====== 2.1 Compliance ======

Regulatory conformance and audit documentation for post-quantum cryptography.

----

===== Compliance Framework =====

<code mermaid>
flowchart TB
    subgraph EU["EU Law"]
        NIS2["NIS2 Directive<br/>(EU) 2022/2555"]
        GDPR["GDPR<br/>Art. 32"]
        DORA["DORA<br/>Financial Sector"]
    end
    subgraph DE["German Law"]
        ITSIG["IT Security Act 2.0"]
        KRITIS["KRITIS Regulation"]
        BSI["BSI IT-Grundschutz"]
    end
    subgraph INT["International Standards"]
        NIST["NIST FIPS<br/>203/204"]
        FIPS["FIPS 140-3"]
    end
    WVDS[("WvdS<br/>PQ-Crypto")]
    NIS2 --> WVDS
    GDPR --> WVDS
    DORA --> WVDS
    ITSIG --> WVDS
    KRITIS --> WVDS
    BSI --> WVDS
    NIST --> WVDS
    FIPS --> WVDS
    style WVDS fill:#4caf50,color:#fff
</code>

----

===== Detailed Compliance Documentation =====

^ Document ^ Description ^ Target Audience ^
| [[.:bsi-grundschutz|BSI IT-Grundschutz]] | Mapping to BSI modules (CON.1, CON.5, OPS.1.1.5) | IT Security Officers |
| [[.:nis2|NIS2 Directive]] | EU 2022/2555 for critical infrastructure | Critical Infrastructure Operators |
| [[.:it-sig-2|IT Security Act 2.0]] | German implementation of EU requirements | Compliance Managers |
| [[.:dsgvo-verschluesselung|GDPR Art. 32]] | Encryption of personal data | Data Protection Officers |
| [[.:kritis-verordnung|KRITIS Regulation]] | Sector-specific requirements | Critical Infrastructure Operators |
| [[.:audit-checkliste|Audit Checklist]] | Audit checkpoints for auditors | Auditors, BSI |

----

===== NIST Standards =====

The library implements the final NIST standards for PQ cryptography:

^ Standard ^ Algorithm ^ Usage ^ Status ^
| FIPS 203((NIST FIPS 203: https://csrc.nist.gov/pubs/fips/203/final)) | ML-KEM | Key encapsulation | Final (2024) |
| FIPS 204((NIST FIPS 204: https://csrc.nist.gov/pubs/fips/204/final)) | ML-DSA | Digital signatures | Final (2024) |

These standards are the result of the 8-year NIST Post-Quantum Cryptography Standardization Project.

----

===== Regulatory Recommendations =====

==== BSI (Germany) ====

The Federal Office for Information Security recommends:

  * Migration to PQ cryptography by 2030((BSI: "Quantum-Safe Cryptography - BSI Recommendations for Action", September 2024, Section 3.1: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten-Kryptografie_Handlungsempfehlungen.pdf))
  * Hybrid solutions for the transition period((BSI TR-02102-1: "Cryptographic Mechanisms: Recommendations and Key Lengths", Version 2024-01, Chapter 7: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf))
  * Priority for long-lived data (>10 years protection requirement)((BSI: "Quantum-Safe Cryptography - Fundamentals, Current Developments and Recommendations", 2021, Section 5.2: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.pdf))

==== ENISA (EU) ====

The European Agency for Cybersecurity((ENISA: https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation)) recommends:

  * Immediate evaluation of PQ solutions
  * Crypto agility as a design principle
  * Inventory of cryptographic assets

----

===== Industry-Specific Requirements =====

^ Industry ^ Relevance ^ Regulation ^ WvdS Scenario ^
| Energy/Utilities | Critical | NIS2, KRITIS Regulation | [[en:int:pqcrypt:szenarien:branchen:energie:start|Energy]] |
| Healthcare | Critical | GDPR, DiGAV | [[en:int:pqcrypt:szenarien:branchen:healthcare:start|Healthcare]] |
| Finance | Critical | DORA, PSD2 | Finance Scenarios |
| Industry | High | NIS2, BSI | [[en:int:pqcrypt:szenarien:branchen:industrie:start|Industry]] |
| Automotive | High | UN R155/R156 | [[en:int:pqcrypt:szenarien:branchen:automotive:start|Automotive]] |
| Government | Critical | BSI TR, NIS2 | Government Scenarios |

----

===== Quick Mapping: Requirements to WvdS =====

^ Requirement ^ Regulation ^ WvdS Component ^
| Cryptography policies | NIS2 Art. 21(2)h | CryptoConfig, [[en:int:pqcrypt:konzepte:algorithmen|Algorithms]] |
| State of the art | GDPR Art. 32 | ML-DSA/ML-KEM (NIST 2024) |
| Crypto concept | BSI CON.1 | [[en:int:pqcrypt:konzepte:start|Concepts]] |
| Key management | BSI CON.5 | [[en:int:pqcrypt:api:keyderivation:start|KeyDerivation]] |
| Logging | BSI OPS.1.1.5 | Audit Logging |
| Supply chain security | NIS2 Art. 21(2)d | OpenSSL 3.6 (Open Source) |

----

===== Audit Support =====

**Demonstrable Compliance:**

  * NIST FIPS 203/204 algorithms
  * OpenSSL 3.6 (FIPS 140-3 validatable base)
  * Hybrid signatures documented (X.509 extension)
  * Complete API documentation -> [[en:int:pqcrypt:api:start|API Reference]]

**Documentation for Audits:**

  * Algorithm selection justified (NIST standard)
  * Key management documented
  * Migration path traceable
  * -> [[.:audit-checkliste|Audit Checklist]]

----

===== Further Reading =====

  * [[..:risiko|Risk]] - Why act now
  * [[..:migration-roadmap|Strategy & Technology]] - Implementation planning
  * [[en:int:pqcrypt:konzepte:algorithmen|Algorithms]] - Technical details

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>compliance nist fips bsi enisa nis2 gdpr kritis}}