European Commission Publishes Draft Guidelines on High-Risk AI Systems
The long-awaited guidelines on high-risk AI systems under the EU AI Act have now been published in draft form by the European Commission. The draft guidelines concern the classification of high-risk AI systems, including the interpretation of Article 6 of the AI Act and the use cases listed in Annex III. They are intended to […]
EU Institutions Reach Preliminary Political Agreement on AI Act Omnibus
The EU institutions have reached a preliminary political agreement on the AI Act Omnibus, following intensive trilogue negotiations and a failed “final” negotiating round last week. The agreement is not yet final. It must still undergo review and formal adoption by the Council and Parliament before entering into force. However, the political deal provides the […]
Sweden’s updated NIS2 draft regulation on training and security measures: broader flexibility, targeted tightening on supply chain security
The Swedish Civil Defence and Resilience Agency (MCF, formerly MSB) has recently published an updated draft regulation on training and security measures under Sweden’s NIS2 framework. Although the regulation has not yet been finalised, it gives a clearer indication of the security and training measures that in-scope entities are expected to implement. The draft regulation is currently subject […]
Swedish DPA: Priorities for 2026
The Swedish Authority for Privacy Protection (“IMY“) has published its priorities for guidance and supervisory activities in 2026. IMY will focus its efforts on three areas where it identifies heightened privacy risks and a need for increased compliance with data protection rules. The overarching objective is to ensure that individuals can act safely and independently […]
Swedish Government Submits Bill on New Cybersecurity Act to Implement NIS 2
The Swedish Government has published the bill to implement the NIS 2 directive (2022/2555) into Swedish law. The proposal includes amongst other things the introduction of a new law, the Swedish Cybersecurity Act – which will replace the current Swedish Act (2018:1174) that implemented the previous NIS directive. The Cybersecurity Act largely aligns with the […]
Sweden Proposes National AI Legislation to Supplement the EU AI Act
Sweden has published its long-awaited government inquiry concerning the AI Act (SOU 2025:101). The inquiry essentially recommends that a new Swedish AI law and ordinance should supplement the AI Act, along with certain adjustments relating to national rules on secrecy and confidentiality. The proposed Swedish AI law and ordinance are relatively straightforward as they primarily […]
Proposed Amendments to the Swedish Gambling Act to Address Unlicensed Gambling
A new Swedish government inquiry has proposed significant amendments to the Gambling Act (Sw. spellagen (2018:1138)) in order to combat unlicensed gambling more effectively. Under the current Swedish law, companies that offer gambling services directed at the Swedish market are required to hold a Swedish license. This so-called “directional criterion” has been difficult to apply […]
New Government Inquiry May Broaden Swedish Employers’ Right to Background Checks, But Legislative Reform Will Likely Take Years
Background checks that involve criminal convictions and offences (i.e. personal data subject to Article 10 GDPR) have historically been difficult to process by Swedish employers. This has been particularly challenging in the private sector. The legal barriers to conduct background checks have increased due to recent developments in case law, such as the Swedish Supreme […]
European Commission Publishes Updated FAQ (v. 1.3) on the Data Act
On 12 September 2025, the European Commission published version 1.3 of the FAQ on the Data Act (Regulation 2023/2854). Click here to read the latest FAQ in its entirety. Click here to read our article on notable findings from the previous version. As with earlier iterations, the FAQ is not legally binding, but it serves […]
No Revolution in Sight: EU Court Upholds Narrow Interpretation on Pseudonymised Data
On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-413/23 P, European Data Protection Supervisor (EDPS) v. Single Resolution Board (SRB), clarifying when pseudonymised data may fall outside the scope of EU data protection law. The CJEU confirmed that pseudonymisation can, in principle, result in data […]