The organization should establish and document a formal process for consulting with the supervisory authority. This process is initiated after a suitability assessment has concluded that a planned procedure involving another actor is not inappropriate, but before the procedure itself begins.
The process must clearly define the triggers for consultation, which include any procedure where another actor may gain access to:
- Security-classified information in the security protection class confidential or higher.
- Other security-sensitive activities of corresponding importance to national security.
The process should also specify who is responsible for initiating the consultation, what documentation is required for the authority, and how to handle and implement any measures ordered by the authority as a result of the consultation.
Also when an operator intends to transfer:
- All or part of a security-sensitive activity, or
- Property important to Sweden’s security or related to international commitments.
The operator must:
- Conduct a specific security assessment to identify sensitive information or activities that could be accessed.
- Perform a suitability assessment to determine whether the transfer is appropriate from a security perspective.
- Document both assessments.
If the suitability assessment shows the transfer is not appropriate, the transfer must not be carried out.
