Swedish Protective Security Act

The Swedish Protective Security Act (PSA) received an overhaul recently. Among other changes, the PSA now has a broader scope, which includes non-Swedish companies.

The PSA applies to both public and private organizations engaged in "security-sensitive activities" that are important to Sweden's national security and infrastructure. It covers a broad range of companies working in IT, law enforcement, transport, and other sectors.

Any company handling "security-sensitive information," as defined in the PSA, will need to conduct a protective security analysis, implement security protection measures, and conduct a personnel security assessment before hiring new staff.

This article will walk you through all the Swedish Protective Security Act's main concepts and requirements. It will also look at some proposed further amendments to the PSA, due to take effect from 2021.


What is the Swedish Protective Security Act?

The Swedish Protective Security Act is a security law that aims to protect critical activities, assets, and infrastructure against espionage, cyberattacks, sabotage, terrorism, and other threats.

Unlike the Swedish Data Protection Act (the law implementing the EU General Data Protection Regulation, GDPR), which covers how all organizations process all personal information, the PSA only applies to companies engaged in certain high-security activities.

Sweden is one of many jurisdictions implementing stricter laws to protect its critical information and networks as they come under attack from hostile states and cyber crime syndicates.

Following amendments to the Swedish Protective Security Act that took effect from April 1, 2019, the law now applies to non-Swedish companies. Further amendments are proposed to take effect from January 1, 2021, regarding foreign acquisitions of Swedish companies.

The PSA is complemented by the Protective Security Ordinance, which provides more detailed instructions for complying with the PSA.

Are You Engaged in "Security-Sensitive Activities?"

The Swedish Protective Security Act covers any organization conducting "security-sensitive activities": activities that are:

  • Critical to Sweden's national infrastructure, or
  • Important for Sweden's security, or
  • Covered by an international protective security commitment that is binding on Sweden

Organizations operating in the following sectors are deemed to be carrying out security-sensitive activities:

  • Defense
  • Law enforcement
  • Energy supply
  • Water supply
  • Telecommunication
  • Transport

However, it is important to note that any company engaged in security-sensitive activities is covered by the PSA, regardless of whether it operates in one of the sectors listed above.

Categories of Security-Sensitive Activities

The Swedish Protective Security Act categorizes security-sensitive activities based on how much damage might be caused if an attacker obtains or destroys information about the activity or prevents the activity from being carried out.

There are four categories of sensitivity:

  • Top secret (Swedish: kvalificerat hemlig): Involves the risk of exceptionally severe damage
  • Secret (hemlig): Involves the risk of serious damage
  • Confidential (konfidentiell): Involves the risk of significant damage
  • Restricted (begränsat hemlig): Involves the risk of minor damage

What is "Security-Sensitive Information"?

Companies covered by the Swedish Protective Security Act are required to protect "security-sensitive information" (sometimes translated as "security-classified information"). Security-sensitive information is defined as any information relating to security-sensitive activities.

Security-sensitive information includes "classified information" as defined in the Swedish Public Access to Information and Secrecy Act.

What are the Requirements for Covered Entities?

To comply with the Swedish Protective Security Act, businesses must:

  • Conduct a protective security analysis
  • Implement security protection measures based on this analysis, covering both

    • Information security, and
    • Physical security
  • Conduct a personnel security assessment before hiring any person who will:

    • Have access to classified information, or
    • Be engaged in security-sensitive activities, or
    • Participate in operations requiring protection against terrorist acts
  • Protect information about national security from exposure
  • Restrict access to operations that:

    • Require protection against terrorist acts, or
    • Are critical to national security
  • Enter into protective security agreements whenever a third party may gain access to confidential, secret, or top secret activities (this obligation currently applies to public authorities only)
  • Appoint a protective security manager, who oversees protective security (information, physical, and personnel security) throughout the organization. The role is broader than a typical Chief Information Security Officer (CISO), whose remit is usually limited to information security

Protective Security Analysis

The Swedish Protective Security Act requires that security-sensitive activities and information are protected against espionage, sabotage, terrorism, and other threats.

A protective security analysis must include the following steps:

  • Identify what information must be protected
  • Identify the internal and external threats to this information
  • Identify what protective security measures must be implemented to protect against these threats

The PSA doesn't provide a step-by-step process for carrying out a protective security analysis. The procedure will vary depending on the sector in which your organization operates and the sensitivity of the activities it is engaged in.

In some contexts, it may be appropriate for companies to follow a risk assessment methodology from an established cybersecurity framework, such as those developed by the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST). Note that such a framework supplements the PSA's own requirements; it does not replace them.

Security Protection Measures

Once you have identified the security-sensitive activities and information that require protection, you must implement security protection measures to safeguard them.

You must protect security-sensitive information, regardless of where it is located, so that unauthorized individuals cannot access or amend it. You must also ensure that it can be accessed when required.

