EU AI Act in Sweden: Enforcement, Authorities, and Business Obligations
SOU 2025:101 proposes PTS — not IMY — as Sweden's lead AI Act authority. Covers authority roles, GDPR overlap, penalties, and Dec 2027 high-risk deadline.
Sweden's proposed model for the EU AI Act contains a genuine surprise: the government inquiry SOU 2025:101 proposes putting the telecom regulator — PTS, the Post- och telestyrelsen — at the centre of AI Act supervision, not the data protection authority IMY that most practitioners had expected to lead. That proposal is in consultation and has not been enacted. But it signals a deliberate structural choice, and companies operating in Sweden need to understand both the current legal position and the direction of travel.
The EU AI Act — Regulation (EU) 2024/1689 — applies directly in Sweden without any Swedish transposition, by virtue of Article 288 TFEU. Article 5's prohibited practices have been enforceable since 2 February 2025. GPAI model obligations under Chapter V have applied since 2 August 2025. Those obligations are live today, regardless of where Sweden's national implementation process stands.
A Regulation, Not a Directive: No Swedish Transposition Required
The EU AI Act is a Regulation. Article 288 TFEU gives it direct legal effect across all Member States, including Sweden. Swedish companies do not need to wait for a Swedish implementing law before obligations bite — the relevant question for any company is which obligations apply now, not whether Sweden has acted.
What Sweden does need to provide, under Article 70 of the Regulation, is the designation of national competent authorities — a market surveillance authority, a notifying authority, and a single point of contact for the EU AI Office — and the domestic legal framework to grant those authorities enforcement powers. Sweden did not finalise those designations by the 2 August 2025 deadline set by the Regulation. The SOU 2025:101 inquiry is the vehicle for addressing that gap, but it is a proposal in consultation, not concluded law.
For Swedish companies, the practical implication is this: the obligations are real and running, but the enforcement infrastructure that will operationalise them domestically is not yet in place. That does not make compliance optional — it makes the period between now and the national law's entry into force a window to build the programme before an authority is in a position to audit it.
Sweden's Proposed Model (SOU 2025:101)
In 2025, the Swedish government commissioned an official inquiry into how Sweden should structure its implementation of the EU AI Act. That inquiry produced SOU 2025:101, which proposes a national law and a complementary ordinance intended to enter into force in time for 2 August 2026 — the date general application of the Act commences.
The central structural choice in SOU 2025:101 is the proposal that PTS (Post- och telestyrelsen — the Swedish Post and Telecom Authority) serve as:
- the primary supervisory authority for the EU AI Act in Sweden, responsible for issuing regulations and guidance;
- the coordinating authority, responsible for ensuring coherence between the various Swedish authorities with sectoral competence; and
- the single point of contact (SPoC) for the EU AI Office in Brussels.
This is a significant departure from what many observers assumed. The IMY (Integritetsskyddsmyndigheten — Sweden's data protection authority) is experienced in cross-cutting technology regulation, has a wide public profile, and supervises AI systems that process personal data. It would have been a natural choice for the lead supervisory role. SOU 2025:101 proposes otherwise, placing the broadest mandate — including high-risk AI in the workplace, AI literacy obligations, and transparency requirements — with PTS.
Under SOU 2025:101's proposal, PTS would hold the primary responsibility for issuing binding regulations and non-binding guidance to organisations subject to the Act, and would function as the domestic coordination hub for cross-authority enforcement.
This is a proposal. The inquiry is in consultation; if adopted through Sweden's ordinary legislative process, the new law and ordinance are targeted to take effect in time for 2 August 2026. Until that legislation is enacted, PTS has no formal EU AI Act mandate beyond what the Regulation itself confers on the Member State as a whole.
Who Will Supervise the EU AI Act in Sweden?
PTS: Proposed Primary Authority
Under SOU 2025:101, PTS would be Sweden's market surveillance authority, coordinating authority, and single point of contact. Its proposed mandate covers high-risk AI systems in the workplace (Annex III point 4 — recruitment, task allocation, monitoring, performance and termination tools), AI literacy obligations under Article 4, and transparency obligations under Article 50 for limited-risk systems. PTS already has experience regulating electronic communications and digital infrastructure, and the inquiry concluded that its technical capacity and cross-sectoral coordination role made it better suited to the broadest-mandate position than any single-sector authority.
