Sweden
Data protection
1. Local data protection laws and scope
The main local data protection laws are the following:
- The EU General Data Protection Regulation 2016/679 (“GDPR”).
The main acts supplementing the GDPR in Sweden are the following:
- Act containing supplementary provisions to the GDPR (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) (“Supplementary GDPR Act”). A non-official translation is available here.
- The Camera Surveillance Act (Kamerabevakningslag (2018:1200)) regulates how camera surveillance may be conducted. The Camera Surveillance Act supersedes provisions in the Supplementary GDPR Act and the Criminal Data Act (see below), if applicable.
- The Criminal Data Act (Brottsdatalag (2018:1177)) implements the Directive (EU) 2016/680 (Law Enforcement Directive).
- The Patient Data Act (Patientdatalag (2008:355)) regulates how personal data may be processed within health care. The Patient Data Act supersedes the Supplementary GDPR Act.
2. Data protection authority
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
3. Anticipated changes to local laws
An anticipated change to Swedish law is a new act on class actions to protect the collective interests of consumers.
The government bill Grupptalan till skydd för konsumenters kollektiva intressen (prop. 2022/23:136) introduces provisions on the approval of entities that may bring injunction claims and claims for compensation (for example, damages) on behalf of a group of consumers. The scope is broad and includes data protection matters.
The proposal implements Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers.
The new act is proposed to enter into force on 1 January 2024.
Changes to Swedish law recently made include:
- The government bill Sekretessgenombrott vid utlämnande för teknisk bearbetning eller teknisk lagring av uppgifter (prop. 2022/23:97) proposed a new provision that overrides secrecy and enables authorities to provide information subject to confidentiality to a service provider or another authority tasked with technically processing or technically storing the information on behalf of the providing authority.
The aim is to create better conditions for authorities to outsource or coordinate their IT operations and to strengthen the protection of the information provided to a service provider when outsourcing IT operations.
The information may not be disclosed if this is inappropriate in view of the circumstances. Circumstances that may be of importance are, for example, the type of data involved, such as data concerning national security, or where the data will be handled geographically.
The provision entered into force on 1 July 2023 and was introduced in the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslag (2009:400)).
- The government bill Utökade polisiära befogenheter i gränsnära områden (prop. 2022/23:109) proposed legislative changes that provide law enforcement authorities with greater possibilities to carry out camera surveillance in areas close to the Swedish border.
Firstly, the general obligation for law enforcement authorities to carry out a balancing test before initiating camera surveillance does not apply to areas close to the border, since the government deems that the interest in carrying out camera surveillance in such areas regularly outweighs the individual's interest in not being monitored. Secondly, personal data relating to vehicles collected through camera surveillance in areas close to the border may always be processed for up to 6 months if the purpose of the processing is to combat crime.
The aim is to create better conditions for law enforcement authorities to combat cross-border crime and illegal residency in Sweden.
The provisions entered into force on 1 August 2023 and were introduced in a new act on police powers in areas close to the border and through amendments to the Camera Surveillance Act.
4. Sanctions & non-compliance
The administrative fine that IMY may impose on a public authority for violations referred to in articles 83.4, 83.5 and 83.6 of the GDPR is set at a maximum of SEK 5 000 000 for violations referred to in article 83.4 of the GDPR and a maximum of SEK 10 000 000 for violations referred to in articles 83.5 and 83.6 of the GDPR.
(Chapter 6 section 2 of the Supplementary GDPR Act)
IMY may also impose an administrative fine for violations of article 10 of the GDPR. In such cases, articles 83.1, 83.2 and 83.3 of the GDPR apply. The size of the fine is set pursuant to article 83.5 of the GDPR.
(Chapter 6 section 3 of the Supplementary GDPR Act)
The Supreme Administrative Court in Sweden (Högsta förvaltningsdomstolen) has recently concluded that a decision by IMY not to further investigate a complaint, and a decision by IMY to close a supervisory matter without taking any action, are appealable.
(The Supreme Administrative Court in Sweden, case numbers 3691-22 and 6193-22)
5. Registration / notification / authorisation
Camera surveillance
Public authorities, as well as others performing a task carried out in the interest of the general public, require a permit to conduct video surveillance of areas to which the general public has access. The permit requirement only applies when video surveillance of persons is carried out regularly or for an extended period of time.
There are some exemptions from the requirement to apply for a permit, for example for certain law enforcement authorities and public transport operators.
