Several areas of general background law in Sweden apply to AI systems since the laws are technology-neutral in nature. These include areas such as contract law, tort and product liability, privacy and data protection, intellectual property, product safety, employment law, consumer protection and criminal law.
The Artificial Intelligence Act (EU) 2024/1689 (AI Act) entered into force on 1 August 2024, with most of its provisions set to take effect on 2 August 2026. Prior to the AI Act, Swedish law contained no legislation specifically targeting artificial intelligence (AI).
On 19 September 2024, the Swedish government appointed a state inquiry tasked with reviewing the need for national adaptations in light of the AI Act. The inquiry has proposed that a supplementary law to the AI Act, together with corresponding legislative amendments, enter into force on 2 August 2026. The proposed supplementary law addresses, among other things, the designation of national competent authorities, supervision and sanctions, and the establishment of regulatory sandboxes for AI.
Beyond the AI Act and the proposed supplementary law, several other regulations in Sweden influence the use of AI systems. Notably, the General Data Protection Regulation (EU) 2016/679 (GDPR) governs, for example, the processing of personal data carried out wholly or partly by automated means.
AI is being deployed across a wide range of industries in Sweden, in forms including traditional machine learning, foundation models, Retrieval-Augmented Generation (RAG) systems and agentic AI systems.
The use of AI in both the private and public sectors has gained considerable momentum in recent years. In the public sector, for example, the Swedish Tax Agency (Sw. Skatteverket) employs an AI system to sort incoming emails, support case officers, and analyse large datasets, as well as, for instance, to carry out checks and render decisions. Within the judicial system, AI is similarly being used to translate legal texts into Swedish, helping to accelerate the litigation process.
A prominent actor in AI-driven legal tech services is Legora (formerly known as Leya), a Swedish multinational AI and legal tech company founded in Stockholm in 2023. Legora has developed an AI-driven collaboration platform specifically designed for lawyers and law firms and has quickly become one of the fastest-growing companies in the sector, with its AI system now widely used by law firms across the industry.
Governments play a central role in facilitating AI innovation through measures such as investment strategies, incentives and policy initiatives. On 7 December 2023, the Swedish government appointed a committee tasked with proposing measures to strengthen the development and use of AI in Sweden. This was followed by the publication of a digitalisation strategy in May 2025 and the launch of a dedicated AI strategy in February 2026.
Sweden’s AI strategy sets out the Swedish government’s long-term approach to AI and aims to position Sweden among the world’s top-ten nations in the field. The strategy highlights a number of strong prerequisites, including high digital maturity in the business sector, access to high-quality data in the public sector, world-leading research in machine learning, language models, computer vision and AI security, as well as access to fossil-free electricity and a favourable climate for computing power infrastructure. It emphasises the need for co-ordinated and strategic action to maximise the benefits of AI, reduce associated risks and increase trust across society. The strategy further underscores the importance of an active foreign policy with like-minded countries and proactive engagement in EU co-operation to advance Swedish priorities. An accompanying action plan sets out both adopted and planned measures for implementation.
Sweden’s regulatory philosophy towards AI is shaped by the EU’s risk-based approach under the AI Act.
Prior to the AI Act entering into force, Sweden had no legislation specifically targeting AI. With the adoption of the AI Act, Sweden initiated a legislative process to develop supplementary national provisions.
In addition to the AI Act, certain provisions in Swedish law apply to AI systems. Swedish law has long relied on technology-neutral provisions, meaning that AI systems fall within the general scope of application of existing legislation.
Beyond binding legislation, government agencies and other public bodies in Sweden have issued non-binding directives intended to guide the responsible use of AI.
The Swedish Agency for Digital Government (Sw. Myndigheten för digital förvaltning, Digg) and the Swedish Authority for Privacy Protection (Sw. Integritetsmyndigheten, IMY) were tasked by the Swedish government with developing guidelines for employees in the public sector, aimed at increasing the use of generative AI to free up more time for human interaction and service.
The guidelines, published on 21 January 2025, cover seven areas, including, for example, information security, copyright, data protection and ethics. They may also serve as useful guidance for private companies.
