====== 3.4 EU Regulation ======

European requirements for Post-Quantum security.

===== NIS2 Directive =====

The NIS2 Directive((EU Directive 2022/2555 (NIS2): https://eur-lex.europa.eu/eli/dir/2022/2555/oj)) has been in force since October 2024 and requires "state of the art" cryptography for critical infrastructures.

Affected sectors:
  * Energy, Transport, Health
  * Banking, Financial Markets
  * Digital Infrastructure
  * Public Administration

===== EU PQC Roadmap (June 2025) =====

The EU Commission((European Commission: https://commission.europa.eu/)) has published a coordinated roadmap((EU PQC Transition Recommendation: https://digital-strategy.ec.europa.eu/en/library/recommendation-coordinated-implementation-plan-transition-post-quantum-cryptography)) for PQC transition:

^ Deadline ^ Requirement ^
| End 2025 | Cryptographic inventory |
| End 2026 | National PQC roadmaps, first pilots |
| End 2027 | New products must be PQC-capable (CRA((Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act))) |
| End 2030 | Complete migration for high-risk |

===== DORA =====

The Digital Operational Resilience Act (DORA)((EU Regulation 2022/2554 (DORA): https://eur-lex.europa.eu/eli/reg/2022/2554/oj)) applies since January 2025 for financial companies and requires "robust cryptographic controls".

===== GDPR =====

The General Data Protection Regulation((EU Regulation 2016/679 (GDPR): https://eur-lex.europa.eu/eli/reg/2016/679/oj)) requires "appropriate technical measures" for protecting personal data - PQC is increasingly considered necessary.

===== What Does This Mean for You? =====

  * Inventory: Where is cryptography used?
  * Risk assessment: Which data is long-term sensitive?
  * Planning: When will migration occur?
  * Budget: Plan resources for transition

===== Sources =====

  * [[https://eur-lex.europa.eu/eli/dir/2022/2555/oj|NIS2 Directive (EUR-Lex)]]
  * [[https://eur-lex.europa.eu/eli/reg/2022/2554/oj|DORA Regulation (EUR-Lex)]]
  * [[https://eur-lex.europa.eu/eli/reg/2016/679/oj|GDPR (EUR-Lex)]]
  * [[https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation|ENISA PQC Report]]
  * [[https://digital-strategy.ec.europa.eu/en/library/recommendation-coordinated-implementation-plan-transition-post-quantum-cryptography|EU PQC Transition Recommendation]]