
Frequently Asked Questions

Plain answers on GDPR, NIS2, IMY enforcement, and how Vakteye works.

22 answers · 5 areas · EU scope

FAQ sections

  • NIS2 & Cybersäkerhetslagen
  • IMY enforcement
  • Cookie consent
  • Vakteye scanning
  • Pricing & data

NIS2 & Cybersäkerhetslagen

When did Cybersäkerhetslagen take effect?

Sweden's Cybersecurity Act (SFS 2025:1506) entered into force on 15 January 2026 and partly implements the EU NIS2 Directive (2022/2555) in Swedish law. MCF opened the registration service on 2 February 2026 and says covered operators should register as soon as possible; if registration is not submitted within 14 days, supervisory authorities may take action. The act sets baseline cybersecurity, incident-reporting, and management-accountability obligations for covered operators in Sweden.


Who supervises NIS2 in Sweden?

Supervision is split across sector-specific authorities (tillsynsmyndigheter) coordinated by MCF (Myndigheten för civilt försvar). MCF also runs CERT-SE, the national CSIRT that receives incident notifications. The Swedish Post and Telecom Authority (PTS) supervises the digital-infrastructure sector. Other sectors map to their own regulators — energy to Energimyndigheten, healthcare to IVO, finance to Finansinspektionen, etc.

What is the difference between essential and important entities?

NIS2 Article 3 splits entities into two tiers based on sector criticality and size. Essential entities are large operators in highly critical sectors (energy, transport, banking, financial-market infrastructure, health, drinking water, waste water, digital infrastructure, ICT-service management, public administration, space). Important entities are medium-sized operators in those sectors plus operators in other critical sectors (postal, waste management, chemicals, food, manufacturing, digital providers, research). Both tiers have the same baseline security obligations under Article 21; supervision intensity and fine ceilings differ.

What incidents require reporting under NIS2 and to whom?

Article 23 requires notification of any incident with significant impact on service continuity or recipients. The clock is tight: an early warning to the CSIRT/competent authority within 24 hours of awareness, an incident notification within 72 hours, and a final report within one month. In Sweden, notifications go to CERT-SE (operated by MCF) and the relevant sector authority. 'Significant impact' is defined in Article 23(3) — disruption of service, financial loss, harm to others.

What are the maximum NIS2 fines in Sweden?

NIS2 Article 34 sets two ceilings, both transposed into Cybersäkerhetslagen. Essential entities: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities: up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Management bodies can be held liable under Article 20 for failure to oversee implementation, and Article 32(5)(b) allows temporary prohibition of management functions.

IMY enforcement

What is the largest GDPR fine ever issued by IMY?

Spotify AB was fined 58 million SEK — the largest upheld GDPR fine from IMY (Google was initially fined 75 million SEK in 2020, later reduced to 50 million on appeal). The decision (DI-2019-6696, 12 June 2023) cited failures around the right of access under GDPR Article 15 and information transparency under Article 12. Förvaltningsrätten initially reduced the fine to 40 million SEK, but Kammarrätten reinstated the full 58 million SEK on 3 June 2025 in case 4512-24.

How does IMY decide a fine amount?

IMY follows GDPR Article 83(2), which lists eleven factors (sub-paragraphs a–k) a supervisory authority must consider. Key factors include:

  • nature, gravity and duration of the infringement
  • intentional or negligent character
  • categories of personal data affected
  • degree of responsibility
  • cooperation with the authority
  • mitigation actions taken
  • previous infringements
  • any financial benefit derived
  • manner in which the infringement became known to the authority
  • compliance with previously ordered measures
  • adherence to approved codes of conduct or certification mechanisms

The ceiling is the higher of EUR 20 million or 4% of worldwide annual turnover for the most serious infringements (Article 83(5)) and EUR 10 million or 2% for the lesser tier (Article 83(4)).

Which Swedish web-tracking decisions should teams know?

For Meta Pixel, IMY has published several GDPR decisions: Avanza Bank AB received a 15 million SEK sanction fee in DI-2021-5544 (assessed under Article 5(1)(f) and Article 32), Apoteket AB received 37 million SEK in IMY-2022-3270, Apohem AB received 8 million SEK in IMY-2022-3272, and Apotea AB received a reprimand in December 2024. The pharmacy cases were assessed mainly under GDPR Article 32 and related security/confidentiality rules. These decisions concerned inappropriate transfer or exposure of personal data through Meta Pixel. Other Swedish web-tracking cases, such as Tele2's Google Analytics transfer decision (12 million SEK, upheld by Kammarrätten October 2025), sit in the same operational risk area but should not be described as Meta Pixel cases.


Can IMY fine a foreign company operating in Sweden?

Yes, where Swedish-resident data subjects are affected. GDPR Article 56 establishes the one-stop-shop with the lead supervisory authority in the company's main establishment, but IMY can act as concerned authority in cross-border cases and as lead authority for any controller or processor with its main establishment in Sweden. Non-EU controllers offering goods or services to people in Sweden fall under GDPR Article 3(2) and IMY's territorial reach.

How long does an IMY tillsyn take?

There is no statutory time limit, though under Förvaltningslagen (2017:900) Section 12 a complainant can demand a decision within four weeks if a case has been pending longer than six months. Published decisions show wide variation: the Apoteket Meta Pixel decision (IMY-2022-3270) was issued on 29 August 2024 after an investigation opened in 2022. The Spotify access-rights case (DI-2019-6696) ran from a January 2019 noyb complaint to a 12 June 2023 decision — roughly four years. Complexity, cross-border coordination under the EDPB consistency mechanism, and respondent cooperation all affect timelines.

Cookie consent

Is having a cookie banner enough for compliance?

No. Showing a banner does not by itself create lawful processing. The banner must obtain freely given, specific, informed and unambiguous consent (GDPR Art 4(11) and Art 7) before any non-essential cookies or trackers are set. Pre-ticked boxes, accept-all-only buttons, dark patterns that make rejection harder than acceptance, and cookies set before the user interacts with the banner all fail the test. The EDPB Cookie Banner Taskforce Report (January 2023) spells out specific banner-design failures, and EDPB Guidelines 03/2022 on deceptive design patterns provides broader guidance on manipulative UI practices.


What does LEK 9 kap. 28 § require?

Section 28 of Chapter 9 of the Swedish Electronic Communications Act (lag 2022:482 om elektronisk kommunikation, LEK) implements ePrivacy Directive Article 5(3). It requires informed consent before storing information on, or accessing information from, a user's terminal equipment. This covers cookies, localStorage, sessionStorage, IndexedDB, and device fingerprinting. The only exemptions are storage or access that is strictly necessary for the transmission of a communication, or strictly necessary to provide a service the user has explicitly requested.


Are analytics cookies allowed without consent?

Under Swedish LEK 9 kap. 28 §, analytics cookies normally require prior consent unless they are strictly necessary for transmitting a communication or for a service the user explicitly requested. There is no general 'legitimate interest' carve-out for placing or reading analytics cookies on a user's device. Do not copy France into Sweden: CNIL allows a narrow audience-measurement exemption under strict conditions in France, but PTS's Swedish cookie supervision has treated non-essential statistics cookies as consent-based.


What is 'consent theater' and why does IMY care?

Consent theater is when a site shows a consent banner, but the underlying behaviour does not respect the user's choice — for example, tracking cookies are set before the banner is interacted with, the reject button does not stop tracking, or the consent state is not propagated to embedded third parties. In Sweden, PTS supervises the storage/access rule in LEK 9 kap. 28 §, while IMY supervises the GDPR processing that can follow. The practical point is the same: banner text is not enough if the observed behaviour contradicts the user's choice.


Vakteye scanning

What does Vakteye actually test?

Vakteye runs a suite of scanners against your site to surface compliance and security issues. The compliance set covers cookie-consent enforcement (banner detection, reject-button function, tracker-after-rejection monitoring, Google Consent Mode v2 signal validation, TCF v2.2 decoding, geo-aware scans), third-party data flow, data-residency claims, accessibility (WCAG 2.1 AA), policy presence, and form-leakage. The security set covers CVE and misconfiguration templates, passive web-application checks, hardcoded secret detection, vulnerable-library detection enriched with public CVE databases, and exposure checks. Findings are mapped to GDPR, ePrivacy, LEK, NIS2 and Cybersäkerhetslagen articles.

Is Vakteye legal to run on a website I do not own?

Run Vakteye only against sites you own or are authorised to test. Vakteye operates a public scanner-disclosure page at vakteye.com/audit explaining who we are, our User-Agent (Vakteye/1.0), and the egress IP pool we use (current list in our Data Processing Agreement). Site operators can opt out at vakteye.com/audit/opt-out — a verified, single-use email-token form that adds the domain to a server-enforced exclusion list. We honour robots.txt at scan time. The compliance-mode scanner relies on GDPR Article 6(1)(f) legitimate interest for outbound non-intrusive scanning of publicly reachable URLs; full-mode, EASM and pentest scans run only under a signed customer agreement.

Does Vakteye replace my consent management platform?

No. Vakteye is an independent auditor, not a CMP. We test whether the CMP you have deployed (OneTrust, Cookiebot, TrustArc, Usercentrics, Iubenda, your own implementation) actually behaves as it claims when a real visitor clicks Reject. Vakteye and your CMP are complementary: the CMP collects and signals consent; Vakteye verifies that the signals are honoured downstream and that no tracker fires before consent.

What evidence does a Vakteye report contain?

Each scan produces a verified findings list with confidence labels (Certain, Firm, Tentative), citations to the relevant article in a curated legal corpus covering GDPR, ePrivacy, NIS2, Swedish equivalents (Cybersäkerhetslagen, LEK 9 kap.) and EDPB guidelines, and forensic artefacts: a replayable browser-session trace (.zip), HAR 1.2 recordings phase-marked across the consent flow, a smoking-gun timeline reconstructed from the HAR, and a downloadable forensic bundle with a SHA-256 manifest for approved review states. Findings can be downloaded as PDF or CSV.
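The "consent theater" answer above and the HAR-based smoking-gun timeline describe the same check: which tracker requests fired before the visitor answered the banner, and which fired after Reject. The following is an added example, not Vakteye's own code. It assumes the scanner stores the Reject-click instant in a custom underscore-prefixed HAR field (the field name `_phases`, the tracker shortlist and the sample capture are all constructed).

```python
"""Rebuild a consent-flow timeline from a HAR 1.2 capture and flag tracker
requests that contradict the visitor's choice (added example, not Vakteye's code)."""
from datetime import datetime
from urllib.parse import urlsplit

# Assumed convention: the scanner stores the Reject-click instant in a custom
# underscore-prefixed HAR field (HAR 1.2 permits "_name" extension fields).
REJECT_MARKER = "reject_clicked"
TRACKER_HOSTS = {"connect.facebook.net", "www.google-analytics.com"}  # constructed shortlist

def _ts(value):
    """Parse a HAR ISO-8601 timestamp, tolerating a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consent_timeline(har):
    """Tracker requests tagged by phase, oldest first: 'pre-consent' fired before the
    banner was answered, 'post-reject' fired after Reject; both contradict the choice."""
    log = har["log"]
    reject_at = _ts(log["_phases"][REJECT_MARKER])
    findings = []
    for entry in log["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if not any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS):
            continue
        started = _ts(entry["startedDateTime"])
        headers = entry.get("response", {}).get("headers", [])
        findings.append({
            "time": started.isoformat(),
            "host": host,
            "phase": "pre-consent" if started < reject_at else "post-reject",
            # Set-Cookie from a tracker host is storage on terminal equipment (LEK 9 kap. 28 §)
            "sets_cookie": any(h["name"].lower() == "set-cookie" for h in headers),
        })
    return sorted(findings, key=lambda f: f["time"])

# Constructed capture: first-party page with a session cookie, Meta Pixel loader
# before the banner is answered, GA collect (setting _ga) after Reject.
SAMPLE_HAR = {"log": {"version": "1.2",
    "_phases": {"banner_shown": "2026-02-10T09:00:00.500Z", REJECT_MARKER: "2026-02-10T09:00:04.000Z"},
    "entries": [
        {"startedDateTime": "2026-02-10T09:00:00.100Z", "request": {"url": "https://shop.example/"},
         "response": {"headers": [{"name": "Set-Cookie", "value": "session=abc; Secure"}]}},
        {"startedDateTime": "2026-02-10T09:00:00.900Z", "response": {"headers": []},
         "request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
        {"startedDateTime": "2026-02-10T09:00:05.200Z",
         "request": {"url": "https://www.google-analytics.com/g/collect?v=2"},
         "response": {"headers": [{"name": "Set-Cookie", "value": "_ga=GA1.1.1; Path=/"}]}}]}}
```

Running `consent_timeline(SAMPLE_HAR)` yields two findings: the Meta Pixel loader in the pre-consent phase and the GA collect request, which also sets a cookie, in the post-reject phase; the first-party page request is not reported.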

How does Vakteye handle false positives?

Three layers. First, a pattern prefilter catches CERTAIN findings (proven by behavioural test or tracker-database match) and auto-confirms them without further cost. Second, pattern-based verification sub-tasks run behavioural tests against tracker databases and DOM checks. Third, a multimodal verifier with screenshot input handles ambiguous cases. A second-pass auditor with tool use (DNS, HTTP HEAD, DOM-query, cross-finding query, and others) re-investigates the final clustered findings. Reviewer corrections are recorded, and findings with sufficient recent false-positive history are auto-downgraded on subsequent scans via a temporally weighted scoring system.

Pricing & data

Where is Vakteye scanner data stored?

All scanner data — findings, evidence, HAR recordings, traces — is stored in the EU. Workers and egress run from EU data centers. The full sub-processor list, locations and transfer mechanisms are itemised in the Data Processing Agreement.

Does Vakteye send data outside the EU?

Customer scan data — findings, evidence, HAR recordings, traces — is processed and stored within the EU by every sub-processor. The only narrow non-EU routing is the DNS provider's global anycast network for domain resolution and bot-challenge tokens. The complete sub-processor list, locations and transfer mechanisms are itemised in the Data Processing Agreement linked from your dashboard.

Can I run Vakteye on a staging environment?

Yes. Point Vakteye at any HTTPS URL you control. Staging hosts that sit behind basic-auth, IP allowlisting, or a private network are reachable only if you allowlist our EU egress IPs (current list and rotation policy in our Data Processing Agreement) and our User-Agent (Vakteye/1.0). For sites behind a Web Application Firewall, the two-phase scan first runs an unauthenticated pass to capture the external compliance view, then a second allowlisted pass with RFC 9421 Ed25519 request signing (the Enterprise authorized-security-test add-on adds a per-customer HMAC token for enhanced WAF bypass). WAF onboarding instructions are available in your dashboard.

© 2026 Vakteye AB. All rights reserved.