Front Page: NCSC-FI
Front Page: NCSC-FI
Menu

In relation to Finland's international information security obligations, the tasks of the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom include the approval of cryptography products for protecting the confidentiality of classified information in Finland. In the EU, the authority responsible for the approval of cryptography products is referred to as the CAA (Crypto Approval Authority). In Finland, CAA responsibilities are handled by NCSA-FI function at Traficom's NCSC-FI.

This list includes cryptography products approved by NCSC-FI for protecting the confidentiality of national and EU classified information. The products included on the list have been approved for protecting the confidentiality and integrity of information in high threat level environments. High threat level means communication over open networks, such as the internet, for example. It can also mean a system that has been approved for a lower classification level than the information being communicated. Advice on how to apply the list to other threat levels can be requested from NCSA-FI.

The presented classification levels only apply to information classified by public authorities, but they can also be used as recommendations for other needs.

The Council of the European Union and its General Secretariat also maintain a list of cryptography products that can be used for protecting the confidentiality of international or national classified information.

Cryptography solutions approved by NCSA-FI for national classified information

A cryptography product requires the approval of the Crypto Approval Authority (CAA) when applying for approval for an information system or telecommunications arrangements based on the fulfilment of international information security obligations (Act 588/2004). Approval may also be required when the approval process is based on the Act on the Assessment of the Information Security of Public Authorities' Information Systems and Telecommunications Arrangements (1406/2011).

Regarding the commissioning of cryptography products, it should be noted that approval may be subject to additional requirements. Because of this, NCSA-FI should be consulted when planning new systems and in any unclear situations. As regards products approved for protecting the confidentiality of national confidential information, key management solutions must also be approved nationally, either in connection with the SAA approval of information systems or based on a separate procedure.

NCSA-FI’s national approval is based on an information security assessment of the cryptography product carried out or supervised by a competent CAA.

Classification level TL II

Note! Products approved for a higher classification level can also be used for protecting the confidentiality of information at a lower classification level. Terms of use may differ based on the classification level.

      

Recent changes:

  • 22 December 2023: VeraCrypt's approval for classification level TL II has ended.
  • 28 January 2021: Veracrypt approved for classification levels TL II and TL III

Classification level TL III

Bittium Tough Mobile 2 C                    Bittium Oyj (FI)VPN and mass storage encryption for smartphones
  • 81.66 MR5.8 Ruby
  • until further notice

Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.

There are additional conditions for upgrade of MR 5.8 version.

Deltagon Sec@GW (D-Network)SSH Communications Security Oyj (FI)Email encryption3.3 (D-Network)until further noticeOnly use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. More detailed component-specific version information can be requested from NCSA-FI.
Insta SafeLink VPN Gateway 2008Insta Advance Oy (FI)VPN encryptor
  • V4 and V5; 4.2.3 and 4.2.5
  • V4 and V5; 4.2.2, 4.1.1 and 4.1.0
  • until 30 June 2026
  • until 31 December 2023
Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.
Insta SafeLink VPN Gateway 2020Insta Advance Oy (FI)VPN encryptor
  • V6 and V7: 4.3.1
  • V6 and V7: 4.2.3 and 4.2.5
  • until 17 June 2027
  • until 30 June 2026
Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.
Insta SafeLink VPN Gateway LiteInsta Advance Oy (FI)VPN encryptor
  • 4.3.1
  • 4.2.3 and 4.2.5
  • until 17 June 2027
  • until 30 June 2026
Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.
SSH NQXSSH Communications Security Oyj (FI)VPN encryptor
  • 1.1.0p5
  • 1.1.0p2
  • 2.2.4
  • 2.2.5
  • 2.2.9
  • until further notice
  • until 15 October 2022
  • until further notice
  • until further notice
  • until 28 June 2027
Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.
VeraCryptIdrix (FR)File encryptor
  • 1.22 and 1.23
  • 1.24 and 1.25
  • 1.26.7
Until 31 December 2026Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.
  • 28 June 2024: SSH NQX software version 2.2.9 evaluated for classification level TL III.
  • 18 June 2024: Insta SafeLink VPN Gateway version 4.3.1 evaluated. Removed expired approvals.
  • 17 January 2024: Insta SafeLink VPN Gateway version 4.2.5 approved. Removed expired approvals.
  • 22 December 2023: VeraCrypt version 1.26.7 approved. Earlier versions moved from TL II table to TL III table. Validity periods of all versions updated.
  • 20 June 2023: Insta SafeLink VPN Gateway version 4.2.3 approved, validity periods for old versions updated. Forcepoint Stonedsoft removed, since its validity period expired.
  • 13 Match 2023: Insta SafeLink VPN Gateway version 4.2.2 approved, version details and validity periods updated.
  • 10 February 2023: Bittium Tough Mobile 2 C data updated.
  • 19 September 2022: Forcepoint Stonesoft NGFW's approval is valid until 31 March 2023
  • 12 September 2022: Bittium Tough Mobile C removed from the list. Bittium Tough Mobile 2 C version details updated.
  • 21 December 2021: Insta SafeLink 4.1.0 approved for classification level TL III, updated version 3.5A's validity period. Remove expired Stonesoft FW/VPN's approval. Updated Bittium Tough Mobile C's validity period.
  • 19 November 2021: Removed expired Instal Safelink version 3.4B, 3.5 and 4.0.1 approvals
  • 1 November 2021: Updated Bittium Tough Mobile C and 2 C's validity period and approved versions.
  • 6 September 2021: Stonesoft FW/VPN's approval is valid until 30 November 2021
  • 7 April 2021: Bittium Tough Mobile 2 C approved for classification level TL III
  • 10 February 2021: SSH NQX version 1.1.0p5 approved for classification level TL III

Classification level TL IV

SafeMove Windows VPN ClientBittium Wireless OyVPN Client software for Windows operating systems14.0until 1 February 2027Traficom has defined usage policy for the product.
Traficom's Cybersecuritycenter is responsible for distribution of the usage policy. The manufacturer can deliver the usage policy to the authorities.
Deltagon Sec@GWSSH Communications Security Oyj (FI)Email encryption3.10 (SecAtGW 3.10.82-1)until further noticeOnly use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI. More detailed component-specific version information can be requested from NCSA-FI.
GnuPG Email encryptionGnuPG 2until further noticeOnly use in compliance with Traficom’s instructions is approved. The instructions are available from NCSA-FI.
TETRA E2EEAirbus Defense and Space Oy (FI)End-to-end encryptor for the TETRA networkE2EE smart cards 3.5until further noticeOnly use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.

Recent changes:

  • 12 February 2024: SafeMove Windows VPN Client added to the list.
  • 19 November 2021: Deltagon Sec@GW version 3.10 update approved for classification level TL IV, approval for version 3.8 has expired
  • 17 February 2021: Deltagon Sec@GW version 3.10 update approved for classification level TL IV

Encryption products for EU classified information

Encryption products used to protect EU classified information must be approved in accordance with Article 10(6) of the Council Decision on security rules for protecting EU classified information. The Article states that within Member States’ national systems, the confidentiality of information classified as CONFIDENTIEL UE/EU CONFIDENTIAL (C-UE/EU-C) or RESTREINT UE/EU RESTRICTED (R-UE/EU-R) may be protected by cryptographic products approved by a Member State’s Crypto Approval Authority (CAA). The confidentiality of information classified as SECRET UE/EU SECRET (S-UE/EU-S) and above, and outside of national systems the confidentiality of information classified as C-UE/EU-C and R-UE/EU-R, shall be protected by cryptographic products approved by the Council or its General Secretariat as Crypto Approval Authority.

Important: Regarding the commissioning of cryptography products, it should be noted that approval is usually subject to additional requirements. Because of this, NCSA-FI should be consulted when planning new systems. According to the Council's security rules for protecting EU classified information, all systems used to process EU classified information must also be reviewed and approved by the national SAA (Security Accreditation Authority, which in Finland is NCSA-FI).

NCSA-FI’s approval is based on an information security assessment of the cryptography product carried out or supervised by the competent Crypto Approval Authority (CAA) of a Member State.

List of cryptography products approved by the Council or its General Secretariat (External link)

RESTREINT UE/EU RESTRICTED (R-UE/EU-R)

ProductManufacturerTypeApproved versionsValidityTerms of use
Insta SafeLink VPN Gateway 2020Insta Advance Oy (FI)VPN encryptorV6 and V7: 4.3.1until 17 June 2027Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.
Insta SafeLink VPN Gateway LiteInsta Advance Oy (FI)VPN encryptor4.3.1until 17 June 2027Only use in compliance with the usage policy prepared by Traficom is approved. Instructions are available from the manufacturer or NCSA-FI.
  • 18 June 2024: Insta SafeLink VPN Gateway version 4.3.1 approved.
Updated