As countries and organisations are coping with increasing threats in cyberspace, the Swedish government is preparing stricter security requirements in the field of national security, in part targeting outsourcing. In this article, Henrik Nilsson and Carl Gleisner of Wesslau Söderqvist Advokatbyrå in Stockholm, Sweden summarise the changes of most concern for business partners of Swedish entities engaged in sensitive operations.
Outsourcing of IT operations
The importance of cyber security has come to the forefront in recent years with an ever-growing plethora of examples to prove the point. One Swedish example of this is when the former director general of the Swedish Transport Agency was investigated in 2017 for unauthorised disclosure of information regarding national security and accepted a summary imposition of a fine. It would later become clear that the director general had overridden security concerns in relation to an outsourcing of most of the authority’s IT operations to foreign service providers outside the country, raising the prospect of foreign personnel who had not gone through security screening gaining access to sensitive information.
Revised Protective Security Act
Coinciding in time with the media spotlight on the Transport Authority’s failure in correctly handling information of importance to national security, the legislature was in the process of enacting a revised version of the Protective Security Act of 1996. While the main tenets of the act of 1996 were kept, the new law aimed to prepare Sweden for a modern and more dynamic threat landscape and clarified that privately held undertakings are also covered by the law.
Under the Protective Security Act, the authorities and undertakings to which the Act is addressed are responsible for assessing whether their activities, in part or in whole, are of importance to the national security of Sweden. Organisations that the Act applies to are required to conduct a protective security assessment, classify information, implement necessary controls and enter into protective security agreements when procuring goods and services. Furthermore, these organisations are subject to reporting requirements.
Even after the enactment of the revised law of 2018, the Protective Security Act relied on the voluntary co-operation of the organisations concerned. Following the failure at the Transport Agency and other issues, the Swedish government began a process of preparing stricter rules, enabling greater supervision and enforcement.
Protective security agreements will be required in more situations
The requirement for organisations concerned to enter into protective security agreements is presently limited to procurement situations. This has left out important situations where partners of authorities and undertakings otherwise gain access to protected information or operations, such as: when co-operating regarding research, innovation and cybersecurity; actors concerned in their role as suppliers; and, of course, the preliminary stages of any activity.
Under a government referral to the Council on Legislation published 18 March 2021, proposed amendments to the Protective Security Act will extend the obligation to enter into protective security agreements to all situations in which other actors may gain access to information classified as secret or its equivalent operations. Furthermore, actors concerned will be required to revise any future protective security agreements following changes in conditions and to act upon the contracting party’s breaches of the agreement. Actors concerned must also secure contractual rights to perform any audits necessary to ensure the other party’s compliance.
In an important change, organisations with operations vital to Sweden’s national security will be required to notify the relevant supervisory authority of this.
Special protective security assessments and assessments of appropriateness
It is especially noted in the referral that outsourcing is an area where actors have, to a large degree, failed to assess the lawfulness and appropriateness of any proposed outsourcing at an early stage. To counteract this, the referral proposes amendments making it explicit that actors concerned must, in cases where protective security agreements are mandatory, conduct and document a special protective security assessment and an assessment of the appropriateness in all situations. In some situations, the actor concerned must consult the supervisory authority even if the proposed activity is not deemed inappropriate.
The referral proposes that supervisory authorities receive new powers, including the authority to prohibit planned activities or stop activities already initiated if these are deemed to be inappropriate. Such orders may be combined with administrative fines if necessary.
Anyone conducting business with actors concerned must therefore bear in mind that neglecting obligations on protective security may lead to orders prohibiting the planned activities, thus disrupting the business opportunity.
Increased supervisory powers, new sanctions
It was also noted in the referral of proposed amendments to the Protective Security Act that the supervision of the actors concerned has been observed as ranging from the insufficient to the non-existent. It was further noted that some actors had elected not to correct infringements even when these had been established.
Under the proposed amendments, supervisory authorities will receive new powers to investigate infringements by ordering actors concerned to disclose relevant information and grant access to premises necessary to conduct supervision. Such orders can be combined with the threat of administrative fines. Furthermore, the supervisory authorities will be authorised to engage the Swedish Enforcement Authority to physically secure access to information and premises if necessary. Finally, the supervisory authorities may issue sanction charges of £2,000-4m against covered actors who infringe any of the fundamental obligations under the protective security acquis, initiate an activity contrary to an order issued by the supervisory authority or give incorrect information during a consultation. If, as is expected, the proposed amendments are adopted by the Riksdag, the changes to the Protective Security Act will come into force on 1 December 2021.
Following the adoption of the proposed amendments, actors concerned and their business partners will be required to review their processes regarding protective security. Any foreign business partner is advised to investigate its ability to comply with stricter requirements and its ability to respond to questions from a supervisory authority with far-reaching powers of investigation.