For companies in Sweden deploying AI systems, PTS is the proposed domestic interlocutor for market surveillance, technical documentation audits, and first-instance enforcement proceedings — but only once the national legislation is in force.
IMY: Data Protection and Rights-Sensitive Areas
The IMY retains its competence over data protection matters under the GDPR and is expected to supervise certain rights-sensitive areas of AI Act application in Sweden. This includes AI systems that process personal data at scale, where the GDPR and EU AI Act overlap directly. For any high-risk AI system involving personal data — recruitment screening, credit assessment, public-benefit eligibility — IMY's involvement alongside the proposed PTS authority is the expected operating model.
The division of labour between PTS and IMY is one of the aspects still being worked through as part of the consultation process. Companies should plan for both authorities to take an interest in AI systems that combine high-risk classification with personal data processing.
Sectoral Authorities
Sweden's sectoral regulators will retain domain competence in their own areas, consistent with the Regulation's Article 70 framework for national competent authorities and Article 74's market surveillance provisions. Financial services AI — credit scoring models, insurance pricing tools covered by Annex III point 5 — sits within the natural orbit of Finansinspektionen. Healthcare AI intersects with IVO (Inspektionen för vård och omsorg). The precise allocation of sectoral responsibilities is expected to be addressed in the complementary ordinance accompanying the proposed national law.
EU AI Office: GPAI Supervision
Swedish companies that develop and place general-purpose AI models on the market are supervised directly by the EU AI Office in Brussels, not by PTS or any Swedish authority. GPAI model obligations under Articles 53 and 55 are the AI Office's domain. PTS, once designated, would act as the domestic SPoC for coordination, but primary oversight of GPAI providers remains at EU level.
How Sweden's Framework Interacts with the GDPR
The GDPR and the EU AI Act run in parallel for any AI system that processes personal data — and that is most Annex III high-risk systems. The IMY enforces the GDPR in Sweden, and its role does not diminish because the EU AI Act adds a further layer of obligations.
The most direct practical overlap is between the GDPR's Article 35 DPIA (Data Protection Impact Assessment) and the EU AI Act's Article 27 FRIA (Fundamental Rights Impact Assessment). Both are mandatory prior-to-deployment assessments; both assess risks to rights; both must be documented and available to supervisors. Article 27(4) of the EU AI Act explicitly allows the FRIA to build on an existing DPIA where the scope overlaps — a meaningful time-saver when both apply to the same system.
The Article 27 FRIA applies to public bodies deploying high-risk AI, and to any deployer — public or private — of AI systems in the Annex III creditworthiness (point 5(b)) or life and health insurance (point 5(c)) categories. A Swedish public authority deploying an AI tool to assess social-benefit eligibility faces both the DPIA obligation under GDPR Article 35 and the FRIA obligation under Article 27. These can share their factual foundation, but they are distinct assessments with distinct regulatory recipients.
Record-keeping obligations also intersect. Article 12 of the EU AI Act requires high-risk AI systems to generate logs capturing the operation of the system. GDPR Article 22 governs automated decision-making and requires that individuals receive meaningful information about the logic involved. A Swedish financial services company running an AI credit-scoring tool must satisfy both: logs under Article 12, and the GDPR Article 22 transparency and human-review requirements. The compliance documentation built for one framework directly informs the other.
The EU AI Act Timeline as It Applies in Sweden
| Date | What applies |
|---|---|
| 2 February 2025 | Article 5 prohibited practices and Article 4 AI literacy — in force, enforceable now |
| 2 August 2025 | GPAI obligations (Chapter V, Articles 51–56), governance, AI Office, Article 99 penalties |
| 2 August 2026 | General application including Article 50 limited-risk transparency (chatbots, deepfakes, synthetic-content marking); targeted entry into force of Swedish national law (SOU 2025:101 proposal, subject to legislative adoption) |
| 2 December 2027 | Stand-alone high-risk AI systems (Annex III list) — deferred under the Digital Omnibus |
| 2 August 2028 | High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus |
Two dates deserve particular attention for Swedish companies.
