SWEDEN: An Introduction to Information Technology

Contributors: Advokatfirman Kahn Pedersen

Sweden’s economy and legal market remain adversely impacted by external factors such as increased global tension, high inflation and increased interest rates. In late 2023, several private sector companies were forced to make budget cuts and/or employee layoffs. These external factors have also slowed down or postponed several digital transformation initiatives and technology investment decisions.

Cybersecurity and Digital Operational Resilience

Cybersecurity remains a key focus area for lawyers and other professionals in the technology sector. Ransomware attacks against Swedish organisations are becoming increasingly common, and in the past year we have seen several high-profile attacks on key IT infrastructure providers. This has caused a general increase in cyber-risk awareness, and has also escalated issues relating to cybersecurity protection, prevention and incident management for business-critical matters.

In addition, new legislation as a result of the so-called EU Digital Decade has clearly impacted on many organisations in Sweden. This includes, for example:

i) the AI Act;

ii) the Data Act;

iii) the NIS2 Directive;

iv) the Digital Operational Resilience Act (DORA); and

v) the Directive on the Resilience of Critical Entities (CER).

Compliance with these new pieces of legislation from the EU will require significant efforts and resources in 2024 and beyond.

Specifically, the implementation of DORA in the financial sector means that the regulatory requirements for Swedish banks and other financial entities continue to grow. A key aspect of DORA is the requirement to ensure operational resilience throughout the supply chain, meaning that banks and financial institutions will – once again – need to revisit and renegotiate their supply agreements (following other recent and similar compliance activities connected to, for instance, the GDPR and EBA’s Guidelines on Outsourcing). We anticipate that many organisations in the financial sector will need to spend significant resources on DORA implementation during 2024.

Sweden’s New Defence Policy  

In 2024, Sweden is expected to become a full member of NATO. This constitutes a huge shift in Swedish defence policy, and signals the end of more than 200 years of Swedish foreign policy based on freedom of alliance. Sweden’s membership in NATO will have a significant impact on Swedish society as a whole, and we anticipate enormous investments in both military and civil defence in the coming years.

In terms of civil defence, the Swedish government plans to implement a comprehensive new strategy based on resilience and agility. This will place new technical and organisational requirements on both public and private companies to strengthen the resilience and robustness of their operations.

New Requirements for Public IT Outsourcing 

In the public sector, Sweden has introduced new laws and requirements related to IT outsourcing. According to these new requirements, Swedish governmental authorities and municipalities who wish to outsource IT operations are obliged to carefully assess:

(i) which data and data-processing activities the service provider will perform; and

(ii) whether it is generally “appropriate” for the authority to engage the particular service provider for the particular outsourcing activities.

Considering the current lack of further guidance on these matters, we anticipate that these new legal requirements will give rise to legal and compliance uncertainties for rather standardised IT outsourcing initiatives. The new requirements apply both to existing outsourced IT processes/operations and to new IT outsourcing initiatives in the public sector.

Generative AI 

As in the rest of the world, the use of generative AI exploded in Sweden during the last year. Even though the number of AI-based systems and applications is ever increasing, generative AI has not yet given rise to significant legal discussion in Sweden. Unlike in the USA, the public debate on copyright issues in relation to training of generative AI has only just started in Sweden. This is likely to change in the future, especially since Swedish copyright law does not currently recognise or apply a “fair use” doctrine.

On the contract side, provisions on data rights and data usage are now more or less standard in most advanced IT contracts, including AI contracts. Such contracts will also typically include some kind of IP indemnity covering AI output/results, but no clear market practice has yet been established when it comes to the scope of such indemnities. As generative AI continues to grow, we expect to see an industry practice on AI contracts developing rather quickly.

Data Transfers to the USA 

The challenges imposed by the Schrems II ruling have been mostly addressed by the US adequacy decision, and transfers to the USA are no longer the key issue in cloud migration projects. Since the adequacy decision, we see a growing trend of cloud vendors stating that all transfers of personal data from the EU are made to the USA, and that personal data is transferred from the USA onwards to other third countries.

A remaining concern for public authorities as well as regulated entities in Sweden, such as banks and insurance companies, is that US hyperscalers typically reserve in their contracts the right to disclose data stored within the EU to third-country governmental authorities, including US authorities, if such disclosure is required by third-country legislation to which the cloud vendor is subject. It should be noted that transfer of data stored in the EU to governmental authorities in the USA is not explicitly covered by the EU-US adequacy decision.

These concerns mean that governmental authorities and regulated entities remain cautious in relation to the use of public cloud services.

It is also clear that cloud vendors are becoming increasingly aware of the legal and compliance issues that cloud customers face. Our experience is that cloud vendors (including US hyperscalers) are more willing to negotiate their standard contracts, primarily in regard to customer expectations and requirements concerning data protection and regulatory requirements. Further, cloud vendors’ standard contracts are updated more frequently following regulatory developments and improved understanding of European law.

Another trend is that an increasing number of Swedish companies are making investments to build, strengthen and support “hybrid cloud” environments, meaning that public cloud infrastructure is being considered as one of several alternative IT environments. This means, for example, that investments are being made in co-location services and data centre services with a view towards creating modern, secure and compliant private cloud environments. These developments are, in our view, in line with adopting a risk-based approach in relation to cloud services.