Sweden’s approach to cybersecurity regulation has historically been sector-based, with rules and supervisory arrangements adapted to the risks and conditions in different parts of society. This has enabled targeted requirements for specific sectors, while placing clear responsibilities on both public and private actors.
Against a deteriorating security environment and rapidly increasing digital dependence, Sweden has now sharpened its national direction through the National Cybersecurity Strategy 2025–2029. The government’s vision is a resilient Sweden with a high level of cybersecurity, where societal vital services can be maintained even during cybersecurity incidents. The strategy is explicitly grounded in national needs and the NIS2 “all-hazards/all-risk” perspective, and it is accompanied by an action plan that is intended to be updated over time.
In line with the strategy, Sweden’s cybersecurity efforts are organised around three pillars:
This direction is designed to strengthen prevention, resilience and incident-handling capacity across society, and it is intended to be mutually reinforcing with Sweden’s broader foreign- and security-policy work on cyber and digital issues. Overall, Sweden also emphasises co-operation with international partners, particularly in the EU and through security-policy co-operation such as NATO, to better address transnational threats while safeguarding Swedish security interests.
The Electronic Communications Act (Sw. Lag (2022:482) om elektronisk kommunikation) and the Electronic Communications Regulation (Sw. Förordning (2022:511) om elektronisk kommunikation) transpose Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (recast). The act and the regulation regulate electronic communications, with a focus on the security and integrity of networks and services. The act covers entities providing electronic communications networks or services within Sweden, and is supplemented by binding Swedish delegated regulations.
The Accounting Act (Sw. Bokföringslagen (1999:1078)) contains provisions on the secure handling and storage of accounting records, which is crucial for the integrity of financial reporting. The act applies to natural and legal persons subject to bookkeeping obligations in Sweden. A legally significant role is played by Swedish generally accepted accounting practice (Sw. god redovisningssed), to which the act refers as a binding legal standard.
The Camera Surveillance Act (Sw. Kamerabevakningslagen (2018:1200)) regulates camera surveillance, balancing security needs with privacy rights, and ensuring that surveillance systems are secure against unauthorised access. The act applies where camera surveillance is carried out with equipment located in Sweden.
The Protective Security Act (Sw. Säkerhetsskyddslagen (2018:585)) and the Protective Security Regulation (Sw. Säkerhetsskyddsförordningen (2021:955)) focus on protective security, and require organisations to protect information that concerns security-sensitive activities from cyber threats, thus playing an important role in the broader cybersecurity framework. It applies to any public or private operator conducting activities that are important to Sweden’s security or that are covered by an international security protection commitment binding on Sweden, and is supplemented by binding delegated regulations.
The Swedish Cybersecurity Act (Sw. Cybersäkerhetslagen (2025:1506)) – not to be confused with the EU Cybersecurity Act, which is mentioned further below – transposes the NIS2 Directive (Directive (EU) 2022/2555). It establishes a NIS2-aligned national framework to achieve a high level of cybersecurity. The Swedish Cybersecurity Act applies to essential and important public and private entities operating in Sweden within certain defined sectors deemed particularly critical, and is supplemented by binding delegated regulations.
The EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) sets the standard for data protection and privacy in the EU, and requires organisations to implement robust security measures to protect personal data. The Data Protection Act (Sw. Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) supplements the GDPR by providing additional national rules for data protection in Sweden, ensuring comprehensive data security. See 6.1 Cybersecurity and Data Protection.
The Patient Data Act (Sw. Patientdatalag (2008:355)) and the Patient Data Regulation (Sw. Patientdataförordning (2008:360)) supplement the GDPR with rules for handling personal data in the healthcare sector. The Patient Data Act is supplemented by binding delegated regulations.
The Critical Entities Resilience Directive (Directive (EU) 2022/2557, CER) strengthens the resilience of entities providing essential services (including, among others, banking and financial market infrastructure) by requiring member states to identify critical entities and ensure they implement proportionate organisational and technical measures to prevent, resist and recover from disruptive incidents.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847, CRA) introduces harmonised, horizontal cybersecurity requirements for products with digital elements placed on the EU market, imposing life cycle security obligations primarily on manufacturers (and, where relevant, other supply-chain actors). See 4. Cyber-Resilience.
The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) aims to enhance digital operational resilience within the financial sector by setting uniform requirements across the EU. The regulation covers nearly the entire EU financial sector and critical ICT third-party providers regardless of their location, as long as they serve EU financial entities. The regulation is significantly supplemented through binding technical standards and implementing acts. See 3. Operational Resilience in the Financial Sector.
The Cybersecurity Act (Regulation (EU) 2019/881) establishes the European Union Agency for Cybersecurity (ENISA) and a framework for cybersecurity certification of ICT products. European cybersecurity certificates issued are recognised in all EU member states. ENISA compiles and publishes guidelines and develops good practices concerning cybersecurity requirements, though these are not directly binding. However, where a specific Union legal act provides, a certificate or EU statement of conformity may be used to demonstrate presumption of conformity with requirements of that legal act. See 5.1 Key Cybersecurity Certification Legislation.
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689, “AI Act”) establishes rules for artificial intelligence, including security requirements for AI systems, to ensure they are safe and trustworthy. The AI Act applies to providers placing on the market or putting into service AI systems in the EU, regardless of their location. See 6.2 Cybersecurity and AI.
The EU regulation on electronic identification and trust services (Regulation (EU) No 910/2014, eIDAS) governs electronic identification and trust services, ensuring secure electronic transactions across the EU and setting the standards for secure electronic signatures and transactions. It applies to notified eID schemes and to trust service providers established in the EU.
The Electronic Communications Act and the Electronic Communications Regulation
The Swedish Post and Telecom Authority (PTS) supervises compliance with the act, the regulation and related EU instruments. PTS may issue corrective injunctions backed by conditional fines (Sw. vite), revoke permits or order cessation of business in cases of non-compliance, or impose administrative sanction fees, and has investigative powers including access to premises and the power to order compulsory production of documents. A national telecom co-operation group (Sw. nationella telesamverkansgruppen) led by PTS, which includes the Swedish Civil Defence and Resilience Agency (MCF), the Swedish Armed Forces and other public and private actors, co-ordinates crisis planning and restoration of electronic communications infrastructure during peacetime crises or heightened preparedness.
The Accounting Act
The Swedish Accounting Standards Board (BFN) is the supervisory authority, focusing on the secure handling and storage of financial data. Although primarily concerned with accounting practices, BFN’s role includes ensuring that financial data is protected against unauthorised access. The Swedish Accounting Act does not establish cyber-incident response teams.
The Camera Surveillance Act
The Swedish Authority for Privacy Protection (IMY) is the supervisory authority under this act, balancing security needs with privacy rights. The supervision shall ensure that surveillance systems are secure against unauthorised access, protecting individuals’ privacy while allowing for necessary security measures. IMY supervises compliance using the powers available under the GDPR framework. The Camera Surveillance Act does not establish cyber-incident response teams.
The Protective Security Act
The supervisory mandate is divided according to the sector in which the supervised entity (referred to as “the operator”) is active, and is shared by the following authorities: the Swedish Security Service, the Swedish Armed Forces, Svenska Kraftnät (the Swedish National Grid), the Swedish Transport Agency, PTS, the Swedish Defence Materiel Administration, the Swedish Financial Supervisory Authority, the Swedish Energy Agency, the Swedish Radiation Safety Authority, and the County Administrative Boards of Stockholm, Skåne, Västra Götaland and Norrbotten. Supervision shall ensure that operators fulfil the obligations imposed on them, with a focus on protecting security-sensitive activities from cyber threats; this role is critical in safeguarding national security and protecting critical infrastructure. Supervisory authorities may demand information and documents, access premises, issue compliance injunctions backed by conditional fines, and impose administrative sanction fees.
The Swedish Cybersecurity Act
MCF is the primary regulator, acting as co-ordinator among the sector-specific supervisory authorities and as Sweden’s national contact point in the EU co-operation under NIS2. Supervision itself is divided among sector-specific supervisory authorities, each responsible for the sectors assigned to it.
Supervisory authorities may demand information and documents, access premises, conduct regular and targeted security audits and security scans, issue compliance injunctions with fines, and impose administrative sanction fees. MCF is designated as Sweden’s CSIRT unit under the Act, receiving incident reports, supporting affected entities, sharing incident information with supervisory authorities, and collecting and analysing forensic data.
GDPR and the Data Protection Act
IMY holds the supervisory mandate in Sweden and ensures that organisations implement robust security measures to protect personal data. Its mandate covers all personal data processing activities within Sweden. IMY has investigative powers (ordering provision of information, conducting audits, and accessing personal data and premises), corrective powers (warnings, reprimands, compliance orders, processing bans, administrative fines, and suspension of data flows), and authorisation and advisory powers. The GDPR and the Swedish Data Protection Act do not establish cyber-incident response teams.
The Patient Data Act
IMY is the supervisory authority that supervises the application of data protection rules by healthcare providers, which means, for example, checking that healthcare providers take security measures to protect patient data. The Inspectorate for Health and Care (Sw: Inspektionen för vård och omsorg, IVO) exercises certain supervisory powers, including adjudication of questions concerning disclosure of patient records from private healthcare, and powers to require provision of documents and information. IVO may also order seizure of patient records if there are probable grounds that they will not be handled in accordance with the law.
CER
Sweden’s implementation of the CER is expected to follow a sector-based supervisory model, aligned with the national structure adopted for NIS2. A single “common contact point” is to be designated for cross-border co-ordination and liaison at EU level, and MCF is proposed to take that role. Supervision and enforcement are intended to sit with the sector competent authorities.
CRA
In Sweden, the official inquiry proposes a complementary national framework in which the Swedish Board for Accreditation and Conformity Assessment (“Swedac”) is designated as the notifying authority responsible for the notification and oversight of conformity assessment bodies. For market surveillance, the inquiry proposes that PTS be designated as the primary market surveillance authority for the CRA. For products that are also classified as high-risk AI systems, the CRA provides that the AI Act market surveillance authorities carry out the CRA market surveillance tasks for those products. The CRA also relies on a national CSIRT to receive the vulnerability and incident notifications the regulation requires from manufacturers; in Sweden, MCF is proposed for that role.
DORA
The Swedish Financial Supervisory Authority (Sw. Finansinspektionen) is the supervisory authority that ensures that financial entities comply with DORA. It has supervisory, investigatory and sanctioning powers, including access to documents and data, on-site inspections and investigations, deciding on the conduct of threat-led penetration tests, requiring corrective and remedial measures, cease-and-desist orders, and measures to ensure compliance. DORA provides for co-operation with the CSIRTs designated under the NIS2 Directive (in Sweden: MCF), including consultation, information-sharing, requests for technical advice and assistance, and the establishment of co-operation arrangements for fast-response co-ordination.
The Cybersecurity Act
ENISA is the central EU body under the Cybersecurity Act: it prepares the European cybersecurity certification schemes that are intended to enhance trust and security in the digital market, covering ICT products, services and processes across the EU and promoting a common approach to certification. Supervision at national level rests with the national cybersecurity certification authorities. The Swedish Defence Materiel Administration (Sw. Försvarets materielverk, FMV) is the Swedish cybersecurity certification authority under the Cybersecurity Act, exercising supervisory powers including information requests, on-site inspections, enforcement orders backed by conditional fines, certificate withdrawal, and administrative sanction fees.
The AI Act
The AI Act includes security requirements to ensure that AI systems are safe and trustworthy, which makes it integral to cybersecurity. Its scope covers AI systems placed on the market or put into service throughout the EU. No supplementary acts have yet been adopted in Sweden. However, the Swedish Government Official Report proposes a system for market surveillance, governance and compliance monitoring consisting of eleven market surveillance authorities and two notifying authorities, and proposes that PTS be given primary responsibility for market surveillance under the AI Act.
The eIDAS
PTS is the supervisory authority under eIDAS, with a mandate to fulfil the supervisory body’s tasks under eIDAS and its implementing acts and to supervise compliance with Swedish supplementary legislation. PTS has investigative powers to request information and documents and to access premises, and may issue enforcement orders and prohibitions backed by conditional fines to ensure compliance with eIDAS and Swedish law. The Swedish Agency for Digital Government (Sw. Myndigheten för digital förvaltning, DIGG) fulfils Sweden’s co-operation obligations and serves as the common contact point for co-operation; DIGG is also responsible for handling security incidents and for notifying Swedish electronic identification schemes under eIDAS.
The Swedish Cybersecurity Act
Sweden’s primary cybersecurity framework for essential and important entities is the Swedish Cybersecurity Act, which entered into force on 15 January 2026 together with the accompanying Cybersecurity Regulation, and which implements the NIS2 Directive (Directive (EU) 2022/2555, NIS2). The Swedish Cybersecurity Act also repealed Sweden’s prior NIS implementation, the Information Security for Critical and Digital Services Act (Sw. Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster).
Public Sector Entities
The Swedish Cybersecurity Act applies to state authorities with decision-making powers affecting rights concerning cross-border movement of persons, goods, services or capital, as well as to regions, municipalities and municipal federations. The government may designate additional state authorities as covered, and the regulation specifies that state authorities listed in Annex 1 to the Regulation on the preparedness of government agencies (Sw. Förordning (2022:524) om statliga myndigheters beredskap) are within scope.
Private Sector Entities
Private entities are covered if they fall within NIS2 Annex I or Annex II, are established in Sweden, and are at least the size of a medium-sized enterprise. Even if the size threshold is not met, an entity meeting the sector and establishment criteria can be covered if it is the sole provider in Sweden of an essential service, if disruption could significantly affect life, health, public security or public health or create significant systemic risk, or if it is of particular national or regional importance for a sector or for other dependent sectors. Providers of trust services are also covered under this provision. The law also applies to providers that in Sweden provide public electronic communications networks or publicly available electronic communications services.
Sectors
The private-sector scope is anchored to the sectors and types of entities listed in NIS2 Annex I (sectors of high criticality) and Annex II (other critical sectors). NIS2 Annex I sectors of high criticality include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration and space. Annex II other critical sectors include postal and courier services, waste management, manufacture and production of chemicals, food production and distribution, manufacturing of certain products (medical devices, computers, electronics, machinery, motor vehicles and transport equipment), digital providers, and research.
Uncertainties Regarding Scope and Applicability
Certain aspects are explicitly left for future supplementary rules. The regulation empowers MCF and PTS to issue such supplementary regulations in their respective sectors. So far, only one supplementary regulation, on notification and identification, has been adopted; proposals on incident reporting and information obligations, and on security measures and training, are currently out for consultation.
Baseline Risk-Management
Entities covered by the Swedish Cybersecurity Act must implement appropriate and proportionate technical, operational and organisational measures to protect the network and information systems they use in their operations and/or to provide their services, and the physical environment supporting those systems, against incidents. The approach is risk-based and aims to create a security level appropriate to the risks and the entity’s dependencies.
Governance and Accountability
Management is expected to ensure the organisation can implement and maintain the required measures. Training is mandatory for persons in the entity’s leadership, and entities are encouraged to organise relevant training more broadly to support compliance in day-to-day operations.
Asset Management and Risk Assessment
Entities must have policies and routines for risk analysis and information system security that are proportionate to their operations and service criticality. Baseline control areas include asset management, access control and personnel security, for example role-based access, life cycle management of identities and controls tied to sensitive functions. Entities must also be able to demonstrate that measures are effective, which in practice requires continuous control evaluation such as testing, audits, monitoring and improvement processes.
Supply-Chain Security
Supply-chain security covers security-related aspects of relationships with suppliers and service providers that affect the entity’s systems and services. In practice, this typically entails supplier risk assessment, security requirements in procurement and contracts, appropriate assurance and oversight, and ensuring that supplier practices, including secure development and maintenance, do not introduce unacceptable risk.
Vulnerability Handling and Secure Life Cycle Management
Entities must address security in the acquisition, development and maintenance of network and information systems. This supports a life cycle approach including secure configuration, change control, patch and remediation processes, and verification that remediation is effective. Vulnerability handling is typically treated as part of this life cycle requirement and the broader requirement to maintain effective measures over time, including routine identification, prioritisation and remediation of vulnerabilities, and controlled disclosure and handling processes.
Business Continuity and Disaster Recovery
Entities must be able to maintain or restore critical services during and after incidents. This normally includes backup management, recovery planning and testing, defined restoration priorities and operational crisis-management arrangements aligned with the entity’s risk profile and service criticality.
Outsourcing Controls
Whilst the Act does not contain specific provisions on outsourcing controls as a standalone requirement, the obligation to implement security measures covering supply chain security, asset management, and access control strategies implicitly extends to outsourced services and managed service providers.
Objectives
The incident-reporting regime under Sweden’s Cybersecurity Act is intended to give a fast and reliable picture of significant cyber incidents affecting essential/important services, enabling early co-ordination and supervisory follow-up. Reports are centralised via the national CSIRT to support operational handling while also ensuring that the relevant sector supervisor is informed for compliance oversight.
Key Obligations
In-scope entities must identify and classify “significant incidents” (Sw. betydande incidenter) and be able to report them promptly. The Swedish Cybersecurity Act’s significance test is effects-based: an incident is significant if it has caused or is capable of causing (i) serious operational disruption to the service, (ii) economic damage to the entity, or (iii) significant harm to others.
Reporting is made to MCF as Sweden’s CSIRT intake, and MCF then forwards information to the relevant sectoral supervisory authority which reviews the report in its supervisory capacity.
Incident and Reporting Obligations
Reportable incidents are those meeting the Act’s “significant incident” test, and the legislation follows a staged model. First, an early warning must be submitted as soon as possible and no later than 24 hours after the entity becomes aware of the incident. Second, an incident notification must follow within 72 hours of awareness (within 24 hours for trust service providers). Finally, a final report is due within one month after the incident notification. If the incident is still ongoing at the one-month mark, a status report is provided instead, and the final report is then due within one month after the incident has been handled.
Channels and Content
Notifications are filed to MCF via MCF’s incident-reporting process, and forwarded to the competent supervisor. The early warning is treated as a rapid “heads-up” and should indicate, at minimum, whether the incident is suspected malicious/unlawful and whether it is likely to have cross-border impact; the 72-hour (or 24-hour) incident notification should add an initial assessment of severity/consequences and relevant technical indicators; and the final report should describe the circumstances in more depth, including impact, likely cause, and measures taken.
Parallel Reporting
Depending on facts, entities may also have to notify (i) IMY under GDPR where the incident is a personal data breach (and the Swedish framework anticipates co-operation with IMY), and/or (ii) law enforcement if criminality is suspected (MCF notes it may pass on information indicating suspected offences and encourages police reporting). In addition, the Act includes duties to inform service recipients in certain cases.
State Responsibilities and Obligations
CERT-SE is Sweden’s national CSIRT, tasked with supporting society in managing and preventing IT incidents. CERT-SE is part of MCF, which helps integrate their efforts into the broader national security framework.
CERT-SE’s responsibilities include providing assistance and guidance to the public sector, private companies, and organisations in handling cybersecurity threats and incidents. They aim to enhance the overall cybersecurity posture by offering expertise, co-ordinating responses to incidents, and promoting best practices for IT security.
Supervisory authorities shall co-operate with IMY when handling incidents that also constitute personal data breaches, and if a supervisory authority becomes aware of a circumstance that may constitute a personal data breach reportable under the GDPR, it shall inform IMY about the incident as soon as possible.
If the supervisory authority exercises supervision over an entity identified as a critical third-party ICT service provider under the DORA Regulation, the supervisory authority shall inform the oversight forum established under that regulation.
Scope
In Sweden, the scope of financial sector operational resilience regulation is primarily governed by DORA. This regulation applies to a wide range of financial entities, including (but not limited to) banks, credit institutions, payment institutions, insurance companies, and alternative investment fund managers. DORA aims to enhance digital operational resilience by setting uniform requirements across the EU; it is directly applicable in Sweden, and national legislation supplements it only where the regulation leaves matters (such as supervisory powers and sanctions) to the member states.
Under DORA, third-party ICT service providers that provide ICT services to financial entities within the EU can be designated as “critical” on the basis of the criticality criteria described below. Once designated as critical, these providers become subject to the EU oversight framework established under DORA, regardless of where they are established.
ICT Service Providers
In Sweden, under the framework of DORA, “ICT service providers” are defined broadly to encompass entities that offer information and communication technology services to financial institutions. This includes a wide range of services such as cloud computing, data analytics, software development, and cybersecurity services. The definition is intended to cover any third-party service that could impact the operational resilience of financial entities.
Critical ICT Services
Not all ICT services are classified as critical. The classification of an ICT service as critical depends on several factors, such as the systemic impact of a failure in providing the ICT services, the reliance of financial entities, the degree of substitutability and other relevant factors. While the definition of ICT service providers in Sweden is broad, the classification of services as critical is specific and based on the potential impact on financial operations and stability.
Cloud Service Providers
Not every cloud service provider will automatically be classified as critical. The criticality of a cloud service provider is assessed based on the same criteria mentioned above. For instance:
Subcontracting and Chain Outsourcing
Financial entities must ensure that contracts with ICT third-party service providers include provisions on subcontracting, requiring the provider to notify the entity of any intended subcontracting and to ensure that subcontractors meet the same information security standards. Critical ICT third-party service providers must provide information on subcontracting arrangements to the Lead Overseer.
Access, Inspection, Audit and Testing Rights
Contractual arrangements must grant financial entities, their appointed third parties, and competent authorities full access and audit rights over the ICT third-party service provider’s performance, including access to data, premises, and personnel. Lead Overseers may conduct on-site inspections at critical providers’ premises.
Exit Strategies and Data Portability
Contracts must include appropriate termination rights and exit strategies, ensuring orderly transition and secure data retrieval upon contract termination. Financial entities must develop transition plans for critical ICT services.
Location of Data and Services
Contracts must specify data storage and processing locations. Financial entities must ensure compliance with applicable data protection and localisation requirements.
Concentration Risk Management
Financial entities must identify and monitor concentration risk arising from contractual arrangements with ICT third-party service providers, assess dependencies on critical providers, and implement mitigation measures including diversification strategies where feasible.
Objectives
DORA is directly applicable in Sweden and is intended to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions, thereby strengthening operational resilience and continuity of critical services. It also establishes a harmonised EU framework for ICT risk governance and controls across the financial sector, supporting consistent supervisory oversight by competent authorities such as the Swedish Financial Supervisory Authority.
Key Obligations
Financial entities must implement and maintain an ICT risk management framework with clear governance, defined roles and responsibilities, and management body oversight, supported by appropriate internal controls, continuous monitoring and resilience testing. They must also manage ICT third-party risk by identifying dependencies on external ICT service providers, ensuring contractual arrangements support security and resilience expectations, and maintaining required documentation (including a register of ICT third-party arrangements) in accordance with applicable supervisory requirements.
Incident and Reporting Obligations
Financial entities must detect, manage and classify ICT-related incidents based on impact and severity, and report major ICT-related incidents to the Swedish Financial Supervisory Authority in line with DORA and the Regulatory Technical Standards (RTS), using the RTS materiality criteria and thresholds (including, for example, criteria relating to affected clients and transactions, service downtime, geographical spread, data losses and economic impact). An incident is classified as major where it has affected critical services and either (i) the malicious unauthorised access materiality threshold is met, or (ii) two or more of the other materiality thresholds are met. The malicious unauthorised access threshold is met where any successful, malicious and unauthorised access to network and information systems occurs that may result in data losses. Major incident reporting follows a staged timeline: an initial notification as early as possible, in any case within four hours of classification as major and no later than 24 hours after awareness; an intermediate report at the latest within 72 hours of the initial notification; and a final report within one month thereafter.
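The two staged reporting chains described on this page (the Swedish Cybersecurity Act early warning / incident notification / final report sequence above, and the DORA major-incident test and timeline here) are the kind of rule an incident-response team ends up encoding in its ticketing or on-call tooling so that deadlines are computed rather than remembered. The following is an added illustration written for this page, not a tool of MCF, Finansinspektionen or any other authority. It assumes that “one month” means the same calendar day of the following month clamped to month end (neither text defines this), and the criterion labels in OTHER_DORA_CRITERIA are this example’s own names for the RTS thresholds the page lists.

```python
"""Reporting-clock helper for the staged incident-reporting timelines
discussed on this page (Swedish Cybersecurity Act / NIS2 and DORA).
Added illustration only; standard library only."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

# DORA materiality criteria other than malicious unauthorised access, as
# listed on this page. The labels are this example's own naming (assumption).
OTHER_DORA_CRITERIA = frozenset(
    {"clients_transactions", "downtime", "geographical_spread",
     "data_losses", "economic_impact"}
)


def add_one_month(t: datetime) -> datetime:
    """'One month' read as the same day of the next calendar month, clamped
    to that month's last day (31 Jan -> 28 Feb). Assumption: neither text
    defines how a month is counted; this is a conservative reading."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass(frozen=True)
class DoraIncidentFacts:
    affects_critical_services: bool
    # Successful, malicious, unauthorised access to network and information
    # systems that may result in data losses.
    malicious_unauthorised_access: bool
    # Which of the other materiality thresholds are met.
    other_thresholds_met: frozenset[str] = frozenset()


def is_dora_major(facts: DoraIncidentFacts) -> bool:
    """DORA 'major' test as summarised above: critical services affected AND
    (malicious unauthorised access OR at least two other thresholds met)."""
    unknown = facts.other_thresholds_met - OTHER_DORA_CRITERIA
    if unknown:
        raise ValueError(f"unknown DORA criteria: {sorted(unknown)}")
    if not facts.affects_critical_services:
        return False
    return facts.malicious_unauthorised_access or len(facts.other_thresholds_met) >= 2


def dora_deadlines(aware_at: datetime, classified_at: datetime,
                   initial_sent_at: datetime | None = None,
                   intermediate_sent_at: datetime | None = None) -> dict[str, datetime]:
    """Latest submission times for a DORA major incident. The initial
    notification is due 4 h after classification but never later than 24 h
    after awareness, so the earlier of the two governs. Later steps chain
    from the actual submission time when known, else from the preceding
    deadline (worst case)."""
    if classified_at < aware_at:
        raise ValueError("cannot classify an incident before becoming aware of it")
    initial = min(classified_at + 4 * HOUR, aware_at + 24 * HOUR)
    intermediate = (initial_sent_at or initial) + 72 * HOUR
    final = add_one_month(intermediate_sent_at or intermediate)
    return {"initial": initial, "intermediate": intermediate, "final": final}


def nis2_deadlines(aware_at: datetime, trust_service_provider: bool = False,
                   notification_sent_at: datetime | None = None,
                   handled_at: datetime | None = None) -> dict[str, datetime]:
    """Swedish Cybersecurity Act chain: early warning within 24 h of awareness;
    incident notification within 72 h of awareness (24 h for trust service
    providers); final report one month after the notification. If the
    incident is still ongoing at that point, a status report is due then and
    the final report one month after handling ends (handled_at)."""
    early_warning = aware_at + 24 * HOUR
    notification = aware_at + (24 if trust_service_provider else 72) * HOUR
    one_month_mark = add_one_month(notification_sent_at or notification)
    out = {"early_warning": early_warning, "notification": notification}
    if handled_at is not None and handled_at > one_month_mark:
        out["status_report"] = one_month_mark
        out["final"] = add_one_month(handled_at)
    else:
        out["final"] = one_month_mark
    return out


if __name__ == "__main__":
    # Constructed sample: awareness 09:00, classified as major three hours later.
    aware = datetime(2026, 3, 10, 9, 0)
    facts = DoraIncidentFacts(True, False, frozenset({"downtime", "economic_impact"}))
    print("DORA major:", is_dora_major(facts))
    for name, due in dora_deadlines(aware, datetime(2026, 3, 10, 12, 0)).items():
        print(f"DORA {name:<12} due {due:%Y-%m-%d %H:%M}")
    for name, due in nis2_deadlines(aware).items():
        print(f"NIS2 {name:<14} due {due:%Y-%m-%d %H:%M}")
```

The point of the `min()` in `dora_deadlines` is the edge case the text states but teams often miss: an entity that takes 23 hours to classify an incident as major does not get another four hours, because the 24-hours-from-awareness cap governs. Passing the actual submission times tightens the later deadlines; leaving them out yields the worst-case chain.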
Enforcement With Regard to Critical ICT Service Providers
The supervision of critical ICT service providers is to be carried out at Union level by the Lead Overseer. One of the three European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority or the European Insurance and Occupational Pensions Authority) is to be designated as Lead Overseer for each critical third-party service provider. In order to fulfil its tasks under DORA, the Lead Overseer may, inter alia, conduct general investigations and inspections. Within three months of the conclusion of an investigation or an inspection, the Lead Overseer shall adopt recommendations addressed to the critical third-party provider.
The Lead Overseer may impose periodic penalty payments on critical ICT service providers. Decisions on periodic penalty payments taken by the Lead Overseer should therefore be enforceable under the Swedish Enforcement Code (Sw. Utsökningsbalken (1981:774)) in the same way as a Swedish judgment that has acquired legal force. The Swedish Enforcement Authority is the Swedish authority responsible for the practical enforcement, and its decisions can be appealed to the Swedish courts.
Enforcement With Regard to Financial Entities
With regard to financial entities, the enforcement of operational resilience obligations is carried out by the Swedish Financial Supervisory Authority. The authority has the power to conduct inspections, request information, and impose sanctions or corrective measures on financial institutions and critical ICT service providers that fail to comply with operational resilience requirements. This includes fines, orders to cease certain activities, or other regulatory actions to ensure compliance.
DORA does not impose data localisation requirements (it “does not require data storage or processing to be undertaken in the Union”), so cross-border and third-country outsourcing is in principle possible, but must be managed as ICT third-party risk.
Contracts must specify the locations (countries/regions) where services are provided and where data is processed/stored, and require advance notice of changes. Where critical/important functions are outsourced to a third-country provider, entities must consider compliance with Union data-protection rules and the effective enforcement of law in that third country. Entities must also assess third-country subcontracting and whether subcontracting chains hinder monitoring/supervision. Before contracting, entities must assess criticality, supervisory conditions, concentration risk, due diligence, and conflicts of interest, and ensure appropriate information-security standards.
Threat-Led Penetration Testing
In Sweden, DORA mandates threat-led penetration testing (TLPT) for financial entities. These tests must be conducted every three years, or more frequently if required by the competent authority. The tests simulate cyberattacks to identify vulnerabilities in an organisation’s ICT infrastructure. Each test must cover several or all critical or important functions of the financial entity on live production systems, with entities identifying all relevant underlying ICT systems, processes and technologies.
The tests must be executed by an external party every third time, while internal testers can be used but require specific approval and must meet conflict-of-interest requirements. The Swedish authorities, primarily the Swedish Financial Supervisory Authority and the Swedish Central Bank, share responsibilities for the TLPT process. The Swedish Financial Supervisory Authority determines which entities must undergo testing and the frequency of tests, while the Swedish Central Bank co-ordinates and monitors the tests, ensuring compliance and certifying that the tests meet the required standards. Selection of entities to undergo testing is based on the extent to which their services impact the financial sector, potential financial stability concerns (including systemic character at Union or national level), and specific ICT risk profile, level of ICT maturity, or technology features involved. Microenterprises are excluded from advanced testing requirements.
Testers must be of the highest suitability and reputability; possess technical and organisational capabilities demonstrating expertise in threat intelligence, penetration testing and red team testing; be certified by an accreditation body or adhere to formal codes of conduct; provide independent assurance on sound risk management; and be fully covered by professional indemnity insurance. After completing the tests, entities must submit results, corrective action plans, and receive certification. This certification facilitates mutual recognition of tests across EU member states.
The CRA
On 10 December 2024 the Cyber Resilience Act entered into force. Its full implementation is phased across three key dates. The main obligations will apply from 11 December 2027, with the exception of Article 14 which will apply from 11 September 2026 and Chapter IV (Articles 35-51) which will apply from 11 June 2026.
Swedish Legislative Status (Supplementary Measures)
Sweden has initiated national work to put in place supplementary enforcement and institutional arrangements for the CRA. On 28 November 2024, the government appointed a special investigator and the assignment was reported in December 2025 through the Swedish Government Official Report (SOU) “Supplementary provisions to the EU Cyber Resilience Regulation (SOU 2025:115)”.
The SOU proposes a Swedish supplementary act and regulation to support enforcement of the CRA in Sweden, including national provisions on supervision and sanctions, and proposes institutional designations, including: (i) Swedac as notifying authority, and (ii) PTS as the market surveillance authority (with an express note that, for products that are high-risk AI systems under the AI Act, the AI Act market surveillance authorities apply). The SOU also notes that MCF is the Swedish CSIRT function in the context of the CRA framework.
Coverage/Scope
The CRA is a product-focused regime: it applies to “products with digital elements” (hardware and software) made available on the market whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection. It also covers a product’s “remote data processing solutions” where they meet the CRA definition. Standalone software can be in scope. By contrast, standalone SaaS/cloud solutions developed outside the responsibility of a product manufacturer are not themselves “products with digital elements”; however, where a service meets the definition of “remote data processing” for a product, it falls within scope.
Scope of Application
The CRA applies to “products with digital elements” whose purpose or use involves a logical or physical data connection to a device or network.
The CRA covers a wide range of software and hardware products that connect, either directly or indirectly, to other devices or networks. This includes smart home devices, wearable technology, internet-connected toys, and industrial Internet of Things (IoT) devices. Non-commercial open source software products are not covered by the CRA. The CRA targets manufacturers, producers, and importers, requiring them to ensure that their products are safe to use, resilient to cyber threats, and that their security features are properly disclosed.
Vulnerability Handling
Manufacturers must run a documented vulnerability-handling process for the support period, including a co-ordinated vulnerability disclosure (CVD) policy and a clear point of contact for vulnerability reports, as well as processes to assess, remediate, and document vulnerabilities.
Patching and Update Timelines
Manufacturers must provide security updates during a declared support period (generally at least five years, unless the product’s expected use is shorter). Security updates must remain available long-term (at least ten years or the remainder of the support period, whichever is longer). Certain exploited-vulnerability/severe-incident reporting has short statutory deadlines (including a 24-hour early warning).
Post-Market Surveillance/Ongoing Compliance
Manufacturers must monitor products after placing them on the market, keep technical documentation up to date where needed, and take corrective measures when issues arise.
Conformity Assessment
Before placing a product on the market, manufacturers must perform conformity assessment and maintain technical documentation. Many products can use internal control, but “important” and “critical” product categories may require stricter assessment routes, including third-party involvement and/or use of EU cybersecurity certification schemes where applicable.
Marking and Certifications
Compliant products require an EU declaration of conformity and CE marking (and, where a notified body is used, the CE mark may be accompanied by the notified body number). EU cybersecurity certification may be relevant/required for certain categories where schemes exist.
Recall/Withdrawal Duties
If a product is non-compliant or presents a significant cybersecurity risk, manufacturers (and other economic operators) must take corrective action and, where appropriate, withdraw or recall products and inform authorities/users.
Enforcement and Penalties
Enforcement is carried out by Swedish authorities (with, as mentioned above, proposed roles including PTS for market surveillance, Swedac for notified bodies, and MCF for receiving reports). Penalties are structured as administrative fines with EU-level maximums that can reach EUR15 million/2.5%, EUR10 million/2% or EUR5 million/1% of global turnover, depending on the type of breach, alongside corrective actions such as restrictions, withdrawal, and recall.
The EU Cybersecurity Act
The EU Cybersecurity Act entered into force on 27 June 2019. The primary goal of the Cybersecurity Act is to enhance protection against cybersecurity threats across the EU. The Cybersecurity Act also enables manufacturers and service providers to use one mutually recognised certificate throughout the EU.
Under the Cybersecurity Act, European cybersecurity certification schemes may define assurance levels at “basic”, “substantial”, and “high”. In general terms, “basic” targets lower-risk use cases and may allow supplier self-assessment or an EU statement of conformity, whereas “substantial” and “high” imply increased rigour, typically through stricter evaluation and/or independent conformity assessment in accordance with the relevant scheme rules. Certification under the Cybersecurity Act is voluntary.
Main Elements
The regulation has two main functions and purposes.
The EU framework is implemented through specific European cybersecurity certification schemes adopted by the European Commission. The first adopted EU-wide scheme is the European Common Criteria-based cybersecurity certification scheme (EUCC), adopted in 2024 and amended in 2025. EUCC primarily targets ICT products and is intended to support mutual recognition across the EU. As with the overall framework, use of EUCC is generally voluntary, but it may be required in practice by customer requirements or procurement in high-assurance contexts.
National Cybersecurity Certification Authority
In Sweden, the Swedish Defence Materiel Administration acts as the national cybersecurity certification authority. It is the cybersecurity and certification department at the Swedish Defence Materiel Administration that is responsible for matters related to cybersecurity certification, supervision, collaboration, and external monitoring. The department consists of the Swedish Certification Body for IT Security and the Swedish Cyber Security Certification Authority.
Furthermore, the Swedish Defence Materiel Administration is tasked with overseeing and co-ordinating certification activities at the national level and collaborating with EU entities such as the EU Agency for Network and Information Security and the European Commission. It also serves as Sweden’s representative in the European Cybersecurity Certification Group.
Additionally, the Swedish Defence Materiel Administration is responsible for notifying the EU about accredited bodies and those authorised under the Cybersecurity Act.
GDPR and Swedish Supplementation
GDPR aims to protect natural persons when processing personal data. In Sweden, the GDPR is supplemented by the Data Protection Act, which contains supplementary provisions to the GDPR.
Controller Responsibilities and Data Processing Agreements
A legal entity that determines the purposes and means of processing personal data is a controller under GDPR. While a controller can appoint a processor to process data on its behalf, the ultimate responsibility for compliance remains with the controller. To ensure the processor adheres to GDPR requirements, the parties must enter into a data processing agreement that governs the processing activities and outlines both parties’ obligations and rights. A processor must notify the controller without undue delay after becoming aware of a personal data breach.
Protective Measures and Data Subject’s Rights
The GDPR requires controllers to implement appropriate technical and organisational measures to protect the processed personal data from unauthorised access. The appropriate measures should be determined based on the risk of the processing (taking into account, eg, the state of the art, implementation costs, and the nature, scope, context and purposes of the processing). This may include:
The controller must also inform data subjects about the processing of their personal data and of their rights. The data subject’s rights include:
Data Breaches and Thresholds
Entities processing personal data must adhere to GDPR’s specific provisions regarding personal data breaches. A personal data breach involves a security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.
A breach is reportable depending on the risk to individuals’ rights and freedoms: (i) notification to the supervisory authority is required unless the breach is unlikely to result in a risk; and (ii) communication to data subjects is generally required if the breach is likely to result in a high risk.
If a breach risks individuals’ rights and freedoms, the controller must notify IMY without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification is made later than 72 hours, the controller shall be able to justify the delay. Where not all information is available at the same time, the notification may be provided in phases without undue further delay.
The notification shall at least include a description of:
If a breach likely poses a high risk to individuals’ rights and freedoms, the data subject should generally be informed without undue delay. The communication to data subjects should describe in clear and plain language the nature of the breach and include at least: contact information, the likely consequences, and the measures taken or proposed to mitigate the consequences.
However, communication to data subjects is generally not required if, for example:
All breaches must be documented by the controller, regardless of risk level. This includes facts relating to the breach, its effects and the remedial action taken.
However, it should be noted that the Data Protection Act stipulates that if an incident which constitutes a personal data breach is to be notified under the Protective Security Act, then the notification and information obligations under Articles 33 and 34 of the GDPR shall not be applicable.
The AI Act
The AI Act became effective on 1 August 2024 and applies in phases, with most obligations applying from 2 August 2026 (and GPAI model obligations from 2 August 2025). It establishes a unified framework for AI development and use within the EU. It categorises AI systems based on risk levels, imposing stricter requirements on high-risk applications, such as those in critical infrastructure, healthcare, and law enforcement. For Sweden, this means adapting national regulations to comply with EU standards, ensuring AI systems are human-centred, reliable, and aligned with fundamental rights. This includes mechanisms for oversight and enforcement to maintain high protection levels for health, safety, and fundamental rights. Sweden is preparing supplementary national measures (including authority allocation and enforcement), and the inquiry’s final report SOU 2025:101 “Adaptations to the AI Regulation: Safe use, effective control and support for innovation” is currently out for consultation.
Under the AI Act, cybersecurity obligations arise primarily for providers (and, in some cases, deployers and other actors in the supply chain), in particular for high-risk AI systems and general-purpose AI (GPAI) models with systemic risk.
Security by Design
High-risk AI systems must be designed and developed to achieve an appropriate level of accuracy, robustness and cybersecurity and perform consistently throughout their life cycle, including resilience to faults and external interference. In addition, providers must operate a documented quality management system covering design and development controls, testing/validation, risk management, post-market monitoring and incident reporting procedures.
Supply-Chain and Model Component Security
The AI Act allocates responsibility along the AI supply chain and contemplates written arrangements with suppliers of tools, services, components or processes used in or integrated into high-risk AI systems, including sharing the necessary information, capabilities and technical access to enable compliance. The quality management system requirements also include resource management and security-of-supply related measures, which in practice support supply-chain controls for AI development and deployment. For GPAI models with systemic risk, providers must ensure an adequate level of cybersecurity protection for the model and its physical infrastructure (alongside systemic-risk assessment/mitigation and adversarial testing).
Incident Reporting
Providers of high-risk AI systems must report serious incidents to the competent market surveillance authority in the member state where the incident occurred, with the AI Act setting deadlines and follow-on steps; the Commission has also issued draft guidance and a reporting template (noting these rules apply from August 2026). Separately, providers of GPAI models with systemic risk must track, document and report relevant information about serious incidents and corrective measures without undue delay to the AI Office (and, as appropriate, national competent authorities).
Parallel Regimes
AI Act requirements apply in parallel with other regimes. For example, where personal data is used in training or operation, GDPR security and breach-handling obligations continue to apply. For organisations in Sweden that are in scope of the Swedish Cybersecurity Act, AI-related incidents may also trigger incident reporting (eg, initial notice within 24 hours, then further reporting steps) and broader risk-based security duties. In addition, where AI is embedded in “products with digital elements”, the CRA may impose product cybersecurity/vulnerability-handling requirements alongside the AI Act.
Cybersecurity and the Healthcare Sector
Cybersecurity in healthcare focuses on safeguarding electronic information and assets against unauthorised access, use and disclosure. The healthcare sector must systematically address the security of healthcare information management.
The Patient Data Act contains explicit provisions to prevent unauthorised dissemination by electronic means of data relating to patients undergoing treatment. It contains the provisions specifically needed for the processing of patient data by healthcare providers in relation to other personal data processing. Otherwise, the provisions of the GDPR apply to the processing of patient data and other personal data by healthcare providers. The Patient Data Act governs several aspects, including:
Further, the Swedish Cybersecurity Act applies to in-scope entities in the health sector, which NIS2 treats as a sector of high criticality (an “essential” sector). Accordingly, healthcare providers and other covered organisations must comply with the cybersecurity-law requirements described above. However, whether a particular healthcare organisation is classified as an essential or important operator depends on the entity’s status and size under the Swedish implementation.
Norrlandsgatan 21
111 43
Stockholm
Sweden
+46 859 506 000
+46 859 506 001
felicity.trocme@msa.se www.mannheimerswartling.se/
Compliance in Transition: Interpreting the Swedish Cybersecurity Act and Its Interaction With Parallel Regimes
Introduction
Cybersecurity has moved from being a technical concern to a core business and governance issue. Digital systems now underpin almost every sector and the digital supply chains that connect them. At the same time, a more challenging geopolitical environment has increased both the frequency and the sophistication of cyber threats targeting European states and businesses.
Against this backdrop, Sweden’s regulatory framework has undergone notable changes regarding cybersecurity. The new Swedish Cybersecurity Act (2025:1506) entered into force on 15 January 2026 and implements Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2). The new Swedish Cybersecurity Act also repeals Sweden’s prior NIS implementation: the Information Security for Critical and Digital Services Act (2018:1174) and the Information Security for Critical and Digital Services Ordinance (2018:1175).
In addition, it should be noted that businesses operating in Sweden must take note of the Swedish national security legislation, most notably the Swedish Protective Security Act (2018:585). While this act covers a narrower set of actors than the Swedish Cybersecurity Act, it covers more than just cybersecurity and information security, and the obligations in the cybersecurity space can be daunting. Hence, for those in scope, it can have a significant impact on the cybersecurity and compliance burden of a business. It should also be noted that the supervisory authorities handling protective security matters have been taking a much more proactive stance during the last year.
However, the following overview will focus on (i) the new Swedish legislation concerning cybersecurity, (ii) the likely future approach taken by the supervisory authorities, and (iii) possible developments concerning practice and implementation of the new legislation.
The new cybersecurity legislation
In comparison to the Information Security for Critical and Digital Services Act, the new Swedish Cybersecurity Act sets out new requirements on technical, operational and organisational measures to manage risks that threaten the network and information systems in-scope entities use for their operations or for providing services, and the physical environment of those systems. These measures should include risk analysis, business continuity measures, supply-chain security measures and personnel security measures. The measures should be based on an overall risk perspective and risk analysis, be proportionate to the risk, and be evaluated regularly.
Supply-chain security encompasses the security aspects of the relationship between the operator and its direct suppliers or service providers. This means that each operator must implement risk management measures in relation to its suppliers, making it responsible for its direct suppliers, which will influence contracting and vendor oversight.
Another clear change in the new legislation is sector expansion. The Information Security for Critical and Digital Services Act targeted a smaller set of sectors: energy, transport, banking, financial market infrastructure, health care, drinking water, digital infrastructure, and certain digital services. NIS2, and thus the Swedish Cybersecurity Act, is built around a far larger sector map, and the Swedish implementation covers both private and public actors depending on sector, size and other factors. Below is the sector list that the new Swedish Cybersecurity Act covers:
Under the new Swedish Cybersecurity Act, entities are categorised within a two-tier model of either essential (Sw. väsentliga) or important (Sw. viktiga), with different enforcement intensity and different expectations regarding maturity and scrutiny.
A further important change concerns incident reporting. While the Information Security for Critical and Digital Services Act required registration and incident reporting, the new Swedish Cybersecurity Act requires more structured reporting steps and stricter timelines. Under the new legislation, a significant incident must be reported in stages: an initial notice within 24 hours of becoming aware of the incident, followed by an incident notification (within 24 hours for providers of trust services and within 72 hours for other operators), interim reporting upon request, and a final report within one month (or a status report if the incident is ongoing). A significant incident is one that has caused or may cause serious operational disruption or economic loss for the operator, or significant harm to others. Depending on the circumstances, service recipients may also need to be informed of significant incidents.
Sweden’s approach to incident reporting is centralised. Rather than reporting incident information directly to the sector regulator in the first instance, it is reported to the Swedish Civil Defence and Resilience Agency (MCF), and then directed as appropriate. The new Swedish Cybersecurity Act also comes with the supporting Cybersecurity Ordinance, which, inter alia, designates the competent supervisory authorities and other practical arrangements for co-ordination and oversight in Sweden’s NIS2 implementation. In parallel, MCF has already begun issuing implementing rules, including the Regulations of the Swedish Civil Defence and Resilience Agency (MCFFS 2026:1) on notification and identification of essential and important entities.
An important novelty in the new Swedish Cybersecurity Act is governance on management level, as NIS2 is intended to bring cybersecurity into management accountability. The consequence is that supervisory authorities will assess whether cybersecurity is understood and taken seriously at a senior management level, rather than being delegated entirely to IT or security teams. Senior management is expected to monitor the implementation of risk management measures as operators are required to implement policies and procedures to assess the effectiveness of the cybersecurity risk management measures across organisations and to address identified deficiencies. In the months following the entry into force of the new Swedish Cybersecurity Act, MCF will issue regulations on how management should be informed and educated on cybersecurity.
Further, the new Swedish Cybersecurity Act includes rules on when other regimes take precedence and specific carve-outs relevant to Swedish- and EU-regulated sectors. There is interaction with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA): if an entity is covered by DORA, the Swedish Cybersecurity Act’s obligations on security measures and incident reporting do not apply. Similarly, the new Swedish Cybersecurity Act does not apply to entities that only conduct activities that are “security-sensitive” under the Swedish Protective Security Act (2018:585), and for entities conducting both “security-sensitive” activities and other activities, the new Swedish Cybersecurity Act only applies partially.
Another change is that the new Swedish Cybersecurity Act raises the enforcement stakes compared with the Information Security for Critical and Digital Services Act. The Information Security for Critical and Digital Services Act relied on Swedish-level sanction ceilings and a framework which can be deemed as relatively contained. The new NIS2-aligned model uses materially larger administrative fine ceilings, especially for large private groups. The maximum sanction fee is turnover-based for private operators (up to the higher of 2% of global turnover or EUR10 million for essential operators, and up to the higher of 1.4% of global turnover or EUR7 million for important operators), while public operators are subject to a fixed maximum of SEK10 million.
Authorities’ approach to the new legislation
The supervisory authorities
Sweden’s supervisory model under the new Swedish Cybersecurity Act is best understood as central co-ordination with sector supervision. The Cybersecurity Ordinance designates MCF as Sweden’s single point of contact for NIS2 co-operation, and also as Sweden’s CSIRT (incident response function). This structure is designed to create one national situational picture of cyber risk and incident activity, while still allowing specialised regulators to supervise compliance within their sectors.
Competent supervisory authorities are designated in the Cybersecurity Ordinance depending on the sector. The list is broad and includes both specialist regulators and, in certain areas, county administrative boards (Sw. länsstyrelse). By way of example, competent supervisory authorities include the Swedish Post and Telecom Authority (digital infrastructure and certain digital providers), the Swedish Financial Supervisory Authority (financial sectors within its remit), the Swedish Transport Agency (transport sectors within its remit), and the Swedish Energy Agency (energy). In the health sector, supervisory responsibilities are allocated to authorities including the Health and Social Care Inspectorate and the Medical Products Agency, depending on the activity.
Enforcement
Enforcement under the new Swedish Cybersecurity Act is structured as a graduated set of measures. The toolkit at hand for supervisory authorities is as follows.
At this early stage of the new Swedish Cybersecurity Act, supervisory activity will likely focus on (i) whether an entity is correctly identified as in-scope, (ii) whether it has been registered, and (iii) whether it can demonstrate that risk management measures and incident-handling procedures are implemented in a way that is compliant with the legislation. As mentioned above, the enforcement framework is also structured to place cybersecurity on a management level. Where deficiencies are identified, and supervisory action follows, it will inevitably affect how management evaluates cyber and security investments.
This analysis also needs to be read against the Swedish system’s broader security regulation. As mentioned in the introduction, many organisations that interact with public authorities, critical infrastructure, or sensitive procurement may also be subject to the Swedish Protective Security Act in relation to security-sensitive activities. Also as noted, the Swedish Cybersecurity Act includes rules intended to avoid duplication for purely security-sensitive activities, but, in practice, organisations may still need to manage two regimes in parallel, one driven by cybersecurity compliance, and the other driven by protective security requirements.
It should be noted that the Swedish Protective Security Act is a live enforcement regime, which involves requirements on information security and therefore cybersecurity. As an example, Stockholm District Court was ordered to pay a SEK2.5 million sanction fee due to deficiencies in its protective security work. Although this was not due to deficiencies specifically related to cybersecurity, it highlights Swedish authorities’ willingness to pursue enforcement and impose administrative sanctions where they consider that compliance has not been achieved. In other words, businesses that realise that they may be in scope of both the new Swedish Cybersecurity Act and the Protective Security Act should seek specialised advice covering both acts, to ensure comprehensive compliance across both domains. This is also relevant given that there is no case law under the new Swedish Cybersecurity Act, which is why it is likely that both supervisory authorities and courts will look to related regimes, ie, the Swedish Protective Security Act, for guidance when interpreting compliance requirements relating to information security and cybersecurity.
This overlap can also be considered concerning the Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER). In the Swedish Government Official Report “Resilience in services essential to society (SOU 2024:64)” on the Swedish implementation of CER, the inquiry notes that a remaining task is to adjust the Protective Security Act’s rules on supervisory powers and sanctions to the supervisory powers and sanctions under the CER as well as NIS2. The inquiry assesses that it would not be desirable if the protective security framework were to provide less intrusive powers or less stringent sanctions than the regimes implementing NIS2 and CER. This also reflects a broader tendency in Swedish administrative enforcement, where supervision in several legislative areas has shifted from being primarily guidance-oriented to becoming more interventionist. The language in the new Swedish Cybersecurity Act evidences this in that the supervisory authority shall (Sw. ska) intervene in response to breaches, in contrast to the wording in the Information Security for Critical and Digital Services Act where the supervisory authorities merely may (Sw. får) do so.
Legislation, practice and development
Regarding Swedish security-related regulations, there have been a number of district court and administrative court decisions in recent years, but few have been tested all the way to the Swedish Supreme Court or the Swedish Supreme Administrative Court. The result is that developments have been relatively fragmented and there have been inconsistencies from case to case and between sectors. This is likely to remain the position for some time under the new Swedish Cybersecurity Act as it entered into force in January 2026 and practice will develop over time before case law is established.
For this reason, application problems may surface. Questions may arise concerning, eg, which legal entity is the “operator” under the legislation, which services fall within the regulated sectors, and whether only parts of the business are in scope (for example, where a group combines regulated and non-regulated activities, or where critical functions are outsourced).
Many organisations will look for regulations from supervisory authorities in order to understand requirements under the legislation in their relevant sectors. In the early stages of the new Swedish Cybersecurity Act, it should be expected that guidance from supervising authorities will be sparse and that it may take time before further regulations detailing how to interpret the new legislation are issued. However, implementing regulations have been given preliminary dates of entry into force, with regulations on notification and identification in February 2026, followed by regulations on security measures and training as well as incident reporting and information obligations in April 2026, and regulations on security audits and security scanning in June 2026.
As noted above, the Swedish Cybersecurity Act should be understood alongside parallel regimes. In SOU 2024:64, it was proposed that the Swedish CER legislation should enter into force on 1 August 2025. The government bill regarding the implementation of CER into Swedish law is expected during the spring of 2026. The Swedish Protective Security Act will also undergo changes. There are a number of ongoing proposals to amend the legislation, including proposals in SOU 2024:64 (concerning the CER, as mentioned above) and in the inquiry “The Swedish Protective Security Act – further additions (SOU 2025:42)”. This underscores that organisations should expect a developing and increasingly detailed regulatory landscape in parallel to the implementation of the Swedish Cybersecurity Act. Cybersecurity compliance should therefore not be implemented in organisations’ compliance structures in an isolated sense, but structured to fit into a broader resilience and security framework.
A further development that increasingly sits within practice is the push towards European solutions and reduced dependency risk on critical digital infrastructure outside Europe. For many organisations, this is often framed as a procurement question: whether to rely on a single cloud provider, and how to address concentration risk, exit planning, and control requirements. The legal relevance is that supplier dependency and supply-chain security are now explicit compliance considerations under NIS2 and the Swedish Cybersecurity Act, and supervisory authorities will likely focus on these issues. In this context, “European alternatives” are not necessarily a political choice; they are often evaluated as part of a broader risk assessment of where sensitive services are hosted, who has operational control, and how resilience is ensured if a provider fails, is disrupted or is taken over by a hostile actor.
Summary
The new Swedish Cybersecurity Act introduces a broader scope of regulated sectors and entities than the Information Security for Critical and Digital Services Act, and it places increased emphasis on supply-chain security, management-level accountability and operational incident preparedness. Incident reporting is structured in mandatory steps and short time limits, and the sanctions framework includes turnover-based maximum fees for private essential and important operators as well as a fixed maximum for public operators.
Supervision is organised through central co-ordination by MCF combined with sector-based supervisory authorities. Early supervisory activity can be expected to focus on scope classification, evidence of implemented measures, and the practical ability to comply with incident reporting obligations.
Finally, organisations should not approach cybersecurity compliance in isolation. Many will also need to align their compliance programmes with adjacent regimes, including the Swedish Protective Security Act and the forthcoming Swedish implementation of CER, which may impose additional and overlapping governance, resilience and cybersecurity-related requirements.
Norrlandsgatan 21, 111 43 Stockholm, Sweden
+46 8 595 060 00
+46 8 595 060 01
felicity.trocme@msa.se
www.mannheimerswartling.se/