11 January 2021
The Swedish Protective Security Act (PSA, available in Swedish here) received an overhaul recently. Among other changes, the PSA now has a broader scope, which includes non-Swedish companies.
The PSA applies to both public and private organizations engaged in "security-sensitive activities" that are important to Sweden's national security and infrastructure. It covers a broad range of companies working in IT, law enforcement, transport, and other sectors.
Any company handling "security-sensitive information," as defined in the PSA, will need to conduct a protective security analysis, implement security protection measures, and conduct a personnel security assessment before hiring new staff.
This article will walk you through all the Swedish Protective Security Act's main concepts and requirements. It will also look at some proposed further amendments to the PSA, due to take effect from 2021.
The Swedish Protective Security Act is a security law that aims to protect critical activities, assets, and infrastructure against espionage, cyberattacks, sabotage, terrorism, and other threats.
Unlike the Swedish Data Protection Act (the law supplementing the EU General Data Protection Regulation, GDPR), which governs how any organization processes personal data, the PSA only applies to organizations engaged in certain high-security activities.
Sweden is one of many jurisdictions adopting stricter laws to protect critical information and networks as they come under attack from hostile states and organized cybercrime groups.
Following amendments to the Swedish Protective Security Act that took effect from April 1, 2019, the law now applies to non-Swedish companies. Further amendments are proposed to take effect from January 1, 2021, regarding foreign acquisitions of Swedish companies.
The PSA is complemented by the Protective Security Ordinance (available in Swedish here) which provides instructions for complying with the PSA.
The Swedish Protective Security Act covers any organization conducting "security-sensitive activities": activities that are:
Organizations operating in the following sectors are deemed to be carrying out security-sensitive activities:
However, it is important to note that any company engaged in security-sensitive activities is covered by the PSA, regardless of whether it operates in one of the sectors listed above.
The Swedish Protective Security Act categorizes security-sensitive activities based on how much damage might be caused if an attacker obtains or destroys information about the activity or prevents the activity from being carried out.
There are four categories of sensitivity:
Companies covered by the Swedish Protective Security Act are required to protect "security-sensitive information" (sometimes translated as "security-classified information"). Security-sensitive information is defined as any information relating to security-sensitive activities.
Security-sensitive information includes "classified information" under the Swedish Public Access to Information and Secrecy Act (more information available here).
To comply with the Swedish Protective Security Act, businesses must:
Implement security protection measures based on this analysis, covering both
Conduct a personnel security assessment before hiring any person who will:
Restrict access to operations that:
The Swedish Protective Security Act requires that security-sensitive activities and information are protected against espionage, sabotage, terrorism, and other threats.
A protective security analysis must include the following steps:
The PSA doesn't provide a step-by-step process for carrying out a protective security analysis. The procedure will vary depending on the sector in which your organization operates and the sensitivity of the activities it is engaged in.
In some contexts, it may be appropriate for companies to carry out the analysis as a risk assessment within an established cybersecurity framework, such as those developed by the International Organization for Standardization (ISO) or the US National Institute of Standards and Technology (NIST).
Once you have identified the security-sensitive activities and information that require protection, you must implement security protection measures to safeguard them.
You must protect security-sensitive information, regardless of where it is located, so that unauthorized individuals can neither read it (confidentiality) nor alter it (integrity). You must also ensure that it remains accessible to authorized users when required (availability).
The Swedish Protective Security Act divides security protection measures into two types:
Information security measures, which must:
Physical security measures, which must:
Prevent unauthorized individuals from gaining access to areas, buildings, and other facilities or objects where:
The government and other competent authorities may issue specific security protection measures.
The PSA requires organizations to only employ people who are trustworthy and loyal to Swedish interests to engage in security-sensitive activities. This means carrying out a personnel security assessment as part of your hiring process.
The personnel security assessment process should involve:
Note that personnel engaged in security-sensitive activities are not required to be Swedish citizens (with some exceptions in public authorities). However, the Swedish Security Service may find it more difficult to run a background check on a non-Swedish individual.
All employees should be assigned a security clearance based on their required level of access to sensitive information.
Violating the PSA could result in an administrative fine, issued by the relevant supervisory authority (either the Swedish Security Service or the Military Intelligence and Security Service).
The following actions are sanctionable offenses under the PSA:
Administrative fines are set between a minimum of SEK 5 000 (approximately $581) and a maximum of SEK 10 million (approximately $1.16 million).
The Swedish Security Service (Säkerhetspolisen) is a government agency responsible for national security and counter-terrorism in Sweden. The Swedish Security Service is responsible for enforcing the PSA and other security regulations within public agencies and companies.
The Swedish Security Service can:
Companies covered by the PSA can contact the Swedish Security Service for advice on compliance with the law.
Organizations responsible for information that requires protection for national security purposes can also contact the Military Intelligence and Security Service (Militära underrättelse- och säkerhetstjänsten), which is part of the Swedish Armed Forces.
In August 2020, the Swedish government proposed amendments to the Swedish Protective Security Act that would place further requirements on covered entities. If passed, these new requirements would take effect from January 1, 2021.
According to a Swedish Ministry of Justice press release (available here, in Swedish), the government is concerned about foreign states strategically acquiring Swedish companies in order to gain access to confidential information and security benefits.
The Swedish Security Service has warned that foreign acquisitions of sensitive infrastructure and technology could damage Sweden's security. The government is also concerned that the COVID-19 pandemic means foreign actors may try to acquire healthcare companies.
Under the amendments, the acquisition of a company that is engaged in security-sensitive activities would need to be approved by a consultative body (remissinstans). The proposals would require the following steps to be taken before a security-sensitive acquisition could occur:
The business operator must:
The consultative body may:
If an acquisition occurs in violation of the consultative body's decision, it will be deemed invalid. A business may appeal to the government if a consultative body decides to forbid its acquisition.
The Swedish Protective Security Act applies to any company engaged in security-sensitive activities that are important for Sweden's national infrastructure or security.
Companies covered by the PSA must:
The PSA is enforced by the Swedish Security Service and the Swedish Military Intelligence and Security Service. Violating the PSA can result in an administrative fine.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.