Tech Law in Sweden: An Introduction

Sweden’s technological landscape is undergoing rapid transformation, marked by growth, a significant increase of regulatory requirements, and the increasing importance of digital innovation – not least by different AI applications. The following article delves into various commercial and legal aspects of this development, including matters related to the gaming industry, advancements in AI, considerations in cybersecurity and protective security, and the field of fintech.

Considerations for Gaming Companies Operating in Sweden

The last few years have seen Swedish game developers experience growth in terms of number of companies, revenue, employees, and gender diversity, despite challenges, primarily the persistent skills shortage. According to the report Swedish Games Industry 2023 from the trade organisation The Swedish Games Industry (Dataspelsbranschen), the industry’s revenue reached EUR3.1 billion (a 13% increase for Swedish-registered companies) in 2022. Including subsidiaries, the total industry revenue was EUR8.1 billion; a 40% rise. The sector employed over 8,000 people in Sweden and roughly 16,000 abroad, with a global increase fuelled by several acquisition-driven leading Swedish gaming companies.

Gaming companies operating in Sweden must navigate various legal considerations. These include adherence to consumer protection laws, ensuring clear information, warranties, and product quality for digital content. Compliance with the GDPR, imposing strict rules on collecting and processing personal data, is crucial. Furthermore, companies must respect copyright and intellectual property laws.

Additionally, gaming companies looking to raise capital in the EU must adhere to the new EU Foreign Subsidies Regulation (FSR). The FSR, which entered into force on 12 January 2023, and has applied since 12 July 2023, aims to ensure fair competition between European and non-European companies by monitoring significant transactions and public procurement procedures to address distortions in competition arising from subsidies granted by non-EU countries to companies in the EU single market.

The regulation introduces procedures in which the Commission can investigate concentrations where the acquired company, one of the merging parties or the joint venture generates an EU turnover of at least EUR500 million and the parties were granted foreign financial contributions of more than EUR50 million in the last three years. A similar procedure can be used to investigate public procurement bids where the estimated contract value is at least EUR250 million and the bid involves a foreign financial contribution of at least EUR4 million per third country in the last three years. Additionally, the Commission can initiate an ex officio procedure to investigate all other market situations. If the Commission finds that such financial contributions constitute distortive subsidies, it can impose measures to redress their distortive effects.

Gaming companies should also be mindful of competition laws to avoid anti-competitive practices and ensure compliance. The Digital Single Market (DSM) initiative seeks to harmonise digital regulations across EU member states, impacting digital content distribution, copyrights, and cross-border access to online services.

Health Data Usage in Sweden

The sharing of health data offers great potential within precision medicine. While the EU is negotiating to regulate health data through the European Health Data Space proposal, Sweden is already one step ahead. A recent public inquiry addresses current problems in the Swedish health data infrastructure. It suggests amending Swedish legislation, particularly the Patient Data Act, to cover the secondary use of health data for health care and research purposes. While the Swedish report focuses on national legislation, it also anticipates adjustments in response to the forthcoming EU regulations. Furthermore, the report also touches upon the implications for the private sector, noting the competitive disadvantage that the current proposals might create for private healthcare and pharmaceutical companies. Currently, the proposals only apply to the public healthcare sector.

Artificial Intelligence in Sweden

On 9 December 2023, the Commission, Council of Ministers and Parliament reached an agreement on the EU AI Act. The new proposal includes transparency requirements for basic models, limitations on biometric identification systems, clarification of specific requirements for high-risk models, and enhanced rights for the individual. Once the regulation has been formally adopted, it is time for member states to take the necessary and appropriate implementation measures to ensure coherence in national legislation and compliance with the AI Act. The AI Regulation is characterised by a risk-based approach, dividing the usage of AI into levels of risk. Unacceptable uses of AI are prohibited, and high-risk uses of AI are subjected to certain obligations.

The AI industry in Sweden is experiencing significant growth and development. The Swedish government has recently established an AI Commission, focusing on leveraging AI to bolster Swedish welfare and competitiveness. The initiative indicates a firm commitment from the Swedish government to integrate AI into various sectors.