As an EU member state, Sweden is in the process of implementing the AI Act through supplementary national provisions. Since most provisions of the AI Act will take effect on 2 August 2026, the supplementary laws are likewise proposed to enter into force on that date. However, they have not yet been formally adopted.
Nine sector-specific authorities are proposed to be responsible for market surveillance, including the power to impose sanctions and injunctions. Of these, the Swedish Post and Telecom Authority (Sw. Post- och telestyrelsen, PTS), the IMY and the Swedish Financial Supervisory Authority (Sw. Finansinspektionen, SFSA) will also oversee high-risk AI systems. The PTS will additionally serve as the main co-ordinating market surveillance authority. The Swedish Board for Accreditation and Conformity Assessment (Sw. Styrelsen för ackreditering och teknisk kontroll, Swedac) and the Swedish Medical Products Agency (Sw. Läkemedelsverket) are proposed to become notifying authorities, tasked with issuing certificates where conformity requirements are met.
The PTS will furthermore be responsible for establishing a regulatory sandbox, while the other market surveillance authorities will be required to participate in specific sandbox projects. Responsibility for testing under real-world conditions is proposed to lie with the PTS, the IMY and the SFSA.
There is no applicable information in this jurisdiction.
Beyond the AI Act and its supplementary legislation, several AI-specific legislative proposals are under consideration in Sweden. Alongside the supplementary law to the AI Act, the Swedish government is introducing a number of AI-related provisions in sector-specific legislation. For example, the Swedish government is in the process of amending the current Swedish Product Liability Act (Sw. Produktansvarslag (1992:18)), expanding, in particular, its scope of application to encompass AI software and other products containing AI. These legislative changes are expected to take effect on 9 December 2026 (see 10.2 Regulatory Approaches to Liability for AI).
Other noteworthy sector-specific examples concern public administration law. For instance, state inquiries have proposed regulatory amendments to increase the use of AI at the Swedish Security Service (Sw. Säkerhetspolisen), enabling it to train its own AI models using available data to facilitate intelligence work.
Judicial decisions play an important role in shaping the legal landscape for AI. To date, there are no notable judicial decisions in Swedish law concerning AI models or systems, AI and data protection, or AI and intellectual property rights. However, in a recent case, a district court reduced the claim for compensation of a counsel (not a law firm member of the Swedish Bar Association), finding it most probable that the counsel had used AI, as the submission contained fictitious cases and references to non-existent legal provisions, rendering the claimed number of working hours implausible.
Effective regulatory oversight of AI requires clearly designated authorities with defined mandates. Nine sector-specific authorities are proposed to be responsible for market surveillance, while the PTS will additionally serve as the main co-ordinating market surveillance authority, be responsible for establishing regulatory sandboxes, and share responsibility for testing under real-world conditions together with the IMY and the SFSA.
Regulatory agencies may issue directives to guide the responsible use of AI. Some authorities in Sweden have already done so (see 3.3 Jurisdictional Directives for more information on the guidelines issued by Digg and the IMY). In addition, the IMY has published guidance on the GDPR and AI, aiming to facilitate the use of AI in a privacy-friendly manner. The Swedish Medical Products Agency has also issued guidance on the use of AI in healthcare, addressing, in particular, considerations when introducing AI systems, ethical dimensions, and the use of AI in clinical research.
Enforcement actions serve as a key indicator of how regulators approach AI-related violations. To date, no notable enforcement or other regulatory actions targeting AI have been taken in Sweden.
National standard-setting bodies play an important role in developing technical standards for AI that affect companies operating in a given jurisdiction. In Sweden, standardisation work is led by non-profit associations that form part of the International Organization for Standardization (ISO) and the European Committee for Standardization (CEN). Sweden participates in the international work of ISO and the International Electrotechnical Commission (IEC) and the European work of CEN and the European Committee for Electrotechnical Standardization (CENELEC) on AI standardisation, and almost all Swedish standards are of international or European origin.
In addition to the standards from CEN and CENELEC, international AI standards, such as ISO/IEC standards (42001, 23894, 22989) and other international standards, will likely provide an important contribution in shaping Swedish standards.
Government agencies in Sweden are increasingly adopting AI for a variety of purposes. Swedish authorities have, over the years, begun integrating AI systems across several areas (see examples in 2.1 Industry Use and 3.7 Proposed AI-Specific Legislation and Regulations).
