SWEDEN: An Introduction to Information Technology

Issues such as data sovereignty and national security interests continue to be hot topics affecting the IT/technology market and many other parts of society and businesses. Forecasts for 2025 are a bit more positive as inflation and interest rates decreased significantly in the second half of 2024.

Traditional IT Outsourcing Is Not Dead

Despite the shift to the cloud that has been a clear focus in recent years, traditional IT outsourcing is still happening. Over the past year, we have seen large deals covering multiple jurisdictions and functions. Infrastructure outsourcing is the most prevalent, typically creating a hybrid infrastructure architecture where the benefits of cloud services are combined with the use of local datacentres. There are, of course, several reasons for larger companies remaining in control of their infrastructure. Firstly, the financial benefits of using cloud services have decreased in recent years. Secondly, there is a clear increased focus on security, data management and data sovereignty. The contractual focus for these infrastructure deals has been flexibility, security, management, compliance and control.

Heavy Regulatory Focus

New legislation as a result of the EU Digital Decade has had a massive impact on Swedish companies.

DORA for example is the word of the year for financial entities in Sweden and will continue to be their main regulatory focus during 2025. The road to DORA implementation has been far from straight, due to the lack of clear guidelines on its application. Several so-called delegated acts have been introduced by the European supervisory authorities during the course of 2024. One of the central delegated acts regarding engagement of critical subcontractors has still not been adopted by the European Commission. Since DORA could lead to sanctions up to 10% of the revenue on group level, one could question how financial entities are supposed to adapt its agreements before 17 January 2025, given the lack of clear and foreseeable guidance.

For those entities which are not fully compliant yet, there should be two main focus areas: (i) the information register, as it is key for financial entities’ overall overview of its ICT third-party risks and (ii) update of contracts with ICT third-party suppliers to comply with contractual requirements in DORA, as the contract is the key to managing the ICT third-party risks. 

Additional legislation with a similar cybersecurity focus to DORA has been introduced through the NIS2 Directive. NIS2 has a wider scope than DORA and affects many different industries, including those which have not been subject to similar regulatory requirements previously. During 2024, the interest for NIS2 has been growing with questions focusing on its scope and application. As it is planned to be implemented in Sweden in 2025, we foresee that questions relating to NIS2 implementation will be the regulatory focus of the affected entities during this year, with the focus shifting more towards what exact requirements that such entities must fulfil as many requirements in NIS2 are generic to its nature without further specifications (such as the requirement on ensuring “supply chain security”).

Data Is Driving AI Development

The EU legal landscape related to development and use of AI and other digital technologies seems to be ever-expanding. With the enactment of several new regulations and directives as part of the EU Digital Decade – such as the AI Act, the Data Act, DORA and the Data Governance Act – the EU seems determined to set a global precedent on how to regulate digital and data-driven technology. These regulations mean that compliance aspects and legal reviews are becoming increasingly important for technology sourcing and IT development projects in Sweden.

In order to be able to comply with these new regulations, many organisations will need to create and implement comprehensive policies related to issues such as data management, data quality and compliance. In many cases, this will also require significant investments throughout all levels in the technology stack (infrastructure, platform and application level).

Access to high-quality data is a key driver for AI development. The legal discussion around data has historically focused almost exclusively on use of personal data, but this is rapidly changing. In particular, we believe that the recently enacted Data Act will impact the work of tech lawyers in coming years. The overall purpose of this piece of legislation is to protect EU consumers and EU businesses from “unfair” business practices related to use and commercialisation of (non-personal) data – eg, within cloud computing and IoT product and services.

Although many important aspects of the Data Act, such as supervision and sanctions, are still yet to be seen in Sweden, the Data Act will introduce several new interesting concepts and provisions such as:

• new roles (data holder, data recipient and user);
• data-sharing obligations;
• mandatory data licensing contracts;
• new unfair contractual provisions for contracts entered into after 12 September 2025;
• mandatory exit contracts for cloud/IoT service; and
• interoperability requirements to facilitate switching between different cloud/IoT services.

We anticipate that the Data Act will challenge traditional business models (for example within the process industry) for the sales departments of companies that sell IoT products at the same time, as it will enable the R&D and procurement departments to gain access to crucial supplier data that was not previously available to them. Such development is likely to increase the need for specialised legal advice with high industrial knowledge and awareness of data management. 

There has also been a revival of interest in additive manufacturing (ie, 3D-printing). This was a hot topic some ten years ago but since then, has mostly been used for consumer goods or R&D projects. The recent interest in additive manufacturing is driven by an increasing focus in Sweden on civil defence and resilience. In particular, additive manufacturing is being considered as a method to increase flexibility and resilience in vulnerable supply chains, without completely surrendering the concept of just-in-time production. The development is still at an early stage and is, in our opinion, being held back by several issues, including (i) lack of adequate security for the IPR-holders, (ii) the legal framework regarding liability and certification and (iii) a business model that provides sufficient profitability for the OEMs to accept just-in-time production instead of the customary sales concepts for aftersales where a customer is obliged to keep large stock of wear and spare parts. We anticipate that it would be possible to overcome these obstacles if a trusted institution (for example a Swedish or EU-funded organisation) created a standardised platform for encrypted digital drawings, models, etc, potentially levering new technologies such as blockchain/NFTs. Such a platform does not exist currently, but we believe that additive manufacturing will play an increasingly important role as Swedish public authorities (and Swedish society as a whole) strives to become more robust and self-sufficient.