What is the Swedish Protective Security Act?
The Protective Security Act (PSA) establishes requirements for protecting security-sensitive activities in Sweden. It applies to government authorities and private organizations conducting activities important to national security or covered by international protective security commitments.
The PSA was introduced in April 2019, with extensive amendments taking effect December 1, 2021. It requires organizations to implement information security, physical security, and personnel security controls based on risk assessments.
- Conduct protective security analyses to identify sensitive activities and classified information
- Implement security measures across three categories: information security, physical security, and personnel security
- Notify supervisory authorities (e.g., Swedish Security Service, MUST) of security-sensitive activities
- Conduct personnel security vetting based on access requirements
How ABV Supports PSA Compliance
ABV provides security controls and documentation to help organizations meet PSA requirements:
Information Security (Informationssäkerhet)
The PSA requires systematic protection of classified and security-sensitive information:
- Access Control: RBAC restricts who can view GenAI prompts, responses, and system configurations.
- Audit Logging: Comprehensive logs track all access to sensitive data, supporting accountability and incident investigation.
- Encryption: AES-256 at rest and TLS 1.2+ in transit protect classified information from unauthorized access.
- Data Classification: Tag and track security-sensitive information with metadata and access restrictions.
- Data Masking: Automatically redact sensitive details from GenAI interactions before storage or analysis.
Personnel Security (Personalsäkerhet)
The PSA requires personnel security vetting for individuals accessing security-sensitive activities:
- User Authentication: MFA and SSO ensure only authorized personnel access the platform.
- Access Reviews: Audit logs enable periodic review of who accessed classified information and when.
- Session Tracking: Monitor individual user sessions and activities for security oversight.
Data Residency Options
ABV offers flexible deployment options to meet Swedish data residency requirements:
Standard Regions
- EU Region: Ireland (AWS eu-west-1) - Available immediately
- US Region: Virginia (AWS us-east-1) - Available immediately
Custom Regional Deployments
Sweden-Specific Deployment Available: ABV can provide custom deployments in the AWS Stockholm (eu-north-1) region for organizations requiring data storage within Sweden’s borders. This option is particularly relevant for:
- Organizations handling classified information under PSA
- Government entities with strict data sovereignty requirements
- Critical infrastructure operators requiring domestic data storage
Deployment Options for PSA Compliance
For organizations subject to PSA with data residency requirements:
- Standard EU Region (Ireland):
  - Immediate availability
  - Data remains within the European Union
  - Suitable for many non-classified use cases
- Custom Sweden Deployment (Stockholm):
  - Available for Enterprise customers
  - Data stored exclusively within Sweden’s borders
  - Meets stringent PSA data residency requirements
  - Requires custom deployment assessment
- Hybrid Architecture:
  - Use EU region for non-sensitive workloads
  - Sweden deployment for classified or security-sensitive data
  - Separate environments with complete data isolation
Requesting Sweden Deployment
To request a custom deployment in Sweden (AWS Stockholm region):
- Email [email protected] with your requirements
- Include your security classification level and PSA requirements
- Specify data volume and performance needs
- Our team will provide deployment timeline and pricing
- Enterprise agreement
- Minimum commitment period
- Additional setup and operational costs
- 2-4 week deployment timeline
Protective Security Analysis Support
ABV helps organizations conduct and maintain protective security analyses required by the PSA:
- Risk Identification: Comprehensive observability reveals what sensitive information GenAI systems process, supporting threat and vulnerability assessments.
- Security Documentation: Audit trails, access logs, and configuration records provide evidence for implementation plans required by supervisory authorities.
- Continuous Monitoring: Real-time alerts detect unauthorized access, anomalous behavior, or security incidents affecting classified information.
Incident Management
The PSA requires organizations to manage security incidents affecting classified information:
- Incident Detection: Monitor for unauthorized access, data exfiltration attempts, or suspicious GenAI behavior.
- Forensic Support: Immutable logs with tamper-evident timestamps support incident investigation and reporting to supervisory authorities.
- Notification Protocols: Documented procedures for notifying SÄPO, MUST, or other supervisory authorities.
For Swedish Government Contractors
Private organizations conducting security-sensitive work for the Swedish government must comply with PSA requirements:
Defense Contractors
Support military GenAI projects with PSA-compliant governance and security controls.
Critical Infrastructure
Protect GenAI systems in energy, telecommunications, or transportation sectors designated as security-sensitive.
Sensitive Research
Govern GenAI used in research with national security implications or international protective agreements.
Documentation for PSA Compliance Assessments
ABV can support certain PSA requirements through security controls and documentation, but may not meet all requirements for highly classified or security-sensitive activities, particularly regarding data location.
What We Can Provide
- Security Controls Documentation: Evidence of information security controls (encryption, access management, audit logging) that align with PSA requirements.
- ISO 27001 Certificate: International certification often accepted as evidence of systematic information security management.
- Risk Assessment Support: Documentation to include in your protective security analysis regarding use of cloud services.
What We Cannot Provide
- Physical security measures for Swedish government facilities (cloud-based service only)
- Personnel security vetting (this is your organization’s responsibility)
- Classification as a Swedish security-cleared vendor (we are a commercial SaaS provider)
- On-premises deployment within government facilities (cloud-only service)
How to Request Documentation
Provide Organization Details
Include organization name, ABV account details, security classification level, and supervising authority (SÄPO, MUST, Swedish Armed Forces, etc.).
Specify Requirements
Detail specific PSA requirements, whether Sweden-only data storage is mandatory, and documentation needed for protective security analysis.
Share Risk Assessment
Explain whether you’ve determined ABV is suitable for your security classification and any compensating controls you’re implementing.
Submit Request
Email [email protected] from your organization email. We typically respond within 1-2 business days. Detailed documentation may require an NDA.
Before using ABV for PSA-regulated activities, ensure your protective security analysis addresses:
- Whether standard EU (Ireland) region meets your requirements, OR
- Whether you need custom Sweden (Stockholm) deployment for classified data
- Any specific requirements from your supervisory authority (SÄPO, MUST, etc.)