Article 5 is already live. Prohibited practices — biometric categorisation by sensitive characteristics, real-time remote biometric identification in public spaces outside the law-enforcement carve-outs, social scoring, and manipulation of persons exploiting vulnerabilities — have been enforceable since 2 February 2025. No national authority designation is required for these obligations to apply. Any Swedish company whose AI touches those categories should have completed its review already.
The high-risk deadline is not August 2026. Under the Digital Omnibus — the Commission amendment package for which Parliament and Council reached political agreement on 7 May 2026, with formal adoption expected before 2 August 2026 — stand-alone high-risk Annex III systems have until 2 December 2027, and high-risk AI embedded in Annex I regulated products has until 2 August 2028. The original August 2026 date has been deferred for those categories. But building an Article 9 risk management system, an Annex IV technical documentation pack and Article 14 human oversight controls, and then passing a conformity assessment under Article 43, is a six-to-twelve-month programme for most organisations. The deferral creates time; it does not remove the work.
Penalties: What Companies in Sweden Face
The penalty framework is Article 99 of Regulation (EU) 2024/1689. Three tiers apply, each "whichever is higher" of a fixed amount or a percentage of total worldwide annual turnover:
- €35,000,000 or 7% — for violations of the Article 5 prohibited practices. This tier has applied since 2 August 2025, when Article 99 became enforceable.
- €15,000,000 or 3% — for non-compliance with most other obligations: high-risk AI requirements under Articles 9–15, provider obligations under Article 16, deployer obligations under Article 26, and Article 50 transparency duties.
- €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.
For SMEs and start-ups, Article 99(6) provides a proportionality protection: the fine is capped at the lower of the fixed amount or the percentage. A Swedish company with €10 million turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €10 million is €300,000, and that is the ceiling.
These are maximum figures, not defaults. Enforcement authorities weigh proportionality factors — the duration of the infringement, the degree of responsibility, cooperation with the investigation, the scale of harm — before arriving at a specific amount. The ceilings are real; the base case for a first, cooperative infringement is substantially lower.
The national law proposed in SOU 2025:101 would establish the domestic legal basis for Swedish authorities to apply these Article 99 tiers in practice. Until that legislation is in force, enforcement at national level is procedurally constrained — but the underlying obligations, including the prohibition on Article 5 practices, are not.
GPAI-specific fines are a separate instrument: up to €15 million or 3%, imposed by the Commission directly on GPAI model providers under Article 101.
Sweden-Specific Compliance Considerations
The PTS-Not-IMY Surprise
The proposal to give PTS, rather than IMY, the primary supervisory mandate is the central surprise in SOU 2025:101 and should prompt Swedish compliance teams to reconsider their assumptions. If you assumed that your AI compliance work sat primarily within your GDPR programme, under IMY's oversight, you will need to revisit that framing. Under the proposed model, a high-risk AI employment tool, a chatbot subject to Article 50 transparency obligations, and an AI literacy programme under Article 4 would all fall primarily within PTS's remit — not IMY's. IMY retains data-protection competence, but the broadest AI Act mandate sits elsewhere.
This is still a proposal. Companies engaging proactively with Swedish authorities on AI compliance should watch the consultation outcome carefully, as the final law may adjust the proposed split between PTS and IMY.
Workplace AI: The Employment Focus
SOU 2025:101 specifically emphasises workplace AI as a priority area for PTS's proposed mandate. Annex III point 4 of the EU AI Act covers employment, worker management, and access to self-employment — including AI tools used for recruitment and screening (4(a)), task allocation and monitoring of performance, conduct, and worker behaviour (4(b)), and promotion and termination decisions (4(c)).
Swedish companies using AI in HR processes — applicant tracking systems with AI scoring, AI-assisted performance reviews, automated scheduling — need to assess whether those tools fall in Annex III point 4, whether the Article 6(3) exemption filter applies (for tools that genuinely only perform narrow procedural tasks without influencing assessments of natural persons), and if high-risk, what the full obligations stack entails. The proposed PTS leadership of this area, rather than a labour-market or employment authority, is an indicator that the first enforcement cases in Sweden may be workplace-AI focused.
