
Frequently Asked Questions

Plain answers on GDPR, NIS2, IMY enforcement, and how Vakteye works.

NIS2 & Cybersäkerhetslagen

When did Cybersäkerhetslagen take effect?

Sweden's Cybersecurity Act (SFS 2025:1506) entered into force on 1 January 2026. It transposes the EU NIS2 Directive (2022/2555) into Swedish law. Self-registration with the Swedish Civil Contingencies Agency (MSB) for entities falling under the law was due by 16 February 2026. The act sets baseline cybersecurity, incident-reporting, and management-accountability obligations for essential and important entities operating in Sweden.

Who supervises NIS2 in Sweden?

Supervision is split across sector-specific authorities (tillsynsmyndigheter) coordinated by MSB (Myndigheten för samhällsskydd och beredskap). MSB also runs CERT-SE, the national CSIRT that receives incident notifications. The Swedish Post and Telecom Authority (PTS) supervises the digital-infrastructure sector. Other sectors map to their own regulators — energy to Energimyndigheten, healthcare to IVO, finance to Finansinspektionen, etc.

What is the difference between essential and important entities?

NIS2 Article 3 splits entities into two tiers based on sector criticality and size. Essential entities are large operators in highly critical sectors (energy, transport, banking, financial-market infrastructure, health, drinking water, waste water, digital infrastructure, ICT-service management, public administration, space). Important entities are medium-sized operators in those sectors plus operators in other critical sectors (postal, waste management, chemicals, food, manufacturing, digital providers, research). Both tiers have the same baseline security obligations under Article 21; supervision intensity and fine ceilings differ.

What incidents require reporting under NIS2 and to whom?

Article 23 requires notification of any incident with significant impact on service continuity or recipients. The clock is tight: an early warning to the CSIRT/competent authority within 24 hours of awareness, an incident notification within 72 hours, and a final report within one month. In Sweden, notifications go to CERT-SE (operated by MSB) and the relevant sector authority. 'Significant impact' is defined in Article 23(3) — disruption of service, financial loss, harm to others.

What are the maximum NIS2 fines in Sweden?

NIS2 Article 34 sets two ceilings, both transposed into Cybersäkerhetslagen. Essential entities: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities: up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Management bodies can be held personally liable under Article 20 for failure to oversee implementation.

IMY enforcement

What is the largest GDPR fine ever issued by IMY?

The largest fine on record is 58 million SEK against Spotify AB, decision DI-2021-2318 dated 13 June 2023, for failures around the right of access under GDPR Article 15 and information transparency under Article 12. Spotify has appealed the decision and the case is not final at the time of writing.

How does IMY decide a fine amount?

IMY follows GDPR Article 83(2), which lists the factors a supervisory authority must consider — nature, gravity and duration of the infringement; intentional or negligent character; categories of personal data affected; degree of responsibility; cooperation with the authority; mitigation; previous infringements; and any financial benefit derived. The ceiling is the higher of EUR 20 million or 4% of worldwide annual turnover for the most serious infringements (Article 83(5)) and EUR 10 million or 2% for the lesser tier (Article 83(4)).

What companies has IMY fined for Meta Pixel misuse?

Five companies were fined in IMY's Meta Pixel cluster, totalling 85 million SEK: Apoteket AB 37 million SEK (DI-2023-13015), Avanza Bank AB 15 million SEK (DI-2022-2177), Bonnier News (Dagens Industri) 13 million SEK (DI-2022-2178), Tele2 Sverige AB 12 million SEK (DI-2022-2175), and Apohem AB 8 million SEK (DI-2023-13016). The decisions cite GDPR Art 6(1)(a) lack of valid consent, with parallel breaches of LEK 9 kap. 28 § (Sweden's ePrivacy implementation) for the cookie cases and Art 32 security failures for Avanza, Bonnier and Tele2.

Can IMY fine a foreign company operating in Sweden?

Yes, where Swedish-resident data subjects are affected. GDPR Article 56 establishes the one-stop-shop with the lead supervisory authority in the company's main establishment, but IMY can act as concerned authority in cross-border cases and as lead authority for any controller or processor with its main establishment in Sweden. Non-EU controllers offering goods or services to people in Sweden fall under GDPR Article 3(2) and IMY's territorial reach.

How long does an IMY tillsyn take?

There is no statutory time limit. Recent published decisions show case durations from initiation to decision typically running 12 to 36 months. The Apoteket Meta Pixel decision (DI-2023-13015) was decided on 17 June 2024 after an investigation that began in 2023. The Spotify access-rights case (DI-2021-2318) ran from 2021 to a 13 June 2023 decision. Complexity, cross-border coordination under the EDPB consistency mechanism, and respondent cooperation all extend timelines.

Cookie consent

Is having a cookie banner enough for compliance?

No. Showing a banner does not by itself create lawful processing. The banner must obtain freely given, specific, informed and unambiguous consent (GDPR Art 4(11) and Art 7) before any non-essential cookies or trackers are set. Pre-ticked boxes, accept-all-only buttons, dark patterns that make rejection harder than acceptance, and cookies set before the user interacts with the banner all fail the test. The EDPB Guidelines 03/2022 on Deceptive Design Patterns spell out specific banner-design failures.

What does LEK 9 kap. 28 § require?

Section 28 of Chapter 9 of the Swedish Electronic Communications Act (lag 2022:482 om elektronisk kommunikation, LEK) implements ePrivacy Directive Article 5(3). It requires informed consent before storing information on, or accessing information from, a user's terminal equipment. This covers cookies, localStorage, sessionStorage, IndexedDB, and device fingerprinting. The only exemptions are storage or access that is strictly necessary to transmit a communication, or strictly necessary to provide a service the user has explicitly requested.

Are analytics cookies allowed without consent?

No, not under Swedish law. LEK 9 kap. 28 § does not contain a 'legitimate interest' carve-out for analytics. Analytics cookies are storage on the user's terminal equipment that is not strictly necessary to provide the service the user requested, so they require prior consent. The CNIL and IMY have both rejected the argument that anonymised analytics escape the consent requirement; the consent obligation attaches to the act of storing or accessing data on the device, not to whether the data is later anonymised.

What is 'consent theater' and why does IMY care?

Consent theater is when a site shows a consent banner, but the underlying behaviour does not respect the user's choice — for example, tracking cookies are set before the banner is interacted with, the reject button does not actually stop tracking, or the consent state is not propagated to embedded third parties. IMY treats this as Article 6(1)(a) failure to obtain valid consent, not a procedural defect. All five Meta Pixel fines in 2023 and 2024 cited some variant of this pattern: a banner was present, but tracking happened anyway.

Vakteye scanning

What does Vakteye actually test?

Vakteye runs a suite of scanners against your site to surface compliance and security issues. The compliance set covers cookie-consent enforcement (banner detection, reject-button function, tracker-after-rejection monitoring, Google Consent Mode v2 signal validation, TCF v2.2 decoding, geo-aware scans), third-party data flow, data-residency claims, accessibility (axe-core WCAG 2.1 AA), policy presence, and form-leakage. The security set covers Nuclei-based CVE/misconfig templates, ZAP passive checks, hardcoded secret detection (regex + gitleaks 8.30.1), Retire.js library vulnerabilities with OSV enrichment, and exposure checks. Findings are mapped to GDPR, ePrivacy, LEK, NIS2 and Cybersäkerhetslagen articles.

Is Vakteye legal to run on a website I do not own?

Run Vakteye only against sites you own or are authorised to test. Vakteye operates a public scanner-disclosure page at vakteye.com/audit explaining who we are, our User-Agent (Vakteye/1.0), and our two egress IP addresses in Frankfurt, Germany. Site operators can opt out at vakteye.com/audit/opt-out — a verified, single-use email-token form that adds the domain to a server-enforced exclusion list. We honour robots.txt at scan time. The compliance-mode scanner relies on GDPR Article 6(1)(f) legitimate interest for outbound non-intrusive scanning of publicly reachable URLs; full-mode, EASM and pentest scans run only under a signed customer agreement.
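How a robots.txt rule addressed to the scanner's user agent and the opt-out exclusion list described above combine into a pre-flight gate, as an added illustration that is not Vakteye's own code. The robots.txt text, the excluded domain and the host names are constructed sample data; only the User-Agent string comes from the answer above.

```python
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

USER_AGENT = "Vakteye/1.0"  # the scanner UA named on the disclosure page

def may_scan(url, robots_txt, excluded_domains):
    """Illustrative pre-flight gate: refuse a URL whose host is on the opt-out
    exclusion list or that robots.txt disallows for our user agent."""
    host = urlparse(url).hostname or ""
    if host in excluded_domains:
        return False, "domain opted out"
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())   # parse text already fetched; no network call
    if not rp.can_fetch(USER_AGENT, url):
        return False, "disallowed by robots.txt"
    return True, "ok"

# Constructed robots.txt: a rule set addressed to Vakteye and a catch-all for other bots.
ROBOTS = """User-agent: Vakteye
Disallow: /checkout/

User-agent: *
Disallow: /
"""
EXCLUDED = {"optedout.example"}  # constructed stand-in for the server-side exclusion list

if __name__ == "__main__":
    for u in ("https://shop.example/", "https://shop.example/checkout/cart", "https://optedout.example/"):
        print(u, may_scan(u, ROBOTS, EXCLUDED))
```

A site operator can therefore keep a specific path out of a scan with a Vakteye-addressed robots.txt group, or remove the whole domain via the opt-out form.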

Does Vakteye replace my consent management platform?

No. Vakteye is an independent auditor, not a CMP. We test whether the CMP you have deployed (OneTrust, Cookiebot, TrustArc, Usercentrics, Iubenda, your own implementation) actually behaves as it claims when a real visitor clicks Reject. Vakteye and your CMP are complementary: the CMP collects and signals consent; Vakteye verifies that the signals are honoured downstream and that no tracker fires before consent.

What evidence does a Vakteye report contain?

Each scan produces a verified findings list with confidence labels (Certain, Firm, Tentative), citations to the relevant article in the legal RAG corpus (1,662 chunks across 14 frameworks including GDPR, ePrivacy, NIS2, Cybersäkerhetslagen, LEK, EDPB guidelines, CJEU case law), and forensic artefacts: a Playwright trace replay (.zip), HAR 1.2 recordings phase-marked across the consent flow, a smoking-gun timeline reconstructed from the HAR, and a forensic-bundle download with a SHA-256 manifest for approved review states. Findings can be downloaded as PDF or CSV.
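The consent-theater pattern from the cookie-consent section and the phase-marked HAR timeline described in the scanning answers above, as an added example that is not Vakteye's own code: it marks every request in a constructed HAR 1.2 excerpt as before or after the Reject click, flags tracker requests in either phase, and checks the Google Consent Mode v2 gcs signal on post-reject hits. The tracker list, host names and timestamps are constructed sample data, not a real tracker database.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed tracker list (hostname -> path prefix); a real scanner uses a full tracker DB.
TRACKERS = {"connect.facebook.net": "/",              # Meta Pixel loader script
            "www.facebook.com": "/tr",                # Meta Pixel event beacon
            "www.google-analytics.com": "/g/collect"}  # GA4 hit

def is_tracker(url):
    p = urlparse(url)
    prefix = TRACKERS.get(p.hostname)
    return prefix is not None and p.path.startswith(prefix)

def consent_timeline(har, reject_at):
    """Phase-mark each HAR 1.2 entry against the Reject click and return (timeline,
    findings). Every tracker request is a finding: before the click there is no
    consent yet, after it consent was refused."""
    timeline, findings = [], []
    for e in har["log"]["entries"]:
        url = e["request"]["url"]
        t = datetime.fromisoformat(e["startedDateTime"].replace("Z", "+00:00"))
        phase = "pre-consent" if t < reject_at else "post-reject"
        tracker = is_tracker(url)
        timeline.append((phase, url, tracker))
        if not tracker:
            continue
        findings.append(("tracker-before-consent" if phase == "pre-consent"
                         else "tracker-after-reject", url))
        # Google Consent Mode v2 carries the consent state in 'gcs';
        # G100 means ad_storage and analytics_storage are both denied.
        gcs = parse_qs(urlparse(url).query).get("gcs", [None])[0]
        if phase == "post-reject" and gcs not in (None, "G100"):
            findings.append(("consent-mode-signal-not-denied", url))
    return timeline, findings

def entry(ts, url):
    return {"startedDateTime": ts, "request": {"method": "GET", "url": url}}

# Constructed HAR excerpt: page load, Reject clicked at 10:00:05Z, two trackers firing anyway.
SAMPLE_HAR = {"log": {"entries": [
    entry("2026-03-01T10:00:00.100Z", "https://shop.example/"),
    entry("2026-03-01T10:00:00.900Z", "https://connect.facebook.net/en_US/fbevents.js"),
    entry("2026-03-01T10:00:05.400Z", "https://www.facebook.com/tr?id=1&ev=PageView"),
    entry("2026-03-01T10:00:05.600Z", "https://www.google-analytics.com/g/collect?v=2&gcs=G111"),
]}}
REJECT_AT = datetime(2026, 3, 1, 10, 0, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for kind, url in consent_timeline(SAMPLE_HAR, REJECT_AT)[1]:
        print(f"{kind}: {url}")
```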

How does Vakteye handle false positives?

Three layers. First, a pattern prefilter catches CERTAIN findings (proven by behavioural test or tracker-DB match) and auto-confirms them without LLM cost. Second, pattern-based verification sub-tasks run behavioural tests against tracker DBs and DOM checks. Third, a Claude-based verifier with multimodal screenshot input handles ambiguous cases. A second-pass auditor with tool use (DNS, HTTP HEAD, DOM-query, cross-finding query) re-investigates the final clustered findings. Reviewer corrections are recorded in scanner_human_feedback, and findings flagged false-positive twice are auto-downgraded on subsequent scans.

Pricing & data

Where is Vakteye scanner data stored?

All scanner data — findings, evidence, HAR recordings, traces — is stored in Supabase Postgres in the EU region. The Trigger.dev scanner workers run in the Frankfurt AWS region (eu-central-1). Two NAT-Gateway elastic IPs in Frankfurt are the egress identity. We do not transfer scanner data outside the EU/EEA in normal operation. Anthropic Claude calls (used for verification and the second-pass auditor) cross to a US endpoint under Anthropic's published GDPR posture.

Does Vakteye send data to the US?

Limited and disclosed. The verification and second-pass-auditor pipelines call Anthropic's Claude API. Anthropic processes API traffic in the United States; the data sent is the finding text, evidence excerpts, and where relevant a screenshot. Anthropic is signed up to the EU-US Data Privacy Framework and offers Standard Contractual Clauses; their published retention is 30 days for API logs unless abuse is detected. No customer scan data is sent to any other third country in normal operation.

Can I run Vakteye on a staging environment?

Yes. Point Vakteye at any HTTPS URL you control. Staging hosts that sit behind basic-auth, IP allowlisting, or a private network are reachable only if you allowlist our two Frankfurt egress IPs and our User-Agent (Vakteye/1.0). For sites behind a Web Application Firewall, the two-phase scan first runs an unauthenticated pass to capture the external-attacker view, then a second allowlisted pass with a per-customer HMAC token plus RFC 9421 HTTP Message Signatures using an Ed25519 key. Onboarding instructions ship with each customer account.
