Sweden

Security Protection Act (1996:627)
Purpose and area of application:
The purpose of the act is to protect certain security-sensitive operations and businesses worthy of protection. The act regulates security protection, i.e. protection against espionage, sabotage and other crimes against national security. The Security Protection Act applies to (i) the government, municipalities and county councils, (ii) companies (private and public) and foundations under the decisive influence of the government, a municipality or a county council, and (iii) individuals, if the business conducted is of importance to national security.
Obligations:
• Entities/authorities falling within the scope of the act must maintain an adequate level of security, taking into account the nature, scope and other circumstances relevant to the business. The security protection shall prevent (i) confidential information relating to the security of the country from being disclosed, altered or destroyed without authorization (information security); (ii) unauthorized access to places where access may be gained to information referred to in (i) or where activities affecting the security of the country are conducted (access restriction); and (iii) persons who are unreliable from a security standpoint from participating in activities that are important for the security of the country (security testing).
• When designing the information security, it shall be designed with due consideration for individuals' right to access public documents in accordance with the Freedom of the Press Act.
• Provisions prohibiting access to certain buildings, other facilities, areas and other objects can be found in the Protection Act (2010:305).
• Employees participating in businesses relevant to national security, or processing data relevant to the protection against terrorism, must undergo a security check and, where applicable, a personal investigation. In addition, it shall be ensured that the staff receive training on security issues and that the security protection is audited.
Miscellaneous:
Note that this law will be replaced as of 1 April 2019 by SFS 2018:585, including e.g. the following changes:
• A clarification that the Security Protection Act applies to both official and private operations.
• A strengthening of the security protection in security sensitive business operations.
• A strengthening of the requirements related to outsourcing and transfer of security sensitive operations and requirements on security protection agreements and consultation with authorities.
Regulation (SFS 1996:633) on security protection
Background:
The regulation supplements the Security Protection Act (1996:627).
Obligations:
• A security analysis must be made, i.e. an analysis of which information is to be kept secret.
• Documentation of vital importance for the national security shall be inventoried at least once a year.
Identification of a Security Officer:
Authorities, and others falling within the scope of the regulation, shall, unless it is obviously unnecessary, appoint a Security Officer that shall exercise control over the security protection. As regards authorities, the Security Officer shall be directly under the authority of the director of the authority. There shall be a substitute for the Security Officer. If necessary, there must also be a deputy security officer.
Notification requirements/cooperation with authorities:
• If secret information (i.e. information classified as secret in accordance with the Public Access and Secrecy Act (2009:400) and which concerns the security of the country) is disclosed, this shall promptly be reported to the Swedish Security Service (Sw: Säkerhetspolisen) if the disclosure can be expected to cause damage to national security.
• Authorities shall promptly report to the relevant supervisory authority any IT incident in the authority's information system where (i) the incident could seriously affect the security of an information system in which secret information is processed/handled to a certain extent, (ii) the incident could seriously affect the security of an information system that is particularly necessary to protect against terrorism, or (iii) the incident was detected through support pursuant to section 4 of the Ordinance (2007:937) with instructions for the National Defence Radio Establishment (Sw: Försvarets radioanstalt).
• A governmental authority which intends to initiate a procurement which requires a security agreement pursuant to section 8 of the Security Protection Act (1996:627) shall, if the intended supplier may get access to or have the ability to store secret data outside the premises of the authority, consult the supervisory authority before such procurement is initiated.
• Before an authority establishes a register that is to be kept by automated processing and that can be expected to contain data which, in case of disclosure, separately or compiled, may damage the total defence, the authority in question shall consult the Swedish Armed Forces and, depending on the nature of the data, the Swedish Security Service. In the case of data relevant to the security of the country, the authority shall, in the corresponding situation, consult the Swedish Security Service.