Regulatory Sandbox by 2 August 2026
Articles 57–59 of the Regulation require each Member State to establish at least one AI regulatory sandbox by 2 August 2026. The proposed national law under SOU 2025:101 is expected to give effect to this obligation. Under Article 58, SMEs and start-ups must receive priority access to the sandbox and not be charged for participation. Swedish companies with novel AI systems that are difficult to classify, or that require regulatory clarity before a high-risk designation is confirmed, should monitor PTS's sandbox arrangements once the national law is in force.
Public-Sector FRIA: A Mandatory Obligation
Swedish public bodies — government agencies, municipalities, and bodies performing public functions — deploying high-risk AI systems are subject to the Article 27 FRIA. This is mandatory, must be completed before deployment, and must be documented and made available to supervisors. Given that Swedish municipalities and national authorities operate AI tools in benefits administration, case management, and public-service allocation, the FRIA obligation has real operational weight in the Swedish public sector. Article 27(4) allows the FRIA to build on a GDPR Article 35 DPIA where one has been conducted — this coordination is practical, not optional, for systems handling personal data at scale.
Article 25 and the Role-Shift Risk
Most Swedish companies deploying third-party AI tools sit in the deployer role under Article 26. Deployer obligations are real — human oversight, monitoring, logs under Article 12 for six months, notifying the provider of risks and serious incidents — but lighter than the provider stack. The risk arises when companies go further: fine-tuning a model on proprietary data, configuring a third-party AI system for a specific purpose that differs materially from the provider's intended purpose, or placing a third-party AI system on the market under their own name. Any of those steps can trigger Article 25, converting the deployer into a provider with the full Article 16 obligation set. Swedish technology companies and any organisation customising AI tools extensively should run the Article 25 analysis before the national enforcement framework is operational.
How Confir Helps Companies in Sweden
Swedish compliance teams building their EU AI Act programmes face the same documentation-heavy obligation set as companies across the EU: Article 9 risk management records, Annex IV technical documentation, Article 27 FRIAs, Article 43 conformity preparation, Article 12 logging, and an AI inventory to underpin all of it.
Confir is an EU-hosted compliance tool purpose-built for this work. Its classification engine is rule-based and deterministic — it encodes Articles 5 and 6 with Annex III logic in explicit rules, producing the same finding from the same intake every time, with a human-readable explanation of which rule fired. That reproducibility matters for audit-defensibility: when PTS (or any national authority) asks you to demonstrate your classification rationale, the rule that produced the finding is visible and explainable.
Confir generates the full Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and the Article 27 FRIA. The structured assessment spans four areas: risk classification under Articles 5 and 6 (AIRC), data and technical robustness under Articles 10, 11, and 15 (AITR), transparency and human oversight under Articles 13, 14, and 27 (AITO), and governance and post-market monitoring under Articles 9, 72, and 73 (AIGM). Self-serve from €600 per year — no consulting engagement, no implementation project.
What Companies in Sweden Should Do Now
Immediately (Article 5 obligations already apply). Audit any AI system that might involve biometric categorisation by sensitive characteristics, social scoring, subliminal manipulation, exploitation of personal vulnerabilities, real-time biometric identification in public spaces, or emotion recognition in the workplace. If the system falls within an Article 5 category and no statutory exemption applies, stop using it or restructure it. The prohibition has been enforceable since 2 February 2025.
Before 2 August 2026 (Article 50 transparency and general application). Any AI system that interacts with natural persons — chatbots, voice assistants, AI-generated content tools — must comply with Article 50's disclosure requirements from that date. Users must know when they are interacting with an AI system, when content is synthetically generated, and when emotion recognition is in use. Additionally, monitor the progress of the SOU 2025:101 consultation. If the national law is enacted as proposed, PTS will have formal enforcement powers from that date.
