Research security: a critical priority for research-intensive companies

Why is research security relevant now?

The geopolitical situation and increasing global competition have made research security a regulatory priority for both Sweden and the EU. Research security means protecting certain sensitive scientific activities from misuse and undue influence by non-EU countries or non-state actors. Research security is also important to prevent the illegal transfer of know-how or technologies to third countries.

These developments have led the EU and Sweden to tighten the regulatory frameworks and issue new recommendations, aiming to increase the focus on protecting strategically important research and technologies.

Research-intensive companies now need to pay extra attention to the risks of sensitive technologies and know-how being misused by foreign actors. Sufficient knowledge of current regulations is therefore more relevant than ever.

What regulations affect your research?

Research-intensive companies need to be aware of several regulations that, at first glance, may seem irrelevant to their business. These regulations include:

Investment screening controls;
Export controls;
International sanctions regimes; and
Control of military equipment.

These regulations are particularly relevant for research-intensive companies operating in the following areas:

Biotechnological research and development.
Research on dual-use items (DUI) (sv. produkter med dubbla användningsområden (PDA)) or other emerging technologies, i.e. products with both civilian and military applications (such as drones, AI, battery chemistry). This also includes know-how, software and technologies for the development of such products.
Research companies engaging with foreign entities.
Research on military equipment or related technical support..

The regulatory frameworks are closely interlinked and may overlap in practice. It is therefore important to take a holistic approach when assessing which regulatory requirements apply to specific research projects or collaborations.

Rules for funding and investments

Certain research activities can be vulnerable to hostile foreign actors or states intent on acquiring sensitive technologies or know-how, including through investments or collaborations.

The Swedish Act on Screening of Foreign Direct Investment (FDI Act) (sv. lag (2023:560) om granskning av utländska direktinvesteringar) entered into force in 2023 and aims to prevent harmful foreign direct investment in Swedish companies engaged in so called protected activities (sv. skyddsvärd verksamhet). Despite its name, it is important to note that the FDI Act requires that investments made also by Swedish investors must be reviewed and approved by the authorities.

The FDI Act covers various forms of investment and cooperation, including those not based on capital contributions or made in limited liability companies (sv. aktiebolag). Providing resources, services or technology may also constitute investments under the FDI Act, if the investor thereby gains influence over the business.

Export controls - five basic principles for your organization

Goods and technologies listed in Annex 1 of EU Regulation 2021/821 (the DUI Regulation) are subject to governmental export controls. Under certain circumstances, goods that are not listed in the Annex are also covered. The Swedish Inspectorate for Strategic Products (ISP) (sv. Inspektionen för Strategiska Produkter), which is the Swedish supervisory authority under the DUI Regulation, has listed five important principles for conducting responsible research in accordance with the applicable export control regulations:

Leadership and policies. The management must actively prioritize and integrate research security into its operations through concrete policies and guidelines.
Systematic risk assessments. Identify which research areas and projects may have security-sensitive applications, for example in AI, biotechnology, quantum technology and advanced materials that may have both civilian and military applications.
Training and support. To ensure compliance, employees need to have basic knowledge of risks and applicable rules.
Processes for international cooperation. Establish systematic methods to assess and approve international research collaborations before commencing.
Documentation and follow-up. All significant decisions and risk assessments should be documented to demonstrate the organization's compliance with applicable export control regulations.

The European Commission has issued recommendations on internal compliance for research involving DUI. In essence, compliance is ensured by having the necessary knowledge, policies and procedures in place.

International cooperation and sanctions regimes

International sanctions have become an increasingly common tool in global security policy, with sanctions currently in place against some 50 states and groups. For research companies, this poses new challenges in terms of international cooperation and funding.

It is important to conduct a thorough analysis of potential partnerships for cooperation or trading before establishing economic or cooperative relations. The sanctions regulations prohibits making products and financial resources available to persons or companies that are, directly or indirectly, subject to sanctions. A research partnership may also fall under the FDI Act and be subject to notification requirements and prior approval.

Military equipment and related technical assistance

The government’s military equipment regulation lists what constitutes military equipment and related technical assistance. Operators must check whether their activities involve military classified items or related technical assistance.

Determining whether research falls under the military equipment classification is not always straightforward. Civilian research with specific technical specifications may be close to the borderline of research with military applications. As a rule, the manufacture and development of military equipment is subject to licensing, as is research that includes such elements. A license is also required to enter into partnership agreements with foreign parties for the joint development and/or manufacture of military equipment. Partnership agreements involving the provision of technical assistance to foreign parties may also require a prior license.

Supervision and financial penalties for breaches

The ISP is tasked with supervising compliance with these regulations relating to research security. In the event of infringements, the ISP has the power to impose monetary penalties.

A compliance review project has shown that research organizations' knowledge of regulations related to research security is generally low and that compliance with these rules is largely inadequate.

Recommendations for your organization

Continuous risk assessments. Establish procedures to assess on an ongoing basis whether research projects are developing in ways that could affect security classification or compliance.
Documentation. Security-related decisions and assessments should be documented to facilitate over time tracking and reviewing .
Roles of responsibility for research security. The organization should designate specific persons or functions responsible for overseeing and coordinating research security activities.
Internal policies. The organization should have clear guidelines and policies related to research security.
Processes for collaborative agreements. The organization should establish systematic methods for evaluating and approving potential collaborative partnerships.

Remember: By proactively identifying and managing risks, your company can ensure compliance and contribute to strengthening Swedish research security.

Do you need support in navigating the regulatory frameworks for research security? Contact Lindahl's specialists for customized advice tailored to your business.