New rules require transactions involving Swedish security-sensitive activities or assets to undergo a security screening
A proposal for a more general FDI screening framework was presented by the Direct Investment Inquiry in November 2021
Sweden remains a country that recognizes the beneficial effects of foreign direct investment (FDI) and ownership on the Swedish economy and on consumers. However, concerns over an increase in foreign investors in Sweden following the economic situation caused by the global pandemic prompted the Swedish government to take actions in 2020 and introduce screening rules for foreign investments by amending the Swedish Security Protection Act ("Security Act," Säkerhetsskyddslagen).
Although a proposal for a more general FDI screening framework was presented by the Direct Investment Inquiry (Granskning av utländska direktinvesteringar) in November 2021, the beefed-up Security Act has already had notable impacts on deals involving Swedish entities.
As of January 1, 2021, the Security Act requires that any transaction involving a Swedish entity operating security-sensitive activities or assets must be notified and receive approval from the Swedish Security Service (SÄPO, Säkerhetspolisen), the Swedish Financial Supervisory Authority (FI, Finansinspektionen) or the Swedish Armed Forces (SAF, Försvarsmakten)-—together, the "Reviewing Authorities"—before completion.
Although Sweden still does not have a general FDI screening mechanism, the new security screening obligation enables the Swedish government to supervise and ultimately block investments that may pose a threat to national security.
The Security Act is a general national security law that aims to protect information and activities of importance to Sweden's security against for example espionage, sabotage, terrorist offenses and other threats. The Security Act imposes a number of obligations on companies, public agencies or authorities with security-sensitive operations. Companies are required to self-assess whether their operations are considered security-sensitive, and thus fall under the scope of the Security Act.
If the assessment results in the conclusion that the Security Act is applicable, the company is required to notify the relevant reviewing authority and comply with the obligations set out in the Security Act, including the preparation of a security protection analysis and the adoption of measures within information security, personnel security, physical protection, security-protected procurements and transactions.
WHO FILES
The notification must be submitted by the seller. The seller is responsible for the assessment of the applicability, as well as compliance with the obligations, of the Security Act.
The notification shall be submitted to the relevant reviewing authority which is defined depending on the target company's activities:
- SAF is the reviewing authority for transactions involving companies active within the supply of defense-related material as well as authorities and agencies under the Ministry of Defence
- FI is, as of December 1, 2021, the reviewing authority for transactions involving all companies operating in Swedish financial markets, such as banks and other credit institutions, insurance companies, stock exchanges, etc.
- SÄPO is the reviewing authority for all other transactions
The new security screening obligation enables the Swedish government to supervise and ultimately block investments that may pose a threat to national security
TYPES OF DEALS REVIEWED
A transaction must be notified if it involves a Swedish entity that carries out security-sensitive activities or has assets that are considered security-sensitive or has access to security-sensitive information, so-called classified information.
The obligation to notify applies to both foreign (EEA and non-EEA) and non-foreign investors. Moreover, there are no specific thresholds with respect to acquired shareholding or control. The Security Act refers to the transfer of the whole or a part of the target entity. Only the transfer of shares in public limited companies are explicitly exempted from notification.
The concept of security-sensitive activities, assets or information ("security-sensitive activities" unless specified) is vaguely defined by the Security Act as activities that are of importance to Sweden's security, or are covered by an international protective security commitment that is binding for Sweden. Further guidance, although non-exhaustive, can be found in the preparatory works that mention sectors such as defense, law enforcement, energy and water supplies, vital infrastructure, telecommunications and transport.
It falls upon the target company and/or its seller, to assess whether it falls under the concept of security-sensitive activities. If the outcome of the assessment is that it falls under the notification obligation, the seller must follow the steps of the notification procedure set out in the Security Act.
- Security assessment: First, a security assessment must be carried out to identify the specific activities, assets or information the investor may get access to following the transaction. The security assessment shall be documented
- Assessment of appropriateness: Based on the security assessment, the seller shall assess if the transaction is appropriate from a security protection point of view. The assessment of appropriateness shall be documented
- Consultation: If the assessment of appropriateness concludes that the transaction is appropriate, the seller shall consult with the relevant authority by submitting a notification including the underlying assessments and general information about the parties and the transaction
SCOPE OF THE REVIEW
If the assessment of appropriateness leads to the conclusion that the transaction is not appropriate from a protective security point of view, completion of the transaction is blocked.