AI Sweden, the Swedish National Centre for Applied AI, also plays an integral part in this development. The centre is supported by the Swedish government and collaborates with partners within the public as well as private sector across the country. Its mission is to increase and accelerate the use of AI to benefit Swedish competitiveness. Recently, AI Sweden and its partners have launched ground-breaking AI initiatives crucial for Sweden’s competitive edge and ability to deliver high-quality societal services.

One of the significant initiatives of AI Sweden is the release of GPT-SW3, the first large Nordic language model, as an open model for businesses and organisations to use in their products and services, providing significant opportunities for technological advancement in the region.

The Data Factory at AI Sweden is another initiative aimed at driving innovation and implementing AI. It serves as an infrastructure and a knowledge environment, enabling partners from various sectors to utilise state-of-the-art infrastructure and benefit from collaborations and interactions with AI Sweden’s technical, strategic, and legal experts.

One of the key aspects of the Data Factory is its ability to help organisations accelerate innovation, which is achieved through strategy development, projects, talent development, and research. The Data Factory offers open access to all partners, allowing them to use conference rooms, participate in events, test hardware, and engage in various expert groups.

Moreover, the Data Factory at AI Sweden simplifies turning ideas into fully running experiments through a streamlined process involving initial discussions, knowledge sharing, and recommendations on equipment and datasets. The Data Factory team helps partners formulate and advance their AI concepts quickly while also addressing legal considerations for innovation, particularly in relation to GDPR compliance, and offering “pre-approved” datasets to simplify the process.

These developments are part of a broader trend where AI is increasingly becoming an integral part of various industries and sectors in Sweden, reflecting the commitment to innovation and technology-driven growth.

Cybersecurity and Protective Security in Sweden

Cybersecurity has emerged as a pressing concern in Sweden, driven by a series of notable cyber-attacks and IT incidents. An illustrative case occurred in late 2022 when a suspected cyber-attack forced the Swedish federation of unemployment insurance funds (Sveriges A-kassor) to shut down a crucial IT system, causing delays in unemployment benefits payments. While disruptions to critical systems are severe cybersecurity risks, they represent just one aspect. Other significant threats include data loss, exposure of confidential information, hefty administrative fines, and potential damage to public goodwill.

In Sweden, cybersecurity regulation is still evolving, with a primary influence coming from EU directives like the NIS1 and NIS2 directives, the Cybersecurity Act, and the GDPR. Notably, these regulations not only have a direct impact but also exert an indirect effect through contractual agreements. Supply chain control will be introduced as a core element of regulatory requirements on cybersecurity. Regulatory initiatives often necessitate negotiations between organisations and their suppliers to ensure compliance. Below, we summarise some of the most important areas of cybersecurity requirements.

Protection of national security interests

A closely related issue to cybersecurity is protective security. In Sweden, protective security pertains to preventive measures safeguarding security-sensitive activities of public agencies and companies against espionage, sabotage, and various crimes that may jeopardise their operations. Security-sensitive activities are activities that are of importance to Sweden’s security or are covered by an international protective security commitment that is binding for Sweden. Additionally, protective security also refers to the protection of security-sensitive information.

However, the scope of the Swedish Protective Security Act (2018:585) (Säkerhetsskyddslagen) is somewhat vague. The assessment of whether an organisation falls under its scope is based on whether an activity is of importance to Sweden’s external or internal security. As such, this likely includes sectors such as defence, energy, water, banking, healthcare, digital infrastructure, AI, and automotive industries. The obligation falls on each organisation to determine if it conducts security-sensitive activities, requiring a case-by-case assessment.

The Protective Security Act mandates that all public authorities or companies engaged in security-sensitive activities ensure sufficient protection. The Act outlines essential provisions, including the obligation to enter into protective security agreements, security screening of personnel, and screening of contracts. Additionally, it imposes restrictions on which suppliers and subcontractors may be used.

