Tech Law in Sweden: An Overview

Sweden’s technological landscape is undergoing significant change, marked by increasing regulatory demands on both public and private entities as a result of sweeping EU legislation on AI, cybersecurity and data management. At the same time, Sweden’s culture of digital innovation continues to thrive, driven by advancements in AI applications and a surge in investments in fintech solutions. Sweden also stands at the forefront of health data usage, demonstrating a robust readiness for upcoming EU regulations. This article delves into the commercial and legal dimensions of these digital advancements in the Swedish market, with a focus on sectors such as AI, health data, cybersecurity, protective security, the gaming industry, and fintech.

AI’s Impact on Swedish Business and Law

The AI Act was formally adopted by the European Parliament in March 2024 and came into force on 1 August 2024. The AI Act employs a risk-based approach, categorising AI usage into levels of risk. Unacceptable uses of AI are prohibited, and high-risk uses are subject to specific obligations. Key provisions of the AI Act include transparency requirements for basic models, limitations on biometric identification systems, clarification of specific requirements for high-risk models, and enhanced rights for individuals. With the Act now in force, member states must begin implementing the necessary measures to align their national legislation with the regulation and ensure compliance. Obligations for unacceptable uses of AI will be applicable from February 2025, while the bulk of the Act’s provisions will apply from August 2027.

In Sweden, the AI industry is undergoing rapid growth and development. In line with this, the Swedish government has launched the AI Commission, an initiative aimed at harnessing AI to strengthen Swedish welfare and enhance national competitiveness. This reflects the government’s commitment to integrating AI across diverse sectors.

A key player in this development is AI Sweden, the Swedish national centre for applied AI. With backing from the Swedish government, AI Sweden collaborates with both public and private sector partners throughout the country. Its mission is to accelerate the adoption and use of AI to boost Sweden’s competitiveness. Among its significant initiatives, AI Sweden introduced GPT-SW3, the first large Nordic language model, offering businesses and organisations access to this open model in order to integrate AI into their products and services. This development opens up substantial opportunities for technological advancement within the region.

Another noteworthy initiative from AI Sweden is the Data Factory, designed to drive AI innovation. The Data Factory provides infrastructure and a collaborative environment for organisations from various sectors to engage with AI Sweden’s team of technical, strategic and legal experts with the aim of supporting the acceleration of AI innovation.

Despite these initiatives, Sweden has ranked relatively low in several international comparisons assessing a country’s capacity to leverage AI. In response, the Swedish AI Commission decided to bring forward the release of its report Färdplan för Sverige, releasing the report in November 2024 instead of summer 2025 as planned. While the report highlights that Sweden is well positioned to use AI and has historically emerged as stronger through technological shifts, it emphasises that this cannot be taken for granted. According to the report, society at large – and political leadership in particular – needs to drive both development and adoption. Failure to do so could make it difficult for Swedish companies to compete on the global market, potentially leading to reduced national prosperity.

Cybersecurity and National Security: Safeguarding Digital Infrastructure

In Sweden, cybersecurity has become a significant issue due to a series of prominent cyber-attacks and IT disruptions. In early 2024, the prominent Nordic IT services provider Tietoevry experienced a major cybersecurity incident which disrupted critical operations, prompting an investigation into potential breaches of data protection regulations, and underscoring the importance of robust cyber-resilience in regulated industries. While such disruptions to essential systems pose serious cybersecurity challenges, they are just one facet of the problem. Other major threats include data breaches, exposure of sensitive information, substantial administrative penalties, and potential harm to public trust.

The regulatory landscape for cybersecurity in Sweden is still developing, heavily influenced by EU directives such as NIS1 and NIS2, DORA, the EU Cybersecurity Act, and the GDPR. These regulations not only have a direct impact but also indirectly affect contractual obligations. A key regulatory focus will be the introduction of supply chain control as a fundamental aspect of cybersecurity requirements. These regulatory measures often require organisations to negotiate with their suppliers to ensure compliance. Some of the most critical areas of cybersecurity requirements are discussed below.

Protection of national security interests

A topic closely linked to cybersecurity is protective security. In Sweden, protective security involves measures designed to safeguard the security-sensitive operations of public authorities and private companies from threats such as espionage, sabotage and criminal activities that could undermine their functions. These security-sensitive operations include activities critical to Sweden’s national security or those tied to international protective security commitments binding on Sweden. They also encompass the protection of classified and sensitive information.

The scope of the Swedish Protective Security Act (2018:585) (Säkerhetsskyddslagen), however, is not entirely clear. Determining whether an organisation is subject to the Act depends on whether its activities are deemed essential to Sweden’s internal or external security. This likely applies to sectors like defence, energy, water supply, banking, healthcare, digital infrastructure, artificial intelligence, and the automotive industry. Organisations must individually assess whether their operations qualify as security-sensitive, making the determination on a case-by-case basis.

Under the Act, public authorities and companies involved in security-sensitive operations are required to implement adequate protective measures. Key obligations include entering into protective security agreements, conducting security vetting of personnel, and screening contracts. The Act also imposes restrictions on how suppliers and subcontractors are selected, to ensure compliance with security standards.

Outsourcing in the public sector: new rules and key challenges

An authority considering outsourcing is often faced with a number of different questions: what business needs exist, security considerations and, not least, what the legal conditions are. The complexity of the requirements for outsourcing has increased significantly over the years. However, in 2023, a new confidentiality-breaking provision was added to the Public Access to Information and Secrecy Act (2009:400) (Offentlighets- och sekretesslagen, or OSL), aiming to create better conditions for public authorities to outsource or co-ordinate their IT operations and to strengthen the protection of data when outsourcing IT operations.

However, the regulatory framework is relatively complex and, in many respects, difficult to interpret. For example, outsourcing is not allowed unless it cannot be deemed as inappropriate (this rather peculiar language used by the legislator infers that “not inappropriate” is not equivalent to “appropriate”). Whether outsourcing is considered inappropriate or not depends on an overall assessment of the relevant circumstances. These include the sensitivity of the data disclosed, the applicable contractual terms, the supplier’s ability to protect the data, where the data is processed geographically, and the existence of subcontractors, etc.

Swedish implementation of the NIS2 and CER Directives

The NIS2 Directive, effective as of 17 October 2024, introduces enhanced security requirements for essential and important services. The directive brings significant changes, with a broader scope and more detailed security requirements than its predecessor, the NIS1 Directive. Many operators in critical sectors may need substantial resources to comply, particularly when renegotiating agreements to align with the new regulatory requirements. The directive’s broadened scope, which includes the first tier of the supply chain, means that many companies not directly subject to the regulation will still be impacted. Although no government bill for incorporating the NIS2 Directive into Swedish law had been published as of February 2025, it is expected to be introduced during the first half of the year and implemented through the proposed Swedish Cybersecurity Act (Cybersäkerhetslagen).

Closely related to the NIS2 Directive is the Critical Entities Resilience (CER) Directive. The CER Directive complements the NIS2 Directive’s focus on cybersecurity by addressing broader physical and operational risks to critical entities. The directive aims to strengthen the resilience of critical infrastructure in sectors essential to society, such as energy, transport and healthcare. However, as the CER Directive is being implemented together with the NIS2 Directive, the Swedish implementation of the CER Directive is likewise facing significant delays.

In general, cybersecurity in Sweden faces significant challenges due to the inherent vulnerabilities of digital solutions. Although often regarded as an IT issue for individual organisations to address, recent legislative initiatives – primarily driven by the EU – seek to enhance protection for operators in critical sectors. The regulatory landscape remains dynamic, with ongoing negotiations and legal uncertainties influencing the adoption and implementation of cybersecurity measures. Future and recent EU initiatives, such as the Cyber Resilience Act which came into force on 10 December 2024, are expected to further shape this evolving field.

Swedish organisations generally demonstrate a strong commitment to complying with cybersecurity laws and maintaining high standards. However, greater focus is needed on the contractual implications of regulatory demands, particularly regarding the cascading of requirements to suppliers. These aspects frequently involve complex negotiations around risk allocation. Given the growing complexity of regulations and the increasing obligations stemming from EU directives, it is more important than ever to prioritise cybersecurity at all levels of corporate management and governance. Cybersecurity should be viewed as a strategic issue, not merely an operational concern of the IT department.

Fintech: Navigating Regulatory Challenges

Sweden has long been a standout in the tech world, boasting a remarkably large tech sector relative to the size of the economy. The country has also made significant strides in fintech, serving as the birthplace of globally recognised companies like Klarna, Zettle (formerly iZettle), and Trustly. However, this dynamic sector faces hurdles, including an increasingly complex regulatory environment and economic pressures. Rising interest rates have made it harder for start-ups to secure venture capital, with funding now more closely tied to profitability rather than to pure growth. Despite these challenges, many fintech companies remain optimistic about future growth, with plans to expand their workforce. Some of the key regulatory developments shaping the fintech landscape are outlined below.

DORA is here: what this means for compliance

The Digital Operational Resilience Act (DORA), effective from 17 January 2025, introduces extensive IT security requirements for financial entities such as banks, insurance firms, and investment companies. Its objective is to ensure that the financial sector can withstand severe operational disruptions.

In Sweden, DORA is expected to enhance the oversight powers of both Swedish and European supervisory authorities. Financial entities must comply with obligations including information and communication technology (ICT) risk management, incident reporting, third-party risk monitoring, and operational resilience testing. This necessitates transparent communication with supervisory bodies to keep them informed about compliance status and major ICT developments.

A key emphasis of DORA is on supply chain control, which, among other things, requires significant investment from financial entities to renegotiate supplier contracts to meet the Act’s requirements on obligations related to, for example, service levels, business continuity measures, audit rights, and termination clauses tied to compliance. Consequently, this has forced suppliers who are not covered to align with stricter cybersecurity standards, as the requirements are passed down through contractual arrangements.

Blockchain: driving innovation and regulation

Sweden’s strong commitment to innovation is reflected in its continued investment in blockchain technology. Both the public and private sectors are exploring blockchain’s potential to enhance trust and security through traceability. Projects such as the Swedish Land Registry’s (Lantmäteriet) blockchain experiments and the Swedish Companies Registration Office’s (Bolagsverket) Proof of Business initiative showcase blockchain’s diverse applications, from land transfers to real-time company data access.

Regulatory oversight is increasing, particularly in the crypto-space. The Swedish Financial Supervisory Authority (Finansinspektionen) or SFSA is intensifying its focus on anti-money laundering compliance, supported by the EU’s Markets in Crypto-Assets Regulation (MiCA). MiCA, effective since summer 2024, will expand the SFSA’s supervision of crypto-related activities, providing enhanced consumer protection while fostering industry stability.

The Swedish Central Bank’s (Riksbanken) e-krona project is another significant initiative, exploring a blockchain-based digital currency. Pilot phases have examined the feasibility of integrating the e-krona into banking systems and enabling offline transactions. In 2024, the work on the technical e-krona pilot was completed and the Central Bank is now focusing on fundamental design and policy issues for a possible e-krona while urging the legislator to begin the legislative work as soon as possible in order to avoid excessive lead times if the Swedish parliament (Riksdagen) were to approve the issuing of the e-krona.

Open finance – PSD3, FIDA and PSR

The evolution from open banking under PSD2 to open finance under proposed frameworks such as PSD3, the Payment Services Regulation (PSR), and Financial Data Access Regulation (FIDA) marks a significant shift. PSD2, which opened payment account data to third-party providers, spurred competition in payments but did not extend to other financial services.

The proposed FIDA framework aims to address this limitation, enabling broader financial data access and unlocking innovation across the financial sector. A 2023 report by the SFSA highlights Sweden’s early adoption of open financial services, driven by a highly digitised financial industry, fintech innovation, and widespread use of mobile e-IDs. However, competition in payment initiation services underscores the need for FIDA to expand opportunities beyond payments.

Gaming Industry: Trends and Legal Challenges

In recent years, Swedish game developers have witnessed growth in the number of companies involved and their revenue, workforce and gender diversity, despite facing challenges like a persistent skills shortage. According to the 2024 report by the trade organisation, The Swedish Games Industry, the industry’s domestic revenue increased by 6.4%. However, the growth is tempered by the increasingly strong euro against the SEK, converting to a slight decrease to EUR3 billion. Including subsidiaries abroad, the total industry revenue was EUR7.9 billion, which converts to a 4.5% increase in SEK. The sector employed over 9,000 people in Sweden and approximately 16,000 abroad.

Gaming companies in Sweden must navigate various legal considerations, including compliance with consumer protection laws, ensuring clear information, warranties and product quality for digital content. Adherence to the GDPR, which imposes strict rules on collecting and processing personal data, as well as copyright and intellectual property laws, is essential. It has become increasingly crucial for gaming companies to adhere, in particular, to IP rights, driven by the rapid growth of AI-powered tools and technologies that facilitate content creation, modification and distribution.

Additionally, gaming companies seeking to raise capital in the EU must comply with the EU Foreign Subsidies Regulation (FSR), applicable since 12 July 2023. The FSR aims to ensure fair competition between European and non-European companies by monitoring significant transactions and public procurement procedures to address distortions in competition arising from subsidies granted by non-EU countries to companies in the EU single market.

Health Data Usage: Sweden Leads the Way

The sharing of health data holds significant potential within precision medicine. While the EU is in the midst of adopting legislation to regulate health data through the European Health Data Space proposal, Sweden is already ahead. A recent public inquiry addressing current issues in the Swedish health data infrastructure, suggested amendments to Swedish legislation, particularly the Patient Data Act (Patientdatalagen), to cover the secondary use of health data for healthcare and research purposes. Although the Swedish report focuses on national legislation, it anticipates adjustments in response to forthcoming EU regulations. The report also highlights implications for the private sector, noting the competitive disadvantage that current proposals might create for private healthcare and pharmaceutical companies, as the proposals currently apply only to the public healthcare sector.

Concluding Remarks

Sweden continues to excel in digital innovation, driven by its thriving tech and financial sectors. The technological optimism encompasses both the private and public sector, as evidenced by the collaborative efforts undertaken to propel the country’s success in innovation. Clearly, the willingness to invest and create space for digital start-ups still very much exists. However, it appears that a significant chunk of the available resources is being geared towards AI projects, making it more challenging for start-ups in other areas to raise capital. Similarly, companies choosing to prioritise investments in AI projects, for example, may find themselves facing underfunding or deferment of compliance initiatives. This poses a substantial risk, as such companies could face non-compliance with both national and European regulatory frameworks.

As the push for continuous growth and progress in the digital space continues, significant regulatory changes and challenges are on the horizon. As explored in this article, these changes aim to ensure a competitive and stable digital market within the EU, while safeguarding fundamental rights, enforcing clear security protocols, and protecting national security interests.

It is imperative that compliance efforts are encouraged and supported by the public sector to make it easier for companies to work within the complex framework, and significant efforts and investments will be required to ensure compliance. While these obligations may be challenging, particularly for smaller companies, they will ultimately strengthen individual players and bolster Sweden’s position as a global hub for digital innovation.