3.4 EU Regulation

European requirements for Post-Quantum security.

NIS2 Directive

The NIS2 Directive¹⁾ has been in force since October 2024 and requires „state of the art“ cryptography for critical infrastructures.

Affected sectors:

Energy, Transport, Health
Banking, Financial Markets
Digital Infrastructure
Public Administration

EU PQC Roadmap (June 2025)

The EU Commission²⁾ has published a coordinated roadmap³⁾ for PQC transition:

Deadline	Requirement
End 2025	Cryptographic inventory
End 2026	National PQC roadmaps, first pilots
End 2027	New products must be PQC-capable (CRA⁴⁾)
End 2030	Complete migration for high-risk

DORA

The Digital Operational Resilience Act (DORA)⁵⁾ applies since January 2025 for financial companies and requires „robust cryptographic controls“.

The General Data Protection Regulation⁶⁾ requires „appropriate technical measures“ for protecting personal data - PQC is increasingly considered necessary.

What Does This Mean for You?

Inventory: Where is cryptography used?
Risk assessment: Which data is long-term sensitive?
Planning: When will migration occur?
Budget: Plan resources for transition

Sources

¹⁾

EU Directive 2022/2555 (NIS2): https://eur-lex.europa.eu/eli/dir/2022/2555/oj

²⁾

European Commission: https://commission.europa.eu/

³⁾

EU PQC Transition Recommendation: https://digital-strategy.ec.europa.eu/en/library/recommendation-coordinated-implementation-plan-transition-post-quantum-cryptography

⁴⁾

Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

⁵⁾

EU Regulation 2022/2554 (DORA): https://eur-lex.europa.eu/eli/reg/2022/2554/oj

⁶⁾

EU Regulation 2016/679 (GDPR): https://eur-lex.europa.eu/eli/reg/2016/679/oj