The EU Council has formally approved the use of the Swedish cryptographic product 'PGAI 9441 version 7.5.x' for protecting information classified as RESTREINT UE/EU RESTRICTED. The decision, taken by the Secretary-General on 2 October 2026, is conditional on the incorporation of the evaluator's recommendations into Security Operating Procedures. This approval enables EU institutions and member states to use the product for securing sensitive but non-classified information, impacting security officers and IT departments handling EU restricted data.
Document Details
The approval is based on Article 10(6) of Council Decision 2013/488/EU on the security rules for protecting EU classified information. The document is an information note, not a legislative act, and it specifies that the product's use is limited to the RESTREINT UE level, the lowest classification tier. The decision follows a security evaluation process and is binding for EU bodies that choose to adopt the product.
Policy Context and Trade-offs
The approval balances the need for secure communication with operational flexibility. By endorsing a specific product, the Council ensures a common security standard, reducing fragmentation across member states. However, the conditional nature of the approval—requiring updates to Security Operating Procedures—imposes administrative costs on adopting entities. The decision also favors interoperability within EU institutions, as the product is already used by some member states.
Impact on Stakeholders
- EU institutions and agencies: Gain a certified tool for protecting restricted information, enhancing security but requiring procedural adjustments. - National security authorities: May need to align their security procedures with the Council's requirements, potentially increasing workload. - Swedish manufacturer (PGAI): Benefits from EU-wide endorsement, boosting market credibility and potential sales. - IT security contractors: May see increased demand for integration and compliance services related to the product.
Next Steps
The approval is effective immediately. EU bodies intending to use the product must update their Security Operating Procedures to incorporate the evaluator's recommendations. No further institutional follow-up is required, as the decision is administrative. The Council may later approve additional products for higher classification levels or other use cases.
← Atlas › News › Defence