(Sections 1, 7 and 9 of the Camera Surveillance Act)
6. Main obligations and processing requirements
Data Protection Impact Assessment
IMY has, in accordance with articles 35.4 and 35.5 of the GDPR, published lists of the kind of processing operations which are, and which are not, subject to the requirements for a Data Protection Impact Assessment. The lists are available in Swedish here.
Guidance on application of article 6.1 (c) and 6.3 of the GDPR
The Supplementary GDPR Act sets out the conditions under which a legal obligation may constitute a legal basis for the processing of personal data under Swedish law, in accordance with article 6.1 (c) of the GDPR. According to the act, the legal obligation must stem from a law or regulation, a collective agreement or a decision adopted pursuant to a law or regulation.
The act also specifies when a task carried out in the public interest, as well as the exercise of official authority, is considered to be laid down by Union law or Member State law in accordance with article 6.3 of the GDPR. The task carried out in the public interest must stem from a law or regulation, a collective agreement or a decision adopted pursuant to a law or regulation, and the controller's exercise of official authority must stem from a law or other statute.
(Chapter 2 sections 1 and 2 of the Supplementary GDPR Act)
Consent of children
When offering information society services directly to a child living in Sweden, processing of personal data is permitted pursuant to the child’s consent, if the child is at least 13 years of age. If the child is under 13, the processing of such data is only permitted if consent is given or approved by the person who has parental responsibility for the child.
(Chapter 2 section 4 of the Supplementary GDPR Act)
Personal data relating to criminal convictions and offences
Personal data relating to criminal convictions and offences as referred to in article 10 of the GDPR may be processed by public authorities. Entities other than public authorities may also process such categories of personal data if the processing is necessary for the controller to comply with the provisions on archives.
(Chapter 3 section 8 of the Supplementary GDPR Act)
Personal identity numbers and coordination numbers
Personal identity numbers and coordination numbers may only be processed without consent if this is clearly justified in view of the purpose of the processing, the importance of secure identification or any other significant reason.
(Chapter 3 section 10 of the Supplementary GDPR Act)
7. Data subject rights
Articles 13, 14 and 15 of the GDPR, concerning information to data subjects and the right of access to personal data, do not apply to personal data that the controller is not permitted to disclose to the data subject under an act or other statute, or under a decision issued pursuant to a statute. If the controller is not a public authority, the exception also applies to data that would have been subject to secrecy at a public authority under the Public Access to Information and Secrecy Act.
(Chapter 5 section 1 of the Supplementary GDPR Act)
Article 15 of the GDPR, concerning the data subject's right of access, does not apply to personal data in running text that has not taken on its final form when the request is made, or that constitutes a note or similar. This exception does not apply if the personal data:
- has been disclosed to a third party;
- is being processed only for archiving purposes in the public interest or for statistical purposes; or
- has been processed over a period of more than one year in running text that has not taken on its final form.
(Chapter 5 section 2 of the Supplementary GDPR Act)
According to Swedish case law, the information to be provided under articles 13 and 14 of the GDPR includes the names of the third countries to which personal data may be transferred, the retention period or the criteria used to determine the retention period for each specific purpose of the processing, and information on data subjects’ rights that is detailed enough for data subjects to understand their meaning.
(The Administrative Court in Stockholm, case number 7679-22)
8. Processing by third parties
Special categories of personal data may be processed pursuant to article 9.2 (b) of the GDPR if the processing is necessary for the data controller or the data subject to be able to fulfil their obligations and exercise their special rights within labour law and in the areas of social security and social protection.
Personal data that is subject to such processing may be disclosed to a third party only if there is an obligation within labour law or in the areas of social security and social protection for the data controller to do so, or if the data subject has expressly given their consent to the disclosure.
(Chapter 3 section 2 of the Supplementary GDPR Act)
9. Transfers out of country
There are no derogations from the GDPR.
10. Data Protection Officer
A person who fulfils the task of Data Protection Officer under article 37 of the GDPR may not, without authorisation, disclose anything they become aware of in the exercise of their task. Within the public sector, the Public Access to Information and Secrecy Act applies instead.
(Chapter 1 section 8 of the Supplementary GDPR Act)
The notification of the Data Protection Officer’s contact details is to be submitted through IMY’s form (only in Swedish), see here.
11. Security
There are no derogations from the GDPR.
