The EU Council has formally approved the use of the Swedish cryptographic product 'PGAI 9421 version 2.2.x' for protecting classified information at the RESTREINT UE/EU RESTRICTED level, according to an information note published on 2 October 2026. The decision, taken by the Secretary-General of the Council, authorises EU institutions and member states to deploy the product for securing sensitive but non-critical communications, subject to the integration of evaluator recommendations into Security Operating Procedures (SecOps).
Document details and legal basis
The approval was granted under Article 10(6) of the Council Security Rules, established by Council Decision 2013/488/EU. The document is an information note—a procedural instrument that records internal administrative decisions rather than a legislative act. It does not set numerical targets or impose mandatory obligations on member states beyond the conditional authorisation. The product was evaluated by designated national security authorities, and the approval is contingent upon the implementing body incorporating the evaluator's recommendations into its local SecOps.
Policy orientations and trade-offs
The decision reflects a balance between security and operational efficiency. By approving a specific product, the Council ensures a standardised level of protection for EU RESTRICTED information, reducing fragmentation across institutions. However, the conditional nature of the approval—requiring incorporation of recommendations—introduces administrative overhead for the implementing entity. The trade-off lies between the need for robust cryptographic assurance and the desire for rapid deployment of interoperable solutions.
Impact on stakeholders
- EU institutions and agencies: They gain a new, pre-approved tool for protecting RESTRICTED-level information, potentially streamlining procurement and interoperability. However, they must adapt their SecOps to include the evaluator's recommendations, which may require additional resources.
- National security authorities of EU member states: The decision reinforces the mutual recognition of cryptographic evaluations, supporting the EU's Common Security and Defence Policy. It may also encourage further harmonisation of security standards.
- The Swedish manufacturer (PGAI): The approval opens a market within EU institutions for the product, providing a competitive advantage. However, the conditional nature means the manufacturer may need to support customers in implementing the recommendations.
- EU taxpayers: The standardisation may lead to cost savings through shared procurement and reduced duplication of evaluations. Conversely, any additional administrative costs are ultimately borne by taxpayers.
Institutional follow-up
The approval is an internal Council decision with immediate effect for the Council's own security infrastructure. Other EU institutions and member states may adopt the product under their own security frameworks. No further legislative steps are required at EU level, though the European Commission and the European Parliament may take note of it for their internal security policies. The decision does not trigger a formal inter-institutional procedure.