Swedish Protective Security Act

Understanding the Swedish Protective Security Act: Safeguarding National Interests

The Swedish Protective Security Act (Säkerhetsskyddslag 2018:585) is a critical piece of legislation designed to safeguard national security-sensitive activities from threats, ensuring that Sweden’s critical infrastructure and key assets remain protected. This blog provides an in-depth look at the Act’s objectives, scope, responsibilities, compliance requirements, enforcement actions, and its interplay with the General Data Protection Regulation (GDPR).

What is the Swedish Protective Security Act?

The Swedish Protective Security Act was introduced to enhance Sweden’s ability to prevent, detect, and respond to national security threats. The law imposes strict obligations on entities operating within security-sensitive sectors to ensure the protection of classified information, critical infrastructure, and essential services.

The Act applies to both public and private entities involved in activities deemed essential to Sweden’s national security, requiring them to implement rigorous security measures. It also mandates operators to assess and mitigate security risks that could affect national interests.

The law is designed to counter threats such as espionage, sabotage, cyberattacks, and insider threats that could undermine data protection in Sweden.

Key Objectives of the Swedish Protective Security Act

The primary objectives of the Act include:

  1. Protecting National Security: Ensuring that entities responsible for security-sensitive operations implement appropriate security measures.
  2. Enhancing Security Preparedness: Establishing guidelines for identifying and mitigating risks related to classified information, critical infrastructure, and key government functions.
  3. Strengthening Oversight and Enforcement: Providing Swedish authorities with the tools to monitor compliance and enforce penalties where necessary.
  4. Ensuring Collaboration with Authorities: Requiring organizations to notify supervisory authorities about security-sensitive activities and to consult them before significant business transactions affecting national security.
  5. Safeguarding Digital Infrastructure: Reinforcing cybersecurity measures to prevent cyber threats targeting government institutions and private sector entities operating in critical infrastructure.
  6. Preventing Foreign Influence: Restricting access to security-sensitive activities by foreign entities unless explicitly approved by Swedish authorities.

Scope of the Swedish Protective Security Act

The Act applies broadly to entities in critical sectors, including:

  • Government agencies managing classified information.
  • Defense and military contractors.
  • Energy and telecommunications providers essential to national infrastructure.
  • Healthcare organizations handling sensitive patient data.
  • Financial institutions deemed critical to economic stability.
  • Transportation and logistics companies ensuring national supply chain resilience.
  • Cybersecurity service providers safeguarding Sweden’s digital assets.
  • Research institutions and universities working with sensitive technological advancements.
  • Foreign investments in critical industries, which are subject to government scrutiny to prevent national security risks.

Sweden’s foreign investment law intersects with the Protective Security Act, ensuring that acquisitions, mergers, or foreign ownership in security-sensitive sectors undergo government review. Since December 1, 2021, companies engaged in classified information handling, critical infrastructure, or strategic industries must consult authorities before significant transactions to assess security risks. This aligns with EU-wide efforts to regulate foreign direct investment (FDI) and safeguard national interests against potential geopolitical threats.

Responsibilities Under the Swedish Protective Security Act

Entities falling under the scope of the Act have several key responsibilities:

1. Notifying Supervisory Authorities

Organizations must inform the relevant supervisory body about their security-sensitive activities. This enables authorities to maintain oversight and provide guidance on compliance.

2. Conducting Protective Security Analyses

A protective security analysis must be carried out to identify security-sensitive assets, evaluate risks, and determine the necessary protective measures. These assessments must be documented and regularly updated.

3. Implementing Protective Security Measures

Organizations must take steps to secure their operations, including:

  • Information Security: Preventing unauthorized access to classified data.
  • Physical Security: Protecting facilities from potential threats.
  • Personnel Security: Ensuring employees with access to sensitive data are security-cleared and trustworthy.
  • Cybersecurity Measures: Implementing threat detection, encryption, access control, and incident response plans to mitigate cyber risks.

4. Establishing Protective Security Agreements

Before engaging third-party contractors or service providers, organizations must establish agreements ensuring compliance with security obligations.

5. Consultation Before Significant Transactions

Entities must consult authorities before mergers, acquisitions, or asset transfers that may impact security-sensitive operations.

6. Ongoing Training and Security Awareness

Employees must receive continuous training on security risks, protocols, and compliance measures to maintain high levels of vigilance and preparedness.

Implementation Timeline

The Swedish Protective Security Act was first introduced in 2018, with additional updates and enforcement measures coming into effect in 2021.

  • 2018: Initial implementation with a focus on national security.
  • 2021: Amendments expanding regulatory powers, increasing penalties, and requiring stricter compliance measures.
  • 2023-Present: Continuous revisions based on emerging threats, especially in cybersecurity and foreign investment risks.

Since December 1, 2021, Swedish authorities have gained the ability to impose substantial fines on organizations that fail to comply with the Act’s requirements.

Compliance Requirements and Penalties

Failure to comply with the Protective Security Act can result in significant penalties, including:

  • Fines ranging from 25,000 SEK to 50 million SEK (for private entities).
  • Fines up to 10 million SEK for state authorities, municipalities, or regions.
  • Business restrictions, operational limitations, or revocation of licenses for severe violations.

Recent Enforcement Actions

  1. Telenor Sverige AB (2023):
    • Fined 12.5 million SEK (~1.1 million EUR) by the Swedish Post and Telecom Authority (PTS) for protective security violations.
  2. Water Supply Company (2023):
    • Fined 3 million SEK for failing to notify the supervisory authority, appoint a security manager, and conduct a protective security analysis.
  3. Technology Firm (2024):
    • Investigation ongoing for potential violations in handling classified government contracts.

Sweden GDPR Implementation

The Swedish Protective Security Act operates alongside GDPR but has a distinct focus:

  • GDPR governs the protection of personal data and privacy.
  • The Protective Security Act regulates the security of classified information and critical infrastructure.
  • NIS 2 Directive (EU) complements both by focusing on cybersecurity for essential services and digital providers.

Organizations must align their security strategies to comply with all relevant regulations, ensuring that security measures meet national security requirements while also protecting individuals’ personal data.