2026–2027 (high-risk preparation, Annex III systems). Companies with stand-alone Annex III systems have until 2 December 2027 under the Digital Omnibus deferral. Use 2026 to build the AI inventory and classification, identify which systems actually fall in high-risk categories after applying the Article 6(3) filter, assign provider and deployer roles, and begin documentation. Workplace-AI tools under Annex III point 4 are likely to attract early PTS attention given the emphasis in SOU 2025:101 — prioritise those.
Ongoing. Track the SOU 2025:101 consultation outcome and the progress of the proposed national law through the Swedish legislative process. Watch for PTS's first formal steps in AI supervision once the law is enacted. Follow EU AI Office guidance on GPAI if your company develops or integrates foundation models.
Frequently Asked Questions
Who is the proposed EU AI Act supervisory authority in Sweden?
Under government inquiry SOU 2025:101, PTS (Post- och telestyrelsen — the Swedish Post and Telecom Authority) is proposed as the primary supervisory authority, the coordinating authority, and the single point of contact for the EU AI Office. This is a proposal in consultation, not yet enacted. Many practitioners had expected the data protection authority IMY to lead, but SOU 2025:101 proposes giving the broadest mandate — including workplace AI, AI literacy, and transparency obligations — to PTS. IMY retains competence over data-protection aspects.
Has Sweden passed its EU AI Act national implementing law?
No — not as of June 2026. Sweden did not finalise authority designations by the 2 August 2025 deadline set by Article 70. SOU 2025:101 proposes a national law and complementary ordinance, currently in consultation, intended to enter into force in time for 2 August 2026 — but this depends on timely adoption through the ordinary legislative process. The EU AI Act's obligations apply regardless: the Regulation is directly effective under Article 288 TFEU.
Does the EU AI Act require any Swedish transposition?
No. As a Regulation under EU law, Regulation (EU) 2024/1689 applies directly in Sweden without being written into Swedish statute. What Sweden must provide — under Article 70 — is the designation of national competent authorities and the domestic legal framework to confer enforcement powers on them. The proposed national law does that; it does not create new substantive obligations, which are set by the Regulation itself.
What fines can Swedish companies face under the EU AI Act?
Article 99 sets three tiers, each "whichever is higher" of a fixed amount or a share of total worldwide annual turnover: €35 million or 7% for Article 5 prohibition breaches; €15 million or 3% for most other obligations including high-risk AI requirements, provider duties under Article 16, and deployer duties under Article 26; and €7.5 million or 1% for supplying incorrect or misleading information to authorities. For SMEs and start-ups, Article 99(6) caps fines at the lower of the fixed amount or the percentage. These figures apply across the EU — no Swedish-specific fine amounts exist.
When do high-risk AI obligations apply in Sweden?
Under the Digital Omnibus (political agreement reached 7 May 2026), stand-alone high-risk AI systems in the Annex III list — including recruitment, creditworthiness, and biometric systems — have until 2 December 2027. High-risk AI embedded in Annex I regulated products has until 2 August 2028. Article 5 prohibitions applied from 2 February 2025; GPAI and penalty provisions applied from 2 August 2025; and Article 50 limited-risk transparency applies from 2 August 2026.
Why is PTS proposed as lead authority instead of IMY?
SOU 2025:101 concluded that PTS's cross-sectoral technical mandate, its experience coordinating between different regulatory domains, and its institutional capacity for handling the broadest range of AI Act obligations made it the most appropriate lead authority. IMY's mandate is anchored in data protection specifically. The EU AI Act's scope is broader — covering AI uses that may not involve personal data but still affect fundamental rights, safety, or market fairness. The inquiry judged that a broader-mandate authority was the right structural choice for the primary coordinating role.
How does Sweden's framework interact with the GDPR?
The GDPR and EU AI Act stack for AI systems processing personal data. The key overlap is between GDPR Article 35 (DPIA) and EU AI Act Article 27 (FRIA) — both are mandatory pre-deployment assessments for the systems they cover, both assess fundamental-rights risks, and Article 27(4) explicitly allows the FRIA to build on a completed DPIA. IMY enforces the GDPR in Sweden; the proposed PTS mandate covers the AI Act's broader obligations. Companies should plan for both authorities to engage where personal data and high-risk AI classification coincide.