Financial Crime World

Cybercrime and Financial Crimes on the Rise in Sweden: A Look at the Legal Framework and Key Cases

Sweden’s Cybersecurity Challenges

Sweden, known for its strong commitment to digital innovation and cybersecurity, now faces a growing problem with financial crime and cybercrime. This article outlines the legal framework surrounding these issues and gives examples of high-profile cases.

Cybercrime

Offences and Penalties

Sweden’s legal approach to cybercrime is based mainly on the Swedish Criminal Code. Common cybercrimes such as hacking, denial-of-service (DoS) attacks, phishing, and identity theft are punishable by fines or imprisonment, with harsher penalties for aggravated offences.

Hacking

Hacking (unauthorized access to computer systems or data) carries a maximum penalty of imprisonment for up to six years for the aggravated form of the offence.

Denial-of-Service Attacks and Phishing

Denial-of-service attacks and phishing offenses can result in fines or imprisonment for up to two years.

Identity Theft

Identity theft, prosecuted in Sweden as unlawful use of another person’s identity, is punishable by fines or imprisonment for up to two years.

Notable cybercrime cases in Sweden include:

  • In 2014, a Swedish police officer was sentenced to a fine for hacking into the police force’s IT system for personal reasons.
  • In 2021, a hacking group targeted Swedish hospitals, disrupting their digital infrastructure and patient care.

Cybersecurity Laws

Applicable Laws

Sweden’s legal framework for cybersecurity is extensive and covers several areas. The GDPR and the Swedish Data Protection Act regulate the processing of personal data and safeguard individuals’ privacy rights. The Swedish Act on Criminal Responsibility for Terrorist Offences criminalizes acts of terrorism, which can include cyber-attacks.

In addition, the EU Directive on Security of Network and Information Systems (NIS) and its Swedish implementation, the Act on Information Security for Providers of Essential Services and Digital Services (the NIS Act), impose security obligations on providers of essential services and digital services.

Critical Infrastructure and Services

The Swedish Protective Security Act and the Protective Security Ordinance require entities conducting security-sensitive activities to prevent information security incidents and to classify security-sensitive information.

The NIS Act requires providers of essential services and digital services to take appropriate technical and organizational measures to maintain security and mitigate incidents, and to report significant security incidents to the relevant authorities. Similarly, the Swedish Act on Electronic Communications requires providers of public electronic communications services and networks to implement measures to prevent and mitigate risks to their networks and services.

Note: The NIS2 Directive, which applies from 18 October 2024, changes the scope of covered entities and the incident reporting requirements.

Security Measures and Reporting

Entities conducting security-sensitive activities under the Swedish Protective Security Act must report incidents to the relevant supervisory authority, establish and document security measures, and follow up on their security work. All Swedish government authorities must draft security policies and document the security measures they implement.

Reporting to Authorities

Under the GDPR, data controllers must report personal data breaches to the Swedish Authority for Privacy Protection (IMY) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Providers of essential services and digital services under the NIS Act instead report incidents to the Swedish Civil Contingencies Agency (MSB).

Financial entities covered by the EU Digital Operational Resilience Act (DORA) must report major ICT-related incidents to the relevant competent authority and may, on a voluntary basis, notify significant cyber threats.

Reporting to Affected Individuals or Third Parties

Providers subject to the Swedish Act on Electronic Communications may be required to notify affected subscribers directly, either when the supervisory authority so orders or when the incident is likely to adversely affect them. Payment service providers must notify their users of incidents that may affect the users’ financial interests.

Responsible Authorities

The Swedish Post and Telecom Authority (PTS) and the Swedish Authority for Privacy Protection (IMY) oversee different aspects of cybersecurity in Sweden. Supervisory responsibilities under the NIS Act are shared between these two bodies and the Swedish Civil Contingencies Agency (MSB).

Penalties for Non-Compliance

Failure to comply with the GDPR, including its breach reporting requirements, can result in administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, with the amount in each case depending on the nature, gravity, and duration of the infringement. The NIS Act and the Swedish Act on Payment Services also provide for fines for non-compliance. From 17 January 2025, when DORA applies, financial entities may face fines, withdrawal of authorization, and remedial measures for failing to comply with it.

Preventing Attacks

Protection Measures

Swedish organizations may deploy beacons, honeypots, and sinkholes to protect their IT systems, provided the deployment complies with the Swedish Act on Electronic Communications and the GDPR. In practice this matters because such tools typically capture attacker IP addresses and other data that can qualify as personal data, so their collection and retention need a lawful basis and a retention limit.

Monitoring and Interception

Employers in Sweden may monitor and intercept employees’ electronic communications, provided they comply with the applicable laws (including the GDPR) and inform employees in advance that such monitoring may occur. Employees also owe a general duty of loyalty to their employer, which can include an obligation to report cyber incidents they become aware of.

Export and Import Restrictions

Swedish technology designed to prevent or mitigate cyber-attacks may be subject to export restrictions because of its potential military application. Such dual-use items are controlled under EU legislation (the EU Dual-Use Regulation, Regulation (EU) 2021/821). Certain cryptographic equipment is also among the controlled items, although items intended for the user’s own private use are exempt.