Nasdaq’s requirements for governance and information security in the stock exchange

Another notable development related to cybersecurity is Nasdaq Stockholm’s (a major Swedish stock exchange) establishment of stringent governance and information security requirements for listed companies. These requirements include identifying material risks in IT systems, implementing internal governance control, including developing IT policies and information security guidelines, including cybersecurity measures, as well as monitoring thereof.

Confidentiality obligations for IT outsourcing suppliers

The Act on Secrecy in Public Sector Outsourcing of Technical Processing or Storage of Data (2020:914) (Lag om tystnadsplikt vid utkontraktering av teknisk bearbetning eller lagring av uppgifter), effective from January 2021, facilitates IT outsourcing for public authorities, imposing a duty of confidentiality on personnel involved in technical processing or storage of data. The obligation of professional secrecy extends to employees of private IT suppliers and subcontractors, mirroring the standards applicable to public employees.

Swedish implementation of the NIS2 directive

The NIS2 directive, effective in early 2023, introduces enhanced security requirements for essential and important services. This directive brings significant changes, with a broader scope and more detailed security requirements than its predecessor, the NIS1 directive. Many operators in critical sectors may need substantial resources to comply, particularly when renegotiating agreements to align with new regulatory requirements. NIS supervision in the digital infrastructure sector falls under the Swedish Post and Telecom Authority (Post och telestyrelsen).

The field of cybersecurity in Sweden faces challenges due to the vulnerability of digital solutions. While cybersecurity is commonly perceived as an IT matter to be handled individually by each organisation, there have been recent legislative initiatives, primarily driven by the EU, aiming to protect operators in key sectors. The landscape is dynamic, with ongoing negotiations and legal uncertainties impacting the implementation of cybersecurity measures. Future EU initiatives, such as the Cyber Resilience Act, are expected to play a crucial role in shaping the cybersecurity landscape further.

In Sweden, organisations generally show a strong commitment to cybersecurity laws, striving to meet high standards. However, there is a need for more attention to how regulatory demands impact contracts, particularly in terms of passing on requirements to suppliers. This aspect often involves substantial negotiation on the allocation of risks. Due to the level of complexity involved, as well as the ever-increasing obligations coming from the EU, it is more important than ever that cybersecurity is taken seriously and put on the agenda across all levels of company management and governance teams. It is a topic that can no longer be seen as an IT department issue.

Fintech: Staying Ahead of Regulations

Sweden has a robust fintech ecosystem, with a considerable number of startups and innovative ventures. According to fintech Baltic, the country was home to 332 fintech companies as of 2022, accounting for 27.5% of all fintech startups across the Nordics and Baltics. However, the fintech sector faces challenges due to an increasingly complex regulatory environment. Higher interest rates make it difficult for start-ups to access venture capital funding, and the funding is linked to profitability rather than just growth. Despite regulatory challenges and economic recession, most companies in the industry believe their business will see increased growth in 2024, and many plan to expand their workforce. Below, we summarise some of the most important areas related to fintech.

DORA

The Digital Operational Resilience Act (DORA) is set to bring significant changes to the financial sector. The Act, which entered into force on 16 January 2023, and will apply from 17 January 2025, aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms. It focuses on ensuring that the financial sector in Europe can remain resilient in the event of severe operational disruptions.

In Sweden, major changes in the powers of the Swedish as well as European supervisory authorities are expected. DORA mandates closer monitoring and regulation of financial entities by supervisory authorities. This includes regular checks to ensure compliance with DORA’s requirements, such as ICT risk management, third-party risk management, incident reporting, and digital operational resilience testing. Companies will need to maintain transparent and open communication with these authorities, regularly updating them on their compliance status and any significant ICT-related developments.

Blockchain

Sweden’s commitment to technical innovation is evident in its stable investments in research and development, with blockchain technology emerging as a key area of interest. Both private and public sectors are exploring blockchain’s potential, recognising its ability to add trust and security to information through traceability. Despite global market fluctuations, Sweden continues to invest in blockchain, with new startups and projects illustrating the technology’s diverse applications, from finance to healthcare. At the same time, regulatory challenges like GDPR compliance remain vital considerations.

The Swedish mapping, cadastral and land registration authority (Lantmäteriet) experiment with blockchain for land registry transfer is a notable example of public-private collaboration in the blockchain sector, as is the Swedish Companies Registrations Office’s (Bolagsverket) Proof of Business blockchain project which aims to offer real-time, accurate company information.

Regulatory oversight, particularly by the Swedish Financial Supervisory Authority (SFSA), is focused on AML compliance in the crypto space. Together with the EU’s Markets in Crypto-Assets (the “MiCA”) Regulation, which entered into force in June 2023, it indicates a growing need for clear regulations in the blockchain industry. When the provisions of the MiCA Regulation begin applying in the summer of 2024, more Swedish companies will fall under the supervision of the SFSA. However, the regulation is welcomed by many companies, as the blockchain industry benefits from more robust consumer protection and serious companies.

Another exciting development is the e-krona project, a significant initiative by the Swedish Central Bank (Riksbanken) which explores a blockchain-based digital currency. Its pilot phases have tested the feasibility and integration of e-krona in banking systems and the potential for offline transactions. Legal considerations, particularly concerning financial secrecy and data protection laws, are critical in this venture. Sweden’s participation in the European Blockchain Partnership (EBP) and projects like Icebreaker, focusing on Central Bank Digital Currencies (CBDCs) for cross-currency payments, further emphasise Sweden’s commitment to exploring blockchain’s potential in various domains.

Open finance – PSD3, FIDA and PSR

The PSD2, enacted in 2015, aims to level the playing field in EU payments, fostering competition and innovation by opening the market to new providers accessing financial data. It mandates banks to provide payment account data access via APIs to third-party providers. While PSD2 has advanced open banking in payments, it does not extend to the broader financial sector. In response, the Commission has proposed the third Payment Services Directive (PSD3), the Payment Services Regulation (PSR), and Financial Data Access (FIDA), transitioning from open banking to open finance, addressing the limitations identified in the PSD2.

On 28 June 2023, the SFSA released a report on open financial services in Sweden. The SFSA, on behalf of the Swedish government, surveyed Swedish fintech companies to analyse risks and opportunities associated with these services. The SFSA’s report concludes that Swedish fintech companies have been early adopters of open financial services compared to the rest of Europe, especially regarding payments. This is credited to the highly digitised nature of Sweden’s financial industry, the innovation within its fintech companies, and the widespread use of mobile e-IDs at an early stage. However, payment initiation services face stiff competition, indicating the need for the FIDA regulation to expand fintech services beyond payments.

The suggested framework for financial data access marks a positive step for innovation in the financial sector, opening avenues for already-established financial entities and emerging fintech firms. While FIDA is navigating the EU legislative process, potentially lengthened by the impending EU election, financial institutions must capitalise on this stretch and make proactive preparations to facilitate a seamless implementation when FIDA is eventually enacted.

Concluding Remarks

Sweden stands at the forefront of digital innovation, as evidenced by its tech and financial sectors. The spirit of technological optimism is not just confined to the private sector; politicians are enthusiastically on board as well, cultivating a dynamic collaboration between the public and private sectors, jointly guiding the country towards excelling in innovation.

While the strive for continuous innovation and growth keeps pushing private as well as public actors within the digital space, comprehensive regulatory changes are around the corner. As discussed in this article, the regulatory changes aim to secure a competitive and stable digital market within the EU while at the same time ensuring the protection of fundamental rights, ensuring implementation of well-structured and clear security processes and protecting matters of national security.

In order to ensure compliance with the ever-changing regulatory framework, significant efforts and investments will be required by organisations operating within digital markets. Delphi’s view is that, while burdensome, especially for smaller companies, the focus on these matters will continue to strengthen the individual actors, as well as Sweden’s position as a hub for digital innovation.