Internet & Online Safety · Sweden
Online safety & content laws in Sweden (2026)
Sweden shaded by its internet & online safety status
Sweden operates under the EU Digital Services Act as its primary online content-moderation and platform-safety regime, reinforced by national supplementing legislation (SFS 2024:954/958) that entered into force on 1 December 2024. PTS (Swedish Post and Telecom Authority) is designated as the national Digital Services Coordinator with enforcement, inspection, and trusted-flagger certification powers. Sweden additionally applies GDPR via IMY (Swedish Authority for Privacy Protection), which has a dedicated 2026 supervisory focus on children and young people on digital platforms.
Key points
The EU Digital Services Act is directly applicable in Sweden. National law SFS 2024:954 and accompanying regulation SFS 2024:958, in force since 1 December 2024, specify supervisory powers, enforcement measures, judicial review procedures, and sanctions, including fines for intermediary services established in Sweden.
Post- och telestyrelsen (PTS) is designated as Sweden's DSC under Article 49 DSA. It has powers to request data access, order inspections, impose fines on intermediary service providers established in Sweden, and appoint and certify trusted flaggers under Article 22 DSA.
IMY (Swedish Authority for Privacy Protection / Integritetsskyddsmyndigheten) has designated children and young people on digital platforms as a priority supervisory focus for 2026, issuing a stakeholder guide on their rights under GDPR and the DSA. Swedish law sets 13 as the minimum age for consent to information-society services such as social media.
The Swedish Parliament voted in May 2025 to extend the existing sex-purchase prohibition to live commissioned online sexual performances (cam shows); the amendment entered into force on 1 July 2025, with penalties of up to one year in prison for buyers and liability for platforms that promote or profit from such acts.
Draft legislation Ju2024/02286 ('Datalagring och åtkomst till elektronisk information') would require platforms to store and provide law enforcement access to electronic communications, including end-to-end encrypted messages. As of April 2025 it remained under parliamentary consideration, facing significant opposition from over 400 civil society organisations, cybersecurity experts, and the Global Encryption Coalition.
The European Commission's age-verification blueprint, published in July 2025, was developed by the T-Scy consortium led by Swedish firm Scytales AB. The privacy-preserving, open-source tool enables users to prove they are over 18 for access to restricted adult content under DSA Article 28 obligations, and is designed to be interoperable with European Digital Identity Wallets.
Timeline - major decisions & events
Sweden's Cybersecurity Act, implementing the EU NIS2 Directive, took effect after Sweden missed the October 2024 transposition deadline and received a European Commission reasoned opinion in May 2025. It applies risk-based cybersecurity obligations to entities in 18 critical sectors with 50+ employees and designates PTS and other authorities as supervisors.
Sveriges Riksdag ↗Sweden's Social Democrat opposition submitted a proposal to ban under-15s from social media and require Bank-ID or EU digital wallet age verification for all accounts. The government simultaneously appointed a special investigator to evaluate the feasibility of an age limit following concerns over gang recruitment and youth mental health.
The Local Sweden ↗Sweden enacted complementary legislation to the EU Digital Services Act, designating national supervisory authorities (including PTS as Digital Services Coordinator), establishing enforcement powers, judicial review procedures, and a national sanctions regime. This resolved the EU infringement proceedings opened earlier in 2024.
Government of Sweden ↗Regulation (EU) 2022/2065 (DSA) entered into force for VLOPs and very large search engines, directly binding platforms serving Swedish users with transparency, illegal-content removal, and algorithmic-risk obligations. Full application to all intermediary services followed in February 2024.
EUR-Lex ↗Sweden enacted legislation making the UN Convention on the Rights of the Child (Barnkonventionen) a directly applicable Swedish law, strengthening the legal basis for protecting minors from harmful online content, cyberbullying, and digital exploitation across all public authorities and courts.
Government of Sweden ↗In Case C-203/15 (Tele2 Sverige AB v Post- och telestyrelsen), the European Court of Justice ruled that Sweden's general and indiscriminate retention of all subscribers' traffic and location data was incompatible with EU fundamental rights law, invalidating core provisions of Sweden's Electronic Communications Act and forcing a legislative overhaul of surveillance-enabling rules.
Court of Justice of the European Union ↗After years of delay and a €3 million penalty from the EU Court of Justice, Sweden amended its Electronic Communications Act (LEK) to mandate six-month retention of internet and telephone metadata by ISPs for law-enforcement access. This was the minimum period under the 2006 EU Directive and set Sweden's surveillance-capability baseline.
Hunton Andrews Kurth LLP ↗Sweden became the first EU member state to implement the Intellectual Property Rights Enforcement Directive (IPRED), allowing rights-holders to obtain court orders forcing ISPs to reveal the identities behind IP addresses used for file sharing. Swedish internet traffic fell by roughly one-third on the day of enactment, marking one of the most immediate regulatory impacts on online behaviour in Swedish history.
Library of Congress Global Legal Monitor ↗Sweden enacted Act 2008:717 on Signals Intelligence, granting the National Defence Radio Establishment (FRA) authority to intercept all cross-border internet cable traffic without a warrant and store metadata for up to one year. The law passed narrowly after fierce domestic debate and was later revealed to involve cooperation with the NSA, making it a landmark — and controversial — cornerstone of Sweden's online surveillance architecture.
Sveriges Riksdag ↗Sweden enacted the Electronic Communications Act, creating the framework for regulated, secure internet access and designating the Post and Telecom Authority (PTS) as the primary internet and telecoms supervisor. The LEK became the vehicle for subsequent data-retention obligations and consumer-protection rules and remains the foundational statute of Swedish telecoms governance.
Sveriges Riksdag ↗Sweden replaced its 1973 Data Act with the Personal Data Act, transposing the EU's 1995 Data Protection Directive and extending data-privacy obligations to online services. It established the Data Inspection Board (Datainspektionen, now IMY) as the supervisory authority and governed Swedish internet privacy for two decades until GDPR.
Sveriges Riksdag ↗Sweden's Data Act (Datalagen, SFS 1973:289) was the first statute in the world to protect the privacy of personal data processed on computers, requiring mandatory licensing of data systems and creating the Data Inspection Board. It established Sweden as a global pioneer in digital privacy and laid the template for the EU data-protection framework that governs online safety to this day.
Sveriges Riksdag ↗Sweden - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →