Sweden has introduced the Electronics Protection Act (EPA), with the aim of increasing security and safety for users of communications devices.
Implemented by the Swedish Post and Telecom Authority (PTS) on 1 August 2022, the new law will, for the first time, deliver protections that extend to non-traditional telecoms services such as emails, instant messaging and social media group chats.
The EPA will have a significant impact on how Sweden’s public electronic communications networks and publicly available electronic communications services operate.
Public communications networks are defined in the EPA as electronic communications networks that are used wholly or predominantly for the provision of publicly available electronic communications services that support the transfer of information between network termination points.
Similarly, electronic communications networks are defined as transmission systems, switching or routing equipment, passive network components and other resources, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, irrespective of the type of information being transmitted.
The EPA marks the latest government initiative to bolster user security in electronic communications networks.
Central provisions in the EPA conform with the EU Directive 2018/1972 that established the European Electronic Communications Code. The EPA replaces Sweden’s current Electronic Communications Act.
The EPA and expanded rules will affect all existing and new players delivering electronic communications networks and services covered by current regulations in Sweden, said Jenny Bohman, a legal adviser at the PTS.
“Although the target group is public electronic communications networks providers and publicly available electronic communications services, certain provisions of the new law will also apply to operators offering interpersonal number-independent communications services like messaging services in internet-based apps or linked to social media,” said Bohman.
The number-independent interpersonal communication services covered by the EPA also include voice over IP (VoIP), the technology that enables users to make voice calls over broadband connections rather than more traditional public-switched telephone networks.
Moreover, the EPA incorporates new and more comprehensive rules relating to the kind of information to be provided by service providers to users before entering into contract agreements. The EPA gives the PTS greater powers to impose penalty fees on service providers and network operators that cover specific types of violations. Fines set down in the EPA range up to a maximum of SEK10m (€938,000).
The EPA includes a provision, which is integrated into Section 1 of the Act, that seeks to advance investment in high-capacity fibre and 5G networks in Sweden. Section 1 deals with facilitating individual providers and authorities to achieve the highest possible traffic in terms of capacity.
The scope of the EPA covers security in networks and services, as well as new rules relating to obligations on communications network service providers to disclose subscriber data, number portability, switching internet connection service providers and emergency communications, and the duty of care on service providers to inform customers about automatic contract extensions.
The EPA does not apply to content carried on electronic communications networks using electronic communications services. Virtual private networks (VPNs) are not considered to be content services in the EPA on the basis that they do not provide content on the internet and serve only as access points to encryption and IP addresses.
Under the new law, VPNs are not equated with public communications networks. This legal position applies regardless of whether the VPN is offered to the public through agreements and in exchange for remuneration.
The EPA is the latest in a series of legislative and practical initiatives by Sweden in 2022 to strengthen IT network and data protections.
Cyber security enhancement plan
In June, the Swedish government launched an ambitious package of cyber security reinforcements that include a SEK900m capital investment to provide the National Cyber Security Center (NCSC) with a new purpose-built headquarters. The NCSC currently operates from an office complex owned by the Swedish Civil Contingencies Agency (Myndigheten för Samhällsskydd och Beredskap/MSB).
The package comprises new funding and assignments for Sweden’s Financial Supervisory Authority (Finansinspektionen/FSA) which is being tasked with helping organisations operating in the financial services sphere to upgrade their digital resilience in the face of heightened risks and threats from bad actors in the cyber domain.
“The provision of a new NCSC headquarters is in motion. It involves the acquisition of a new property, as well as the implementation of necessary adaptations and renovations needed to make it fit for purpose. Our core objective is to make Sweden resilient against both military attacks and cyber attacks against important institutions and societal functions,” said Max Elger, Sweden’s financial markets minister.
The tasks assigned to the FSA include improving controls over the outsourced operations of financial sector companies, especially in the technology services area. The FSA is also required to develop an action plan to ascertain what rule changes may be needed, including potential amendments to present legislation to secure the desired strengthening of cyber resilience from finance industry organisations.
As part of the cyber security enhancement plan, the NCSC’s new headquarters will house, under one roof, highly specialised cyber security units from within the National Defence Radio Establishment (Försvarets Radioanstalt/FRA), the MSB and the Swedish Security Service (Säkerhetspolisen/SÄPO). The FRA is the signals intelligence division of the Swedish Defence Forces (Försvarsmakten).
“Investments we are making will create a very well-resourced national cyber security centre to coordinate work and with the capability to effectively prevent, detect and manage cyber attacks,” said Therese Naess, the NCSC’s director.
The revamping of the NCSC’s organisational structure, following the decision to colocate specialised parts of the FRA, MSB and SÄPO to a new headquarters, will also add important value and create new synergies fundamental to bolstering Sweden’s cyber security capabilities, Naess said.
NCSC activities will be operated as part of Sweden’s Total Defence, which takes a strategically holistic approach to mapping and formatting national security to prepare for external threats, known and unknown.
The PTS’s role will also become more closely aligned to the NCSC and the Total Defence national security strategy. This will involve key agencies, like the PTS, deepening their collaboration in cyber security.
“A high-capability NCSC forms an important piece of the puzzle to strengthen Swedish society’s ability to defend against cyber threats. The PTS and the major national security agencies in the NCSC will collaborate very actively to ensure Sweden has the best defences against digital risks and cyber threats going forward,” said Dan Sjöblom, the PTS’s director-general.