The EU Council has published a List of Approved Cryptographic Products (LACP) for securing EU Classified Information (EUCI) at the levels of RESTREINT, CONFIDENTIEL, and SECRET. The list, issued in an information note on 2 November 2026, includes encryption tools from various manufacturers that have been formally certified following national and second-party evaluations. This move aims to provide a controlled and transparent set of encryption products for protecting sensitive EU data.
Legal Basis and Scope The LACP is established under Council Decision 2013/488/EU (the Council Security Rules), specifically Article 10(6), which mandates the maintenance of such a list. The document covers cryptographic products approved for protecting information up to SECRET level, ensuring that EU institutions and member states use only vetted encryption solutions. The list includes products from multiple vendors, reflecting a multi-source approach to security.
Policy Orientations and Trade-offs The publication of the LACP balances security and operational efficiency. On one hand, it enhances trust by ensuring that only certified products are used, reducing the risk of compromised communications. On the other hand, it may limit flexibility for EU bodies that prefer alternative encryption tools not on the list, potentially increasing procurement costs or requiring migration to approved products. The trade-off is between strict security standards and the administrative burden of compliance.
Impact on Stakeholders - EU institutions and agencies: They must use only LACP-listed products for classified information, ensuring a common security baseline but potentially incurring costs for upgrading or replacing existing systems. - National authorities of EU member states: They benefit from a harmonised list, simplifying cross-border information sharing, but may need to align their national cryptographic policies with the EU list. - Cryptographic product manufacturers: Inclusion in the LACP provides a competitive advantage and market access, while non-listed vendors face barriers to selling to EU institutions. - EU taxpayers: They ultimately bear the costs of compliance and procurement, but gain from improved security of sensitive EU information.
Expected Institutional Follow-up The Council will periodically update the LACP as new products are evaluated and approved. The European Commission and other EU bodies are expected to align their internal security policies with the list. No further legislative action is required, as the list is an administrative measure under existing rules.
← Atlas › News › Defence