There are several Swedish laws relevant to the conduct of business online, some of which are specific to online trade, whereas others apply to all business activities.

Relevant regulations include:

The parliament (Riksdagen) is responsible for passing all legislation in Sweden. The government (Regeringen) and authorities may issue ordinances and regulations based on statutory authorisation. In terms of industry bodies, the Swedish Digital Commerce Association (Svensk Digital Handel), which is a part of the Swedish Trade Federation (Svensk Handel), manages a trust mark called "Secure E-commerce" (Trygg E-handel) that businesses can display on their website, if they meet the requirements set out by the association.

The business must first be organised under a legal entity through which the business will operate, for example a limited liability company (aktiebolag).

The website through which the business will be conducted must be designed and developed. This can be done with in-house expertise or by engaging a third party provider.

Further, a number of documents and texts must be prepared and made available on the website. These include:

The parties that the legal entity that carries out the online business typically contracts with include:

Some regulations directly or indirectly imply that users' accessibility must be considered when designing websites and apps. The European Accessibility Act ((EU) 2019/882) aims to increase the accessibility for certain products and services within the EU. It particularly aims to meet the needs of people with disabilities. It covers products and services relating to bank, travel, communication, e-commerce, and so on.

To implement the European Accessibility Act into Swedish law, the Swedish Government published a government Bill proposing a new Act on Digital Accessibility to Products and Services on 23 December 2022 (Prop. 2022/23:42). The requirements of the proposed Act are expected to be effective from 28 June 2025. For services, a later entry into force applies in certain cases, but no later than 27 June 2030. Self-service terminals can, under certain circumstances, continue to be used for 20 years after their entry into service.

Marketing, consumer and e-commerce regulations may need to be considered when designing websites and apps.

Regarding entities in the public sector, the Swedish Act on Accessibility to Digital Public Services (2018:1937) should be considered. It is the Swedish implementation of the Web Accessibility Directive ((EU) 2016/2102) and specially regulates accessibility of websites and apps of entities in the public sector. It applies to digital services, such as websites and apps, provided by public entities and certain private entities funded by public means. These digital services must fulfil certain standards, give users the opportunity to comment on the service's accessibility and provide users with information about the supervising authority (that is, the Agency for Digital Government).

The Swedish Discrimination Act (2008:567) applies to certain sectors and businesses (for example, education, healthcare, and supply of products and services). Although the Act does not specifically refer to digital services, lack of accessibility is considered a general form of discrimination.

Regulation ((EU) 2022/2065) on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) imposes an obligation on providers of online platforms to put in place appropriate measures to avoid illegal content online and empower recipients of online services (see Question 44). The Digital Services Act also bans targeted advertising to minors (those under 18) based on profiling using the personal data of users of the services when it can be established with reasonable certainty that the recipient of the service is a minor.

A potential consequence of the Digital Services Act is that an age-verification or age-gating tool might be needed to ensure the compliance with these obligations (see Question 22).

If the app is developed by a third party provider, the legal entity that carries out the business should enter into an agreement with the third party, for example, a project agreement. This agreement should include clear expectations regarding the delivery and execution of the project as well as potential consequences if the developer does not deliver on time.

The agreement should state that the copyright to the app belongs to the legal entity that carries out the business. Otherwise, the copyright vests with the developer even though the developer has been engaged to develop the app on behalf of the legal entity. In any event, the legal entity that carries out the business must make sure that it has the necessary rights under copyright and intellectual property law to use the app in accordance with its needs and that any third party intellectual property (IP) rights are handled accordingly. If software from a third party provider is to be used in the app, licensing issues should also be handled.

If the legal entity that carries out the business wishes to distribute the app through a commercial app platform (for example, Apple, Google and/or Microsoft), it is necessary to conclude an agreement regarding that distribution. Standard agreements including the technical requirements to fulfil are usually publicly available on the app platform's website.

It should be considered whether the developer will get access to confidential information or personal data. If that is the case, a confidentiality clause should be included in the agreement and the legal entity’s personal data responsibilities should be handled accordingly.

