Cirio analyzes the consequences of the new legislation on the transfer of security-sensitive business

New legislation on the transfer of security-sensitive business effective from 1 January 2021

On 25 November 2020, the Swedish Parliament passed amendments to the Security Act (SFS 2018:585) (“Act”) protecting infrastructure of potentially sensitive nature for Swedish security. The amended Act enters into force on 1 January 2021 for processes not already initiated before such date. The Act potentially covers a broad range of sectors and affects both Swedish and foreign investors who are contemplating investing in security-sensitive activities and entities conducting such activities when contemplating to divest all or parts of their business. The Act makes it mandatory to engage in a security assessment and consultation process with the consultation authority being the security police (Sw. SÄPO) or the armed forces (Sw. Försvarsmakten) depending on the sector involved.

Which sectors are covered?

The Act generally covers “activities of importance for Sweden’s national security”, which includes both military and civil activities. In the preparatory works services such as airports, powerplants and information systems for electronic communication are identified, as well as services that could be of fundamental importance to Sweden’s national security.

Moreover, sectors such as health care, financial services, artificial intelligence, innovations, and food supply have been mentioned as potentially being captured as well.

Also suppliers of vital services or products to operators who perform Security-Sensitive Activities may be covered. This makes it necessary for the operators to test if their own operation is subject to the legislation.

A decisive factor for whether an activity falls within the definition is whether a hostile act could lead to damaging consequences on a national level.

What types of transactions are covered?

The Act applies to all “disposals” or “transfers of ownership”, which means any kind of transfer, albeit one can expect that transfers not leading to a larger ownership change will not be scrutinized in full by the authority.

This may include

• Transfer of existing shares regardless of percentage
• Issue new shares
• Transfer of a business
• Transfer of assets or services

The only express exemptions are sales of shares in public companies (not necessarily listed companies even though this must be the intention) and sales of real estate.

There is no threshold as to the size of the ownership and therefore also a small change in ownership would potentially trigger the application of the security assessment and notification.

Furthermore, the fact that there is no threshold means that when a buyer increases its stake, regardless of current ownership or size of the planned investment, a notification has to be made each time.

How does it apply to domestic versus foreign operators and investors?

The Act applies equally to domestic and foreign investors and operators as long as the business concerned is of importance for Sweden’s national security. It may in principle also apply to foreign operators if it supplies equipment or services to said businesses.

How is the assessment and mandatory consultation process conducted?

The operator of the security-sensitive activities shall perform a safety protection assessment and a suitability assessment before initiating a transaction. It shall also be noted that it is primarily the operator, rather than the investor or acquirer, who is obliged to undertake the assessment and consultation, but the harsh consequences of not complying with the Act may affect the acquiror/investor at least as hard as the operator the business. In case of a sale of shares, even a small percentage, the seller is dependent on the operator to provide the relevant information and otherwise to cooperate.

Should the assessment establish that the transfer is unsuitable from a security protection perspective, the transfer shall not be carried out. Should the assessment instead establish that the transfer is suitable, the operator is obliged to consult with the consultation authority. The authority can only review a specific transaction i.e. it is not possible to get advance rulings or guidance. Hopefully, as the case law of the authority develops guidance notes can be provided.

Such authority is authorised to issue injunctions against the parties and, ultimately, prohibit the transfer. This right also applies if consultation has not been undertaken and in such case the authority can at any time declare the transaction null and void from the outset.

There are no timelines or review periods stipulated for the consultation process even though the lawmakers has given instructions that such shall be produced. Given the potential number of transactions which are subject to mandatory notification, it is important to factor in a rather long review period when structuring a transaction.

Key takeaways

• Identify early if the Act is applicable.
• If applicable, how will this impact on the process and the information in the sales process?
• The parties must bear in mind that some information is secret, and the NDA will have to facilitate for the fact that classified information is to be provided or not provided. If not, when shall it be provided?
• The vendor due diligence must address the risk and timetable involved in order for the buyer to take a well-informed decision.
• For bidders, additional due diligence must be performed to address legal, commercial and execution risks.
• The seller will have to decide whether certain buyers shall be excluded from the process.
• It will become relevant to look deeper into the identity of the ultimate owner of the potential buyers to make a proper risk assessment.
• Are there ways of mitigating the risk by imposing conditions on the buyer?
• How will the risk be allocated in the SPA?
• How will a drop-dead date be set, as the time for the relevant authority to take a decision is not yet provided for?
• The process must consider all regulatory approvals which are required.
• In case of a capital raising, the same issues as above will be relevant, but, in addition, the terms and conditions of the subscription must facilitate for a negative outcome in respect of one or several investors.

Final remarks

The Act will have a major impact on both foreign and Swedish investors contemplating to acquire Swedish companies conducting security-sensitive activities and Swedish operators contemplating to divest all or parts of their business. The Act will result in delays in the transaction process given that the operators will have to perform assessments of the transfer and consult with the designated consultation authority. It may also be a cumbersome exercise for many operators to seek to determine whether their business is to be considered security-sensitive as the definition thereof is not clear in the Act. Thus, investors and operators of a business to which the Act’s application is unclear may choose to carry out the mandatory self-assessment and consultation as a precautionary measure in order not to risk the harsh consequences of a transaction being null and void should they be found to have been in violation of the Act.

For more information please contact: