TMT 2026

Last Updated February 19, 2026

Sweden

Trends and Developments


Authors



Advokatfirman Delphi AB is a progressive law firm with respected specialists in most areas within business law. The firm has a total workforce of 200 employees, 150 of whom are lawyers, spread across its offices in Stockholm, Gothenburg, Malmö and Linköping. Its tech practice is one of the strongest in Sweden, and the Delphi TMT group has been at the forefront of TMT practice in Sweden for over 20 years. Consisting of 11 partners and 35 associates, the group has in-depth knowledge and is a significant part of the overall Delphi business. The team’s sourcing, IT contract and privacy practices form the original core of the practice, but in recent years fintech, e-commerce, information security and cloud services in a wider sense have become an important part of its combined offering. Furthermore, the team regularly advises clients on the use of new technologies, such as blockchain, AI, IoT, proptech, e-health and other significant areas.

Tech Law in Sweden: An Overview

Sweden is undergoing a broad digital transformation, driven by comprehensive EU legislation imposing increased regulatory demands on both private and public entities regarding AI, cybersecurity and data management, necessitating national adaptation and implementation measures. Concurrently, Sweden’s culture of digital innovation continues to flourish, and the country remains among the world’s most highly digitalised nations. This trajectory is further supported by advancements in AI applications and a surge in investments in fintech solutions. This article examines the legal and commercial dimensions of these developments in the Swedish market, with particular focus on AI, data governance, cybersecurity, protective security, the gaming industry and fintech.

AI’s Impact on Swedish Business and Law

The EU AI Act is the first comprehensive regulatory framework for artificial intelligence, and entered into force on 1 August 2024. It employs a risk-based approach, categorising AI usage into levels of risk. Unacceptable uses of AI are prohibited, and high-risk uses are subject to specific obligations. Key provisions include:

  • transparency requirements for general-purpose AI models;
  • limitations on biometric identification systems;
  • specific requirements for high-risk models; and
  • enhanced individual rights.

With the AI Act now in force, member states are required to implement the necessary measures to align their national legislation and ensure compliance.

The AI Act’s provisions are being phased in over time:

  • prohibitions on AI systems posing unacceptable risks became enforceable in February 2025;
  • rules governing general-purpose AI models and the penalty framework took effect in August 2025; and
  • most remaining provisions will apply fully from August 2026.

In recent years, Sweden has witnessed rapid growth and development in the AI industry, marked by the emergence of innovative companies such as Legora, known for its AI-driven automation tools used for legal work, and Lovable, which focuses on AI-generated software, alongside numerous other AI-focused ventures that are reshaping the technological landscape.

As AI assumes an increasingly prominent role in Sweden, several public initiatives have emerged to support its development and governance. In February 2025, the Swedish Agency for Digital Government (Myndigheten för digital förvaltning) and the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) issued guidance on the use of generative AI in public administration. In October 2025, the Ministry of Finance published the inquiry Anpassningar till AI-förordningen, outlining a national implementation framework for the AI Act, including provisions for market surveillance and regulatory sandboxes. In addition, the Swedish Agency for Economic and Regional Growth (Tillväxtverket) published a report examining how AI can streamline business operations. These developments indicate an increasingly co-ordinated national approach to AI governance.

However, despite its robust digital infrastructure, Sweden has ranked comparatively low in several international assessments of national capacity to leverage AI. In response, the Swedish government established the AI Commission, an initiative aimed at harnessing AI to strengthen national welfare and competitiveness. In November 2024, the AI Commission published its “Roadmap for Sweden” report, providing strategic direction for AI development. While the report highlights that Sweden is well positioned to utilise AI and has historically emerged stronger through technological transitions, it emphasises that continued success cannot be taken for granted. According to the report, society at large – and political leadership in particular – needs to drive both development and adoption. Failure to do so could make it difficult for Swedish companies to compete on the global market, potentially leading to reduced national prosperity. Nevertheless, several of the AI Commission’s proposals have since been advanced by the government, with certain measures already under implementation.

Cybersecurity and National Security: Safeguarding Digital Infrastructure

Cybersecurity has emerged as an increasingly critical priority in Sweden, driven by a series of significant cyber-incidents and technology-related disruptions. In January 2025, personal data concerning around two million individuals was extracted from SportAdmin, a digital platform for sports and association management. In August 2025, system provider Miljödata experienced a cyber-attack, resulting in significant volumes of personal data being exposed on the darknet. Both incidents prompted investigations by the Swedish Authority for Privacy Protection into potential breaches of data protection regulations, underscoring the importance of robust cyber-resilience. Beyond disruptions to essential systems, cybersecurity threats also encompass data breaches, the exposure of sensitive information, and substantial administrative penalties.

Sweden’s cybersecurity regulatory framework continues to evolve, shaped largely by EU legislation including NIS2, DORA, the EU Cybersecurity Act and the GDPR. These instruments impose direct legal obligations and give rise to corresponding contractual requirements. Supply chain control has become a key aspect, requiring organisations to review and, where necessary, renegotiate supplier agreements to ensure compliance. Key aspects of the cybersecurity regulatory framework are outlined below.

Swedish implementation of the NIS2 and CER Directives

The NIS2 Directive, effective as of 17 October 2024, introduces enhanced security requirements for essential and important services. The Directive brings significant changes, with a broader scope and more detailed security requirements than its predecessor, the NIS1 Directive. Many operators in critical sectors may need substantial resources to comply, particularly when renegotiating agreements to align with the new regulatory requirements. The Directive’s broadened scope, which includes the supply chain, means that many companies not directly subject to the regulation will still be impacted.

In December 2025, the Swedish government issued the new Cybersecurity Act, which implements the NIS2 Directive into national law. The new Act entered into force on 15 January 2026, with complementary regulation and guidance expected to follow in the near term.

In November 2025, the Swedish government decided to consolidate national cybersecurity activities by transferring the strategic and operational cybersecurity functions of the Swedish Civil Defence and Resilience Agency (Myndigheten för civilt försvar) to the National Cybersecurity Centre at the Swedish National Defence Radio Establishment (Försvarets radioanstalt). The transfer, aimed at clarifying responsibilities and strengthening Sweden’s national cybersecurity capabilities, is scheduled for completion by 1 July 2026.

Closely related to the NIS2 Directive is the Critical Entities Resilience (CER) Directive, which complements the NIS2 Directive’s focus on cybersecurity by addressing a broader range of physical and operational risks to critical entities. The CER Directive entered into application on 18 October 2024 and aims to strengthen the resilience of critical infrastructure in sectors essential to society, such as energy, transport and healthcare. Sweden has not yet transposed the CER Directive into domestic law, with the process remaining in the preparatory phase. Accordingly, Sweden is currently delayed in meeting its transposition obligations under the EU timeline.

Cybersecurity in Sweden continues to face significant challenges, largely attributable to the inherent vulnerabilities of digital solutions. While often perceived as an IT matter for individual organisations to address, recent legislative initiatives – primarily emanating from the EU – seek to enhance protection for operators in critical sectors. The regulatory landscape remains dynamic, with ongoing negotiations and legal uncertainties influencing the adoption and implementation of cybersecurity measures.

Protection of national security interests

Protective security is closely linked to cybersecurity. In Sweden, it involves measures designed to safeguard the security-sensitive operations of public authorities and private entities against threats such as espionage, sabotage and criminal activities that could undermine their functions. Such security-sensitive operations include activities critical to Sweden’s national security or those tied to international protective security commitments that are binding for Sweden. They also encompass the protection of classified and sensitive information.

The scope of the Swedish Protective Security Act (2018:585) (Säkerhetsskyddslagen), however, is not entirely clear. Determining whether an organisation is subject to the Protective Security Act depends on whether its activities are deemed essential to Sweden’s internal or external security, which must be assessed on a case-by-case basis. Sectors likely to fall within the scope of the Act include defence, energy, water supply, banking, healthcare, digital infrastructure, artificial intelligence and the automotive industry.

Under the Act, public authorities and companies involved in security-sensitive operations are required to implement adequate protective measures. Key obligations include entering into protective security agreements, conducting security vetting of personnel, and screening contracts. The Act also imposes restrictions on how suppliers and subcontractors are selected, to ensure compliance with security standards.

In April 2025, the Swedish government published the inquiry Säkerhetsskyddslagen – ytterligare kompletteringar, which outlines proposed enhancements to the Protective Security Act intended to strengthen Sweden’s capacity to safeguard national security in light of the deteriorating security environment. The proposals include expanded supervisory powers for authorities and adjustments to security vetting processes, enabling more effective protection of security-sensitive operations.

Outsourcing in the public sector: rules and key challenges

Public sector outsourcing necessitates careful consideration of operational requirements, security needs and applicable legal conditions. Over time, the regulatory landscape governing outsourcing has become more complex. In 2023, a new confidentiality-breaking provision was introduced in the Public Access to Information and Secrecy Act (2009:400) (Offentlighets- och sekretesslagen, or OSL), with the aim of facilitating conditions for public authorities to outsource or co-ordinate their IT operations while strengthening the protection of data in such arrangements.

The regulatory framework is complex and, in several respects, challenging to interpret. For example, outsourcing is not permitted unless it cannot be deemed inappropriate (this formulation, employed by the legislature, implies that “not inappropriate” is not equivalent to “appropriate”). Whether an outsourcing arrangement is deemed inappropriate depends on an overall assessment of the relevant circumstances, including:

  • the sensitivity of the data disclosed;
  • the applicable contractual terms;
  • the supplier’s capacity to protect the data;
  • the geographical location of data processing; and
  • the involvement of subcontractors.

Fintech: Navigating Regulatory Challenges

Sweden has long occupied a prominent position in the technology sector, with a remarkably large tech industry relative to the size of its economy. The country has also made significant strides in fintech, serving as the birthplace of globally recognised companies like Klarna, Zettle (formerly iZettle), Tink and Trustly.

However, this dynamic sector faces challenges, including an increasingly complex regulatory environment and economic pressures. Rising interest rates have made it harder for start-ups to secure venture capital, with funding now more closely tied to profitability rather than to pure growth.

Notwithstanding these challenges, many fintech companies remain optimistic regarding future growth prospects, with plans to expand their workforce. Signs of recovery emerged in late 2024 and continued through 2025, with notable improvements in access to capital and increased hiring activity among Swedish fintech firms, reflecting growing confidence in the sector. Key regulatory developments shaping the fintech landscape are outlined below.

Lending and intermediation of consumer credit: new stricter regime

It has long been the Swedish government’s view that Swedish households are subject to over-indebtedness, partly due to the fact that the consumer loan market has grown rapidly in recent years. As a consequence, a new stricter regime has been adopted, with effect as of 1 July 2025. In short, the new regime states that any companies conducting lending or intermediation of consumer credit will be required to hold a banking licence or a credit market company licence, unless a specific exemption applies.

The new regime will have far-reaching consequences for companies in the consumer credit market, and particularly for many fintech companies that have previously operated under significantly lower requirements in terms of both operations and compliance. Thus, it is not unlikely that the new regime will be a driver for mergers, where larger players based in Sweden or abroad who already have relevant licences take over otherwise successful fintech companies that find it too burdensome to apply for licences themselves.

DORA is here: what it means for compliance

The Digital Operational Resilience Act (DORA) became applicable on 17 January 2025 and introduces comprehensive IT security requirements for financial entities, including banks, insurance undertakings and investment firms. Its objective is to ensure that the financial sector can withstand severe operational disruptions.

In Sweden, DORA enhances the oversight powers of both Swedish and European supervisory authorities. Financial entities must comply with obligations including information and communication technology (ICT) risk management, incident reporting, third-party risk monitoring and operational resilience testing. This necessitates transparent communication with supervisory authorities regarding compliance status and material ICT developments.

A key emphasis of DORA is supply chain oversight, which requires significant investment from financial entities to renegotiate supplier contracts in order to satisfy DORA’s requirements concerning service levels, business continuity measures, audit rights and termination clauses linked to compliance. Consequently, suppliers not directly subject to DORA have been compelled to align with stricter cybersecurity standards, as requirements are transmitted through contractual arrangements.

In June 2025, the Swedish Financial Supervisory Authority (Finansinspektionen, or SFSA) announced plans to conduct an in-depth analysis of how 50 selected Swedish financial entities – including banks, insurers, payment institutions and trading platforms – have implemented DORA. The multi-stage review will assess compliance with DORA’s core requirements. This initiative underscores the Authority’s commitment to establishing digital operational resilience as a key supervisory priority for the Swedish financial sector.

