ProTechtive Security (Sw. Säkerhetsskydd) – who does it concern?

‘Protective security’ (Sw. “säkerhetsskydd”) means the protection of security-sensitive activities against espionage, sabotage, terrorist offences and other crimes. It aims to safeguard those activities that are in greatest need of protection from a national perspective.

We have seen an increased awareness regarding rules on protective security and the question whether certain operations are in scope of the relevant rules being raised more frequently. Protective security has received the highest attention from the legislator for the last couple of years and the Protective Security Act which came into force about two years ago is about to see its scope widened yet again. A broader approach for the Protective Security Act was to highlight the availability and integrity aspects of information- and IT-systems. The financial system provide vital functions through such systems and organisations need to ask themselves whether they are in scope of the Protective Security Act, and if they are, take appropriate measures. In this article, we provide a brief summary of the Protective Security Act and examine the recent Government bill, which for instance introduces new powers of investigation for supervisory authorities, introduces new rules regarding protective security agreements and strengthens the role of an obligatory protective security manager.

It may concern you

Rules on protective security apply to activities that are of importance for Sweden’s security from a national perspective. Operators of financial services and information- and IT-systems may well be in scope of the Protective Security Act (2018:585) (“the Act”) and if so need to proactively analyse what measures to take. Further, as we read preparatory works to the Act, it is not unlikely that there are operators vital for Sweden’s security either unaware of their responsibilities or not applying the rules for other reasons. Also, outsourced suppliers to operators conducting security-sensitive activities could find themselves having to sign a protective security agreement (Sw. säkerhetsskyddsavtal) which for instance could oblige them to conduct security investigations of personnel. Such actors are also in scope for supervisory authorities’ supervision. Before we look closer at the recently published Government bill (prop. 2020/21:194), with proposed changes and amendments to the Act, we start with an overview of the Act.

The Act

The concern of the Act is to protect those activities that are in greatest need of protection, primarily against antagonistic attacks. The Act came into force April 1st 2019, replacing an older act on protective security. The Act applies to more organisations than previously and to public as well as private operators of security-sensitive activities. The Act aims to pro-tect not only classified information but security-sensitive activities in a wider scope and specifically pointing out information and IT-systems. Financial services and systems can be vital for the public and also of national importance and therefore in scope of the Act.

Operators of security sensitive activities must carry out a protective security analysis. The analysis is the starting point for planning and taking appropriate protective security measures. The Act also contains rules on security investigations of personnel, which aim at establishing the persons participating in security-sensitive activities are loyal to the interests protected by the Act.

One important rule of the Act obliges an operator, under certain circumstances, to enter into a protective security agreement with a contractor. An outsourcing of security sensitive activities could be an example of a contractual relationship where the parties, besides the commercial agreement, also need to enter into a protective security agreement. The aim of such an agreement is to, on a contractual basis, provide the information or otherwise security-sensitive activity the same protection as it enjoys with the operator (requiring security investigations of personnel, having a protective security manager, no subcontracting without the operator’s consent etc.). 

Since January 1st 2021 the Act contains rules on transfer of security-sensitive activities and certain property. The rules obliges a transferor to make a suitability assessment from a protective security perspective of the transfer and consult with a consulting authority.
The Protective Security Ordinance (2018:658) and the Swedish Security Service’s regulation on Protective Security (PMFS 2019:2) contains further and more detailed rules on protective security

The recent Government bill – proposals for changes to the Act

On May 20th 2021 the Government adopted a Government bill with proposals for changes to the Act. In connection to making the bill public, Minister of the Interior Mikael Damberg stated that security issues are high on the Government’s agenda. He said that in recent years, the Government has developed extensive new regulations in the area of security protection that have both modernized and strengthened the legal framework. However, according to Damberg, the development of security policy and certain events that have occurred have shown that there is a need for further measures. This statement provides a background to the resent proposal.

Important features of the proposal are:

• Protective security managers shall have a more prominent role in the protective security management.
• Operators must enter into protective security agreements in more situations.
• Operators must make an assessment and test the appropriateness of outsourcing and similar procedures which require protective security agreements, and in some cases consult with a supervisory authority. If a procedure is unsuitable from a security point of view, the supervisory authority can decide that it may not be implemented and also intervene in an ongoing procedure.
• Supervisory authorities are given investigative powers and the possibility to order operators to take certain measures, subject to a conditional fine, and decide on administrative sanctions against those who do not comply with the requirements of protective security legislation.

The security manager

There are already some requirements regarding the protective security manager in the Protective Security Ordinance. The Government bill however entails a general requirement that the protective security manager must be directly subordinate to the head of the operator’s operations (in a limited liability company the CEO). The Government proposes to extend the responsibility of the protective security manager to include management and coordination of protective security activities and to control that the operator conducts its business in accordance with the Act and adherent regulations. The responsibility of the protective security manager according to the proposal cannot be delegated.

