The New Security Protection Act, April 1, 2019

Published on March 21, 2019

As you may have heard, the Swedish government is implementing a new Security Protection Act that all authorities and private actors conducting security-sensitive activities will need to comply with starting April 2019. We know what you are thinking: you already have Total Defence Planning, the NIS Directive and the GDPR (General Data Protection Regulation) to worry about, so why throw in another regulation? Well, don’t worry, we have written this article and a few more to help you look like the genius at your next meeting.

So let’s break down what this new Act is, why it exists and who it is going to affect. If you already know this, skip ahead to our next article, where we look at how to prepare for the new Security Protection Act.

What is the Security Protection Act?

The Security Protection Act, which was adopted by the Riksdag (the Swedish parliament) on 16 May 2018, comes into force on 1 April 2019. The new Security Protection Act applies to anyone who conducts activities that are considered essential to Sweden’s security, or that are covered by international obligations on security protection that are binding for Sweden. The law is based on Government Bill 2017/18:89, which was shaped around Sweden’s current and future security needs in a digital environment. As a result, the new Act takes a broader view of what counts as a security-sensitive activity.

Security protection refers to the protection of security-sensitive activities against espionage, sabotage, terrorist offences and other offences that may threaten those activities, together with the protection of classified information. The Security Protection Act protects activities that are important for Sweden’s security from a national perspective, which means that many activities can be important to society without being regarded as security-sensitive.

The new security protection legislation replaces the previous Act from 1996. An important difference from the old law is that the term “secret information” is replaced by classified information, divided into four information classes: “Top secret”, “Secret”, “Confidential” and “Restricted”, within the framework of the Public Access to Information and Secrecy Act (2009:400) (OSL), chapter 15, section 2.

Another concept that has been added is “other security-sensitive activities”, which includes IT systems of central importance to a functioning society, for example in healthcare, energy supply and the transport sector. The term “other security-sensitive activities” does not refer to information assets that themselves consist of classified information. It instead refers to IT systems that are so important for security-sensitive activities that they need to be covered by security protection with regard to the availability and integrity of the information they handle.

All in all, anyone who is responsible for security-sensitive operations in Sweden will need to ensure that:

  • The need for security protection is investigated in a security protection analysis that covers threats, vulnerabilities and possible consequences, and that can form the basis of a security protection plan.
  • Protective measures are taken and compliance with the regulations is checked.
  • Information is provided to the appointed supervisory authority in accordance with the reporting obligation.
  • Information assets and IT systems are inventoried and classified according to the basic principles of information security: confidentiality, integrity and availability (CIA).

Why do we need a new Security Protection Act?

The proposal for a new Security Protection Act comes partly as a response to the technological development of recent years and partly because of a change in how we look at information that is worth protecting. The previous law from 1996 focused narrowly on national security, whereas today there is a need to also include public and private activities within the framework of security protection. Additional arguments presented for the new law include:

  • The concept of the state’s security needs to be broadened, and its internal and external boundaries defined in a way that corresponds to today’s challenges.
  • Increasing cyber crime and other threats from non-state actors.
  • The impact of digitalisation on information management and data protection.
  • Increased complexity in who is responsible, for example with outsourcing, shared infrastructure and shared operations.
  • Information sharing as part of business or other civilian activities.

The Act is an important step in the Swedish national security strategy, among other things when it comes to producing threat and risk analyses for IT systems, ensuring operational reliability, and preventing and managing IT incidents. It is also positive that there is now a requirement that central security actors must comply with. With the support of the designated supervisory authorities (the Swedish Security Service, the Swedish Armed Forces, the Swedish Transport Agency, the Swedish Post and Telecom Authority, the Health and Social Care Inspectorate, the Swedish Financial Supervisory Authority, etc.), businesses and government alike will share a common approach to security.

Who does the Swedish Security Protection Act concern?

The new Security Protection Act (2018:585) and the Security Protection Ordinance (2018:658) apply as of April 1, 2019 to anyone who conducts security-sensitive activities. The new Act covers more functions than before, as the legislation now makes clear that it applies to both publicly and privately owned organisations. The Act covers security-sensitive activities and classified information found within the defence sector, municipalities and government authorities, but also within private actors in, for example, the energy and telecom sectors.

Third party Supplier to the Government

As a supplier to a government entity, or to a company that in turn supplies the government, you can be subject to the new Security Protection Act. This means that you may have to implement the same level of security protection as the government entity you supply. For example, if you deliver and assemble components for an electricity company, and those components are used to build Sweden’s energy infrastructure, both your company and your subcontractors may need to sign security protection agreements.

So the question you are asking is: does my business conduct operations or handle information that is sensitive to Sweden’s security? A simple place to start is to answer these questions:

  • Would a breach of your company cause damage to Sweden’s external or internal security?
  • Would a breach of your company cause damage to nationally important operations?
  • Would a breach of your company cause damage to Sweden’s economy?

How does this affect a third-party supplier to the government?

Government authorities, municipalities and county councils that intend to carry out a procurement and enter into an agreement on goods, services or construction contracts will need to ensure that a security protection agreement specifies how the supplier is to meet the security protection requirements.

The party responsible for the operations must check the security protection in its own business, report matters of importance to security protection to the supervisory authority, and otherwise take the measures the new Act requires.

Conclusion

Organizations that conduct security-sensitive activities must inventory and classify their information assets and IT systems according to the information security principles of confidentiality, integrity and availability. Such an inventory should also determine whether the activity is covered by the Security Protection Act. If information assets or IT systems fall within the Security Protection Act, the organization must carry out a security protection analysis and then establish a plan for what the security protection should look like. Our next blog post will dive into what you need to consider in a security protection analysis.


Author:

Johan Rundquist, Information Security Consultant

+46 (0)70-602 06 18

johan.rundquist@securestatecyber.com