Regulatory Cyber Law News 2025

2025 has brought several significant changes in cybersecurity and cyber law. New laws and updated regulations have entered into force as part of the EU’s Digital Decade, and further regulations are expected to be transposed during the year. The pace of change in this area is rapid, and it has become increasingly important for businesses to keep up to date. Magnusson is continuously following the implementation of the EU Digital Decade step by step, and we look forward to following how further regulations are incorporated into Swedish law in the coming period.
In this overview, we highlight the most significant legislative developments in cyber law from spring 2025 and outline the regulatory updates that will be particularly important to monitor going forward.

NEW LEGISLATION DURING SPRING 2025

After a long wait, the Digital Operational Resilience Act (DORA) has now entered into force. As of January 17, 2025, the regulations became applicable. Concurrently, a number of new and amended regulations from the Swedish Financial Supervisory Authority (Swe. Finansinspektionen) also entered into force. Notably, a new special reporting procedure for ICT-related incidents has been introduced, and as a result, an exemption was introduced in FFFS 2015:13, the Swedish Financial Supervisory Authority’s regulations and general guidelines on supervisory reporting for insurance operations (amended by FFFS 2024:30). The exemption means that the provisions in Chapter 4 of FFFS 2015:13 shall not be applied to the reporting of such serious ICT-related incidents as referred to in Article 19 of the DORA Regulation; insurance undertakings shall instead handle such incidents under the special procedure set out in the DORA regulations. Similar adjustments have also been made in other regulations with regard to other types of financial undertakings affected by DORA.

Since February 2, 2025, AI systems that are deemed to pose an unacceptable risk under Article 5 of the AI Act have been prohibited within the EU. Additionally, for suppliers and providers (users) of AI systems, Article 4 of the AI Act requires that, from February 2, 2025, employees or other persons working on behalf of the undertaking in the operation and use of AI systems possess sufficient AI knowledge, taking into account their technical knowledge, experience, and training. Thus, February 2, 2025 was the first applicability deadline of the AI Act, which will become fully applicable on August 2, 2026.

Recently, the Swedish Authority for Privacy Protection (Swe. Integritetsskyddsmyndigheten) and the Agency for Digital Authority (Swe. Myndigheten för digital förvaltning) have presented national guidelines on generative AI in the public sector to the government. A total of 18 guidelines have been developed, covering seven different areas (governance and accountability; information security; copyright; data protection/GDPR; ethics; labor law; procurement). These guidelines aim to provide support and guidance to employees in municipalities and public authorities, among others, in order to help increase the use of generative AI to address legal, ethical and security issues.

New rules for camera surveillance have applied since April 1, 2025. The changes mean, among other things, that the previous authorization requirement in the Camera Surveillance Act (2018:1200) has been removed and that law enforcement authorities have increased opportunities to conduct camera surveillance. Consequently, applications for permission from the Swedish Authority for Privacy Protection are no longer required; instead, the person who previously needed to apply must now carry out and document a balancing of interests before camera surveillance begins. The Swedish Authority for Privacy Protection continues to have supervisory responsibility for all camera surveillance.

UPCOMING LEGISLATION IN 2025

Cybersecurity Act (NIS 2 Directive)
The EU’s revised cybersecurity directive, the NIS 2 Directive, was adopted on December 14, 2022 and should have been implemented in the national legislation of the Member States by October 17, 2024. In Sweden, a Swedish Government Official Report was presented in March 2024 (SOU 2024:18), in which a new Cybersecurity Act (Swe. Cybersäkerhetslagen) is proposed to replace the current NIS Act. However, the process has been delayed: the government has submitted a referral to the Council of Legislation with a new proposal for a cybersecurity law, which is proposed to enter into force on January 15, 2026. The proposed law expands the scope of application compared to the current NIS Act and covers more sectors and actors. The Act also imposes more far-reaching requirements on risk management measures in order to raise the national cybersecurity level of operators of vital importance to society. When the Cybersecurity Act enters into force, it will apply immediately, without a transition period. The relevant actors therefore need to prepare now to ensure that the upcoming requirements are met in terms of risk management measures, incident management, training and continuous preventive security work.

Critical Operators Resilience Act (CER Directive)
At the same time as the NIS 2 Directive was adopted in December 2022, the European Parliament and the Council also adopted the CER Directive, which aims to strengthen the physical resilience of critical operators and their ability to provide essential services in the internal market. A legislative proposal was presented in September 2024 (SOU 2024:64) and the new law is expected to enter into force on August 1, 2025. It includes requirements for risk assessments, incident reporting and security measures for actors in sectors such as energy, transport, healthcare and digital infrastructure.

Data Act
The EU Data Act entered into force on January 11, 2024 and the main part of the regulation will become applicable on September 12, 2025. The regulation aims to promote a fair and innovative data economy in the European single market and sets out, among other things, rules for accessing, using and sharing data. Users of data processing services are given greater opportunities to access and transfer data generated by their connected products, enabling greater competition and innovation. Some provisions, such as the prohibition of exchange fees and measures against the abuse of contractual imbalances, will not be fully applicable immediately but will be phased in gradually. The Data Act will have a significant impact on cloud service providers.

AI Act
The AI Act’s rules on the development, provision and use of AI for public purposes will become applicable on August 2, 2025. The regulation distinguishes between AI systems used for a specific purpose – Single-Purpose AI (SPAI) – and those intended for general purposes – General Purpose AI (GPAI). Where rules specifically refer to GPAI, this is explicitly stated in the regulation. Generative AI is considered a type of GPAI and is therefore subject to these specific provisions of the regulation which become applicable on August 2, 2025.

Welcome to contact us
Magnusson follows regulatory developments with great interest and looks forward to contributing with our analysis and insights as changes occur. We also provide legal advice and support on cyber law matters and can organize customized training in this area, adapted to your company and your needs.

Do you have questions or want to know more? You are welcome to contact Helena Rönqvist, Caroline Landerfors, Susanna Norelid or Marie Segerholm for more information.