Judicial decisions concerning the use of AI by government agencies provide important guidance on the legal boundaries of public sector AI deployment. To date, there are no judicial decisions or notable pending cases in Swedish law concerning the use of AI by the government or its authorities.
The use of AI in national security and defence raises distinct legal and regulatory considerations.
The use of AI in national security matters still appears to be in its early stages in Sweden. However, legislative changes are emerging – for example, initiatives enabling the Swedish Police Authority (Sw. Polismyndigheten) and the Swedish Security Service to use AI for real-time facial recognition for law enforcement purposes and in response to threats to national security are underway (see 3.7 Proposed AI-Specific Legislation and Regulations).
In addition to these legislative amendments, a new technology-neutral national cybersecurity strategy was published on 20 March 2025, aiming to strengthen Sweden’s cybersecurity resilience. The strategy is grounded in the Swedish Cybersecurity Act (Sw. Cybersäkerhetslag (2025:1506)) and the NIS 2 Directive (EU) 2022/2555, and provides authorities with concrete goals, such as increased systematic work on cybersecurity, skills development in the field, and the establishment of cybersecurity capabilities.
Generative AI systems – such as large language models, image generators and code generation tools – pose a range of legal challenges. Certain characteristics of AI may give rise to legal difficulties across different areas of law, such as the difficulty of predicting what actions an AI system will take, a lack of transparency, and the need for large amounts of data to train the system.
Regulatory Approaches to Foundation Models and General-Purpose AI
The AI Act takes a comprehensive approach to, among other things, counteracting harm and human rights violations arising from AI use, imposing specific requirements on both providers and deployers of AI systems.
Copyright to Training Data and Results
The use of AI raises a number of copyright issues (see 16 Intellectual Property).
Data Protection Issues
Personal data processing can occur both when training algorithms and when generating output. The challenges associated with AI use in data protection include, in particular, complying with the GDPR – for example, adhering to data processing requirements and principles, especially purpose limitation and data minimisation. The assessment of legality may be affected where, for instance, data is collected through web scraping and later used to train AI models, as this may violate the principle of purpose limitation. Additionally, security measures may need to be built into the AI from the outset, such as compliance with all principles of data processing, enabling data subjects to exercise their rights, and ensuring that, where automated decisions are taken, controllers offer personal contact and information to data subjects (see 17 Data Protection).
Responsibility for Harmful or Unlawful Results
AI may perform actions that constitute crimes or cause harm. In addition to EU product liability laws, Swedish tort law applies to liability cases caused by AI use (see 10 Liability for AI).
Transparency Requirements
Transparency is an important part of increasing trust in the development and use of AI. Various transparency requirements are therefore regulated in the AI Act (see 12.4 Transparency and Disclosure).
AI is increasingly being adopted in the legal profession, raising both practical and ethical considerations. In Sweden, a number of large law firms have already implemented AI tools. These are used, among other things, to automate routine tasks, review, summarise and translate documents, and assist with due diligence work.
To promote the ethical use of AI, the Swedish Bar Association has issued a guide on the use of generative AI. The guide highlights several issues for lawyers to consider, such as complying with applicable laws – especially the GDPR and copyright law – reviewing output data critically and verifying legal sources, abiding by the duty of confidentiality, and implementing clear internal guidelines on AI use. Gernandt & Danielsson is a co-author of the guide and part of the working group responsible for updating it as necessary.
Determining liability for harm caused by AI systems involves several general theories of liability.
Contractual Liability
Liability can arise due to contractual obligations where a party fails to perform in accordance with the terms of an agreement. In such cases, the non-breaching party may be entitled to, for example, damages, price reductions or termination of the agreement, depending on the nature and severity of the breach.
General Tort Law
Claims may also be based on non-contractual liability. Under Swedish tort law, for non-contractual liability to arise, there must generally be intent or negligence, together with an adequate causal link between the negligent conduct and the damage suffered. In case of pure economic loss, non-contractual liability generally only arises in the event of criminal acts.
