Research security: a critical priority for research-intensive companies

Why is research security relevant now?

The geopolitical situation and increasing global competition have made research security a priority for Sweden and the EU. Research security means protecting scientific activities from misuse and undue influence by non-EU countries or non-state actors. Research security is also important to prevent the illegal transfer of knowledge or technology to third countries.

These developments have led the EU and Sweden to tighten their regulatory frameworks and issue new recommendations to increase the focus on protecting strategically important research and technology from falling into the wrong hands.

Research-intensive companies now need to pay extra attention to the risks of sensitive technology and knowledge being misused by foreign actors. Knowledge of current regulations is therefore more relevant than ever.

What regulations affect your research?

Research-intensive companies need to be aware of several regulations that at first glance may not seem relevant to their business. These regulations include:

1. Investment review;

2. Export controls;

3. International sanctions regimes; and

4. Control of military equipment.

These regulations are particularly relevant for companies operating in the following areas:

• Biotechnology research and development.

• Research in dual-use products (PDA) or other emerging technologies, i.e. products that can have both civilian and military applications (such as drones, AI, battery chemistry). This also includes knowledge, software and technologies for the development of such products.

• Research companies with links to foreign entities.

• Research on armaments or technical support to armaments.

The regulatory frameworks are closely interlinked and may overlap in practice. It is therefore important to take a holistic approach when assessing which requirements apply to specific research projects or collaborations.

Funding and investment - what applies?

Research worth protecting can be vulnerable to hostile foreign actors or states intent on acquiring sensitive technology or knowledge, including through investment or collaboration.

The Foreign Direct Investment Review Act (FDI Act) came into force in 2023 and aims to prevent harmful foreign direct investment in Swedish protected activities. Note that the law means that investments made by Swedish investors must also be reviewed and approved by the authorities.

The Act covers various forms of investment and cooperation, including those not based on capital contributions or conducted in limited companies. The provision of resources, services or technology may also constitute investments under the Act, provided that the investor thereby gains influence over the business.

Export controls - five basic principles for your organization

Goods and technology listed in Annex 1 of EU Regulation 2021/821 (the PDA Regulation) are generally subject to export controls. In certain situations, goods not listed in the Annex are also covered. The Swedish Inspectorate for Strategic Goods (ISP), which is the Swedish review authority under the export control regulations, has listed five important basic principles for conducting research responsibly and in accordance with the applicable export control regulations:

• Establish clear leadership and develop policies. The organization's management must actively prioritize and integrate research security into its operations through concrete policies and guidelines.

• Conduct systematic risk assessments. Identify which research areas and projects may have security-sensitive applications, for example in AI, biotechnology, quantum technology and advanced materials that may have both civilian and military applications.

• Provide training and support. To ensure compliance, staff need to have basic knowledge of risks and applicable regulations.

• Develop clear processes for international cooperation. Establish systematic methods to assess and approve international research collaborations before they start.

• Assurance through documentation and follow-up. All significant decisions and risk assessments should be documented to demonstrate the organization's compliance with applicable export control regulations.

The European Commission has also developed recommendations on internal compliance for research involving PDA. In essence, compliance is ensured by having the necessary knowledge, policies and procedures in place.

International cooperation and sanctions regimes

International sanctions have become an increasingly common tool in global security policy, with sanctions currently in place against some 50 states and groups. For research companies, this poses new challenges in terms of international cooperation and funding.

It is important to conduct a thorough analysis of potential cooperation or trading partners before establishing economic relations. According to the sanctions regulations, it is prohibited to make products and financial resources available to persons or companies that are, directly or indirectly, subject to sanctions. Cooperation may also fall under the UDI Act and be subject to prior notification and approval.

Military equipment and technical assistance for military equipment

The Munitions List lists what constitutes munitions and technical assistance. Operators must check whether their activities involve munitions-classified items or related technical assistance.

Determining whether research falls under the Munitions Regulations is not always straightforward. Civilian research with specific technical specifications may be close to the borderline of research with military applications. As a rule, the manufacture and development of military equipment is subject to licensing, as is research that includes such elements. A license is also required to enter into cooperation agreements with foreign parties for the joint development and/or manufacture of military equipment. Cooperation agreements involving the provision of technical assistance to foreign parties also require a license.

Supervision and sanctions for breaches of regulations

The ISP is tasked with supervising compliance with the regulations. In the event of infringements, the ISP has the power to impose penalties.

An inspection project has shown that research organizations' knowledge of export control regulations is generally low and that the organizations' compliance with these rules is largely inadequate.

Practical recommendations for your organization

• Continuous risk assessments. Establish procedures to assess on an ongoing basis whether research projects are developing in ways that could affect security classification or compliance.

• Documentation. Security-related decisions and assessments should be documented so that they can be tracked and reviewed over time.

• Roles of responsibility for research security. The organization should designate specific individuals or functions responsible for overseeing and coordinating research security activities.

• Internal policies. The organization should have clear guidelines and policies related to research security.

• Processes for collaborative agreements. The organization should establish systematic methods for evaluating and approving collaborators before projects start.

Remember: By proactively identifying and managing risks, your company can ensure compliance and contribute to strengthening Swedish research security.

Do you need support in navigating the regulatory framework for research security? Contact Lindahl's specialists for customized advice tailored to your business.