The new requirements apply to security-sensitive activities and security-classified information found in the armed forces, government agencies and the judicial system – but also at private operators, such as those in the energy and telecom sectors, water and energy plants and information systems for electronic communications. The concept of security-sensitive activities in the Protective Security Act is broad and not clearly defined. Whether a business, or part of a business, carries out a security-sensitive activity needs to be determined through a case-by-case assessment in order to ensure that the new requirements are met.
In short, the proposal introduces the following new elements:
- Assessment: A requirement for an operator of security-sensitive activities to conduct and document a specific security assessment, and a suitability assessment, prior to initiating a transfer of its business, or parts thereof. If the suitability assessment indicates that the transfer is not suitable from a security perspective, the operator may not proceed with the transfer.
- Consultation: A requirement for the operator of security-sensitive activities to consult with the applicable consultation authority prior to the transfer.
- Orders and Prohibition: Competence for the consultation authority to order the operator to take measures to fulfil its obligations under the Protective Security Act and, ultimately, to prohibit the transfer. No compensation to an owner who is prohibited from transferring its security-sensitive activities is included in the current proposal.
- Invalidity: Competence for the consultation authority to declare unlawful transfers (i.e. transfers carried out in violation of the provisions) void. Also, a transfer in violation of an issued prohibition is automatically considered void.
It should be noted that, under the current Swedish legislation in this field, an operator is only required to notify the Swedish Security Service prior to initiating a transfer of its security-sensitive activities, and to inform the acquirer that the activities are governed by the Protective Security Act. It should further be noted that the Protective Security Act entered into force in 2019 and that there is not yet any established practice on the interpretation of security-sensitive activities.
The proposal has now been submitted to the Council on Legislation for scrutiny before submission to the Parliament. We expect the proposal to draw significant attention from various industries that risk becoming subject to the new rules, as the proposal as it stands imposes quite significant constraints on the ownership of affected assets. Such debate may of course defer the implementation of the proposal.
As this will likely impact the strategy for potential transactions going forward, we will get back shortly with further details on the new proposal together with our analysis of the practical implications. However, you are of course welcome to contact us at any time to discuss any specific questions you may have.