Product Liability
Product liability is treated as non-contractual, and the right to compensation is derived from, notably, the Swedish Product Liability Act. The current law imposes strict liability on, among others, manufacturers, importers and suppliers, and is technology-neutral in nature – it does not specifically address AI. However, manufacturers of finished products may, for example, be held liable under the Act’s strict liability provisions if a component of a finished product, such as software containing AI, contains a security flaw that leads to damages.
Liability for AI-Generated Content
Swedish intellectual property law is technology-neutral and therefore covers AI-generated output.
Regulatory approaches to liability for AI are evolving, with new legislation addressing the specific challenges posed by AI systems. Sweden is currently implementing the new Product Liability Directive (EU) 2024/2853, with a proposed date of entry into force on 9 December 2026. The legislative amendments will expand the strict liability regime for defective products to encompass AI.
Sweden’s regulation of agentic AI systems is primarily governed by the AI Act, supplemented by provisions in other legal acts.
High-risk AI systems are permitted, provided that the strict requirements set out in the AI Act to limit the associated risks are met. In addition, sector-specific laws may apply depending on the use case. For example, the GDPR may impose restrictions where automated decision-making is based on sensitive personal data.
Allocating liability for harm caused by autonomous AI systems presents distinct challenges. Liability for damage caused by AI is governed by both EU and Swedish law, including the AI Act and the Swedish Product Liability Act, which is proposed to be amended following the implementation of the Product Liability Directive (EU) 2024/2853 (see 10.2 Regulatory Approaches to Liability for AI).
Algorithmic bias and fairness are central concerns in the regulation of AI. AI algorithms can produce biases as a result of distortions in input data – for example, historical data that reinforces existing prejudices. Algorithms may also reduce transparency, making it difficult to ascertain whether discrimination has occurred.
The AI Act seeks to address AI biases in a number of ways, such as requiring input data to be of high quality, relevant and sufficiently representative, establishing methods for data management to identify potential biases, alerting human controllers to biases, and mandating impact assessments of AI’s effects on fundamental rights.
Biometric AI systems, including emotion recognition and facial recognition technologies, are subject to specific legal restrictions. In Sweden, the regulatory framework governing the processing of biometric data consists primarily of the AI Act and the GDPR (for the private sector).
Deepfakes and synthetic media generated by AI raise significant legal concerns. The AI Act imposes several obligations on operators to counteract the risks of AI-generated deepfake content – for example, by requiring providers to ensure that AI output is appropriately labelled when interacting with humans.
More broadly, the Digital Services Act (EU) 2022/2065 (DSA) requires providers of large online platforms and search engines to identify, assess and mitigate potential risks resulting from deepfakes, and to ensure that their online interfaces are not misleading.
Additionally, the Swedish Marketing Act (Sw. Marknadsföringslag (2008:486)), which is technology-neutral by design, prohibits misleading claims – a prohibition that could extend to AI-generated deepfakes.
Transparency and disclosure are fundamental to building trust in AI systems. The legal framework for AI transparency and disclosure is primarily set out in the AI Act and mainly supplemented by the GDPR. For example, high-risk AI systems must be designed so that operators can interpret the output data and understand what data has been processed, must alert humans interacting with AI through labels, and must inform individuals that they are subject to automated decisions by a high-risk AI system.
Procuring AI systems requires careful consideration of contractual frameworks and risk allocation. At its core, an AI procurement agreement is an IT agreement under which the purchaser is granted, for example, a licence to use an AI system. The challenge, however, lies in adapting terms and conditions so that the agreement complies with the various legal obligations imposed on AI systems, including from a data protection, intellectual property and AI operator and product safety perspective.
Typically, AI procurement agreements may take the form of licence agreements, system development agreements, operating agreements, outsourcing agreements and cloud service agreements. Most commonly, these will be software licence agreements, under which the contracting parties may need to address issues such as data training, service levels and uptime, warranty, liability, AI Act requirements and insolvency. Where the supplier processes personal data, the parties may also need to consider matters including personal data protection, the division of responsibility between controllers and processors, data protection and portability integration in the AI system, and cross-border data transfers.
Accountability across the AI supply chain is essential to ensure compliance and manage risk. The AI value chain covers and imposes a number of obligations on all operators involved in the development, distribution and use of AI systems. For example, providers must ensure conformity of the AI to technical standards, importers must ensure that AI systems bear CE labels, and deployers must carry out impact assessments, among other things. Failure to comply may lead to the imposition of substantial fines.