In general, there are no formal requirements with respect to the conclusion of contracts under Swedish law and, therefore, it is in most cases possible to form a contract electronically. There are a few exceptions to this main rule, for example transfer of real property requires wet ink signatures by both parties.

A contract is binding when an offer from one party has been accepted by the receiving party. An offer that a trader directs to the public, for example through a website, is in general not regarded as a binding offer but merely a request to make an offer.

The E-commerce Act sets out information requirements applicable to services provided at a distance by electronic means, among other things, through a website. For example, there must be technical aids in place making it possible for the customer to identify and correct information errors before the order is submitted. The customer must also receive a confirmation of the order by e-mail.

For consumer contracts concluded at a distance (for example, online and not at the physical store of the trader), the trader must also comply with the requirements in the Distance and Off-Premises Contracts Act. The Act applies when the consumer is obliged to pay for goods, digital content or digital services or when digital content and digital services are supplied in exchange for the consumer’s personal data. Among other things, the Act lays down rules on pre-contractual information and the right of withdrawal for the consumer.

Under the Distance and Off-Premises Contracts Act, the consumer can, regardless of the reason, withdraw from the contract within 14 days from either:

Further, the trader must provide a standard form for the exercise of the right of withdrawal. There are several exceptions to the right of withdrawal, for example if the customer has consented to the trader starting the service provision and agreed that the right of withdrawal does not apply when the service is fulfilled.

The enforceability of click-wrap, shrink-wrap and browse-wrap contracts has been debated in the B2C context. The common understanding is that a consumer must actively agree to be bound by an agreement. Click-wrap agreements are therefore generally enforceable against a consumer while shrink-wrap and browse-wrap agreements likely are not.

Most contracts can be formed electronically. However, some contracts must be signed in wet ink, for example transfer of real property (fast egendom), site-leasehold right (tomträtt) and ownership of an apartment (bostadsrätt).

Contract formation and validity in general is regulated by the Contracts Act. If the contract is concluded by electronic means, for example through a website, the trader must also comply with the information requirements set out in the E-commerce Act.

When contracting with consumers, the following legislation also applies which stipulates requirements on pre-contractual information, the right of withdrawal, remedies in event of defects and so on:

For B2B contracts regarding the sale of goods, the Sales of Goods Act applies unless the parties have agreed otherwise. The Sale of Goods Act includes provisions on warranty and remedies in event of defects etc.

Regulation ((EU) 2019/1150) (Platform to Business Regulation) applies in Sweden, but has not resulted in any changes to the legislation governing contracting on the internet.

The GDPR applies in Sweden. Therefore, the general principles relating to processing of personal data must be complied with, specifically the data minimisation and storage limitation principles in reference to data retention requirements. In general, personal data may only be retained for as long as necessary to fulfil the specific purpose for which the personal data was first collected (for example, performance of the contract).

The general recommendation from the Swedish Authority for Privacy Protection is that personal data regarding customers (whether B2C or B2B) is deleted when the contract relationship expires. However, due to the statute of limitation for monetary claims being 10 years in Sweden, customer contracts are generally stored for this period.

Further, sector specific law may require certain information to be retained for a longer period (for example, bookkeeping information must be stored for seven years).

The European eCommerce and Omni-Channel Trade Association (EMOTA) is the European level umbrella federation representing Online and Omni Channel trade across Europe. The EMOTA members provide trustmarks that are based on EMOTA's European standard for safe e-commerce. The Swedish Digital Commerce Association (Svensk Digital Handel) is an EMOTA member and provides the trustmark called "Secure E-commerce" (Trygg E-handel). More information on the trustmark can be found at: www.tryggehandel.se.

The remedies available for breach of an electronic contract are the same as for any other type of contract. Swedish law provides for a number of remedies, including the right to:

If a trader does not abide by the E-commerce Act, this can be regarded as misleading advertising under the Marketing Practices Act. Misleading advertising can result in:

Regulation ((EU) 910/2014) (eIDAS Regulation) applies in Sweden and digital signatures are widely used in Sweden.

