On 25 November 2020, the Swedish Parliament passed amendments to the Security Act (SFS 2018:585) (“Act”) protecting infrastructure of potentially sensitive nature for Swedish security. The amended Act enters into force on 1 January 2021 for processes not already initiated before such date. The Act potentially covers a broad range of sectors and affects both Swedish and foreign investors who are contemplating investing in security-sensitive activities and entities conducting such activities when contemplating to divest all or parts of their business. The Act makes it mandatory to engage in a security assessment and consultation process with the consultation authority being the security police (Sw. SÄPO) or the armed forces (Sw. Försvarsmakten) depending on the sector involved.
The Act generally covers “activities of importance for Sweden’s national security”, which includes both military and civil activities. In the preparatory works services such as airports, powerplants and information systems for electronic communication are identified, as well as services that could be of fundamental importance to Sweden’s national security.
Moreover, sectors such as health care, financial services, artificial intelligence, innovations, and food supply have been mentioned as potentially being captured as well.
Also suppliers of vital services or products to operators who perform Security-Sensitive Activities may be covered. This makes it necessary for the operators to test if their own operation is subject to the legislation.
A decisive factor for whether an activity falls within the definition is whether a hostile act could lead to damaging consequences on a national level.
The Act applies to all “disposals” or “transfers of ownership”, which means any kind of transfer, albeit one can expect that transfers not leading to a larger ownership change will not be scrutinized in full by the authority.
This may include
The only express exemptions are sales of shares in public companies (not necessarily listed companies even though this must be the intention) and sales of real estate.
There is no threshold as to the size of the ownership and therefore also a small change in ownership would potentially trigger the application of the security assessment and notification.
Furthermore, the fact that there is no threshold means that when a buyer increases its stake, regardless of current ownership or size of the planned investment, a notification has to be made each time.
The Act applies equally to domestic and foreign investors and operators as long as the business concerned is of importance for Sweden’s national security. It may in principle also apply to foreign operators if it supplies equipment or services to said businesses.
The operator of the security-sensitive activities shall perform a safety protection assessment and a suitability assessment before initiating a transaction. It shall also be noted that it is primarily the operator, rather than the investor or acquirer, who is obliged to undertake the assessment and consultation, but the harsh consequences of not complying with the Act may affect the acquiror/investor at least as hard as the operator the business. In case of a sale of shares, even a small percentage, the seller is dependent on the operator to provide the relevant information and otherwise to cooperate.
Should the assessment establish that the transfer is unsuitable from a security protection perspective, the transfer shall not be carried out. Should the assessment instead establish that the transfer is suitable, the operator is obliged to consult with the consultation authority. The authority can only review a specific transaction i.e. it is not possible to get advance rulings or guidance. Hopefully, as the case law of the authority develops guidance notes can be provided.
Such authority is authorised to issue injunctions against the parties and, ultimately, prohibit the transfer. This right also applies if consultation has not been undertaken and in such case the authority can at any time declare the transaction null and void from the outset.
There are no timelines or review periods stipulated for the consultation process even though the lawmakers has given instructions that such shall be produced. Given the potential number of transactions which are subject to mandatory notification, it is important to factor in a rather long review period when structuring a transaction.
The Act will have a major impact on both foreign and Swedish investors contemplating to acquire Swedish companies conducting security-sensitive activities and Swedish operators contemplating to divest all or parts of their business. The Act will result in delays in the transaction process given that the operators will have to perform assessments of the transfer and consult with the designated consultation authority. It may also be a cumbersome exercise for many operators to seek to determine whether their business is to be considered security-sensitive as the definition thereof is not clear in the Act. Thus, investors and operators of a business to which the Act’s application is unclear may choose to carry out the mandatory self-assessment and consultation as a precautionary measure in order not to risk the harsh consequences of a transaction being null and void should they be found to have been in violation of the Act.