The use of AI in hiring and termination decisions is subject to specific legal and regulatory requirements. AI systems used for recruitment and termination purposes may be classified as high-risk systems under the AI Act, meaning that operators must comply with a number of obligations, including addressing biases.
AI-enabled employee evaluation and monitoring technologies raise important legal considerations. AI systems used for evaluating employee performance may, for example, be classified as high-risk AI systems under the AI Act, and some may even constitute prohibited AI practices.
Digital platform companies are currently among the most prominent users of AI. In Sweden, platform companies operating in areas such as music, e-commerce and fintech leverage AI to stay competitive and enhance customer experience – for example, by creating personalised playlists, delivering customised offers, and deploying AI-driven customer interactions. These companies are required to, in particular, assess risks and take appropriate measures to ensure compliance with the AI Act and other applicable laws.
AI is increasingly being integrated into financial services, transforming areas such as credit decisioning, trading and customer interaction. The adoption of AI has spread rapidly across Swedish financial institutions. For example, financial institutions may use AI to search for or summarise information, gain customer insights, and interact with customers via chatbots. Furthermore, AI may also be deployed, for instance, to combat money laundering, conduct credit assessments and, to a lesser extent, support algorithmic trading.
AI is being deployed in healthcare across a wide range of applications, from diagnostics to treatment planning. In Sweden, beyond its use in diagnostics, administration and care planning, AI is also employed, for example, to identify cancer from medical images and to prepare radiation treatment plans that minimise unnecessary damage to surrounding tissue. AI-driven medical devices are likewise finding their way into clinical practice, such as active optimisation of pacemakers and image and signal diagnostics in radiology.
The development of autonomous vehicles relies heavily on AI technology and raises distinct legal and regulatory questions. Driving autonomous vehicles is currently not permitted on Swedish public roads. However, upon obtaining a permit from the Swedish Transport Agency and complying with various legal obligations – including, for example, obligations under the AI Act – companies may be permitted to conduct trials with autonomous vehicles.
AI is transforming the retail and consumer sector through, among other things, personalisation, automation and enhanced customer experiences. In Sweden, the use of AI in retail has accelerated, with large companies in the food and pharmaceutical sectors, in particular, pioneering AI integration. AI is currently being explored for purposes such as warehouse management, customised recommendations, customer-tailored product descriptions, attraction recommendations for travellers, and reducing the need for staff at checkouts.
Industrial AI and robotics are driving significant efficiency gains in manufacturing and production, among other areas. Large Swedish industrial companies have begun to deploy AI in areas such as quality control, production planning and generative information management, leading to, for example, increased efficiency, reduced waste and improved decision support. At the same time, these companies may face common challenges, including system integration, limited IT infrastructure and scalability issues with AI solutions. More broadly, the industrial sector and AI may be particularly well suited to one another, as manufacturers generate large volumes of data – precisely the resource that AI technology requires for training.
Intellectual property protection for AI system components spans several areas of law, such as patents, copyright, trade secrets and database rights. The scope of protection largely depends on the specific property right in question – for example, AI may be eligible for patent protection, trade secret protection and copyright protection, among other forms of intellectual property protection.
Whether AI can be recognised as an inventor or author is a key question in intellectual property law. Under the general principles of Swedish intellectual property law, an AI system currently cannot be designated as an inventor or author.
The use of copyrighted works for AI training raises significant legal questions. Under Swedish law, anyone who has obtained lawful access to a copyright-protected work is entitled to make copies for text and data mining purposes, such as AI training, unless the rights-holder has opted out. Should infringements of protected works occur, damages for AI-generated output may be claimed under the Swedish Copyright Act (Sw. Upphovsrättslag (1960:729)) (see 10.1 General Theories of Liability).
Licensing schemes for AI training also exist in Sweden. For example, in September 2025, the Swedish Performing Rights Society (STIM) published a licensing scheme enabling AI companies to train their models on music legally. Such licensing arrangements may help avoid infringements, provided that AI deployers and copyright holders abide by the applicable licence terms. Gernandt & Danielsson has written an in-depth article on this topic in its newsletter, G&D Monthly Digest December 2025.
