Extensive amendments to the Swedish Protective Security, which include increased obligations for operators of security-sensitive activities and a comprehensive sanctions system, are proposed to enter into force on 1 December 2021. These changes, which were presented in a Government bill of 18 March 2021, generate new and far-reaching obligations for many companies, especially in view of the severe sanctions that may be imposed if the obligations are not complied with.
The Government bill requires companies, to a greater extent than today, consider and decide if their business is to be regarded as security-sensitive. This is a broad concept that can accommodate several different activities, including within the manufacturing industry, financial services as well as the infrastructure and the energy sectors. Extensive requirements are placed on businesses that are engaged in security-sensitive activities and therefore fall within the scope of the PSA. For example, many situations will require the conclusion of a protective security agreement, which means that the operator must take account of far-reaching and time-consuming obligations that coincide with the requirements to carry out a special protective security assessment and suitability test, and in some cases a consultation procedure with the relevant authority. Moreover, the requirement to enter into a protective security agreement affects the counterparty to a large extent, which, inter alia, must carry out security assessments of its employees.
Further, the proposed amendments will also have a significant impact on mergers and acquisition activity in Sweden. The sanctions that the supervisory authority may impose on the operator emphasise the requirements applicable to a transfer of a security-sensitive activity. Substantial fees may be the result if these requirements are not complied with, in addition to the risk that a transaction may not be carried out at all.
The main points of the Government bill are summarised below.
Obligation to notify the supervisory authority regarding security-sensitive activities. The operator of security-sensitive activities must notify the supervisory authority of its activities without delay once the legislative amendments have entered into force. Notably, supervision of these activities may be exercised regardless of whether the notification obligation has been fulfilled or not, if the supervisory authority considers that the activities falls within the scope of the PSA.
Protective security manager. An activity covered by the PSA must have a protective security manager, unless it is clearly unnecessary. The protective security manager shall lead and coordinate the protective security work and ensure that the activity is conducted in accordance with the law and current regulations.
Extended requirement to enter into protective security agreements. There is currently an obligation to enter into protective security agreements in relation to public procurements that include security-classified information as well as other circumstances where a supplier of, for example, goods and services gains access to security-sensitive activities. The proposed legislative amendments will lead to a significant extension of the requirement to enter into protective security agreements. Currently, the requirement for a protective security agreement is based on the type of agreement, cooperation or collaboration that is relevant and the role of the operator. Pursuant to the proposed amendments, the requirement will instead be based on the risk of exposure of the particular security-sensitive activity.
Requirements for a special protective security assessment and consultation procedure. Prior to entering into a protective security agreement, the operator will be obliged to carry out a special protective security assessment to identify the security-classified information or security-sensitive activities that the counterparty may gain access to. The operator must also conduct a suitability test of the planned procedure. In addition, certain particularly sensitive protective security agreements require the operator to consult with the supervisory authority. If a planned procedure is considered inappropriate in a protective security perspective, the supervisory authority may decide that it cannot be carried out. The authority may also intervene in ongoing procedures.
Extended supervision. It is proposed that the supervisory authorities are given increased supervisory powers. The supervisory authority may order a party that is subject to supervision to provide information and grant access to, inter alia, Such an order may be combined with an administrative fine. The supervisory authority may also request assistance from the Swedish Enforcement Authority to carry out supervisory measures.
A sanctions system is introduced. Pursuant to the proposed amendments, the supervisory authority may impose an administrative fine on any operator that fails to comply with key obligations under the protective security legislation. In particular, it should be noted that an administrative fine may be imposed if the requirements applicable to a transfer of security-sensitive activities have not been met, including when a shareholder has not fulfilled its obligation to consult with the supervisory authority, if a transfer has been carried out in breach of a ban or if incorrect information has been provided during the consultation procedure. The administrative fine shall be set at a minimum of SEK 25.000 and a maximum of SEK 50 million.
If you have any questions regarding the upcoming legislative amendments, please feel free to contact