An electronic signature is defined as data in electronic form which is attached to, or logically associated with, other data in electronic form, and which is used by the signatory to sign.

An advanced electronic signature is defined as an electronic signature that is uniquely linked to the signatory, capable of identifying the signatory, created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control. An advanced electronic signature is linked to the data signed in such a way that any subsequent change in the data is detectable.

A qualified electronic signature is defined as an advanced electronic signature that is created by a qualified electronic signature creation device, and based on a qualified certificate for electronic signatures.

There are three types of digital signatures in Sweden:

Most contracts can be entered into with the use of digital signatures. However, some contracts must be signed in wet ink, for example transfer of real property (fast egendom), site-leasehold right (tomträtt) and ownership of an apartment (bostadsrätt).

Also, certain legislation may stipulate requirements on the type of electronic signature. For example, the contract formation under the Consumer Credit Act requires advanced electronic signature.

The collection and processing of personal data is regulated by the:

The Swedish Data Protection Legislation applies to personal data processed by an entity established in Sweden or when an entity established outside of Sweden offers or targets goods or services to, or monitors the behaviour of, Swedish residents.

The Swedish Data Protection Legislation, including the legal acts implementing the GDPR (see Question 14), applies to personal data, which is defined as data relating to an identified or identifiable natural person (a data subject). Data subjects or individuals can be identified for example by their name, photo or phone number, but also other identifiers such as IP addresses.

"Special category data" is personal data:

Specific requirements apply for the processing of special category data (including additional legal bases for processing such data).

Additional requirements apply to the processing of personal data relating to children (those under 18) and vulnerable individuals.

Information that cannot be used (either on its own or together with other information) to identify a living individual is not subject to the Swedish Data Protection Legislation.

Personal data relating to criminal convictions and offences does not constitute "special category data". However, the processing of such data is governed by analogous restrictions.

The GDPR sets out fundamental principles for processing personal data. The data must be processed lawfully, fairly and in a transparent manner, and for specific, explicit, and legitimate purposes. The data must be adequate, relevant, and limited to what is necessary, as well as being accurate and up-to-date. Data cannot be kept longer than necessary for the purposes, and it must be processed in a manner that ensures appropriate security. The controller must be able to demonstrate compliance with the GDPR.

In addition to the principles, there is a requirement for a specific legal basis for the processing. The GDPR provides for six lawful grounds for processing:

The processing of special categories of personal data (see Question 15) is subject to more stringent requirements and limitations (including an additional legal basis for processing such personal data).

If the planned processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, a data protection impact assessment must be carried out before the processing begins. The risks associated with the planned processing should therefore also be analysed before the processing. The Swedish Authority for Privacy Protection has published a list of processing operations where an impact assessment is required.

There are no specific limitations on the storage of personal data in the cloud. However, the provisions on information security and secrecy in the Public Access to Information and Secrecy Act (2009:400) and the Protective Security Act (2018:585) may affect the choice and use of cloud solution in respect of classified data. Data processing agreements and the provisions on data transfers outside of the EEA may also affect the choice of cloud solutions, as various jurisdictions carry different levels of risk.

Government bodies can access or compel disclosure of personal data in some cases, for example:

Cookies and other tracking technology that is based on the placement of tracking technology on a device can only be used if the user is informed about the purpose of the use and consents to it (Electronic Communications Act). Consent for cookies and tracking technology must fulfil the requirements for consent set out in the GDPR, meaning that it must be freely given, specific, informed and unambiguous and obtained before any cookies or tracking technology being deployed. Consent is not, however, needed for such technology if it is strictly necessary to provide an online service expressly requested by the user.

Even where tracking technology is not deployed at device level (and the Electronic Communications Act is out of scope), information that is collected through cookies or tracking technology may be considered personal data under Swedish Data Protection Legislation, if it can be used to identify an individual. This includes, for example, IP addresses and other electronic identifiers. Therefore, the GDPR and the acts implementing the GDPR apply to the processing of such data. This should be taken into account when formulating a cookie notice or other information to the individuals.

