The Council of the European Union has authorised the French cryptographic product 'ZED! Q.2021.x' for protecting EU classified information at the RESTRICTED level, according to an information note published on 2 October 2026. The approval, granted under Article 10(6) of the Council Security Rules (Council Decision 2013/488/EU), allows EU institutions to use the product for safeguarding sensitive but non-critical information.
Document details
The information note, issued by the General Secretariat of the Council, confirms that the product meets the required security standards for the EU RESTRICTED classification. This is a procedural decision under the Council's own security framework, not a legislative act. The approval is mandatory for EU bodies handling RESTRICTED-level data, but does not impose obligations on member states beyond their own national security policies.
Policy context and trade-offs
The decision balances the need for robust information security against the operational benefits of using a commercially available cryptographic product. By approving a French-developed solution, the Council avoids the cost and delay of developing an in-house alternative, but also creates a dependency on a single national supplier. This may raise concerns about vendor lock-in and interoperability with other EU security systems.
Impact on stakeholders
- EU institutions and agencies: They can now deploy 'ZED! Q.2021.x' for RESTRICTED-level communications, potentially improving efficiency and reducing procurement complexity. However, they must ensure compatibility with existing security infrastructure.
- French defence and tech industry: The approval provides a commercial boost and validates the product's security credentials, opening doors to other government clients.
- Other EU member states: They may face pressure to accept a non-domestic product for joint EU operations, or may seek reciprocal approval for their own national solutions.
- EU taxpayers: The decision avoids significant R&D spending, but long-term costs could arise if the product requires frequent updates or if switching suppliers becomes difficult.
Next steps
The approval is effective immediately. EU institutions may begin integrating the product into their security systems. The Council may later extend the approval to higher classification levels or to products from other member states, depending on operational needs and security assessments.