The reviewing authorities have the powers to block a transaction or approve it subject to commitments. Moreover, if the seller fails to notify a transaction that falls under the scope of the Security Act, a consultation procedure may be initiated ex officio and the transaction can be prohibited and held null and void, even after closing.
According to limited guidance issued by SÄPO, a transaction is considered inappropriate if the acquirer's access to the target's assets or operations may cause risks to national security. The target's operations or assets may also be of such a nature or such a significance for national security that a transfer of these to the acquirer is in itself inappropriate. A transaction may be inappropriate if the acquirer represents foreign interests.
The test is linked to a central question: What would the effects of a hostile action, such as an attack, espionage or an interruption of the target's business, products or services, have on Sweden's national security? (In this context, Sweden's national security is segmented into several categories including internal and external security, critical activities, national economy and spill-over effects on other critical activities.)
In order for the hostile action to trigger the need for security protection, the effects on national security must be material and measurable. For example, given that Sweden's population is largely geographically diverse and mainly concentrated to the Stockholm region, an attack against certain activities located in Stockholm will likely have a greater impact on national security compared to an attack against similar activities located in scarcely populated areas.
REVIEW PROCESS TIMELINE
There is no official timing for the review process. However, the Reviewing Authorities have an obligation to comply with Swedish administrative rules requiring a swift procedure. A decision should normally be issued within one to two months.
HOW INVESTORS CAN PROTECT THEMSELVES
Although the Security Act has been in force since the 1990s, it has mainly been a concern for a limited group of companies and government entities. The recent amendments, requiring certain investments to be notified, have thrown protective security issues into the spotlight of Swedish transactions. As the applicability of the Security Act is based on a self-assessment, target companies are now expected to be aware of the Security Act and whether it applies to their operations.
In view of the novelty of the notification obligation and the non-transparent nature of the Reviewing Authorities, there is limited guidance on the sectors and industries covered by the Security Act as well as the review process. A case-by-case assessment of the target is recommended for every deal.
An investor who aims to invest in any of the highlighted industries (defense, law enforcement, energy and water supplies, vital infrastructure, telecommunications and transport) should anticipate an assessment of the target company's services or products, assets, information accessed or stored and customers in order to conclude on the applicability of the Security Act.
The responsibility for the assessment of the applicability of the Security Act as well as the notification lies on the seller, and prior clearance should be a condition of the deal.
PROPOSAL FOR A GENERAL FDI REGIME
On November 1, 2021, the Direct Investment Inquiry handed over its report to the Swedish government, wherein it put forward a Proposal for a system for the review of FDI activities in Sweden.
The Proposal has a wide scope and would enable the Inspectorate of Strategic Products (Inspektionen för Strategiska Produkter) to review and block foreign investments by non-EU, EU and Swedish investors in activities "worthy of protection." Such activities include security-sensitive businesses and functions that are fundamental to the society (similar in scope to the current security screening mechanism), dual-use products, critical metal and minerals, and the development of new technologies.
According to the Proposal, the current security screening regime and the FDI regime would apply in parallel with no framework superseding the other. In practice, this means that a deal involving security-sensitive activities could be subject to two parallel notifications, one submitted by the seller under the Security Act, and one submitted by the acquirer under the FDI regime. It remains to be seen whether this potentially burdensome mechanism is maintained in the final proposal.
Compared to the current security screening, the proposed FDI screening would:
- Widen the scope of activities that would be subject to mandatory notification
- Apply a higher threshold for when transactions may be prohibited
- Introduce a threshold for when investments must be notified of 10 percent or more of the total number of votes
- Provide a more structured notification procedure with a Phase 1 (25 days) and a Phase 2 (three to six months), which would give the investing party increased foreseeability
The Proposal has been referred to stakeholders for consultation. Following the consultation, the government will put forward its official bill, which will be voted on in the Swedish Parliament. The Proposal suggests that the new act enters into force on January 1, 2023.
LESSONS LEARNED
A pragmatic approach is necessary when discussing the applicability of the Security Act in the context of a transaction for two reasons:
- Target companies may not always be familiar with the Security Act and the concept of security-sensitive activities. While it may be fairly easy for a company to provide information required for a merger filing analysis, questions related to security aspects may require more time and guidance
- The consequences of classifying as an entity operating security-sensitive activities are considerable, and go beyond the transaction. A company that falls under the Security Act must comply with a number of obligations that may require internal restructuring and costs
[View source.]