Electronic Communications Act (2003:389) and Regulation (2003:396) on electronic communication
Purpose and area of application:
The Electronic Communications Act, implementing the EU Electronic Communications Directive, aims at providing individuals and agencies with access to secure and efficient electronic communications and the greatest possible benefit regarding the range of electronic communications services and their price and quality. The act applies to (i) electronic communication networks, (ii) communication services with associated installations and (iii) other radio transmission.
Obligations:
• Providers of public communications networks or electronic communication services shall take appropriate technical and organizational measures to ensure reasonable operational safety, taking into account the available technology, implementation costs and the risk of disruptions and interruptions.
• Providers of a publicly available electronic communication service shall take appropriate technical and organizational security measures to ensure that the data processed in connection with the service is protected, taking into account available technology, implementation costs and the risk of data breaches.
• Suppliers that fall under the notification requirement (see below) shall take special technical and organizational measures to protect the data processed.
Notification/cooperation with authorities:
• Public communication networks usually provided against remuneration, or publicly available electronic communication services, may only be provided after notification to the supervisory authority.
• Providers of public communication networks or electronic communication services must, without undue delay, report disruptions and interruptions in their communication networks to the supervisory authority.
• In order to use radio transmitters in Sweden or on a Swedish ship or aircraft abroad, a radio transmitter license must be granted.
• Certain services of general importance to society (listed in chapter 5 section 1) must be procured by the government, taking into account the costs of providing the service or network.
• Providers of general communication services shall, without undue delay, notify the supervisory authority of any privacy breaches.
• The supervisory authority may, if it is in the public interest, oblige a provider of a public communications network or publicly available electronic communications services to inform the public of any interferences or interruptions.

Patient Data Act (2008:355) and Patient Security Act (2010:659)
Purpose and area of application:
IT security within the healthcare sector is mainly regulated in the Patient Data Act (2008:355). The act is further specified in the Patient Data Regulation (2008:360) and the National Board of Health and Welfare's Regulations and General Advice on the Recording and Processing of Personal Data in Health Care (HSLF-FS 2016:40). The purpose of the regulation is to ensure proper processing of patient data by healthcare providers.
Obligations:
• Healthcare providers shall inter alia maintain an information security policy, continuously evaluate operational risks and maintain back-up copies.
• Furthermore, the legislation is supplementary to the Data Protection Regulation meaning that healthcare providers also must take all measures provided for in the regulation. Please see below for a further description of the regulation.
Notification/cooperation with authorities:
• According to the Patient Security Act (2010:659), the healthcare provider is obligated to give an annual account of how the work with inter alia information security proceeds.
• In the event of an audit by the Swedish Health and Social Care Inspectorate, the healthcare provider must cooperate with the Inspectorate and must provide such aid which may be required to conduct the audit.
• In addition, the healthcare provider is obliged to adhere to the obligations set forth in the data protection regulation, please see below for a further description of the regulation.

The Swedish Financial Supervisory Authority’s Regulations and General Guidelines (FFFS 2014:5) Regarding Information Security, IT Operations and Deposit Systems and The Swedish Financial Supervisory Authority’s Regulations and General Guidelines (FFFS 2014:4)
Purpose and area of application:
The regulations and general guidelines set forth rules regarding IT security for inter alia banks, credit market companies and securities companies.
Obligations:
• The regulations and general guidelines require companies falling within the scope of the regulations and guidelines to use an information security management system and further specify what should be included in such a system e.g. goals and directions for its information security, information classification, responsibility allocation, risk analysis, internal rules for information security work, access and permissions to its IT systems, and regular evaluation of the system.
• The regulations and general guidelines also require companies to e.g. ensure that their IT systems are sufficiently secure in relation to the nature of the information processed in the systems, and to have overall goals and strategies for their IT operations.
• The deposit system provisions only apply to undertakings that receive or intend to receive deposits encompassed by a deposit guarantee scheme under the Swedish Deposit Guarantee Scheme Act (1995:1571) requiring such undertakings to e.g. use IT systems that enable the undertaking to automatically compile data about depositors and their deposits, annually analyze the risks relating to the IT system, and ensure suitable technical functions and administrative procedures.
• The deposit system provisions also require the internal audit function to perform an annual audit of the undertaking’s deposit system etc. and deliver the report to the undertaking’s board of directors.
• Please note that the regulation and general guidelines FFFS 2014:4 consist of both regulations and general guidelines. Companies falling within the scope of the regulations and guidelines are required to comply with the regulations as opposed to the general guidelines which are only “recommendations” from the Swedish Financial Supervisory Authority (“SFSA”). However, should a company decide not to comply with the general guidelines the company is expected to explain the deviation from the general guidelines.
Notification/cooperation with authorities:
• There are no requirements to notify the SFSA. However, in general the required documentation (the information security management system) is made available to the SFSA as part of the application to become an authorized company.