Data subjects must be informed if any profiling is conducted based on personal data (GDPR) and a data processor is obliged to provide human intervention for all automated decisions (including profiling) to which data subjects are exposed. If personal data is processed based on a legitimate interest and used for profiling, the data subject can object to the processing. If personal data is processed for direct marketing purposes including profiling, the data subject can object at any time to the processing of their personal data for that marketing. Where the data subject objects to processing for direct marketing purposes, the personal data can no longer be processed for those purposes.

Businesses processing personal data are obliged under the GDPR to implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and the purposes of the processing.

The measures must ensure an appropriate level of security with regard to the technical options available, the costs, the specific risks associated with the treatment of the personal data, and how sensitive the personal data is.

If the business engages a service provider to process personal data on its behalf, a data processing agreement must be in place.

Under the Act on Information Security (2018:1174), operators of essential services must:

The Act on Information Security also stipulates that providers of digital services must:

Payment service providers must fulfil the requirements set out in the Payment Services Act (2010:751) and the Financial Supervisory Authority's (Finansinspektionen) regulatory code regarding payment services (FFFS 2010:3). For example, payment service providers must have a system of appropriate measures and control mechanisms to manage operational risks and security risks associated with the payment services provided. Within the framework of this system, the payment service provider must regulate how incidents are to be handled.

Encryption may constitute a necessary technical measure depending on the type of business and/or services provided by it. The legislation described in Question 19 does not explicitly prescribe encryption as a requirement and each business must determine on a case-by-case basis whether or not encryption is necessary based on the specific circumstances.

The provision of electronic payments is regulated in the Payment Services Act and the Financial Supervisory Authority's (Finansinspektionen) regulatory code regarding payment services (FFFS 2010:3). The general rule is that the provision of payment services requires authorisation from the Swedish Financial Supervisory Authority. The Payment Services Act and the Financial Supervisory Authority's regulatory code regarding payment services have been updated to correspond with Directive ((EU) 2015/2366) (PSD2).

Payment service provides are subject to the Swedish Money Laundering and Terrorist Financing Prevention Act (2017:630), and must comply with, for example, the requirements on identification and verification of customers and reporting, when conducting payment services.

In line with the UN Convention on the Rights of the Child, a child is considered any individual under the age of 18. Processing a child's personal data based on their consent is lawful under Swedish Data Protection Legislation if the child is at least 13 years old (GDPR and the Swedish act implementing the GDPR (2018:218)).

If the child is younger than 13, the processing is lawful only if the consent is given or authorised by the person who holds parental or guardian responsibility for the child (see Question 5).

The Swedish Data Protection Legislation recognises the need to place additional safeguards and protection around the processing of children’s data. The Swedish Authority for Privacy Protection identifies that transparency information (including in relation to consent and data subject rights) relating to the processing of personal data should be adapted in approach, style and format depending on the age of the child.

Under the Swedish Marketing Practices Act, marketing cannot be misleading or aggressive, and it may be prohibited if it affects the consumer's ability to make informed business decisions. If marketing is directed at children, an assessment should be made based on how children perceive the marketing. This assessment must take into account the age of the target audience since a child’s age influences how it perceives the advertising message. For example, marketing should be clear and not portrayed as a game. Direct marketing to children younger than 16 years old is forbidden (Patent and Market Court, B 4/11) and further restrictions are placed as a result of the Digital Services Act (see Question 5).

Persons younger than 18 years old are minors and cannot by themselves conclude agreements (Children and Parents Code (1949:381)). However, children between the ages of 16 and 18 years can in most cases decide how to spend money they themselves have earned (which includes entering into relevant agreements). The trader is liable for determining whether the customer is of legal age and competent to enter into a contract, and the mere belief that the customer is of a certain age is not enough for the agreement to be valid.

Further restrictions are provided by, for example, the Alcohol Act (2010:1622), the Tobacco Act (2018:2088) and the Gambling Act (2018:1138).

