When Skatteverket and Försäkringskassan can’t agree, what does it mean for your organisation?

Posted by Jon-Thor Sigurleifsson

Sweden is used to being seen as something of a role model for other nations on matters of digitalisation and compliance. That is why recent developments have raised eyebrows: two of the country’s most central agencies, Försäkringskassan (the Swedish Social Insurance Agency) and Skatteverket (the Swedish Tax Agency), have come to different conclusions about whether Swedish authorities can use American cloud services such as Microsoft 365 and Teams.

This is not an academic disagreement. It strikes at the core of how we protect personal data, corporate information, and secrecy-protected government records at a time when EU law and U.S. surveillance legislation are pulling in different directions.
For those of us who have dedicated our careers to developing products and services built with compliance and the protection of EU citizens’ data at the forefront, it’s disheartening to imagine how much these kinds of disagreements could set us back across the continent.

Försäkringskassan’s line: digital sovereignty first

Försäkringskassan has taken a cautious and principled stance. Their conclusion: foreign-owned cloud services are not suitable for handling secrecy-protected or sensitive data.
Their reasoning is clear. Swedish public authorities must retain control over data, storage, and access. In other words, embrace digital sovereignty. U.S. surveillance laws are viewed as introducing too much legal risk, making the safest path one that avoids placing sensitive categories of information into foreign-owned clouds altogether.

Skatteverket’s line: cautious use with guardrails

Skatteverket, on the other hand, has moved towards a more permissive model. After years of alignment with Försäkringskassan’s position, it is now exploring limited use of Microsoft 365 and Teams under strict conditions.
According to its working groups, there are “no legal, security-related or functional obstacles,” provided the tools are used within a well-defined framework. That includes measures such as:

  • Documents stored in Microsoft’s cloud are considered safe until proven otherwise
  • Teams chats set to auto-delete after 24 hours
  • No use of features such as live transcription or subtitles
  • End-to-end encryption for internal meetings

The result is a compromise: a limited form of adoption that strips away many of the features that make these tools attractive in the first place.

What this disagreement tells us

Two of Sweden’s most influential public authorities are looking at the same legislation and arriving at different answers. That divergence tells us three things:

  1. Compliance remains complex. Court precedents and regulatory guidance exist, but practical implementation is fraught with uncertainty.
  2. Authorities are improvising. Each is developing its own interpretation in the absence of a definitive rulebook.
  3. Organisations that wait will be left behind. Those expecting uniform clarity from above may be waiting indefinitely.

When Försäkringskassan says “too risky” and Skatteverket says “possible within limits,” it exposes an uncomfortable truth: juggling regulation, digital reality and practical compliance is difficult even for large, heavily regulated government agencies.

When Skatteverket starts flip-flopping in their views on the matter, it creates unnecessary friction, which threatens to slow down progress. Responsible European SaaS companies have been investing a lot of time, effort and money in exactly what the public sector has been asking for and in European digital sovereignty. But now we’re seeing the two most central Swedish authorities not even able to agree on something as fundamental as this between themselves. Is this the way to create sound conditions for European digital innovation?

A united front is needed to create a strong, European ecosystem of tech, innovation and trust which can make us all less reliant on solutions that leave our data vulnerable to long-arm jurisdiction.

The risks of doing nothing

For organisations, indecision carries its own risks:

  • Legal liability. Missteps can result in GDPR breaches or violations of secrecy law.
  • Loss of trust. Citizens and customers expect data to be handled securely and transparently.
  • Operational fragility. Building systems on uncertain ground today can lead to costly redesigns tomorrow.

Neutrality is not a safe position. Inaction, in this context, is a decision, and one that may prove costly for end users, EU citizens and service providers who don’t step up and offer an alternative.

Don’t wait for regulation to catch up

Sweden has often been seen as a leader in digitalisation. Yet this divide between Försäkringskassan and Skatteverket illustrates how differing interpretations of the same legislation can leave organisations that look to such major institutions for guidance or inspiration stranded between ambition and risk.

It is tempting to blame slow-moving lawmakers, but that argument doesn’t hold up to scrutiny. The principle that EU citizens’ personal data should not be processed outside the EU has existed since 1995, rooted in the EU Charter and the European Convention on Human Rights. The issue only became mainstream when GDPR arrived in 2016, and even then the focus was more on fines than on practical compliance.
Whether the problem lies in market inertia or fragmented guidance, the lesson is clear: organisations cannot afford to wait for perfect clarity. They must take responsibility now, grounding their digitalisation strategies in security, sovereignty, and long-term compliance.

A way forward

The disagreement between Försäkringskassan and Skatteverket is a reminder that Europe’s digital transformation depends on confidence, not in foreign infrastructure but in our own ability to build secure, compliant systems.

Digital sovereignty does not have to be a distant ideal. With the right frameworks, it can become a practical reality today. To achieve this, we need to see concentrated effort from both public and private players to create a European ecosystem of trust, with clear, practical implementation of compliance and regulation, and without an over-reliance on U.S. vendors.