Blockchain: driving innovation and regulation

Sweden’s strong commitment to innovation is reflected in its continued investment in blockchain technology. Both the public and private sectors are exploring blockchain’s potential to enhance trust and security through traceability. The Swedish Companies Registration Office (Bolagsverket) is advancing digital identity wallets, supported by EU initiatives, with SEK17 million in funding in 2025 to drive development in Europe, showcasing blockchain’s diverse applications, from secure digital identity solutions to enhanced traceability.

Regulatory oversight is increasing, particularly in the crypto space. The SFSA is intensifying its focus on anti-money laundering compliance, supported by the EU’s Markets in Crypto-Assets Regulation (MiCA). MiCA has been in effect since summer 2024 and expands the SFSA’s supervision of crypto-related activities, providing enhanced consumer protection while fostering industry stability.

Under the MiCA framework, from 1 October 2025 all crypto companies wishing to operate in Sweden are required to submit a licence application to the SFSA or cease their activities. Five companies applied for such a licence, and in October 2025 Sweden reached a milestone when the Authority granted MiCA authorisation to Safello, making it the first Swedish crypto-asset service provider to receive such a licence.

At the same time, innovation continues beyond licensing. Public and private collaboration has taken shape through initiatives like the Swedish innovation agency Vinnova’s National Platform for Blockchain Innovation, launched in late 2025 to accelerate blockchain research and implementation across strategic areas such as defence, finance, cybersecurity and sustainable supply chains.

Open finance – PSD3, FIDA and PSR

The evolution from open banking under PSD2 to a broader open finance framework represents a significant shift in EU financial regulation. While PSD2 primarily enabled third-party access to payment account data, forthcoming reforms aim to strengthen consumer protection and extend data access across the financial sector.

In November 2025, the European Parliament and the Council reached a political agreement on a modernised Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3). The new framework is designed to improve protection against online fraud, increase transparency around fees and charges, and strengthen consumer rights in digital payments. It also seeks to enhance competition between banks and non-bank payment service providers, while clarifying rules on access to payment account data and improving the functioning of open banking.

PSD2 opened payment account data to third-party providers and spurred competition in payments, but did not extend to other financial services. The proposed Financial Data Access Regulation (FIDA) aims to address this limitation by enabling broader financial data access and facilitating innovation across the financial sector. A 2023 report by the SFSA highlights Sweden’s early adoption of open financial services, driven by a highly digitalised financial industry, fintech innovation and widespread use of mobile e-IDs. However, competition in payment initiation services underscores the need for FIDA to extend opportunities beyond the payments sector.

Gaming Industry: Trends and Legal Challenges

The Swedish gaming industry continued to expand throughout 2024 and 2025, with an increasing number of companies and rising revenues. According to a report from the Swedish Games Industry (Dataspelsbranschen), domestic revenues increased by 6.4% to SEK36.8 billion in 2024; including subsidiaries abroad, total industry revenues reached SEK74 billion, equivalent to about 3% of Swedish service exports.

New business formation remained robust, with 105 new gaming companies registered, bringing the total number of Swedish gaming companies to 1,101. Employment levels remained relatively stable with a modest increase, and women accounted for an estimated 23.5% of positions.

Beyond national figures, local and regional initiatives have become important to the industry’s development. For example, the northern city of Skellefteå has positioned gaming as a driver of local growth and attractiveness, supported by municipal investment, industry clusters and collaboration with universities.

At the same time, segments of the industry have criticised the absence of a coherent national strategy for game development, arguing that Sweden risks losing competitiveness despite its strong global position. This concern was also highlighted by the Swedish Parliament’s Cultural Committee in December 2025, which emphasised the importance of regional initiatives, public–private collaborations and educational programmes.

Gaming companies in Sweden must navigate various legal considerations, including compliance with consumer protection legislation, ensuring clear information, warranties and product quality for digital content. Adherence to the GDPR, which imposes stringent requirements on the collection and processing of personal data, as well as copyright and intellectual property laws, is essential. Compliance with intellectual property rights has become increasingly critical, driven by the rapid proliferation of AI-powered tools and technologies that facilitate content creation, modification and distribution.

Health Data Usage: Sweden Leads the Way

The sharing of health data holds significant potential for precision medicine. At the EU level, the European Health Data Space (EHDS) was published in the Official Journal of the European Union in March 2025, and entered into force on 26 March 2025. The regulatory framework is intended to improve access to and cross-border sharing of electronic health data for both primary care and secondary purposes, such as research and innovation.

In Sweden, the 2023 public inquiry Vidareanvändning för vård och klinisk forskning has played a central role in national discussions on adapting the legal framework for health data reuse. The inquiry proposes a new law enabling secondary use of health data for clinical research, along with amendments to the Patient Data Act (2008:355) (Patientdatalagen) and provisions in the OSL to facilitate more efficient and secure sharing of health data while balancing privacy concerns.

Swedish authorities have been actively engaged in implementing and preparing for these developments. For example, the Swedish eHealth Agency (E-hälsomyndigheten) has welcomed proposals to establish a national data hub for secondary health data, which would provide shared infrastructure for health data utilisation across healthcare, research and public health purposes. In summer 2025, the government assigned the Swedish Authority for Privacy Protection and the Swedish eHealth Agency a joint mandate to provide legal guidance, identify legal uncertainties and investigate actual and perceived barriers to the use of health data, reflecting the need for clarity in a complex legal environment.

The Data Act: Unlocking the Value of Data

The Data Act entered into force on 11 January 2024 and became applicable on 12 September 2025. It is intended to afford consumers and businesses greater control over data generated by connected devices, ranging from smart appliances to industrial equipment. By facilitating access to valuable IoT-generated data, the Data Act is expected to foster innovation, strengthen competition and support more efficient, data-driven operations across multiple sectors.

In December 2025, a Swedish government inquiry proposed a new legislative framework to align domestic law with the Data Act. Key recommendations include:

  • the designation of a competent supervisory authority;
  • a certification process for dispute resolution bodies;
  • the establishment of protocols for public sector data access in exceptional circumstances; and
  • measures to minimise the administrative burden on enterprises.

Secrecy and Cloud Services

Throughout 2024 and 2025, Swedish public authorities continued to face uncertainty regarding the practical application of secrecy rules when procuring and utilising cloud services. While guidance exists, there is no fully settled legal position on all aspects of cloud usage, particularly where sensitive or classified information is involved. This has resulted in differing interpretations among authorities and a cautious approach to cloud adoption in certain sectors.

A notable example of this uncertainty is the disagreement between the Swedish Tax Agency (Skatteverket) and the Swedish Enforcement Authority (Kronofogdemyndigheten) regarding the Swedish Tax Agency’s procurement of Microsoft cloud services. The Swedish Enforcement Authority has taken the position that the use of such services may be incompatible with the requirements of the OSL, whereas the Swedish Tax Agency has assessed that the procurement can be conducted in compliance with applicable rules. This disagreement illustrates the lack of uniform interpretation, and the challenges authorities face in balancing operational requirements with secrecy obligations.

This demonstrates that the challenge for Sweden is no longer whether cloud services should be utilised, but rather under what legal, technical and organisational conditions they may be employed in a manner consistent with secrecy and data protection requirements.

Concluding Remarks

Sweden continues to excel in digital innovation, driven by its thriving technology and financial sectors. As one of the world’s most highly digitalised nations, the country exhibits technological optimism across both the private and public sectors, as evidenced by collaborative efforts to advance innovation.

Looking ahead, Sweden faces the dual challenge of maintaining its innovative position whilst navigating an increasingly complex regulatory landscape. Willingness to invest in and support digital start-ups remains strong, although a significant portion of available capital is being directed towards AI companies, making it more challenging for start-ups in other sectors to secure funding. Companies must balance innovation priorities with compliance obligations, ensuring adherence to both national and European regulatory frameworks. With continued public–private collaboration, strategic investment in emerging technologies and proactive regulatory adaptation, Sweden is well positioned to consolidate its role as a global hub for digital innovation whilst safeguarding fundamental rights, security and national interests.

Advokatfirman Delphi AB

PO Box 1432
111 84 Stockholm
Sweden

+4686775400

agne.lindberg@delphi.se www.delphi.se