12. Breach notification
Articles 33 and 34 of the GDPR do not apply to personal data breaches that are to be reported in accordance with the Protective Security Act (Säkerhetsskyddslag (2018:585)) or the Act on protective security in the Swedish Parliament and its authorities (Lag (2019:109) om säkerhetsskydd i riksdagen och dess myndigheter), or in accordance with provisions issued in connection with those acts.
(Chapter 1 section 4 of the Supplementary GDPR Act)
Notifications on personal data breaches are to be completed through IMY’s e-service here.
13. Direct marketing
In short, processing for direct marketing purposes can normally be based on several of the legal grounds listed in the GDPR in addition to consent. However, consent may still be required under the Marketing Act (Marknadsföringslag (2008:486)).
A non-official translation of the Marketing Act is available at https://www.government.se/government-policy/consumer-affairs/the-marketing-act-marknadsforingslagen/.
According to the Marketing Act and/or the Swedish Data Marketing Association’s (SWEDMA) Swedish Industry code for privacy protection in marketing, the following applies.
1. Digital direct advertising (email, text messages etc.)
As a general rule, unsolicited advertising requires the consent of recipients in advance (opt-in).
Consent is not required if:
- the contact information (for example email address or phone number) has been collected from the recipient in connection with the sale of a product or a service by the sending company,
- the recipient has been informed in connection with the sale that the contact details may be used for marketing purposes and at the same time has been given the opportunity to decline future contact,
- the marketing concerns the company’s own similar goods and services, and
- the recipient is a customer or a reasonable amount of time has passed since the agreement with the recipient was completed (soft opt-in).
2. Analog direct advertising – mail (addressed or non-addressed) or phone calls
As a general rule, unsolicited advertising is permitted as long as the recipient has not clearly objected to it (opt-out).
a) Addressed direct advertising (ADR)
If the recipient clearly objects to being contacted through ADR, the marketer must respect that objection. The recipient can object directly to the marketer or by registering their name and address with the NIX Blocking Service.
Before ADR is sent to recipients, the marketer must check whether the recipient is on the NIX Blocking list. If the recipient is not on the NIX Blocking list, ADR may be sent to the recipient for three months (counting from the date of the version of the NIX Blocking list against which the check was made). Before ADR is sent after that time, a new check must be made against the NIX Blocking list.
In the case of semi-addressed ADR, the check shall be made on the intended recipient. If more than one person is the intended recipient (e.g. two parents), the check should cover all of them. In this case, ADR should not be sent if any of the recipients' names/addresses is on the NIX Blocking list.
ADR can be sent to recipients even though they appear on the NIX Blocking list under the following conditions:
- the recipient has given their express consent to the ADR being sent to them,
- there is an established customer relationship (entered agreement) between the marketer and the recipient. This exception may only be applied if the offer refers to the same type of goods or services. A customer relationship shall be considered to continue for some time after the contractual obligations have been fulfilled, but no longer than one year unless special reasons apply, or
- the customer has themselves provided personal data to the marketer and in doing so has been informed about which contact methods (letter, telephone, etc.) the marketer may wish to use and been given the opportunity to decline certain contact methods for marketing.
b) Non-addressed direct advertising (ODR)
If the recipient has clearly objected to being contacted through ODR, the marketer must respect that. An objection may be made by putting up a sign or sticker on the mailbox showing that advertising is declined (a so-called “No thanks” sign).
There are, however, exceptions to the obligation not to contact the recipient through ODR where a No thanks sign is displayed. Such exceptions apply to:
- non-commercial messages, such as information from public authorities and other social and political information,
- other social information and political information,
- periodical publications (free newspapers/publications) with more than an insignificant amount of editorial text and for which there is a publishing licence,
- co-produced parts of, or commercial supplements to, a periodical publication which are of the same format or paper quality and which can be clearly recognised as part of the periodical publication.
It is against good practice to deliberately design ODRs so that their distribution is not hindered by No thanks signs.
14. Cookies and adtech
The use of cookies and similar technologies is regulated in chapter 9 section 28 of the Act on Electronic Communications (Lag (2022:482) om elektronisk kommunikation), which implements the Directive on privacy and electronic communications 2002/58/EC.
Data may be stored in, or retrieved from, a subscriber’s or user’s terminal equipment only if the subscriber or user receives information on the processing and consents to it.
Such storage and access is, however, permitted without consent if it is needed for the transmission of an electronic message via an electronic communications network (so-called functional cookies) or is necessary for the provision of a service explicitly requested by the user or subscriber.
The provisions on rectification, erasure, restriction of processing and damages under the GDPR apply to processing of personal data under chapter 1 section 5 of the Act on Electronic Communications.
The Swedish Post and Telecom Authority (Post- och telestyrelsen, PTS) is the supervisory authority for the use of cookies. In October 2022, PTS published new guidelines (in Swedish) on cookies: https://www.pts.se/kakor. In summary, PTS states that the following information shall be provided:
- who stores or collects cookies,
- for what purposes (each purpose must be described),
- the validity period of the cookies, and
- if the information is shared with any other party (third party).
PTS further states that the consent shall:
- be collected before the cookies are placed,
- not be conditioned (access to a service may not be made conditional on the acceptance of cookies),
- be specified for each purpose,
- be possible and easy to withdraw at any time, and
- be active.
Pre-ticked boxes, blocking of the entire webpage, conditioned consent, consent through passivity and boxes that signify understanding rather than consent are not allowed.
15. Risk scale
N/A
16. Useful links
- IMY: https://www.imy.se/en/
- PTS: https://pts.se/en/
17. Code of conduct
There are no derogations from the GDPR.
Cybersecurity
1. Local cybersecurity laws and scope
The main local cybersecurity laws are the following:
- The EU Cybersecurity Act 2019/881 (Cybersäkerhetsförordningen)
- The Act containing supplementary provisions to the EU Cybersecurity Act (Lag (2021:553) med kompletterande bestämmelser till EU:s cybersäkerhetsakt) (“Supplementary Cybersecurity Act”)
- The Ordinance containing supplementary provisions to the EU Cybersecurity Act (Förordning (2021:555) med kompletterande bestämmelser till EU:s cybersäkerhetsakt) (“Supplementary Cybersecurity Ordinance”)
- The Act on Information Security regarding providers of critical infrastructure and digital services (Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster) (“Information Security Act”)
- The Ordinance on Information Security regarding providers of critical infrastructure and digital services (Förordning (2018:1175) om informationssäkerhet för samhällsviktiga och digitala tjänster) (“Information Security Ordinance”)
- The Protective Security Act (Säkerhetsskyddslag (2018:585)). A non-official translation of the Protective Security Act is available at https://government.se/government-policy/foreign-and-security-policy/protective-security-act-2018-585/.
- The Act on Electronic Communications (Lag (2022:482) om elektronisk kommunikation)
2. Anticipated changes to local laws
In February 2023, the Swedish government appointed a special investigator tasked with proposing the adjustments to Swedish law necessary to implement Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) as well as Directive (EU) 2022/2557 on the resilience of critical entities (CER) (Dir. 2023:30).
The investigator shall report on the assignment by 23 February 2024 at the latest.
3. Application
- The EU Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.
- The Supplementary Cybersecurity Act and the Supplementary Cybersecurity Ordinance determine the national authority for cybersecurity certification and lay down detailed provisions regarding the supervisory powers of that authority.
- The Information Security Act implements the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).
- The Information Security Ordinance sets out supplementary provisions to the Information Security Act and the NIS Directive.
- The Protective Security Act and the Protective Security Ordinance set out provisions on protective security measures regarding information, personnel etc. required in security-sensitive activities.
- The Act on Electronic Communications sets out provisions aimed to ensure that individuals and public authorities have access to secure and efficient electronic communications.
4. Authority
- The EU Cybersecurity Act
  - The Swedish Defense Materiel Administration (Försvarets materielverk, FMV)
- The Information Security Act
  - Energy: the Swedish Energy Agency (Statens energimyndighet)
  - Transport: the Swedish Transport Agency (Transportstyrelsen)
  - Banking and financial market infrastructures: the Swedish Financial Supervisory Authority (Finansinspektionen, FI)
  - Health sector: the Health and Social Care Inspectorate (Inspektionen för vård och omsorg, IVO)
  - Drinking water supply and distribution: the Swedish Food Agency (Livsmedelsverket)
  - Digital infrastructure and digital services: PTS
- The Protective Security Act
  - The Protective Security Ordinance sets out different supervisory authorities for different supervisory areas and operators. (Chapter 8 section 1 of the Protective Security Ordinance)
  - The Swedish Security Service (Säkerhetspolisen, SÄPO) and the Swedish Armed Forces (Försvarsmakten, FM) are the coordinating authorities. In special circumstances, they may also take over the supervisory responsibilities of other supervisory authorities.
- The Act on Electronic Communications
  - PTS
5. Key obligations
The EU Cybersecurity Act
The EU Cybersecurity Act stipulates a number of obligations for ENISA. For example, ENISA shall assist and advise on the development and review of Union policy and law in the field of cybersecurity, and assist Member States in their efforts to improve the prevention, detection and analysis of, and the capability to respond to, cyber threats. ENISA shall also strengthen the operational cooperation between Member States, Union institutions, bodies and agencies.
Member States must designate one or more national cybersecurity certification authorities. Such authorities shall, for example, monitor and control compliance with the provisions of European cybersecurity certification schemes and monitor relevant developments in the field of cybersecurity certification.
The EU Cybersecurity Act also lays down rules on what a European cybersecurity certification scheme must include and the security objectives such schemes shall be designed to achieve. For example, a European cybersecurity certification scheme shall be designed to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure.
(Articles 5-7, 51 and 58 of the EU Cybersecurity Act)
The Information Security Act
Operators of essential services must conduct systematic and risk-based information security work regarding the networks and information systems used to provide such services. They must also carry out a risk analysis, which shall form the basis for choosing appropriate and proportionate technical and organisational measures to manage risks that threaten the security of the networks and information systems used to provide essential services. A risk analysis is also required regarding the appropriate measures to prevent and minimise the effects of incidents affecting networks and information systems used to provide essential services.
Providers of digital services must adopt the technical and organisational measures they consider appropriate and proportionate to manage risks that threaten the security of the networks and information systems used when providing digital services within the EU. They must also undertake measures to prevent and minimise the effects of incidents that affect the networks and information systems used. This obligation applies only in relation to the effects that such incidents have on digital services offered by the provider within the EU.
Operators of essential services shall, without undue delay, report incidents that have a considerable impact on the continuity of the essential service they provide. Digital service providers shall, without undue delay, report incidents that have a significant impact on the provision of a digital service they offer in the EU.
(Sections 11-16, 18 and 19 of the Information Security Act)
The Protective Security Act
A person who conducts security-sensitive activities (operator) must investigate the need for protective security (protective security analysis). The protective security analysis must be documented.
Based on the protective security analysis, the operator must plan and adopt the protective security measures required considering the nature and scope of the activities, the presence of classified information and other circumstances. The operator must also carry out controls of the protective security of its own activities, notify and report anything of importance for protective security, and otherwise undertake any measures required under the Protective Security Act.
To the extent possible, protective security measures must be designed so that they do not result in harm or inconvenience to other public or private interests.
An operator must without delay notify the supervisory authority that it is conducting security-sensitive activities.
A protective security manager (säkerhetsskyddschef) must be appointed for activities covered by the Protective Security Act unless this is clearly unnecessary. The security manager shall lead and coordinate the protective security work and check that the activities are conducted in accordance with the Protective Security Act and regulations issued in connection with it.
(Chapter 2 sections 1, 6 and 7 of the Protective Security Act)
The Act on Electronic Communications
As a general rule, public electronic communications networks that are normally provided against payment, and publicly available electronic communications services, may be provided only after notification to PTS.
The use of radio transmitters and of numbers from a national numbering plan requires a permit from PTS.
Providers of public electronic communications networks and publicly available electronic communications services must adopt appropriate and proportionate technical and organisational measures to adequately address risks to the security of networks and services. Such providers must also report to PTS security incidents that have had a significant impact on networks and services.
Before concluding a contract with a consumer, the provider of a publicly available electronic communications service shall provide information about the contract in a clear and comprehensible manner and shall provide, free of charge, a concise and easy-to-read summary of the contract. If it is not technically possible to provide the summary before the conclusion of the contract, it shall be provided as soon as possible thereafter.
Rules on the usage of cookies are also stipulated in the Act on Electronic Communications. For more information on such obligations, please see above (the section on cookies and adtech).
(Chapter 2 section 1, chapter 3 section 1, chapter 4 section 3, chapter 7 section 1 and chapter 8 sections 1 and 3 of the Act on Electronic Communications)
6. Sanctions & non-compliance
The EU Cybersecurity Act
Under the Supplementary Cybersecurity Act, fines may be set at a minimum of SEK 10 000 and a maximum of SEK 15 000 000 for violations of the provisions set out in the act. When determining the amount of the fine, particular consideration shall be given to the circumstances, for example the damage or risk of damage caused by the violation.
(Sections 8-10 of the Supplementary Cybersecurity Act)
The Information Security Act
The supervisory authority may impose a fine on anyone who fails to comply with the requirements set out in the act. The fine shall be set at a minimum of SEK 5 000 and a maximum of SEK 10 000 000. When determining the amount of the fine, particular consideration shall be given to the circumstances, for example the damage or risk of damage caused by the violation.
(Sections 28-30 and 32 of the Information Security Act)
The Protective Security Act
The supervisory authority may impose a fine on a provider who fails to comply with the requirements set out in the act. A fine may also be imposed on a stock or share owner. The fine shall be set at a minimum of SEK 25 000 and a maximum of SEK 50 000. For authorities, however, the fine may be set at a maximum of SEK 10 000 000. When determining whether a fine shall be imposed, particular consideration shall be given to the circumstances, for example the damage to, or vulnerability of, the security of Sweden resulting from the violation.
(Chapter 7 sections 1-3 of the Protective Security Act)
The Act on Electronic Communications
The supervisory authority may impose a fine on operators who fail to comply with the requirements set out in the act. The fine shall be set at a minimum of SEK 5 000 and a maximum of SEK 10 000 000. When determining the amount of the fine, particular consideration shall be given to the circumstances, for example the damage or risk of damage caused by the violation.
(Chapter 12 sections 1 and 2 of the Act on Electronic Communications)
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
The computer security incident response team (CSIRT) is called CERT-SE and is run by the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB), https://www.cert.se/om-cert-se.
CERT-SE is also the national and governmental CERT of Sweden.
CERT-SE shall:
- respond promptly when IT incidents occur by disseminating information and, where needed, coordinating measures and taking part in the work to remedy or mitigate the consequences of the incident,
- cooperate with authorities that have specific tasks in the field of information security, and
- act as Sweden’s point of contact for equivalent services in other countries, and develop cooperation and information exchange with them.
8. National cybersecurity incident management structure
Incidents are to be reported to +46 10 240 40 40 or cert@cert.se.
CERT-SE’s incident management process consists of 5 steps:
- Step 1, adoption of preventive measures: establishing escalation procedures, IT security policies and communication plans.
- Step 2, identification of potential incidents: collecting and analysing information and data to determine whether an incident has occurred.
- Step 3, mitigation of ongoing attacks: isolating and interrupting ongoing attacks, minimising their spread and collecting evidence for further analysis.
- Step 4, recovery: measures required to bring systems back to production level and procedures necessary to avoid future incidents.
- Step 5, summary of experiences: lessons learnt from the incident and how they may be used for future prevention purposes.
From 1 October 2022, MSB forwards reported incidents that have their basis in a criminal act to the Swedish Police.
9. Other cybersecurity initiatives
- https://www.informationssakerhet.se/ is a cooperation between several Swedish governmental agencies and supports Information Security Management in the public sector with information material.
- NCC-SE is Sweden’s national coordination centre for research and innovation in cybersecurity and promotes cooperation between Swedish research institutes, companies and authorities for the development of cybersecurity solutions, https://www.msb.se/ncc-se.
- Commissions Cybernode is a Swedish node for accelerating innovation and research in cybersecurity, https://cybernode.se/en/home/.
- Nationellt center för cybersäkerhet is a national centre for cybersecurity established by several authorities. It aims to strengthen the authorities’ abilities to carry out their respective missions and to provide improved opportunities to increase the national ability to prevent, detect and manage cyber-attacks and other IT incidents that risk damaging Sweden’s security. https://www.ncsc.se/ (in Swedish only)
- Ena, Sweden’s digital infrastructure for information exchange. The work is coordinated and led by the Agency for Digital Government (Myndigheten för digital förvaltning, DIGG: https://www.digg.se/en).
10. Useful links
- CERT-SE: https://cert.se/om-cert-se
- FI: https://www.fi.se/en/
- FM: https://www.forsvarsmakten.se/en/
- FMV: https://www.fmv.se/
- IVO: https://www.ivo.se/om-ivo/other-languages/english/
- MSB: https://www.msb.se/en/
- PTS: https://pts.se/en/
- SÄPO: https://sakerhetspolisen.se/ovriga-sidor/other-languages/english-engelska.html
- The Swedish Energy Agency: https://www.energimyndigheten.se/en/
- The Swedish Transport Agency: https://www.transportstyrelsen.se/en/road/
- The Swedish Food Agency: https://www.livsmedelsverket.se/en