The legal status of AI-generated works of art and works of authorship – including questions of copyright protection, ownership and moral rights – remains an evolving area of law. The general principles of Swedish intellectual property law apply.
Foundation models and open-source AI raise specific intellectual property considerations, including questions of licensing, derivative works and IP risks in commercial use. The right to use foundation models and open-source AI is ultimately shaped by the applicable licence terms.
Training AI systems on personal data raises significant data protection challenges. When training AI, all provisions of the GDPR must be observed, in particular the principles of purpose limitation and data minimisation, as well as the requirement for a lawful basis. A key challenge lies in fulfilling the principle of purpose limitation, as further processing may deviate from the original purpose for which the data was collected. In cases of further processing, controllers may also need to carry out a compatibility assessment, encompassing measures such as informing data subjects, encryption and pseudonymisation. Additionally, AI systems that process personal data must incorporate data protection as a built-in standard, including mechanisms to safeguard data subjects’ rights, such as the right to information, rectification and erasure.
The deployment of AI systems that process personal data is subject to specific data protection requirements. Controllers must, among other things, have a lawful basis for the processing, inform data subjects accordingly, and ensure that built-in data protection mechanisms are in place. Moreover, data subjects must generally be informed about how long their data will be stored and be notified if they have been subject to automated decisions.
AI-specific data governance requirements – including data protection impact assessments, data protection by design and cross-border data transfers – are, notably, critical to ensuring compliance. The protection of data subjects’ rights is facilitated by, for example, the obligation on AI operators and controllers to integrate data protection by design and by default throughout the AI system’s life cycle. Controllers must also carry out impact assessments prior to and during ongoing data processing where the processing poses high risks to data subjects’ rights. An additional challenge concerns cross-border data transfers. Controllers and processors must, in particular, consider whether the companies supplying AI are listed under the EU–US Data Privacy Framework or rely on other legal bases, such as standard contractual clauses and supplementary safeguards, in order to comply with the GDPR’s cross-border data transfer provisions.
AI raises a number of emerging antitrust issues, including algorithmic collusion, abuse of dominance through data-driven market power and vertical integration in AI value chains. From a global perspective, AI has given rise to several competition concerns, such as the emergence of monopolistic market structures.
Control of large amounts of data may solidify market dominance, as data ownership is critical in AI development. This can lead to improvements in AI that attract more customers and further raise barriers to entry – particularly where, for example, prices can be increased, customers locked in, and data exclusivity agreements demanded. Moreover, possession of large datasets and control of digital infrastructure may result in a high degree of vertical integration across the AI value chain. The Digital Markets Act (EU) 2022/1925 (DMA) seeks, for example, to address gatekeepers’ exclusivity agreements and terms of use that create lock-in effects and reinforce barriers to entry.
To date, no notable enforcement actions by the Swedish Competition Authority (Sw. Konkurrensverket, SCA) targeting anti-competitive behaviour in relation to AI have been carried out. With the aim of fostering effective competition in AI, a Swedish government inquiry is currently proposing to equip the SCA with new tools to impose forward-looking and pro-competitive measures for entire markets, thereby addressing poorly functioning oligopolies and monopolies.
Cybersecurity legislation is increasingly relevant to AI systems, addressing risks such as adversarial attacks, data poisoning and supply chain security. In Sweden, cybersecurity is governed by various legal acts, including the AI Act, the Swedish Cybersecurity Act and the Cyber Resilience Act (EU) 2024/2847 (CRA).
AI carries significant environmental, social and governance (ESG) dimensions, ranging from energy consumption and algorithmic fairness to responsible AI frameworks, among other areas. Companies must exercise due diligence to limit their negative impacts on the environment, people, and across upstream and downstream value chains. The AI Act imposes certain ESG obligations on operators, alongside other legal acts. For example, providers of general-purpose AI (GPAI) must, in particular, report energy consumption in the technical documentation, AI must be designed free of biases, risks posed by high-risk AI systems must be managed on an ongoing basis, and deployers must carry out impact assessments regarding fundamental rights.
Effective AI governance requires robust frameworks for risk management, life cycle governance and accountability. The AI Act seeks to regulate AI governance holistically and in proportion to both the size of the operators involved and the risk level of the AI system in question.