Updated juli 9, 2026
Summary: Organisations building or procuring EUCI sovereign infrastructure must satisfy a layered set of obligations under Council Decision 2013/488/EU, covering classification-specific crypto approvals, TEMPEST shielding, facility and personnel clearances, and an accelerating post-quantum migration. Swiss-hosted providers face additional bilateral arrangements before EUCI can lawfully cross into Swiss jurisdiction.

EUCI sovereign infrastructure refers to communication and information systems (CIS) that are architecturally and legally controlled in a way that satisfies the security obligations attached to EU Classified Information under Council Decision 2013/488/EU, covering everything from physical shielding and personnel vetting to cryptographic product approvals and facility clearances. For procurement officers, CISOs and data protection officers in the public sector and regulated industries, understanding these obligations is the prerequisite for any credible evaluation of sovereign hosting alternatives.

The Four EUCI Classification Levels and Their CIS Requirements

Council Decision 2013/488/EU establishes four classification levels, each triggering progressively stricter controls on the systems that may process the information.

RESTREINT UE/EU RESTRICTED is the entry level. Information at this level could disadvantage EU interests if disclosed. Communication and information systems processing RESTREINT UE must be accredited, but member states retain discretion over the precise technical baseline. Transmission over public networks is permissible only when protected by approved cryptographic means, and physical access to the CIS must be controlled.

CONFIDENTIEL UE/EU CONFIDENTIAL covers information whose unauthorised disclosure could harm the essential interests of the EU or its member states. At this level, CIS accreditation becomes mandatory under the formal approval chain described in Annex IV of Council Decision 2013/488/EU, and cryptographic products must carry Council Security Committee (CSC) approval. Personnel with access require a Personnel Security Clearance at the equivalent level.

SECRET UE/EU SECRET requires that the CIS environment meet substantially higher physical and technical baselines, including reinforced access control, security logging, and TEMPEST measures appropriate to the facility’s threat profile. All cryptographic products must be CSC-approved at SECRET level, and the hosting facility must hold a Facility Security Clearance at that level.

TRÈS SECRET UE/EU TOP SECRET is reserved for information whose disclosure could cause exceptionally grave damage. Systems processing TOP SECRET EUCI are subject to the most stringent combination of physical security, personnel vetting, crypto product approval and continuous monitoring requirements. Standalone or air-gapped architectures are the norm, and accreditation is conducted directly by the relevant National Security Authority (NSA) with close involvement of the EU Security Committee.

Classification Level Crypto Approval Required FSC Required PSC Required TEMPEST Obligation
RESTREINT UE/EU RESTRICTED Nationally approved or CSC-listed product Member-state discretion Member-state discretion Risk-based; often Zone C
CONFIDENTIEL UE/EU CONFIDENTIAL CSC-approved product mandatory Required Required at CONF level Zone B minimum typical
SECRET UE/EU SECRET CSC-approved product mandatory Required Required at SECRET level Zone B or Zone A
TRÈS SECRET UE/EU TOP SECRET CSC-approved product mandatory Required Required at TS level Zone A; often dedicated shielded room

Cryptographic Product Approval: The Council Security Committee Chain

For CONFIDENTIEL UE and above, cryptographic product selection is not a commercial decision, it is a regulated approval process. The Council Security Committee, operating under Council Decision 2013/488/EU and supplemented by Commission Decision (EU, Euratom) 2015/444 for Commission-processed EUCI, maintains a list of approved cryptographic products. No product may be used to protect EUCI at these levels unless it appears on that list or has received an equivalence recognition from the CSC.

The approval process involves vendor submission of technical documentation, evaluation by one or more accredited evaluation facilities (typically national cryptographic authorities such as ANSSI in France or BSI in Germany), and a formal CSC decision. Products are approved for a specific classification level, and that approval does not automatically extend upward. A product cleared for RESTREINT UE is not thereby cleared for CONFIDENTIEL UE.

Let op: Sovereign infrastructure providers that wish to offer EUCI-capable hosting must verify that every cryptographic component in the data path, including key management systems, VPN gateways and storage encryption modules, carries the appropriate CSC approval for the intended classification level. Using a non-approved product, even a technically strong one, constitutes a security violation under Council Decision 2013/488/EU.

TEMPEST and Physical Security Accreditation

TEMPEST refers to the discipline of controlling unintentional electromagnetic emanations from electronic equipment that could allow adversaries to reconstruct processed information. For sovereign data centre operators seeking accreditation to process EUCI, TEMPEST is a formal engineering and testing obligation, not a best-practice recommendation.

The applicable technical standard is SDIP-27 (published by NATO as AMSG 720B under NATO Information Security requirements CK-3705), which defines three zone levels: Zone A (highest shielding, for environments close to an uncontrolled perimeter), Zone B (intermediate), and Zone C (minimal measures, appropriate for facilities with substantial controlled space around the equipment). The National Security Authority determines which zone applies based on a physical inspection of the facility and an analysis of the surrounding threat environment.

