🇸🇪 Sweden compliance
Whistleblower software for Sweden
In Sverige, Lag 2021:890 transposes EU Directive 2019/1937 and requires companies with 50+ employees to operate a confidential internal whistleblowing channel. Reports must be acknowledged within 7 days and answered substantively within 3 months. Administrative fines for non-compliance can reach SEK 1,000,000.
Confidly is a GDPR-compliant whistleblowing channel built for companies in Sweden (Sverige) operating under Lag 2021:890 (Visselblåsarlagen). The intake form is auto-configured with the categories and disclosures Visselblåsarlagen requires. Reporters can attach audio or video oral statements to a web submission; a native phone-hotline or voicemail channel is on roadmap. The mandatory 7-day acknowledgement and 3-month feedback updates are automated. Set up in 15 minutes. Hosted in the EU. Used by compliance teams from 50 to 5,000 employees.
| Law | Lag 2021:890 |
| In force since | 17 December 2021 |
| Who must comply | 50+ employees |
| Enforcement | Arbetsmiljöverket |
| Max fine | SEK 1,000,000 |
| Companies affected | ~18,000 companies with 50+ employees |
What Visselblåsarlagen requires you to do
Lag 2021:890 transposes the EU Whistleblower Directive 2019/1937 into Sweden national law. The core obligations for companies above the threshold (50+ employees):
- Maintain a confidential internal reporting channel
- Acknowledge every report within 7 days
- Provide feedback to the reporter within 3 months
- Designate a person or unit to handle reports
- Protect the reporter from retaliation
- Keep records for the case duration + the audit window
In Sweden, enforcement sits with Arbetsmiljöverket. Maximum fines for non-compliance reach SEK 1,000,000.
Estimate your exposure under Visselblåsarlagen with the fines calculator.
How Confidly covers Visselblåsarlagen
- Country-specific intake template for Visselblåsarlagen: the form is auto-configured with the categories, disclosures and fields the Sweden transposition requires. No manual setup per channel.
- Anonymous intake available where Sweden law permits. Reporters get a server-issued case code and their own 6-digit secret. No email, no IP, no identifier stored.
- Oral-statement attachments on every plan: reporters upload audio or video oral statements directly into the web form, with EXIF/metadata stripping. A staffed phone hotline or AI-transcribed voicemail channel is on roadmap, in support of the oral-reporting requirement that Visselblåsarlagen carries from EU Directive 2019/1937 Art. 16.
- Form pre-translated into SV, EN. AI translates incoming reports to your working language on the admin side.
- Auto reporter status updates at 7 days (acknowledgement) and 3 months (status), in the reporter's language. Visselblåsarlagen feedback obligation satisfied by default.
- AI investigation copilot (Pro): AI summarises, classifies severity, drafts neutral replies, and clusters multi-reporter patterns to surface systemic issues.
- Append-only audit log required for Arbetsmiljöverket audits. Every action recorded with actor, timestamp and metadata.
- EU data residency: all data stored in EU data centres. Per-channel residency on Enterprise (data for Sweden entities stays in Sweden). No third-country transfers.
- Native HRIS sync (Pro): Personio, BambooHR. Auto-revoke channel access on offboarding; flag when a named-in-report person leaves the company.
What does Confidly cost in Sweden?
Three plans, EUR-priced (VAT reverse-charged for EU B2B). Pick a tier by company size; everything else is included.
Frequently asked questions: Visselblåsarlagen
- Is a whistleblowing channel mandatory in Sweden?
- Yes. Lag 2021:890 (Visselblåsarlagen), the Sweden transposition of EU Directive 2019/1937, requires companies with 50+ employees to operate a confidential internal whistleblowing channel. The law has been in force since 17 December 2021.
- What are the fines for non-compliance with Visselblåsarlagen?
- Maximum administrative fines under Visselblåsarlagen reach SEK 1,000,000. Enforcement is carried out by Arbetsmiljöverket. Fines apply both for failing to establish a channel and for retaliation against reporters.
- Does Visselblåsarlagen require anonymous reporting?
- Visselblåsarlagen permits anonymous reporting where Sweden national law allows. Confidly's reporter UI issues a server-side case code and reporter-only secret (no email, IP address, or browser identifier is stored), so reporters can submit and follow up entirely anonymously.
- What are the timelines under Visselblåsarlagen?
- Companies must acknowledge a report within 7 days of receipt and provide substantive feedback to the reporter within 3 months. Confidly's dashboard tracks both SLAs with automatic reminders.
- Is GDPR satisfied by Visselblåsarlagen compliance?
- Visselblåsarlagen compliance and GDPR are complementary, not equivalent. Confidly is hosted entirely in the EU, signs a GDPR-compliant Data Processing Agreement, and runs an append-only audit log that satisfies both Arbetsmiljöverket inspections and Article 30 GDPR records.
- How long does it take to deploy a whistleblowing channel for Sweden?
- 15 minutes for the channel itself. Branding, SV, EN translations, and policy import take an additional 1-2 hours. Most Sweden customers go live the same day they sign up.