Cryptography solutions approved by Traficom's NCSA-FI
In relation to Finland's international information security obligations, the tasks of the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom include the approval of cryptography products for protecting the confidentiality of classified information in Finland. In the EU, the authority responsible for the approval of cryptography products is referred to as the CAA (Crypto Approval Authority). In Finland, CAA responsibilities are handled by NCSA-FI function at Traficom's NCSC-FI.
This list includes cryptography products approved by NCSC-FI for protecting the confidentiality of national and EU classified information. The products included on the list have been approved for protecting the confidentiality and integrity of information in high threat level environments. High threat level means communication over open networks, such as the internet, for example. It can also mean a system that has been approved for a lower classification level than the information being communicated. Advice on how to apply the list to other threat levels can be requested from NCSA-FI.
The presented classification levels only apply to information classified by public authorities, but they can also be used as recommendations for other needs.
The Council of the European Union and its General Secretariat also maintain a list of cryptography products that can be used for protecting the confidentiality of international or national classified information.
Cryptography solutions approved by NCSA-FI for national classified information
A cryptography product requires the approval of the Crypto Approval Authority (CAA) when applying for approval for an information system or telecommunications arrangements based on the fulfilment of international information security obligations (Act 588/2004). Approval may also be required when the approval process is based on the Act on the Assessment of the Information Security of Public Authorities' Information Systems and Telecommunications Arrangements (1406/2011).
Regarding the commissioning of cryptography products, it should be noted that approval may be subject to additional requirements. Because of this, NCSA-FI should be consulted when planning new systems and in any unclear situations. As regards products approved for protecting the confidentiality of national confidential information, key management solutions must also be approved nationally, either in connection with the SAA approval of information systems or based on a separate procedure.
NCSA-FI’s national approval is based on an information security assessment of the cryptography product carried out or supervised by a competent CAA.
Classification level TL II
Note! Products approved for a higher classification level can also be used for protecting the confidentiality of information at a lower classification level. Terms of use may differ based on the classification level.
Recent changes:
- 22 December 2023: VeraCrypt's approval for classification level TL II has ended.
- 28 January 2021: Veracrypt approved for classification levels TL II and TL III
Classification level TL III
| Bittium Tough Mobile 2 C | Bittium Oyj (FI) | VPN and mass storage encryption for smartphones |
|
| Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. There are additional conditions for upgrade of MR 5.8 version. |
| Deltagon Sec@GW (D-Network) | SSH Communications Security Oyj (FI) | Email encryption | 3.3 (D-Network) | until further notice | Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. More detailed component-specific version information can be requested from NCSA-FI. |
| Insta SafeLink VPN Gateway 2008 | Insta Advance Oy (FI) | VPN encryptor |
|
| Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. |
| Insta SafeLink VPN Gateway 2020 | Insta Advance Oy (FI) | VPN encryptor |
|
| Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. |
| Insta SafeLink VPN Gateway Lite | Insta Advance Oy (FI) | VPN encryptor |
|
| Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. |
| SSH NQX | SSH Communications Security Oyj (FI) | VPN encryptor |
|
| Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. |
| VeraCrypt | Idrix (FR) | File encryptor |
| Until 31 December 2026 | Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. |
- 17 January 2024: Insta SafeLink VPN Gateway version 4.2.5 approved. Removed expired approvals.
- 22 December 2023: VeraCrypt version 1.26.7 approved. Earlier versions moved from TL II table to TL III table. Validity periods of all versions updated.
- 20 June 2023: Insta SafeLink VPN Gateway version 4.2.3 approved, validity periods for old versions updated. Forcepoint Stonedsoft removed, since its validity period expired.
- 13 Match 2023: Insta SafeLink VPN Gateway version 4.2.2 approved, version details and validity periods updated.
- 10 February 2023: Bittium Tough Mobile 2 C data updated.
- 19 September 2022: Forcepoint Stonesoft NGFW's approval is valid until 31 March 2023
- 12 September 2022: Bittium Tough Mobile C removed from the list. Bittium Tough Mobile 2 C version details updated.
- 21 December 2021: Insta SafeLink 4.1.0 approved for classification level TL III, updated version 3.5A's validity period. Remove expired Stonesoft FW/VPN's approval. Updated Bittium Tough Mobile C's validity period.
- 19 November 2021: Removed expired Instal Safelink version 3.4B, 3.5 and 4.0.1 approvals
- 1 November 2021: Updated Bittium Tough Mobile C and 2 C's validity period and approved versions.
- 6 September 2021: Stonesoft FW/VPN's approval is valid until 30 November 2021
- 7 April 2021: Bittium Tough Mobile 2 C approved for classification level TL III
- 10 February 2021: SSH NQX version 1.1.0p5 approved for classification level TL III
Classification level TL IV
| SafeMove Windows VPN Client | Bittium Wireless Oy | VPN Client software for Windows operating systems | 14.0 | until 1 February 2027 | Traficom has defined usage policy for the product. Traficom's Cybersecuritycenter is responsible for distribution of the usage policy. The manufacturer can deliver the usage policy to the authorities. |
| Deltagon Sec@GW | SSH Communications Security Oyj (FI) | Email encryption | 3.10 (SecAtGW 3.10.82-1) | until further notice | Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. More detailed component-specific version information can be requested from NCSA-FI. |
| GnuPG | Email encryption | GnuPG 2 | until further notice | Only use in compliance with Traficom’s instructions is approved. The instructions are available from NCSA-FI. | |
| TETRA E2EE | Airbus Defense and Space Oy (FI) | End-to-end encryptor for the TETRA network | E2EE smart cards 3.5 | until further notice | Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. |
Recent changes:
- 12 February 2024: SafeMove Windows VPN Client added to the list.
- 19 November 2021: Deltagon Sec@GW version 3.10 update approved for classification level TL IV, approval for version 3.8 has expired
- 17 February 2021: Deltagon Sec@GW version 3.10 update approved for classification level TL IV
Encryption products for EU classified information
Encryption products used to protect EU classified information must be approved in accordance with Article 10(6) of the Council Decision on security rules for protecting EU classified information. The Article states that within Member States’ national systems, the confidentiality of information classified as CONFIDENTIEL UE/EU CONFIDENTIAL (C-UE/EU-C) or RESTREINT UE/EU RESTRICTED (R-UE/EU-R) may be protected by cryptographic products approved by a Member State’s Crypto Approval Authority (CAA). The confidentiality of information classified as SECRET UE/EU SECRET (S-UE/EU-S) and above, and outside of national systems the confidentiality of information classified as C-UE/EU-C and R-UE/EU-R, shall be protected by cryptographic products approved by the Council or its General Secretariat as Crypto Approval Authority.
Important: Regarding the commissioning of cryptography products, it should be noted that approval is usually subject to additional requirements. Because of this, NCSA-FI should be consulted when planning new systems. According to the Council's security rules for protecting EU classified information, all systems used to process EU classified information must also be reviewed and approved by the national SAA (Security Accreditation Authority, which in Finland is NCSA-FI).
NCSA-FI’s approval is based on an information security assessment of the cryptography product carried out or supervised by the competent Crypto Approval Authority (CAA) of a Member State.
List of cryptography products approved by the Council or its General Secretariat (External link)