which must:
  - Prevent unauthorized individuals from gaining access to areas, buildings, and other facilities or objects where:
    - The individuals can gain access to security-protected information, or
    - Security-sensitive activities are conducted
  - Prevent any other harm to such areas, buildings, facilities, or objects
The government and other competent authorities may issue specific security protection measures.
Personnel Security Assessment
The PSA requires organizations to only employ people who are trustworthy and loyal to Swedish interests to engage in security-sensitive activities. This means carrying out a personnel security assessment as part of your hiring process.
The personnel security assessment process should involve:
- Interviewing the individual
- Collecting any relevant certificates and references
- Referring the individual to the Swedish Security Service, which will run a background check involving police registers and criminal databases
Note that personnel engaged in security-sensitive activities are not required to be Swedish citizens (with some exceptions in public authorities). However, the Swedish Security Service may find it more difficult to run a background check on a non-Swedish individual.
All employees should be assigned a security clearance based on their required level of access to sensitive information.
Sanctions for Non-Compliance with the Swedish Protective Security Act
Violating the PSA could result in an administrative fine, issued by the relevant supervisory authority (either the Swedish Security Service or the Military Intelligence and Security Service).
The following actions are sanctionable offenses under the PSA:
- Failing to notify the supervisory authority that the organization is undertaking, or has stopped undertaking, security-sensitive activities
- Failing to carry out or update a protective security analysis
- Failing to take protective security measures
- Failing to classify information
- Failing to monitor its own protective security measures
- Failing to comply with a notification or order from a supervisory authority
- Failing to enter into a protective security agreement when required
- Entering into a non-compliant protective security agreement
- Failing to appoint a protective security manager
Administrative fines are set between a minimum of SEK 5 000 (approximately $581) and a maximum of SEK 10 million (approximately $1.16 million).
Role of the Swedish Security Service
The Swedish Security Service (Säkerhetspolisen) is a government agency responsible for national security and counter-terrorism in Sweden. The Swedish Security Service is responsible for enforcing the PSA and other security regulations within public agencies and companies.
The Swedish Security Service can:
- Decide whether it is necessary to carry out a protective security inspection
- Carry out protective security inspections
- Issue recommendations for improving protective security
- Provide advice and support to organizations engaged in security-sensitive activities
- Conduct a security screening before a person is permitted to engage in security-sensitive activities or access classified information
Companies covered by the PSA can contact the Swedish Security Service for advice on compliance with the law.
Organizations responsible for information that requires protection for national security purposes can also contact the Military Intelligence and Security Service (Militära underrättelse- och säkerhetstjänsten), which is part of the Swedish Armed Forces.
Proposed Amendments to the Swedish Protective Security Act
In August 2020, the Swedish government proposed amendments to the Swedish Protective Security Act that would place further requirements on covered entities. If passed, these new requirements would take effect from January 1, 2021.
According to a Swedish Ministry of Justice press release (available here, in Swedish), the government is concerned about foreign states strategically acquiring Swedish companies in order to gain access to confidential information and security benefits.
The Swedish Security Service has warned that foreign acquisitions of sensitive infrastructure and technology could damage Sweden's security. The government is also concerned that the COVID-19 pandemic means foreign actors may try to acquire healthcare companies.
Under the amendments, the acquisition of a company that is engaged in security-sensitive activities would need to be approved by a consultative body (remissinstans). The proposals would require the following steps to be taken before a security-sensitive acquisition could occur:
The business operator must:
- Carry out and document a special security protection analysis and a suitability test
- Consult with the appropriate consultative body
The consultative body may:
- Order the business to take measures to fulfill their legal obligations
- If necessary, decide that the acquisition cannot take place
If an acquisition occurs in violation of the consultative body's decision, it will be deemed invalid. A business may appeal to the government if a consultative body decides to forbid its acquisition.
Summary
The Swedish Protective Security Act applies to any company engaged in security-sensitive activities that are important for Sweden's national infrastructure or security.
Companies covered by the PSA must:
- Protect security-sensitive activities and security-sensitive information from unauthorized access or damage
- Carry out a security protection analysis to identify risks to security-sensitive activities and information
- Implement security protection measures
- Conduct a personnel security assessment whenever hiring an employee who will undertake security-sensitive activities or have access to security-sensitive information
- From January 1, 2021, consult with a consultative body before entering into a foreign acquisition, where the proposed amendments require it
The PSA is enforced by the Swedish Security Service and the Swedish Military Intelligence and Security Service. Violating the PSA can result in an administrative fine.