Security rules for participation in the node’s activities

[211014]

Basic requirements regarding an organisation’s membership in the node

The following basic requirements are set when an organisation applies for membership in the node. 

  • The organisation aims to support and contribute to the work towards reaching the node’s goals. 
  • The organisation will contribute to a good cooperation environment as well as be respected.
  • The organisation has to have active operations within cybersecurity with employees in Sweden that contribute to Swedish business, growth, and sustainability.
    • Not just a sales department/organisation in Sweden. 
  • The organisation should have the development of Swedish cybersecurity as one of its goals.
    • It should be obvious that the organisation does not prioritise the security of another country.
    • According to SÄPO (Swedish Security Service) is a relationship with China, Russia, or Iran specially problematic, but other countries can also be estimated as a risk. 

The internal coordination group in the node will perform checks, using open sources and when needed, cooperate with RISE security and/or relevant authorities. The steering group will (from 2022) decide on membership and potential membership rejections can not be appealed. 

Three different types of activities in the node’s operations

The node arranges activities of three different types: 

  • Public events 
  • Member activities 
  • Working groups in the categories “open”, “sensitive”, “protected” and “Swedish Defense”

Member activities could be e.g., conferences, roundtables, workshops, or panel discussions.

Four categories of working groups

The node organises working groups in various cybersecurity-related areas, where the security level in a working group must be adapted based on the information that the group is expected to handle. Thus, the working groups are divided into four categories: open, sensitive, protected, and

  • Public events Member activities Working groups in the categories “open”, “sensitive”, “protected” and “Swedish Defense”.
  • Category “open”

    • In this group, only public information within the technology field in which the group works will be handled. 

    Category “sensitive”

    • In this group, sensitive information may be handled, regarding Swedish research and innovation. The group will provide the information with protection against foreign transparency, especially from countries outside the EU and the EEA.

    Category “protected”

    • In this group, very sensitive information about Swedish research and innovation may be handled, which the group will protect against all foreign transparency. The group may also handle information worthy of protection about Swedish socially important activities. 

    Socially important activities – Activities, services, or infrastructure that maintain or ensure societal functions that are necessary for society’s basic needs, values, safety or security./ MSB 2020

    Category “Swedish Defence”

    • In this group, defense secrecy may be handled, e.g., information regarding security-sensitive activities. Applicable Swedish requirements for security protection must be met. 

    Requirements on persons that want to participate in the node’s different activities

    The node has different types of activities, in which different requirements are placed on the persons who want to participate.

    The node’s public event

    No specific requirements are set- everyone can participate

    The node’s member activities

    The following requirements apply.

    • The person must be a professional (long-term employed or equivalent) at an organisation/company that is a node member. 
    • The person intends to contribute to the work to reach the node’s goals. 
    • The person must have a good development of Sweden’s cybersecurity as one of their goals. 
      • It should be obvious that the person does not prioritise the security and development of another country.
      • According to SÄPO (Swedish Security Service) is a relationship with China, Russia, or Iran specially problematic, but other countries than these three can also be considered as a risk. 

    An important aspect regarding dependence on a former home country is that a person may be exposed to pressure from the security services of that home country. The node does not want to contribute to this type of risk arising. When the notification is received regarding participation in a member activity, the internal coordination group assesses whether the participant fulfills the requirements for participation.

    • The coordination group makes checks using open sources, and when needed, cooperates with RISE security and/or relevant authorities. 
    • It is the coordination group that decides on participation, but the group may use support from the steering group in some cases before a decision is made.
    • Any potential denials regarding a person’s participation in the node’s member activities can not be appealed.

    Some additional restrictions may apply to member activities and are then announced in connection to the invitation to the meeting. One example is meetings where, for national security reasons, only Swedish citizens are allowed to participate.

    The node’s “open” working groups

    Everyone interested may announce their interest to participate in an “open” group, provided that the person is employed (permanently employed or equivalent) in a company/organisation that is a node member.

    • The group is established based on a Swedish context, by decision of the coordination group. 
    • The established group then chooses additional members (by majority decision), based on the basic principle that everyone who meets the above requirement is welcome in an open working group. 
      • Any potential denials regarding a person’s participation in an open working group cannot be appealed.

    The node’s “sensitive” working groups

    Only citizens of EEA- countries, and countries close to the EEA (such as Switzerland, the United Kingdom, the United States, and Canada) can express an interest in this group category.

    • The group is established based on a Swedish context, by decision of the coordination group. 
    • The established group then chooses by consensus decision additional members (persons) who can join. Here, the requirements in the section “The node’s member activities” (see above) are used to support decisions. The group leader leads these consensus decisions, with support from the node’s coordinator.

    The node’s “protected” working groups

    The same requirements as for participation in a “sensitive” working group apply, see above.

    The node’s working groups in the category “Swedish Defence”

    Only Swedish citizens may announce their interest in this group category.

    • The group is established by a Swedish defense supplier and by following applicable requirements for security protection, where e.g. security screening may be relevant. 

    Representative/contact person for a node member

    A person who is a representative must meet the requirements in the section “The node’s member activities” (see above).

    Consortium that create an application for a European call, e.g. Horizon Europe

    A consortium created to design an EU application has full freedom to choose and engage the people they want to include. The innovation node thus makes no demands on these participating people.

    • The innovation node intends to contribute to initiating consortia but is not responsible for the consortia that are then created, e.g. for an application to Horizon Europe.
    • In other words, when participants in one of the node’s working groups create a consortium to design an EU application, the consortia’s participants take responsibility for any security issues, including which persons that may participate in the consortia (in the same way as has been done so far in the EU work).
    • If the consortia later receives EU funding and begins project work, rules according to the EU and Horizon Europe apply.