The Swedish Protective Security Act divides security protection measures into two types:

  • Information security measures, which must:

    • Prevent security-sensitive information from being disclosed, altered, made accessible, or destroyed without authorization
    • Prevent any other harm to security-sensitive information or systems concerning security-sensitive activities
  • Physical security measures, which must:

    • Prevent unauthorized individuals from gaining access to areas, buildings, and other facilities or objects where:

      • The individuals can gain access to security-sensitive information, or
      • Security-sensitive activities are conducted
    • Prevent any other harm to such areas, buildings, facilities, or objects

The government and other competent authorities may issue specific security protection measures.


Personnel Security Assessment

The PSA requires organizations to only employ people who are trustworthy and loyal to Swedish interests to engage in security-sensitive activities. This means carrying out a personnel security assessment as part of your hiring process.

The personnel security assessment process should involve:

  • Interviewing the individual
  • Collecting any relevant certificates and references
  • Referring the individual to the Swedish Security Service, which will run a background check involving police registers and criminal databases

Note that personnel engaged in security-sensitive activities are not required to be Swedish citizens (with some exceptions in public authorities). However, the Swedish Security Service may find it more difficult to run a background check on a non-Swedish individual.

All employees should be assigned a security clearance based on their required level of access to sensitive information.

Sanctions for Non-Compliance with the Swedish Protective Security Act

Violating the PSA could result in an administrative fine, issued by the relevant supervisory authority (either the Swedish Security Service or the Military Intelligence and Security Service).

The following actions are sanctionable offenses under the PSA:

  • Failing to notify the supervisory authority that the organization is undertaking, or has stopped undertaking, security-sensitive activities
  • Failing to carry out or update a protective security analysis
  • Failing to take protective security measures
  • Failing to classify information
  • Failing to monitor its own protective security measures
  • Failing to comply with a notification or order from a supervisory authority
  • Failing to enter into a protective security agreement when required
  • Entering into a non-compliant protective security agreement
  • Failing to appoint a protective security manager

Administrative fines are set between a minimum of SEK 5 000 (approximately $581) and a maximum of SEK 10 million (approximately $1.16 million).

Role of the Swedish Security Service

The Swedish Security Service (Säkerhetspolisen) is a government agency responsible for national security and counter-terrorism in Sweden. The Swedish Security Service is responsible for enforcing the PSA and other security regulations within public agencies and companies.

The Swedish Security Service can:

  • Decide whether it is necessary to carry out a protective security inspection
  • Carry out protective security inspections
  • Issue recommendations for improving protective security
  • Provide advice and support to organizations engaged in security-sensitive activities
  • Conduct a security screening before a person is permitted to engage in security-sensitive activities or access classified information

Companies covered by the PSA can contact the Swedish Security Service for advice on compliance with the law.

Organizations responsible for information that requires protection for national security purposes can also contact the Military Intelligence and Security Service (Militära underrättelse- och säkerhetstjänsten), which is part of the Swedish Armed Forces.

Proposed Amendments to the Swedish Protective Security Act

In August 2020, the Swedish government proposed amendments to the Swedish Protective Security Act that would place further requirements on covered entities. If passed, these new requirements would take effect from January 1, 2021.

According to a Swedish Ministry of Justice press release, the government is concerned about foreign states strategically acquiring Swedish companies in order to gain access to confidential information and security benefits.

The Swedish Security Service has warned that foreign acquisitions of sensitive infrastructure and technology could damage Sweden's security. The government is also concerned that the COVID-19 pandemic means foreign actors may try to acquire healthcare companies.

Under the amendments, the acquisition of a company that is engaged in security-sensitive activities would need to be approved by a consultative body (Swedish: samrådsmyndighet). The proposals would require the following steps to be taken before a security-sensitive acquisition could occur:

  • The business operator must:

    • Carry out and document a special security protection analysis and a suitability test
    • Consult with the appropriate consultative body
  • The consultative body may:

    • Order the business to take measures to fulfill their legal obligations
    • If necessary, decide that the acquisition cannot take place

If an acquisition occurs in violation of the consultative body's decision, it will be deemed invalid. A business may appeal to the government if a consultative body decides to forbid its acquisition.

Summary

The Swedish Protective Security Act applies to any company engaged in security-sensitive activities that are important for Sweden's national infrastructure or security.

Companies covered by the PSA must:

  • Protect security-sensitive activities and security-sensitive information from unauthorized access or damage
  • Carry out a security protection analysis to identify risks to security-sensitive activities and information
  • Implement security protection measures
  • Conduct a personnel security assessment whenever hiring an employee that will undertake security-sensitive activities or have access to security-sensitive information
  • From January 1, 2021, companies may also need to consult with a consultative body before entering into a foreign acquisition

The PSA is enforced by the Swedish Security Service and the Swedish Military Intelligence and Security Service. Violating the PSA can result in an administrative fine.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.