Physical security accreditation is separate from CIS accreditation but is a prerequisite for it at CONFIDENTIEL and above. The accrediting NSA will verify that the facility has: a defined security perimeter with controlled access, intrusion detection and alarm systems tested to the relevant national standard, a secure area designation for the zones in which classified material is processed or stored, and documented procedures for visitor control and material handling. As of 2023, the EU institutions collectively process information across more than 80 classified information systems accredited under these rules, according to European Court of Auditors Special Report 20/2023.

Industrial Security Obligations for Sovereign Hosting Providers

Entering into a contract that involves access to EUCI or the hosting of EUCI-bearing systems requires a sovereign infrastructure provider to satisfy three overlapping industrial security obligations.

Facility Security Clearance (FSC): Issued by the National Security Authority of the member state in which the facility is located, the FSC certifies that the organisation and its premises meet the physical and procedural requirements for handling classified information up to a specified level. The FSC must be in place before a classified contract is signed, not obtained as a post-contractual formality.

Personnel Security Clearances (PSC): Every individual with unsupervised access to EUCI must hold a valid PSC at the appropriate level, issued by the member state’s NSA. For multinational teams, cross-recognition of PSCs between member states is governed by the bilateral or multilateral security arrangements referenced in Council Decision 2013/488/EU. Maintaining current PSCs for all relevant staff is an ongoing contractual obligation, not a one-time exercise.

Classified contract clauses: Contracts involving EUCI must include a Program Security Instruction (PSI) or equivalent annex specifying the classification level of information involved, the security measures the contractor must maintain, the procedures for incident reporting and the consequences of a security violation. These clauses are not negotiable and their content is prescribed by the contracting authority’s security office in coordination with the relevant NSA.

Post-Quantum Cryptography and the Migration Timeline for EUCI Products

NIST finalised three post-quantum cryptography standards in August 2024 (ML-KEM, ML-DSA and SLH-DSA), completing a standardisation process that began in 2016. As NIST itself states: “Quantum computers will eventually be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”

For EUCI-protecting products, this creates a concrete re-evaluation obligation. The Council Security Committee’s approval framework requires products to be reassessed when the algorithms they rely upon are deprecated or newly identified as vulnerable. RSA and elliptic-curve Diffie-Hellman key exchange, which underpin most currently approved EUCI crypto products, are vulnerable to a sufficiently powerful quantum computer running Shor’s algorithm.

No single binding EU-wide deadline for EUCI crypto migration has been published as of mid-2025, but national security authorities including BSI (Germany) and ANSSI (France) have published migration guidance recommending that organisations complete the transition to quantum-safe algorithms before 2030. Sovereign infrastructure providers should treat this as a planning constraint: any new CIS accreditation submitted today for CONFIDENTIEL or above should include a quantum-migration roadmap, and legacy systems should be assessed for “harvest now, decrypt later” exposure, where an adversary captures encrypted traffic today intending to decrypt it once a quantum computer is available.

Let op: “Harvest now, decrypt later” attacks are not theoretical. Sensitive EUCI with a long confidentiality lifecycle, such as diplomatic communications or defence procurement data, is the primary target. The average cost of a data breach globally reached USD 4.88 million in 2024 (IBM Cost of a Data Breach Report 2024), but the damage from a quantum-enabled retrospective decryption of classified data cannot be expressed in monetary terms alone.

Swiss-Hosted Sovereign Infrastructure and EU-Swiss Classified Information Flows

Switzerland is not an EU member state, which means that EUCI cannot flow into Swiss jurisdiction by default. Any cross-border handling of EUCI between EU institutions or member states and Swiss-based infrastructure requires a bilateral Security of Information Agreement (SIA) that establishes the equivalence of Swiss protective measures with the EUCI framework.

The EU-Switzerland SIA, negotiated through the Council Secretariat and the Swiss Federal Council, covers classified information up to a level broadly equivalent to CONFIDENTIEL UE. The Swiss classified information framework is governed primarily by the Swiss Federal Act on Information Security (ISG, in force since 2023) and administered by the Swiss Federal Intelligence Service (NDB), which acts as the Swiss national security authority for industrial security purposes. The NDB issues Swiss facility and personnel security clearances under criteria that are technically comparable to those in Council Decision 2013/488/EU, which is what allows the equivalence finding in the SIA to hold.

For sovereign infrastructure providers operating Swiss data centres, the practical consequence is that they can lawfully handle RESTREINT UE and CONFIDENTIEL UE equivalent data for EU counterparts, provided: the SIA is in force and applicable to the specific contract, their facility holds a Swiss FSC recognised under the SIA, their personnel hold Swiss PSCs at the relevant level, and the CIS is accredited by or in coordination with the NDB. Processing at SECRET UE or above would require additional bilateral arrangements beyond the current SIA, and no Swiss commercial data centre currently holds an accreditation at that level for EU purposes.

The Council of the European Union summarises the foundational principle directly in Council Decision 2013/488/EU: “The protection of EU classified information requires that all measures be taken to ensure that such information cannot be accessed by unauthorised persons, whether through electronic interception, physical access or any other means.” That principle applies equally whether the infrastructure is located in Brussels, Berlin or Zurich.

FAQ

Does a cloud provider need a Facility Security Clearance before it can process RESTREINT UE/EU RESTRICTED data?

The requirements vary by member state. Council Decision 2013/488/EU sets the EU-level framework but allows national security authorities discretion over RESTREINT UE. Many member states do not require a formal FSC for RESTREINT UE processing, but they do require an accredited CIS and contractual security clauses. For CONFIDENTIEL and above, a full FSC issued or recognised by the relevant National Security Authority is mandatory.

What is the difference between NSA accreditation and the Council Security Committee approval of a crypto product?

National Security Authority accreditation covers the entire communication and information system, including its operational environment, personnel and physical controls. The Council Security Committee crypto-approval is narrower: it specifically validates that a cryptographic product meets the technical standards required to protect EUCI at a given classification level. Both are necessary for systems handling CONFIDENTIEL UE and above.

Can a Swiss data centre legally host EU SECRET or EU TOP SECRET data for an EU institution?

Not without a bilateral Security of Information Agreement between Switzerland and the EU that covers the relevant classification level, combined with an EU Security Committee decision recognising the equivalence of Swiss protective measures. Currently, the EU-Switzerland SIA covers equivalent handling up to a level comparable to CONFIDENTIEL UE. Processing at SECRET or TOP SECRET level would require additional bilateral arrangements and dedicated accreditation decisions.

When must existing EUCI-protecting cryptographic products be replaced with post-quantum approved alternatives?

No single binding EU-wide deadline has been published as of mid-2025. However, the Council’s crypto-approval framework requires products to be re-evaluated when underlying algorithms are deprecated. Given that NIST finalised its first PQC standards in August 2024 and national security authorities such as BSI and ANSSI are publishing migration guidance, products protecting CONFIDENTIEL UE and above should be assessed for quantum vulnerability now, with migration plans targeting completion before 2030.

What TEMPEST zone classification is typically required for a data centre processing SECRET UE/EU SECRET?

Under the SDIP-27 (NATO AMSG 720B) zoning framework, SECRET-level processing generally requires Zone B or Zone A shielding, depending on the proximity of the controlled perimeter to the nearest uncontrolled area. The precise zone classification is determined during the physical security inspection conducted by or on behalf of the relevant National Security Authority as part of the facility accreditation process.

Frequently asked questions

Does a cloud provider need a Facility Security Clearance before it can process RESTREINT UE/EU RESTRICTED data?
The requirements vary by member state. Council Decision 2013/488/EU sets the EU-level framework but allows national security authorities discretion over RESTREINT UE. Many member states do not require a formal FSC for RESTREINT UE processing, but they do require an accredited CIS and contractual security clauses. For CONFIDENTIEL and above, a full FSC issued or recognised by the relevant National Security Authority is mandatory.
What is the difference between NSA accreditation and the Council Security Committee approval of a crypto product?
National Security Authority accreditation covers the entire communication and information system, including its operational environment, personnel and physical controls. The Council Security Committee crypto-approval is narrower: it specifically validates that a cryptographic product meets the technical standards required to protect EUCI at a given classification level. Both are necessary for systems handling CONFIDENTIEL UE and above.
Can a Swiss data centre legally host EU SECRET or EU TOP SECRET data for an EU institution?
Not without a bilateral Security of Information Agreement between Switzerland and the EU that covers the relevant classification level, combined with an EU Security Committee decision recognising the equivalence of Swiss protective measures. Currently, the EU-Switzerland Security of Information Agreement covers equivalent handling up to a level comparable to CONFIDENTIEL UE. Processing at SECRET or TOP SECRET level would require additional bilateral arrangements and dedicated accreditation decisions.
When must existing EUCI-protecting cryptographic products be replaced with post-quantum approved alternatives?
No single binding EU-wide deadline has been published as of mid-2025. However, the Council's crypto-approval framework requires products to be re-evaluated when underlying algorithms are deprecated. Given that NIST finalised its first PQC standards in August 2024 and national security authorities are publishing migration guidance, products protecting CONFIDENTIEL UE and above should be assessed for quantum vulnerability now, with migration plans targeting completion before 2030 to align with most national authority recommendations.
What TEMPEST zone classification is typically required for a data centre processing SECRET UE/EU SECRET?
Under the SDIP-27 (NATO AMSG 720B) zoning framework, SECRET-level processing generally requires Zone B or Zone A shielding, depending on the proximity of the controlled perimeter to the nearest uncontrolled area. The precise zone classification is determined during the physical security inspection conducted by or on behalf of the relevant National Security Authority as part of the facility accreditation process.