Data protection

1. Local data protection laws and scope

The main local data protection laws are the following:

  • The EU General Data Protection Regulation 2016/679 ("GDPR").

The main acts supplementing the GDPR in Sweden are the following:

  • Act containing supplementary provisions to the GDPR (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) ("Supplementary GDPR Act"). A non-official translation is available here.
  • The Camera Surveillance Act (Kamerabevakningslag (2018:1200)) regulates how camera surveillance may be conducted. Where applicable, it takes precedence over the provisions of the Supplementary GDPR Act and the Criminal Data Act (see below).
  • The Criminal Data Act (Brottsdatalag (2018:1177)) implements the Directive (EU) 2016/680 (Law Enforcement Directive).
  • The Patient Data Act (Patientdatalag (2008:355)) regulates how personal data may be processed within health care. The Patient Data Act supersedes the Supplementary GDPR Act.

2. Data protection authority

The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

3. Anticipated changes to local laws

Some of the anticipated changes to local laws include:

  • A Swedish Government official report, Personuppgifter och mediagrundlagarna (SOU 2024:75), proposes to strengthen the protection of privacy where personal data is published on online search services that operate under the constitutional protection of freedom of the press and freedom of expression (the right to obtain, publish and use publicly available data). The new provisions are proposed to enter into force on 1 January 2027.
  • A Ministry Publications Series report, Utökade registerkontroller vid anställning i kommun (Ds 2024:24), proposes to allow municipalities to carry out criminal record checks on employees and job applicants in order to, among other things, reduce the risk of infiltration and insider influence. The new act was proposed to enter into force on 1 June 2025 but has not yet been adopted.
  • The Swedish Supreme Court (Högsta domstolen) has recently ruled on the compatibility of the Swedish constitution with the GDPR as regards companies that, among other things, process data on criminal convictions in order to provide background checks (decisions of 25 February 2025 in cases Ä 3457-24 and Ä 3169-24). IMY had previously asked the Swedish Government to commission an inquiry into an appropriate balance between the need for general background checks and the right to privacy; the Government has not yet acted on this request.

Changes to Swedish law recently made include:

  • As of 1 April 2025, no permit is required to carry out camera surveillance. Those who previously had to apply for a permit (e.g. public authorities) must instead carry out and document a balancing test and keep a register of ongoing surveillance. (Sections 1 and 7 - 10 of the Camera Surveillance Act)

4. Sanctions & non-compliance

The administrative fine that IMY may impose on a public authority for violations as referred to in article 83.4, 83.5 and 83.6 of the GDPR is set at a maximum of SEK 5 000 000 for violations referred to in article 83.4 of the GDPR and a maximum of SEK 10 000 000 for violations referred to in article 83.5 and 83.6 of the GDPR. 

(Chapter 6, section 2 of the Supplementary GDPR Act) 

IMY may also impose an administrative fine for violations of article 10 of the GDPR. In such cases, article 83.1, 83.2 and 83.3 of the GDPR applies. The size of the fine is set pursuant to article 83.5 of the GDPR. 

(Chapter 6, section 3 of the Supplementary GDPR Act)

5. Registration / notification / authorisation

Camera surveillance

As of 1 April 2025, no permit is required to carry out camera surveillance. Those who previously had to apply for a permit (e.g. public authorities) must instead carry out and document a balancing test and keep a register of ongoing surveillance.

(Sections 1, 7, 8, 9 and 10 of the Camera Surveillance Act)

6. Main obligations and processing requirements

Data Protection Impact Assessment

IMY has, in accordance with articles 35.4 and 35.5 of the GDPR, published lists of the kind of processing operations which are, and which are not, subject to the requirements for a Data Protection Impact Assessment. The lists are available in Swedish here.

Guidance on application of article 6.1 (c) and 6.3 of the GDPR

The Supplementary GDPR Act sets out the conditions for when a legal obligation may constitute a legal basis for processing of personal data under Swedish law, in accordance with article 6.1 (c) of the GDPR. According to the act, the legal obligation must stem from law or regulation, a collective agreement or a decision adopted pursuant to a law or regulation.

It is also specified when a task carried out in the public interest, or the exercise of official authority, is considered to be laid down by Union law or Member State law in accordance with article 6.3 of the GDPR. A task carried out in the public interest must stem from law or regulation, a collective agreement or a decision adopted pursuant to a law or regulation, and the controller's exercise of official authority must stem from a law or other statute.

(Chapter 2, section 1 and 2 of the Supplementary GDPR Act)

Personal data relating to criminal convictions and offences

Personal data relating to criminal convictions and offences as referred to in article 10 of the GDPR may be processed by public authorities. Others than public authorities may also process such categories of personal data if the processing is necessary for the controller to comply with provisions on archives, if IMY has issued regulations permitting such processing, or if IMY, following an application, has specifically approved the processing.

(Chapter 3, sections 8 and 9 of the Supplementary GDPR Act)

Personal identity numbers and coordination numbers

Personal identity numbers and coordination numbers may only be processed without consent if this is clearly justified in view of the purpose of the processing, the importance of secure identification or any other significant reason.

(Chapter 3, section 10 of the Supplementary GDPR Act)

7. Data subject rights

Articles 13, 14 and 15 of the GDPR, concerning information to data subjects and the right of access to personal data, do not apply to personal data that the controller is not permitted to disclose to the data subject under an act or other statute, or under a decision issued pursuant to a statute. If the controller is not a public authority, the exception also applies to data that would have been subject to secrecy at a public authority under the Public Access to Information and Secrecy Act.

(Chapter 5 section 1 of the Supplementary GDPR Act)

Article 15 of the GDPR, concerning the data subject's right of access, does not apply to personal data in running text that has not yet taken on its final form when the request is made, or that constitutes a memorandum or similar note. This exception does not apply if the personal data:

  1. has been disclosed to a third party;
  2. is being processed only for archiving purposes in the public interest or for statistical purposes; or
  3. has been processed over a period of more than one year in running text that has not taken on its final form.

(Chapter 5 section 2 of the Supplementary GDPR Act)

According to Swedish case law, the information to be provided under articles 13 and 14 of the GDPR includes the names of the third countries to which personal data may be transferred, the retention period (or the criteria used to determine it) for each specific purpose of the processing, and information on the data subject's rights that is detailed enough for data subjects to understand what those rights mean.

(The Administrative Court in Stockholm, case number 7679-22)

8. Processing by third parties

Special categories of personal data may be processed pursuant to article 9.2 (b) of the GDPR if the processing is necessary for the data controller or the data subject to be able to fulfil their obligations and exercise their special rights within labour law and in the areas of social security and social protection.

Personal data that is subject to such processing may be disclosed to a third party only if there is an obligation within labour law or in the areas of social security and social protection for the data controller to do so, or if the data subject has expressly given their consent to the disclosure.

(Chapter 3, section 2 of the Supplementary GDPR Act)

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

A person who performs the tasks of Data Protection Officer under article 37 of the GDPR may not, without authorisation, disclose anything they have learned in the performance of those tasks. Within the public sector, the Public Access to Information and Secrecy Act applies instead.

(Chapter 1, section 8 of the Supplementary GDPR Act)

The contact details of the Data Protection Officer are to be communicated to IMY through IMY's form (in Swedish only).

11. Security

There are no derogations from the GDPR.

12. Breach notification

Articles 33 and 34 of the GDPR do not apply to personal data breaches that are to be reported under the Protective Security Act (Säkerhetsskyddslag (2018:585)), the Act on protective security in the Riksdag and its agencies (Lag (2019:109) om säkerhetsskydd i riksdagen och dess myndigheter), or under provisions issued pursuant to those acts.

(Chapter 1 section 4 of the Supplementary GDPR Act)

Notifications on personal data breaches are to be completed through IMY’s e-service here.

13. Direct marketing

In short, processing for direct marketing purposes can normally be based on several of the legal grounds listed in the GDPR, not only consent. Consent may nevertheless be required under the Marketing Act (Marknadsföringslag (2008:486)).

A non-official translation of the Marketing Act is available at https://www.government.se/government-policy/consumer-affairs/the-marketing-act-marknadsforingslagen/.

According to the Marketing Act and/or the Swedish Data Marketing Association’s (SWEDMA) Swedish Industry code for privacy protection in marketing, the following applies. 

1. Digital direct advertising (email, text messages etc.)

As a general rule, unsolicited advertising requires the consent of recipients in advance (opt-in).

Consent is not required if (so-called soft opt-in):

  • the contact details (for example an email address or phone number) were collected from the recipient in connection with the sale of a product or service by the sending company,
  • the recipient was informed, in connection with the sale, that the contact details may be used for marketing purposes and was at the same time given the opportunity to decline future contact,
  • the marketing concerns the company's own similar goods and services, and
  • the recipient is a customer or a reasonable amount of time has passed since the agreement with the recipient was concluded.

2. Analog direct advertising – mail (addressed or non-addressed) or phone calls

As a general rule, unsolicited advertising is permitted as long as the recipient has not clearly objected to it (opt-out).

a) Addressed direct advertising (ADR)

If the recipient clearly objects to being contacted through ADR, the marketer must respect that objection. The recipient can object directly to the marketer or by registering their name and address with the NIX Blocking Service.

Before ADR is sent to recipients, the marketer must check whether the recipient is in the NIX Blocking list. If the recipient is not in the NIX Blocking list, the ADR may be sent to the recipient during three months (counting from the date of the version of the NIX Blocking list against which the check was made). Before ADR is sent after that time, a new check must be made in the NIX Blocking list. 

In the case of semi-addressed ADR, the check shall be made on the intended recipient. If more than one person is the intended recipient (e.g. two parents), the check should concern all of them. In this case, ADR should not be sent if any of the recipients' names/addresses is in the NIX Blocking list.

ADR can be sent to recipients even though they appear in the NIX Blocking list under the following conditions: 

  • the recipient has given its express consent to the ADR being sent to it,
  • there is an established customer relationship (entered agreement) between the marketer and the recipient. This exception may only be applied if the offer refers to the same type of goods or services. A customer relationship shall be considered to continue for some time after the contractual obligations have been fulfilled, but no longer than one year unless special reasons are applicable, or
  • the customer has itself provided personal data to the marketer and in doing so has been informed about which contact methods (letter, telephone, etc) the marketer may wish to use and been given the opportunity to decline certain contact methods for marketing.
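The NIX rules above (the three-month validity of a clean check, the all-recipients rule for semi-addressed ADR, and the three exceptions), as an added example that is not code from the page, SWEDMA or the NIX service. "Three months" and "one year" are implemented as calendar months, the "special reasons" extension of a customer relationship is not modelled, and the NIX entries, list version date, recipients and customer history are constructed for illustration.

```javascript
// Added example, not code from the page, SWEDMA or the NIX service: a pre-send
// check applying the NIX rules to a constructed batch of addressed direct
// advertising (ADR). All data below is constructed.

// 'YYYY-MM-DD' -> Date at midnight UTC, so date arithmetic is timezone-safe.
function utcDate(iso) {
  const [y, m, d] = iso.split('-').map(Number);
  return new Date(Date.UTC(y, m - 1, d));
}
function addMonths(date, n) {
  const d = new Date(date);
  d.setUTCMonth(d.getUTCMonth() + n);
  return d;
}

// Normalise name and address so case/spacing differences do not defeat the lookup.
function nixKey(name, address) {
  const norm = (s) => s.trim().toLowerCase().replace(/\s+/g, ' ');
  return `${norm(name)}|${norm(address)}`;
}

// Decide for one piece of ADR. `piece.names` lists every intended recipient
// (several for semi-addressed ADR). `ctx` carries the send date, the NIX list
// version date and the list as a Set of nixKey() values.
function checkPiece(piece, ctx) {
  const listed = piece.names.filter((n) => ctx.nix.has(nixKey(n, piece.address)));

  if (listed.length === 0) {
    // A clean lookup is only valid for three months from the list version date.
    if (ctx.sendDate > addMonths(ctx.listDate, 3)) {
      return { decision: 'recheck', reason: 'NIX check older than three months; re-run against a current list' };
    }
    return { decision: 'send', reason: 'no intended recipient in NIX' };
  }

  // At least one intended recipient is in NIX: only the three exceptions permit sending.
  if (piece.expressConsent) {
    return { decision: 'send', reason: 'express consent to ADR' };
  }
  if (piece.lastContractFulfilled && piece.sameKindOfOffer &&
      ctx.sendDate <= addMonths(utcDate(piece.lastContractFulfilled), 12)) {
    return { decision: 'send', reason: 'customer relationship within one year of fulfilment' };
  }
  if (piece.informedOfContactMethods && !piece.declinedLetters) {
    return { decision: 'send', reason: 'recipient informed of contact methods and did not decline letters' };
  }
  return { decision: 'blocked', reason: `in NIX: ${listed.join(', ')}` };
}

function runBatch(batch) {
  const ctx = {
    sendDate: utcDate(batch.sendDate),
    listDate: utcDate(batch.nixListVersionDate),
    nix: new Set(batch.nixEntries.map(([name, address]) => nixKey(name, address))),
  };
  return batch.pieces.map((p) => ({ id: p.id, ...checkPiece(p, ctx) }));
}

// Constructed sample batch: a NIX list as of 1 March 2025 and a mailing on 15 May 2025.
const SAMPLE_BATCH = {
  nixListVersionDate: '2025-03-01',
  sendDate: '2025-05-15',
  nixEntries: [
    ['Erik Karlsson', 'Storgatan 1, 111 22 Stockholm'],
    ['Johan Lind', 'Kyrkvägen 7, 222 33 Lund'],
    ['Lena Berg', 'Hamngatan 3, 333 44 Göteborg'],
    ['Olof Öst', 'Bergsgatan 9, 444 55 Umeå'],
  ],
  pieces: [
    { id: 'A', names: ['Anna Svensson'], address: 'Lillgatan 2, 111 22 Stockholm' },
    { id: 'B', names: ['erik  karlsson'], address: 'Storgatan 1, 111 22 STOCKHOLM' },
    // semi-addressed piece to two parents, one of whom is in NIX: must not be sent
    { id: 'C', names: ['Maria Lind', 'Johan Lind'], address: 'Kyrkvägen 7, 222 33 Lund' },
    { id: 'D', names: ['Lena Berg'], address: 'Hamngatan 3, 333 44 Göteborg',
      lastContractFulfilled: '2024-09-10', sameKindOfOffer: true },
    { id: 'E', names: ['Olof Öst'], address: 'Bergsgatan 9, 444 55 Umeå',
      lastContractFulfilled: '2024-03-01', sameKindOfOffer: true },
  ],
};
```

Running `runBatch(SAMPLE_BATCH)` sends A and D, blocks B (the normalised name still matches), C (one of the two intended recipients is listed) and E (the customer relationship ended more than a year before the send date); moving the send date to 15 June 2025 turns A into "recheck", because the March list version is then more than three months old.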

b) Non-addressed direct advertising (ODR) – advertising delivered directly to the recipient's mailbox (not through postal services)

If the recipient has clearly objected to being contacted through ODR, the marketer must respect that. An objection may be made by putting up a sign/sticker on the mailbox showing that advertising is declined (a so called No thanks sign).

There are however exceptions to the obligation not to contact recipient through ODR in case of a No thanks sign. Such exceptions apply to: 

  • non-commercial messages, such as information from public authorities and other social or political information,
  • periodical publications (free newspapers/publications) with more than an insignificant amount of editorial text and for which there is a publishing licence,
  • co-produced parts of or commercial supplements to a periodical publication which are of the same format or paper quality and which can be clearly recognised as part of the periodical publication.

It is contrary to good practice to deliberately design ODR so that its distribution is not stopped by No thanks signs.

14. Cookies and adtech

The use of cookies and similar technologies is regulated in chapter 9 section 28 in the Act on Electronic Communications (Lag (2022:482) om elektronisk kommunikation) that implements the Directive on privacy and electronic communications 2002/58/EC.

Data may be stored in, or retrieved from, a subscriber's or user's terminal equipment only if the subscriber or user is given information about the purpose of the processing and consents to it.

Such storage and access are however permitted without consent if needed for the transmission of an electronic message over an electronic communications network, or if necessary for the provision of a service explicitly requested by the user or subscriber (so-called functional or strictly necessary cookies).

The GDPR's provisions on rectification, erasure, restriction of processing and damages also apply to the processing of personal data under the Act on Electronic Communications.

(Chapter 1, section 5 of the Act on Electronic Communications)

The Swedish Post and Telecom Authority (Post- och telestyrelsen, PTS) is the supervisory authority for the use of cookies. PTS published guidelines on cookies (in Swedish) in 2022: https://www.pts.se/kakor.

To summarize the guidelines, PTS states that the following information shall be provided:

  • who stores or collects cookies,
  • for what purposes (each purpose must be described),
  • the validity period of the cookies, and
  • if the information is shared with any other party (third party).

PTS further states that consent shall:

  • be collected before the cookies are placed,
  • not be made a condition (access to a service may not be conditional on the acceptance of cookies),
  • be specific to each purpose,
  • be possible and easy to withdraw at any time, and
  • be active, i.e. given through an affirmative action.

Pre-ticked boxes, blocking the entire web page, conditional consent, consent through passivity, and tick boxes that merely confirm that the user has understood the information (rather than consented) are not allowed.
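The PTS points above, as an added example that is not code from the page, PTS or IMY: a consent gate that makes the rules enforceable at the one place where cookies get written, rather than in banner copy alone. The site name, the purposes and their vendors, and the in-memory cookie jar that stands in for `document.cookie` are constructed assumptions; in a browser the jar would wrap `document.cookie` and the decisions would come from the banner's buttons.

```javascript
// Added example, not code from the page, PTS or IMY. Site name, purposes,
// vendor names and the in-memory jar are constructed for illustration.

const SITE = 'shop.example'; // constructed: the party that stores and reads the cookies

// One declaration per purpose carries everything the notice must state
// (who, purpose, validity, third parties), so the banner cannot drift from the code.
const PURPOSES = {
  necessary: { requiresConsent: false, description: 'Cart and login session for the service the user asked for', maxAge: 3600, sharedWith: [] },
  analytics: { requiresConsent: true, description: 'Usage statistics', maxAge: 30 * 86400, sharedWith: ['stats-vendor.example'] },
  marketing: { requiresConsent: true, description: 'Ad targeting across sites', maxAge: 365 * 86400, sharedWith: ['adnetwork.example'] },
};

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, meta) { this.cookies.set(name, { value, ...meta }); }
  remove(name) { this.cookies.delete(name); }
  list() { return [...this.cookies].map(([name, c]) => ({ name, ...c })); }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.decisions = {}; // purpose -> true/false; absent means the user has not answered yet
  }

  // Data for the banner: one row per purpose with the required information, nothing pre-ticked.
  bannerState() {
    return Object.entries(PURPOSES).map(([purpose, p]) => ({
      purpose, who: SITE, description: p.description,
      validityDays: Math.ceil(p.maxAge / 86400), sharedWith: p.sharedWith,
      optional: p.requiresConsent, checked: false,
    }));
  }

  // Record a choice per purpose. Only a literal boolean from a user action counts;
  // closing or scrolling past the banner (undefined) is passivity, not consent.
  decide(purpose, granted) {
    const p = PURPOSES[purpose];
    if (!p) throw new Error(`unknown purpose: ${purpose}`);
    if (!p.requiresConsent) throw new Error(`${purpose} cookies do not use consent`);
    if (typeof granted !== 'boolean') throw new TypeError('consent must be an explicit yes or no');
    this.decisions[purpose] = granted;
    if (!granted) this.dropCookies(purpose); // withdrawal takes effect immediately
  }

  hasConsent(purpose) { return this.decisions[purpose] === true; }

  // The single choke point for writing cookies. Necessary cookies are never blocked
  // (the service must work without accepting the optional ones); the rest need consent.
  setCookie(name, value, purpose) {
    const p = PURPOSES[purpose];
    if (!p) throw new Error(`unknown purpose: ${purpose}`);
    if (p.requiresConsent && !this.hasConsent(purpose)) return false;
    this.jar.set(name, value, { purpose, maxAge: p.maxAge });
    return true;
  }

  dropCookies(purpose) {
    for (const c of this.jar.list()) if (c.purpose === purpose) this.jar.remove(c.name);
  }
}

// Walk through a visit and return what the gate did at each step.
function demo() {
  const gate = new ConsentGate(new MemoryJar());
  const out = {};
  out.preTicked = gate.bannerState().some((row) => row.checked);          // false
  out.necessaryBeforeConsent = gate.setCookie('sid', 'abc', 'necessary');   // true
  out.analyticsBeforeConsent = gate.setCookie('_st', 'x', 'analytics');    // false
  try { gate.decide('analytics', undefined); out.passiveRejected = false; }
  catch (e) { out.passiveRejected = e instanceof TypeError; }              // true
  gate.decide('analytics', true);
  out.analyticsAfterConsent = gate.setCookie('_st', 'x', 'analytics');     // true
  out.marketingStillBlocked = gate.setCookie('_ad', 'y', 'marketing');     // false: per-purpose
  gate.decide('analytics', false);                                          // withdraw
  out.analyticsCookieGone = !gate.jar.list().some((c) => c.purpose === 'analytics'); // true
  out.remaining = gate.jar.list().map((c) => c.name);                       // ['sid']
  return out;
}
```

The design point is that every consent-related failure mode PTS lists (pre-ticked boxes, passivity, bundled purposes, no withdrawal) is rejected by code paths rather than by banner wording, and that third-party tags should only ever be loaded through `setCookie`, never directly.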

IMY is the supervisory authority to the extent that personal data is processed, for example for analytics or profiling purposes.

Both PTS (in 2022) and IMY (in 2025) have carried out supervisory reviews of how selected companies and public authorities use cookies and cookie banners. PTS closed its reviews after the targets made corrections in line with PTS' assessment, while IMY criticised the companies by issuing reprimands.

15. Risk scale

N/A

17. Code of conduct

There are no derogations from the GDPR.

Cybersecurity

1. Local cybersecurity laws and scope

The main local cybersecurity laws are the following:

  • The EU Cybersecurity Act 2019/881 (Cybersäkerhetsförordningen)
    • The Act containing supplementary provisions to the EU Cybersecurity Act (Lag (2021:553) med kompletterande bestämmelser till EU:s cybersäkerhetsakt) ("Supplementary Cybersecurity Act")
    • The Ordinance containing supplementary provisions to the EU Cybersecurity Act (Förordning (2021:555) med kompletterande bestämmelser till EU:s cybersäkerhetsakt) ("Supplementary Cybersecurity Ordinance")
  • The Act on Information Security regarding providers of critical infrastructure and digital services (Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster) ("Information Security Act")
    • The Ordinance on Information Security regarding providers of critical infrastructure and digital services (Förordning (2018:1175) om informationssäkerhet för samhällsviktiga och digitala tjänster) ("Information Security Ordinance")
  • The Protective Security Act (Säkerhetsskyddslag (2018:585)) 
    Non-official translation of the Protective Security Act is available: https://government.se/government-policy/foreign-and-security-policy/protective-security-act-2018-585/.
  • Act on Electronic Communications (Lag (2022:482) om elektronisk kommunikation)

2. Anticipated changes to local laws

  • The Swedish Government's official reports Motståndskraft i samhällsviktiga tjänster (SOU 2024:64) and Nya regler om cybersäkerhet (SOU 2024:18) propose the adjustments to Swedish law needed to implement Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) and Directive (EU) 2022/2557 on the resilience of critical entities (CER) (Dir. 2023:30). The NIS2 Directive was to be transposed into Swedish law by 12 October 2024 at the latest, but transposition has been significantly delayed. According to the Swedish Government's referral to the Council on Legislation (Lagrådet) of 12 June 2025, Ett starkt skydd för nätverks- och informationssystem – en ny cybersäkerhetslag, a new Swedish Cybersecurity Act implementing the NIS2 Directive (and replacing the Information Security Act) is proposed to enter into force on 15 January 2026. Other proposals regarding the implementation of the CER Directive are subject to further work within the Government Offices of Sweden (Regeringskansliet).
  • A Swedish Government official report, SOU 2025:42, proposes changes to the Protective Security Act to strengthen the protection of Sweden's security by widening the scope of the legislation, introducing a system of coercive measures for use where delays in procedures could harm security, and possibly expanding security vetting. There is currently no information on when such changes may enter into force.

3. Application 

  • The EU Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.
    • The Supplementary Cybersecurity Act and the Supplementary Cybersecurity Ordinance designate the national cybersecurity certification authority and lay down detailed provisions on its supervisory powers.
  • The Information Security Act implements the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).
    • The Information Security Ordinance sets out supplementary provisions to the Information Security Act and the NIS Directive.
  • The Protective Security Act and the Protective Security Ordinance set out provisions on the protective security measures (regarding information, personnel, etc.) required in security-sensitive activities.
  • The Act on Electronic Communications sets out provisions aimed to ensure that individuals and public authorities have access to secure and efficient electronic communications.

4. Authority

  • The EU Cyber Security Act
    • The Swedish Defense Materiel Administration (Försvarets materielverk, FMV)
  • The Information Security Act
    • Energy – the Swedish Energy Agency (Statens energimyndighet)
    • Transport – The Swedish Transport Agency (Transportstyrelsen)
    • Banking and financial market infrastructures – The Swedish Financial Supervisory Authority (Finansinspektionen, FI)
    • Health sector – the Health and Social Care Inspectorate (Inspektionen för vård och omsorg, IVO)
    • Drinking water supply and distribution – the Swedish Food Agency (Livsmedelsverket)
    • Digital infrastructure and digital services – PTS
  • The Protective Security Act
    • The Protective Security Ordinance designates different supervisory authorities for different supervisory areas and operators (chapter 8, section 1 of the Protective Security Ordinance). The Swedish Security Service (Säkerhetspolisen, SÄPO) and the Swedish Armed Forces (Försvarsmakten, FM) are the coordinating authorities and may, in special circumstances, also take over the supervisory responsibilities of other supervisory authorities.
  • The Act on Electronic Communications
    • PTS

5. Key obligations 

The EU Cybersecurity Act

The EU Cybersecurity Act stipulates a number of obligations for ENISA. For example, ENISA shall assist and advise on the development and review of Union policy and law in the field of cybersecurity, assist member states in their efforts to improve the prevention, detection, analysis of, and the capability to respond to cyber threats. ENISA shall also strengthen the operational cooperation between Member States, Union institutions, bodies and agencies.

Member states must designate one or more national cybersecurity certification authorities. For example, such authorities shall monitor and control compliance with the provisions of European cybersecurity certification schemes and monitor relevant developments in the field of cybersecurity certification.

The EU Cybersecurity Act also lays down rules concerning what a European cybersecurity certification scheme must include and the security objectives such schemes shall be designed to achieve. 

For example, a European cybersecurity certification scheme shall be designed to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure.

(Articles 5 - 7, 51 and 58 of the EU Cybersecurity Act)

The Information Security Act 

Operators of essential services must conduct systematic and risk-based information security work regarding the networks and information systems they use to provide such services. They must also carry out a risk analysis, which forms the basis for choosing appropriate and proportionate technical and organisational measures to manage risks that threaten the security of the networks and information systems used to provide essential services. A risk analysis is also required for the measures needed to prevent and minimise the effects of incidents affecting those networks and information systems.

Providers of digital services must adopt the technical and organisational measures they consider appropriate and proportionate to manage risks that threaten the security of the networks and information systems used to provide digital services within the EU. They must also take measures to prevent and minimise the effects of incidents affecting those networks and information systems; this obligation applies only to the effects such incidents have on the digital services the provider offers within the EU.

Operators of essential services shall, without undue delay, report incidents that have a considerable impact on the continuity of the essential service they provide. Digital service providers shall, without undue delay, report incidents that have a significant impact on the provision of a digital service they offer in the EU.

(Sections 11 -16, 18 and 19 of the Information Security Act)

The Protective Security Act

A person who conducts security-sensitive activities (operator) must investigate the need for protective security (protective security analysis). The protective security analysis must be documented.

Based on the protective security analysis, the operator must plan and adopt any protective security measures required considering the nature and scope of the activities, the presence of classified information and other circumstances. The operator must also undertake controls of protective security with regards to its own activities, notify and report anything that is of importance with regards to protective security and otherwise undertake any measures required under the Protective Security Act.

To the extent possible, protective security measures must be designed so they do not result in harm or inconvenience to other public or private interests.

An operator must without delay notify the supervisory authority of the fact that it is conducting security-sensitive activities.

A protective security manager (säkerhetsskyddschef) must be appointed with regards to activities covered by the Protective Security Act unless it is clearly unnecessary. The security manager shall lead and coordinate the security work and control that such activities are conducted in accordance with the Protective Security Act and regulations issued in connection with the Protective Security Act.

(Chapter 2, sections 1, 6 and 7 of the Protective Security Act)

The Act on Electronic Communications

As a main rule, public electronic communications networks that are normally provided for remuneration, and publicly available electronic communications services, may only be provided after notification to PTS. The use of radio transmitters and of numbers from a national numbering plan requires a permit from PTS.

Providers of public electronic communications networks and publicly available electronic communications services must adopt appropriate and proportionate technical and organisational measures to adequately manage risks to the security of their networks and services. Such providers must also report security incidents that have had a significant impact on networks and services to PTS.

Before concluding a contract with a consumer, the provider of a publicly available electronic communications service shall provide information about the contract in a clear and comprehensible manner and shall provide, free of charge, a concise and easy-to-read summary of the contract. If it is not technically possible to provide the summary before the conclusion of the contract, it shall be provided as soon as possible thereafter.

Rules on the usage of cookies are also stipulated in the Act on Electronic Communications. For more information on such obligations, please see above (the section on cookies and adtech). 

(Chapter 2, section 1, chapter 3 section 1, chapter 4 section 3, chapter 7 section 1, chapter 8 section 1 and 3 of the Act on Electronic Communications)

6. Sanctions & non-compliance 

The EU Cyber Security Act

Under the Supplementary Cybersecurity Act, a fine of no less than SEK 10 000 and no more than SEK 15 000 000 may be imposed for violations of the provisions specified in the act. When determining the amount of the fine, particular consideration shall be given to the circumstances, for example the damage or risk of damage caused by the violation.

(Sections 8 - 10 of the Supplementary Cybersecurity Act)

The Information Security Act

The supervisory authority may impose a fine on anyone who fails to comply with the requirements specified in the act. The fine shall be no less than SEK 5 000 and no more than SEK 10 000 000. When determining the amount of the fine, particular consideration shall be given to the circumstances, for example the damage or risk of damage caused by the violation.

(Sections 28 - 30 and 32 of the Information Security Act).

The Protective Security Act

The supervisory authority may impose a fine on an operator who fails to comply with the requirements of the act. A fine may also be imposed on the owner of shares or participating interests. The fine shall be no less than SEK 25 000 and no more than SEK 50 000 000; for public authorities, however, the maximum is SEK 10 000 000. When determining whether a fine shall be imposed, particular consideration shall be given to the circumstances, for example the damage to, or vulnerability of, Sweden's security resulting from the violation.

(Chapter 7, sections 1 - 3 of the Protective Security Act)

The Act on Electronic Communications

The supervisory authority may impose a fine on operators who fail to comply with the requirements of the act. The fine shall be no less than SEK 5 000 and no more than SEK 10 000 000. When determining the amount of the fine, particular consideration shall be given to the circumstances, for example the damage or risk of damage caused by the violation.

(Chapter 12, sections 1 and 2 of the Act on Electronic Communications)

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The computer security incident response team (CSIRT) is called CERT-SE and is run by the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB), https://www.cert.se/om-cert-se.

CERT-SE is also the national and governmental CERT of Sweden.

CERT-SE shall:

  1. Respond promptly when IT incidents occur by disseminating information and, where needed, coordinating measures and taking part in work to remedy or mitigate the consequences of the incident,
  2. Cooperate with authorities that have specific tasks in the field of information security, and
  3. Act as Sweden’s point of contact for equivalent services in other countries, and develop cooperation and information exchanges with them.

8. National cybersecurity incident management structure

Notification of an incident is to be reported to +46 10 240 40 40 or cert@cert.se.

CERT-SE’s incident management process consist of 5 steps:

  1. Adoption of preventive measures
    Step 1 involves adoption of preventive measures such as establishment of escalation procedures, IT security policies and communication plans.
     
  2. Identification of potential incidents
    Step 2 involves collection and analysis of information and data to determine whether an incident has occurred.
     
  3. Mitigation of ongoing attacks
    Step 3 involves isolation and interruption of ongoing attacks, minimisation of their spread and collection of evidence for further analysis.
     
  4. Recovery
    Step 4 addresses measures required to bring systems back to production level and procedures necessary to avoid future incidents.
     
  5. Summary of experiences
    Step 5 summarises lessons learnt from the incident and how they may be used for future prevention purposes.

From 1 October 2022, MSB forwards reported incidents that have their basis in a criminal act to the Swedish Police.

9. Other cybersecurity initiatives 

  • https://www.informationssakerhet.se/ is a cooperation between several Swedish governmental agencies and supports Information Security Management in the public sector with information material. 
  • NCC-SE is Sweden’s national coordination centre for research and innovation in cybersecurity and promotes cooperation between Swedish research institutes, companies and authorities for the development of cybersecurity solutions, https://www.msb.se/ncc-se.
  • Cybernode is a Swedish node for accelerating innovation and research in cybersecurity, https://cybernode.se/en/home/
  • Nationellt center för cybersäkerhet is a national centre for cybersecurity established by several authorities. It aims to strengthen the authorities' ability to carry out their respective missions and to improve the national ability to prevent, detect and manage cyber-attacks and other IT incidents that risk damaging Sweden's security. https://www.ncsc.se/ (in Swedish only)
  • Ena, Sweden’s digital infrastructure for information exchange. The work is coordinated and led by the Agency for Digital Government (Myndigheten för digital förvaltning, DIGG: https://www.digg.se/en).