There are no Swedish laws specifically regulating service agreements in B2B situations. The Sales of Goods Act and the Act on Commissioner (2009:865) can, under certain circumstances, serve as guidance. The Commercial Agents Act (1991:351) regulates the relationship between a commercial agent and the principal in relation to the reselling of goods. The Commercial Agents Act includes mandatory provisions for the protection of the commercial agent. The mandatory provisions regulate terms related to, among others, term of notice and the agent's right to commission during the contract period.

Swedish copyright law does not provide specific rules regulating this matter. However, general rules regarding, for example, intellectual property (IP) rights and marketing may apply to the use of these practices.

The Court of Justice of the European Union (CJEU) has made framing, caching, spidering and the use of metatags the subject matter of its judgments in the form of preliminary rulings which must be followed by national courts:

The Marketing Practices Act requires that linking and framing is in accordance with generally accepted marketing practices. All marketing must be formulated and presented in such a way that it clearly appears that marketing is involved. A link or frame that has a marketing purpose must therefore clearly be marked as marketing.

The Marketing Practices Act applies to all media. If the search hit which the metatags are used to promote is considered to be advertising, the Act is applicable. Therefore, the use of metatags must comply with generally accepted marketing practices as set out under section 5 of the Act. If the use contravenes these practices, it may be deemed unfair provided that it is considered likely to affect the recipients' ability to make a well-founded commercial decision.

There are some limitations on the use of advertising keywords. For example, the use of trade marks in advertising keywords by third parties may constitute trade mark infringement if the generated ad refers to products identical with the products provided by the trade mark holder and the ad does not enable or only with difficulty enables a user to distinguish the source of the goods or services offered.

The Act on National Top-Level Domains for Sweden on the Internet (2006:24) regulates the technical operations of country code top-level domains for Sweden and the assignment and registration of domain names.

The Swedish country code top-level domain .se and the top-level domain .nu is run and administrated by the Internet Foundation in Sweden (Internetstiftelsen i Sverige) (IIS) and regulated by IIS Registration Conditions.

Anyone can register a ".se" or a ".nu" domain, whether based in Sweden or not.

A registered domain name must not infringe on someone else’s right, for example a brand, or contain words or phrases that constitute illegal content. The IIS offers an alternative dispute resolution process for disputes about domain name rights interference.

Registering a domain name does not confer any additional rights. There is, however, the possibility to obtain the rights to a word or name through the Trade Marks Act (2010:1877) or the Trade Names Act (2018:1653). These rights are acquired through registration and must fulfil certain requirements. An exclusive right can also be acquired without registration by means of establishment on the market. Trade marks are registered at the Swedish Patent and Registrations Office (Patent- och registreringsverket) and trade names are registered at the Swedish Companies Registration Office (Bolagsverket).

The exclusive rights to a business name are obtained by registration in the Swedish Companies Registration Office (Bolagsverket) or through establishment. A business name is considered established if a substantial part of the relevant public knows it as the name of the business for which it is used. The provisions regulating the registration and establishment of trade names are stated in the Trade Names Act.

The following restrictions apply to business names:

Under Swedish law, the general rule is that the defendant's jurisdiction applies. If the claimant is a consumer and the amount of the dispute does not exceed SEK24,540, the claimant's jurisdiction applies instead.

If the defendant or claimant is domiciled in a member state other than Sweden, Regulation ((EU) 1215/2012) Brussels I Regulation) applies. Under the Brussels I Regulation, the defendant's jurisdiction generally applies. However, in B2B agreements, parties are to a large extent free to agree on the applicable jurisdiction. Further, if the defendant is a consumer, under the Brussels I Regulation the consumer's jurisdiction generally applies.

If the defendant is domiciled in a country outside the EU that is a signatory to the Lugano Convention (2007), the Lugano Convention applies. The provisions of the Lugano Convention are similar to those of the Brussels I Regulation.

If the defendant is domiciled in a country to which neither the Lugano Convention nor the Brussels I applies, there is no generally applicable regulation on jurisdiction. Various Swedish laws do regulate jurisdiction for specific legal issues, but none is specifically aimed at internet transactions. When no relevant law on jurisdiction applies, guidance can be sought in the Swedish Code of Judicial Procedure (1942:740) and in the Brussels I Regulation.

For contract matters, Regulation ((EC) 593/2008) (Rome I Regulation) applies if the contract was entered into after 17 December 2009. For contracts entered into before this date, the Rome Convention applies. The provisions of the Rome Convention are essentially the same as the provisions of the Rome I Regulation.

The parties can generally choose which law governs the contract. When no applicable law has been chosen, the governing law is determined by the Rome Convention or Rome I Regulation. A contract for provision of services will generally be governed by the law of the country where the service provider has their habitual residence.

Specific rules and limitations apply to consumer contracts in both the Rome Convention and the Rome I Regulation. The law of the country where the consumer is habitually resident applies if the trader pursues commercial or professional activities or directs such activities to the country where the consumer is habitually resident.

If a consumer contract states that a law outside the EU will govern the contract, this provision is invalid under the Act on Unfair Consumer Terms (1994:1512) if the law that otherwise would have governed the contract is the law of an EU member state that provides better consumer protection.

B2B contracts regarding international sales of goods are governed by the Act on Applicable Law to International Sales of Goods (1964:528). This law takes precedence over the Rome Convention and the Rome I Regulation but however allows the parties to agree on the governing law.

The Act on Alternative Dispute Resolution in Consumer Relations (2015:671) implements the ADR Directive (2013/11/EU) and regulates ADR entities in Sweden. Seven different ADR entities have been approved under this law. In the context of online traders and their consumers, the General Complaints Board (Allmänna reklamationsnämnden) is the most relevant ADR entity.

Regulation ((EU) 524/2013) on online dispute resolution for consumer disputes (Online Dispute Resolution Regulation), which compliments the ADR Directive, establishes an "out of court" online platform for settling disputes that arise from cross-border online B2C transactions (ODR Platform). Through the ODR Platform, which is free of charge and available in all official languages of the EU, consumers can either settle the dispute with the trader or identify the relevant ADR entity for that particular dispute.

Traders must:

Failure to provide the required information may be regarded as a violation of the Marketing Practices Act. In this case, the trader may be required to provide relevant information under the penalty of a fine. If the trader intentionally or negligently violates such an order, the trader may also be obliged to pay damages to the consumer.

The findings of the ADR entities are merely recommendations and therefore not legally binding on the parties. However, the parties usually comply with ADR entities' decisions.

The decision of the ADR entity cannot be appealed, but in some procedures the ADR entity can hand over the case to the relevant Ombudsman who can order an injunction or file a complaint.

The Marketing Practices Act applies to advertising online and through social media in the same way as it applies to marketing offline. The relevant rules include:

The advertising and selling of products and services such as medical products, tobacco, alcohol, financial services and gambling are highly regulated, but not specifically with regards to online activities. These regulations apply to both online and offline sales and advertising.

Companies selling pharmaceuticals to the public online must display a certain logo on the website to show that the website is legally selling pharmaceuticals. The logo contains a link to a verification page with the Swedish Medical Products Agency. The logo enables consumers to verify whether the website can legally sell medical products or not.

The Marketing Practices Act strictly prohibits traders from sending unsolicited e-mails or text messages to consumers without their consent. However, if the e-mail address or phone number was obtained in connection with the sale of a product, unsolicited e-mails and text messages can be sent if:

In marketing by means of e-mail and text messages, both in relation to consumers and legal entities, the communication must at all times contain a valid address through which the recipient can request that the marketing ceases.

There are no general language requirements for websites. However, there are exceptions in situations where there is a particular need for consumer protection. For example, the Swedish Gambling Act (2018:1138) provides that a licence holder must ensure that all relevant information about the game, including its rules and the odds of winning, is stipulated in Swedish.

If goods are sold to consumers, the instructions on how to use the product must be in Swedish, unless the product is of a simple nature. Information regarding technically advanced products addressed to a limited customer base can be in English. Further, a consumer has a right to be given safety information and instructions for products in Swedish.

