Many operators in the energy sector are affected by the changes to the protective security legislation that entered into force on 1 December 2021 through laws including the Act Amending the Protective Security Act (SFS 2021:952) and the new Protective Security Regulation (SFS 2021:955).
Businesses that are to any extent significant for Sweden’s electricity and energy supply or that involve similar socially important functions and that can thus be considered to be carrying out activities that are sensitive for security purposes in accordance with the Act must report their activities to a competent supervisory authority. An express responsibility has been imposed on each operator to perform a documented analysis of whether they are carrying out activities that are sensitive for security purposes and, if so, to investigate the need for protective security, plan and adopt the required security measures and regularly monitor and check on protective security in their own operations. The requirements for entering into protective security agreements have been extended and in some cases the operator is also required to consult the supervisory authority before an agreement may be entered into or a collaboration may be initiated. A requirement has now also been imposed for protective security agreements to be entered into between companies in the same group. Furthermore, the supervisory authorities have been given greater powers to investigate and intervene against the operator in order to ensure compliance with the regulations.
Background
Deregulation and the opening up of socially important activities to competition have meant that many socially important activities are no longer subject to direct influence by the state. Those activities are largely carried out and managed by individual operators, and also through foreign ownership or influence. Greater digitalisation means that many socially sensitive operations are managed in a way that may be exposed to external threats in the form of espionage, sabotage and terrorism. As the external threat to Sweden has increased, the legislator has identified a need to identify activities that process socially sensitive data and to regulate them more clearly. The new Protective Security Act (SFS 2018:585) and Protective Security Regulation (SFS 2018:658) therefore entered into force on 1 April 2019. In order to further strengthen the protective security of socially sensitive information, a new Protective Security Regulation (SFS 2021:955) and amendments to the Protective Security Act through the Act on Amendment of the Protective Security Act (SFS 2021:952) were introduced on 1 December 2021. There follows a summary of some of the most significant legal requirements now applying in this area.
Obligation to report to a competent supervisory authority
Since 1 December 2021, operators carrying out activities covered by the Protective Security Act have been subject to an obligation to report.
It is up to each operator itself to assess whether its operations are important for Sweden’s security to any extent. As a first step, a thorough analysis needs to be carried out, particularly since breaches of the obligation to report may be met with administrative coercive measures such as penalty orders, prohibition orders and penalty fees.
As far as operators in the energy sector are concerned, it should be emphasised that as early as in the preparatory materials for the Protective Security Act – in Government Bill 2017/18:89 – the Government pointed out that the electricity supply is in a unique position due to its direct and indirect impact on the functioning of society. Interruptions in the electricity supply were also considered to have potentially serious damaging consequences in other sectors such as electronic communications and central payment systems. For example, a power dam may have a critical function in the electricity supply system and may also give rise to effects causing damage to other operations if it fails as a result of an antagonistic act.
Each individual legal entity must be regarded as a separate operator, which means that each company engaged in activities that are sensitive for security purposes within a group is subject to the obligation to report. In other words, it is not sufficient for the group parent company to report its operations on behalf of the whole group.
The report must be issued to a competent supervisory authority. For nuclear operators engaged in activities that are sensitive for security purposes, the Swedish Radiation Safety Authority is responsible for supervision. Operators in the areas of district heating, natural gas and oil fuels that carry out activities that are sensitive for security purposes must report to the Swedish Energy Agency. Operators in electricity supply and dam facilities, with the exception of nuclear activities, must report to Svenska Kraftnät.
The role of protective security manager is strengthened
Relevant operators were previously required, unless it was clearly unnecessary, to appoint a protective security manager to be responsible for the business’ compliance with protective security legislation. A requirement is now imposed to the effect that the protective security manager must be directly subordinate to the manager of the operator’s business, which for a limited liability company normally means the Chief Executive Officer. The protective security manager is expected to lead and coordinate protective security work, control operations and to fulfil an active, operational role. In a group, each company subject to the Protective Security Act must have its own protective security manager.
New requirements regarding protective security agreements
Previously, the requirement to enter into a protective security agreement was confined to procurements and other acquisitions. The circle of stakeholders with which an operator must enter into a protective security agreement has now been expanded through the updates to the protective security legislation that entered into force in December 2021, in such a way that protective security agreements may also need to be entered into in connection with contracts without procurement for cooperation or collaboration that enable the counterparty to gain access to data classified for protective security purposes. It is up to the operator in each individual case to carry out a security assessment where the risk of exposure of the activities that are sensitive for security purposes must be weighed against the damaging consequences that may affect Swedish society as a result of exposure of the data. The protective security legislation is based on four categories of data that must be protected:
- Top secret: particularly serious damage
- Secret: serious damage
- Confidential: not insignificant damage
- Restricted: only minor damage
Before entering into an agreement or collaboration, the operator must carry out a security assessment in order to survey the category of data that a party to an agreement or collaboration may access. The security assessment must be accompanied by a suitability test in which the operator must weigh up whether it is appropriate for an agreement to be entered into or a collaboration initiated in view of the potential damaging consequences.
A protective security agreement must always be entered into with a counterparty who is able to access data classified as “confidential” or higher. One new feature is also the introduction of an obligation to consult a relevant supervisory authority for information that is considered to belong to the category of “secret” or higher. The supervisory authority is given the opportunity to comment on the design of the protective security agreement and ultimately prohibit the intended procurement, entry into an agreement or collaboration.
It is important to bear in mind that if the criteria for entering into a security agreement in accordance with the law have been met, that security agreement must be signed before the counterparty can gain access to the activities/information that are sensitive for security purposes.
An obligation has also been introduced for operators to check and monitor and, when the need arises, revise any protective security agreements entered into. That means that any security agreement must be designed in such a way as to make these rights clear and safeguard them.
Protective security agreements must be entered into with all relevant subcontractors that may have access to information that must be protected. Protective security agreements also need to be entered into between companies within the same group.
The link between the protective security agreement and security clearance of a counterparty’s personnel is clarified
It was already presumed that an operator, through the application of protective security legislation and on the basis of the protective security agreement, would be able to impose requirements regarding security clearance with a record check and a specific personal investigation of the other party’s personnel. However, this was not clearly stated in any statute.
It has now been clarified in law that the protective security agreement can form a basis for the requirement for security clearance of a counterparty’s personnel and can form a basis for decisions on placement in a security category, record checks and a specific personal investigation.
The security clearance is carried out by the person who will employ or engage the person in question. The main purpose of the assessment is to clarify whether the person can be presumed to be loyal to the interests to be protected and is reliable from a security point of view and to investigate any vulnerabilities that could mean that the person ends up in a vulnerable situation.
Extended powers for the supervisory authorities
The latest amendments to the protective security legislation have granted the supervisory authorities greater powers and new abilities to intervene in order to enforce compliance with the regulations.
For example, the supervisory authority is able to impose measures on pain of a fine, such as ordering an operator to terminate a particular collaboration. The supervisory authority can also prohibit a particular measure, such as prohibiting an operator from entering into an agreement or initiating a collaboration. The supervisory authority is also able to impose a penalty fee for breaches of requirements of key importance for protective security, including breaches of the obligation to report, the requirement to appoint a protective security manager, the requirement to carry out and update protective security analyses and the requirement to enter into a protective security agreement.
In addition, the supervisory authorities have also been granted extended powers to investigate. The authorities can, among other things, require access to areas and premises and access to information and can request assistance from the Swedish Enforcement Service.
A few concluding points
The protective security legislation is relatively new and there are regular updates and clarifications. The legislative process has often been hasty and it is important for the operators concerned to actively monitor news in this area.
There is still a need for clarification from the legislator and the relevant authorities of how the regulations will be implemented in practice. In the case of any uncertainty, we recommend discussing the matter with the relevant supervisory authority. Advokatfirman Lindahl can of course help if any advice is required on matters such as compliance, negotiation and preparation of protective security agreements, as well as other matters that may arise in discussions with the supervisory authorities.