Regulation (2015:1052) on emergency management and authorities responsible for surveillance at heightened alerts
Purpose and area of application:
The regulation aims to minimize vulnerability in society and to regulate the processing of data during peacetime crisis situations and heightened alerts. The regulation applies to governmental authorities, except for the Government Offices, the government committee system and the Swedish Armed Forces.
Obligations:
• Annually analyze the vulnerabilities, threats and risks that may gravely impair the authority's ability to carry out its operations.
• Plan and enable crisis management and take preparatory actions in order to prevent vulnerability, threats and risks.
• Ensure that information management systems fulfil fundamental and special security requirements, especially taking into account the necessity of secure management systems.
Notification/cooperation between authorities:
• Authorities concerned by a crisis shall cooperate and support each other in crisis situations.
• In certain crisis situations and upon the Swedish Government's or the Swedish Civil Contingencies Agency's request, report on the course of events.
• Report to the Swedish Civil Contingencies Agency any IT security incidents in the authority’s information systems that may seriously affect the security in the information management for which the authority is responsible or in services that the organization provides to other organizations.

Ship Security Act (2004:487)
Purpose and area of application:
The Ship Security Act supplements the EU Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security.
Obligations:
• The Ship Security Act does not include any specific obligations related to IT security. However, it stipulates that the Swedish Police Authority is the body that decides on the level of security on ships and in port facilities, and that if no such decision is taken, the lowest level of security shall apply.
• Ship owners are responsible for ensuring that the ship undergoes supervision according to the EU Regulation No 725/2004.
• The Ship Security Act further specifies the obligation for ship owners, skippers, commanders, security protection managers and the crew of the vessel, to submit to and cooperate with the supervisory authority where inspections are carried out under the EU Regulation (EC) No 725/2004.

Nuclear Activity Act (1984:3)
Purpose and area of application:
The Nuclear Activity Act applies to nuclear activities etc., including e.g. (1) construction, possession or operation of a nuclear facility, (2) acquisition, possession, transfer, processing, transport or other handling of nuclear material or nuclear waste, (3) import of nuclear material or nuclear waste and (4) export of nuclear waste.
Obligations:
• Nuclear activities shall be conducted in accordance with the requirements and obligations set out in Sweden’s agreements entered into for the purpose of preventing nuclear proliferation and unauthorized access to nuclear material, nuclear waste and spent nuclear fuel.
• Nuclear activities may only be conducted after being granted permit for such activities.
• Security shall continuously and systematically be evaluated and, as far as possible and reasonable, improved in the business and at the facilities, taking into consideration e.g. the conditions under which the operation is conducted, how the equipment and facilities are affected by age and usage, and experience from similar operations.
• Security protection measures must be taken in the event of disturbances or breakdowns in the facility.
• A comprehensive and systematic analysis of the security and radiation protection, including measures for maintaining and/or improving security, must be conducted every ten years.
• Entities holding permits to operate nuclear power reactors must have certain research and development programmes in place.

Provided By:
Johanna Linder, Sara Andersson, Elin Holm, Pierre Olsson, and Isak Åberg: Advokatfirman Cederquist KB