Protective security agreements in more situations

The Government proposes to extend the obligation to conclude a protective security agreement in such a way that it also applies to procedures other than procurement and other acquisitions. An operator who intends to carry out a procurement, enter into an agreement or initiate a cooperation or a collaboration  with a contractor, shall enter into a protective security agreement with the contractor if the operator through the procedure can gain access to classified information in the security class confidential (Sw. konfidentiell) or higher, or to security-sensitive activities of equivalent importance to Sweden’s security. The obligation applies to situations where the operator is supplier as well as purchaser. The Government also proposes to clarify that the operator must also enter into a security protection agreement with a subcontractor and that the operator shall enter into protective security agreements before the counterparty can gain access to the security-sensitive business or information.

Procedures surrounding a protective security agreement

There are already some rules on the procedures surrounding the entering into a protective security agreement, especially for Government authorities. Because of their limited scope the Government is of the opinion that the scope needs to be widened. The Government proposes that before initiating a procedure that requires a protective security agreement, an operator, including private operators, must carry out a specific security assessment, identify which security-classified information or other security-sensitive activities other parties can access and that requires protection.  Based on the specific security assessment the operator must make a suitability assessment of the planned procedure. If the suitability assessment leads to the conclusion that the procedure is inappropriate from a security point of view, the operator shall not initiate the procedure.

The Government also proposes an obligation for all operator’s to, under certain circum-stances, consult the relevant supervisory authority before it proceeds with an outsourcing or other activity requiring a protective security agreement. The obligation to consult a supervisory authority depends on the sensitivity of the outsourced activity. Further, the supervisory authority is given the mandate to prohibit the planned outsourcing or other activity which require a protective security agreement.  Also, supervisory authorities will have the power to intervene in an ongoing contractual relationship. If an ongoing procedure is unsuitable from a protective security point of view, the supervisory authority will have the possibility to, subject to a conditional fine, order the operator and its counterparty to take the measures needed to prevent damage to Sweden’s security, finally to decide that the procedure must be stopped.

Further powers for supervisory authorities

The protective security legislation currently does not contain any specific powers for the exercise of supervision. A basic precondition for supervision of the security protection is therefore that the supervised entities cooperate with the supervisory authorities and com-ply with their instructions and recommendations. This is, as has already become obvious, about to change. 

We have already mentioned that supervisory authorities are given the mandate to intervene in a planned or ongoing outsourcing or other procedures which require a protective security agreement. The Government also proposes that the supervisory authorities shall be given more powers for their effective supervision.

For instance, the Government proposes that an operator under supervision must, upon request, provide the supervisory authority with the information needed for supervision. The supervisory authorities shall have the right to, to the extent necessary for their super-vision, gain access to areas, premises and other spaces, but not housing, which is used in activities subject to supervision. The supervisory authorities shall also be able to order the person under supervision to provide information and to provide access to premises and the like. The supervisory authority may also decide to order an operator to take measures to fulfill its obligations under the Act and regulations that have been issued under it. Such orders may be combined with a conditional fine.

The proposal also introduces a system of administrative sanctions. The supervisory authorities shall be able to decide on administrative sanctions for certain breaches of the Act and of regulations under the Act. For private operators, the Government proposes a maximum administrative fine of SEK 50 million. It will also be possible to decide on an administrative sanction against a shareholder who has not fulfilled its obligation to consult prior to the transfer of shares in security-sensitive activities, has carried out such a transfer in violation of a prohibition, or has provided incorrect information in connection with the consultation.

Notification obligation

The Government proposes an obligation for operators to notify its supervisory authority of its security-sensitive activities. Anyone who conducts security-sensitive activities shall, without delay, notify the supervisory authority. The same applies when the security-sensitive activity has ceased.

So which are the supervisory authorities?

Supervision in the area of protective security is divided between different authorities. For private operators in the financial sector and third party providers to such operators the county administrative boards are responsible for the supervision at present. The Government states that provisions on which authorities that are to be protective security supervi-sory authorities shall be decided through a Government ordinance. We expect that the Government will point out Finansinspektionen as the supervisory authority in the financial sector. For the purpose of supervising that operators abides by the Act and regulations under the Act, the supervisory authority may also exercise supervision over the actors who operators have entered into protective security agreements with.

Conclusions

Banks, financial infrastructure companies and other institutions that may be in scope of the Act do best in carefully analyzing whether they conduct security-sensitive activities and if they conclude they do, take appropriate actions. They need to be attentive to updates in the legislative landscape and for instance as it comes to outsourcing of security-sensitive activities carefully consider the appropriate steps to take to comply with the current and future legislation. The rules on protective security are not always easy to interpret.

Further, parties contracting with operators regulated by the Act must pay attention to the contractual obligations that might follow. Supervisory authorities may also show interest in the parties’ relationship.

In comparison to administrative fines in the financial sector, the maximum administrative fine proposed by the Government for breaches of the Act is low. Yet, the incentives for complying with the Act should not only be connected to the amount of a possible sanction, but to the interest the Act aims to protect, and to the reputation risk a sanction could entail for an operator subject to a sanction. We know being regulatory compliant is of great im-portance to the concerned companies, which do not want the bad will of breaching legal requirements. One should not expect less than that Finansinspektionen would approach its likely assignment to come with the greatest sense of responsibility and take an active role as a supervisory authority in the protective security field.