Sales concluded online are, like sales concluded in other forums, subject to VAT taxation. A 25% VAT rate applies to most goods and services. In case of a permanent establishment in Sweden, the business profit attributable to the permanent establishment may also be subject to corporate income tax, at a rate of 20.6%.

Swedish companies must, regardless of annual turnover, register for VAT if the company is required by Swedish law to charge sales tax.

Since Sweden is a member of the EU, the One Stop Shop (OSS) regime applies to foreign businesses established within the EU that sell goods online or digital services (telecommunication services, radio or television broadcasting and electronic services) to Swedish persons not registered for VAT (for example consumers).

As long as the foreign business's total turnover in other EU member states does not exceed the threshold of EUR10,000 (SEK99,680) per year, a VAT registration in Sweden is not necessary.

The threshold means that cross-border transactions up to the threshold level are taxed in the seller's country, while transactions that exceed the threshold are taxed in the buyers' countries.

However, a special OSS VAT-registration is possible to have a VAT reporting obligation in only one state. When selling vehicles or goods subject to excise tax, such as alcohol and tobacco, other rules apply and a registration in Sweden may be mandatory regardless of the amount.

For B2B businesses within the EU, a "reverse charge" normally applies, which means that the buyer reports the VAT, provided that the seller does not have a fixed establishment in Sweden.

For import of goods and services from states outside the EU, the buyer is generally liable for VAT. However, if the service provided is intended for private use, (bought by a consumer) no Swedish VAT applies.

VAT is a complex area and should be assessed on a case-by-case basis.

Companies registered with the Swedish Company Registration Office (Bolagsverket) must register for VAT at www.verksamt.se no later than 14 days before commencement of business operations that are subject to VAT. Foreign businesses register for VAT at the Swedish Tax Agency (Skatteverket) on form SKV 4632.

Restrictions on content that can be published on a website are affected by the fundamental right to freedom of speech. Therefore, restrictions are limited to criminal acts or other unlawful behaviour. For example, the Penal Code prohibits defamation, insulting behaviour and unlawful threats, among others.

The civil law provides restrictions relating to, for example, IP rights. Subject to a few exceptions, the Copyright Act (1960:729) contains certain restrictions in relation to the publishing of copyrighted material on a website. This Act transposes the InfoSoc Directive ((EU) 2001/29) into Swedish law. The Trade Marks Act contains similar restrictions on infringing behaviour.

The T&Cs for registering a domain name include provisions granting the registrar the right to take actions against the domain name if the content on the website is illegal.

The Digital Services Act prohibits advertisements based on profiling if the recipient may reasonably be a minor (see Question 44).

The Copyright in the Digital Single Market Directive ((EU) 2019/790) is not yet implemented in Sweden. However, the Swedish Government published its government Bill on the implementation of the Directive on 12 July 2022 (Prop. 2021/22:278) and the proposed amendments entered into force on 1 January 2023.

In accordance with the Directive, the Swedish Government introduced an additional chapter in the Copyright Act addressing online services. The chapter states that the service provider is responsible for the copyright of the works that users make available to the public by uploading them to the service. However, the service provider will not be liable for an unauthorised transfer if it promptly prevents access to the content and does what is reasonably required to:

Generally, any user who publishes unlawful content on a website can be held liable for that content. However, in some cases, other intermediaries can be held liable.

The provider of an electronic bulletin board, under certain conditions, can be held liable for content published on the bulletin board (Act on Responsibility for Electronic Bulletin Boards). The provider must remove certain user-generated criminal content, such as content that obviously constitutes:

If not removed, the provider may be subject to a fine or imprisonment.

Service providers may be liable for copyright infringement if they enable and assist infringing acts of copying and communication to the public (Copyright Act). In the Swedish "Pirate Bay" case (Svea Court of appeal, B4041-09), the persons behind the Pirate Bay were convicted of complicity to commit crime in violation of the Copyright Act.

The editor of a publication (for example, a newspaper) is generally liable for any content published under a "certificate of no legal impediment to publication" (Freedom of the Press Act (1949:105)).

Under the E-commerce Act, a service provider will be held liable for content if they fail to take steps to discharge their liability. For example, if the service provider, despite knowledge or awareness of user-generated illegal content, does not act to remove the information, the service provider may be obliged to pay damages or a penalty fee.

Criminal liability in relation to user-generated content is incurred where the offence is committed intentionally. In addition, own initiatives taken to ensure compliance do not necessarily lead to exemptions from liability.

The Digital Services Act applies to hosting service providers (see Question 44). It requires hosting services, including online platforms, to introduce a "notice and action" mechanism. Once such a notice is received, the service provider is considered to have knowledge of any illegal content or activity included in such a notice. Failing to act once the process is activated will then result in liability for the service provider.

Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online, which entered into force on 7 June 2022, further applies to all hosting service providers offering services in the EU and requires them to remove or disable access to terrorist content on an order from the competent authority in the relevant member state. In addition, hosting service providers that are exposed to terrorist content are obliged to take certain measures to prevent the service from being misused to disseminate such content.

On 11 May 2022, the European Commission published a proposal for a Regulation laying down rules to prevent and combat child sexual abuse online. This Regulation sets out the obligations of hosting services and of interpersonal communication services to identify, analyse and assess the risk of the service being used for online sexual abuse and to take measures to mitigate any such risk. Service providers would also have to report the appearance of such content and, on order, remove or disable access to it.

The service provider must provide the following information:

(E-commerce Act)

The operator must provide the following information before a service user places an order:

(E-commerce Act)

A trader must provide certain information before entering into a distance contract (for example, a sale concluded online) (Distance and Off-Premises Contracts Act). This information includes, for example:

The controller must provide the data subject with information regarding the processing of personal data (GDPR).

A website operator must inform the visitor of the website that the website contains cookies and the purpose for which cookies are used (Electronic Communications Act)).

Further, providers of intermediary services must include information in their T&Cs on any restrictions that they impose on the use of their service in respect of information provided by the recipients of the service, (Digital Services Act), see Question 44).

Generally, anyone publishing material on a website is liable if the material violates any laws.

Where the Act on Responsibility for Electronic Bulletin Boards applies, the website operator is in some cases obliged under penalty of a fine to remove certain material if the material violates certain laws.

If the website operator has a publication licence, the operator must nominate a legally responsible publisher, which is then liable for the content published on the website.

Under the E-commerce Act, a service provider (for example, an internet service provider) is not liable for content on a website if the provider:

If a service provider in any way contributes to the content of a website, the service provider is liable for such content.

Under European case law (UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH (C-314/12)), a national court can order an ISP to shut down a website if the content of the website infringes on any copyright laws.

There is no right stipulated in law for an ISP to shut down a website at its own discretion, but this could be included in the ISP's T&Cs.

There are no specific regulations on the liability for products/services supplied online, so general rules apply.

The sale of counterfeit goods is subject to civil and criminal sanctions in the Trade Marks Act.

Online trading platforms can be liable for helping the sale of counterfeit goods over the internet.

Following the decision of the CJEU in L'Oréal SA and Others v eBay International AG and Others (C-324/09), auction operators may be ordered to take measures to make it easier to clearly identify sellers of counterfeit goods. However, the operator of the online marketplace cannot be liable for the infringement itself, given that it does not itself actively use the trade marks. An operator is actively using the trade mark if it provides assistance to the seller which entails optimising the presentation of the offers for sale or promoting them.

There are no specific regulations regarding the use of spiders, bots or crawlers. General rules on data protection apply. The Database Directive (96/9/EC), which is implemented in Swedish law, does not prevent the reuse of parts of the creator's database once it has been made accessible for use by the public. However, the CJEU ruled in Ryanair Ltd v PR Aviation BV (C-30/14) that the author of a database can lay down contractual limitations on its use by third parties. A website reusing another website's database must observe these limitations.

In general, an online business requires the same insurance as other businesses in the same industry sector. However, there are some insurances that are especially useful for online businesses in any industry sector. In addition to a business insurance, other insurances that should be considered include:

The following EU legislation was passed:

Other reforms to strengthen consumer protection within the EU include: