Sweden’s Protective Security Act targets cyber risks

IT suppliers must comply with tighter cyber security requirements, but are being offered help from government agencies

Sweden has responded to rising threats from the cyber domain by introducing new legislation to protect private and public security-sensitive activities from hostile attacks.

The Protective Security Act expands the legislative framework of safeguards that shield the country’s critical IT and digital infrastructure from increasingly frequent attacks by hostile actors in cyber space.

The goals and regulations set out in the legislation represent the end-product of several years of close consultation by the Swedish government with the IT industry and digital players. This collaboration focused on preparedness and drawing up legislation that would add an effective weapon to Sweden’s cyber threat defence arsenal.

The rules and regulations detailed in the Protective Security Act go far beyond the protection of personal data and national borders.

The stricter rules will apply to all IT companies and organisations, Swedish- and foreign-owned, that conduct security-sensitive activities as part of their operations in Sweden. They will be required to adopt strong security measures to protect their critical IT and digital infrastructure from cyber attacks.

Mikael Damberg, Sweden’s home affairs minister, said the legislation is intended to help companies and organisations protect themselves from cyber crimes that could threaten the whole country’s security.

“Our national security services have repeatedly stated that many organisations in Sweden continue to fail in their responsibility to conduct security protection analyses,” he said. “There must be trust and confidence that information that has value and is sensitive must remain confidential. The Act strengthens protections against cyber threats, including espionage and sabotage.”

The digitisation of Swedish society has accelerated the need for a modernised legislative framework to protect high-value and sensitive information. The new law governs how such data must be protected and places greater responsibility on employees of companies and organisations that operate IT and data infrastructure and cyber defence systems.


The Swedish government has made it somewhat easier to comply with the Act by enabling organisations to contact key national security agencies, including MUST (Militära underrättelse- och säkerhetstjänsten) and the Swedish Security Service (SSS/Säkerhetspolisen), for advice on compliance.

MUST is the military intelligence and security service of the Swedish Armed Forces (Försvarsmakten).

Jan Kinnander, head of MUST’s security unit, said: “The scope of the new Security Protection Act is ambitious. It bolsters our capacity to better protect IT infrastructure and data from the threats that exist today. The new law tightens the requirements for all actors, and that is good.

“The deteriorating external environment requires enhanced security protection. A positive collaboration between all good actors, civilian and military, is essential.”

Under the new Act, organisations and companies can liaise with the SSS and MUST when setting up, reinforcing or maintaining their security protection analysis processes. The legislation applies to all organisations that handle classified information material to their own security, and to those that operate information systems critical to public services that are relevant to Sweden’s national security.

The Act also requires organisations to implement additional security measures when outsourcing IT and data-processing work and functions. The particular focus here is on contracts awarded to foreign-owned companies, whether they are based in Sweden or operate from overseas locations.

More time for compliance

Aware of the challenges posed by the legislation, the Swedish government is giving companies and organisations more time to achieve full compliance by implementing the required measures.

Swedish companies stand to benefit from the government’s accommodating approach to the compliance deadline. A survey conducted by PWC Sweden before the new law was enacted found that 42 of the country’s 100 leading companies acknowledged that they were unprepared and not yet compliant with the new regulations.

Jakob Bundgaard, head of cyber security at PWC, said the new law is particularly relevant for companies that operate in healthcare, transport, energy supply, electronic communication, financial services and telecommunications.

“Many companies are a little hesitant about what the new rules will mean for them,” he said. “At its core, the law requires companies that fall within the reach of the Act to conduct a security protection analysis, and then establish a plan to shape their overall security protection.”

With cyber threats growing in severity, especially in the context of potential geopolitical instability, the Act strengthens the legislative tools available to Sweden’s national security agencies in their fight against hostile and criminal attacks aimed at stealing sensitive data or disrupting critical IT infrastructure and operations in Sweden.

Fredrik Agemark, head of the SSS’s protective security unit, said that increasingly sophisticated and malicious attacks from the cyber domain, especially those targeting vital public services and critical infrastructure, require holistic solutions.

“The new security protection law presents a challenge that requires a combined effort by the whole of Swedish society,” he said. “This applies to regulators, individual authorities and companies.”
