Inhaltsverzeichnis

2.1 Compliance

Regulatory conformance and audit documentation for post-quantum cryptography.

Compliance Framework

flowchart TB subgraph EU["EU Law"] NIS2["NIS2 Directive
(EU) 2022/2555"] GDPR["GDPR
Art. 32"] DORA["DORA
Financial Sector"] end subgraph DE["German Law"] ITSIG["IT Security Act 2.0"] KRITIS["KRITIS Regulation"] BSI["BSI IT-Grundschutz"] end subgraph INT["International Standards"] NIST["NIST FIPS
203/204"] FIPS["FIPS 140-3"] end WVDS[("WvdS
PQ-Crypto")] NIS2 --> WVDS GDPR --> WVDS DORA --> WVDS ITSIG --> WVDS KRITIS --> WVDS BSI --> WVDS NIST --> WVDS FIPS --> WVDS style WVDS fill:#4caf50,color:#fff

Detailed Compliance Documentation

Document Description Target Audience
BSI IT-Grundschutz Mapping to BSI modules (CON.1, CON.5, OPS.1.1.5) IT Security Officers
NIS2 Directive EU 2022/2555 for critical infrastructure Critical Infrastructure Operators
IT Security Act 2.0 German implementation of EU requirements Compliance Managers
GDPR Art. 32 Encryption of personal data Data Protection Officers
KRITIS Regulation Sector-specific requirements Critical Infrastructure Operators
Audit Checklist Audit checkpoints for auditors Auditors, BSI

NIST Standards

The library implements the final NIST standards for PQ cryptography:

Standard Algorithm Usage Status
FIPS 2031) ML-KEM Key encapsulation Final (2024)
FIPS 2042) ML-DSA Digital signatures Final (2024)

These standards are the result of the 8-year NIST Post-Quantum Cryptography Standardization Project.

Regulatory Recommendations

BSI (Germany)

The Federal Office for Information Security recommends:

ENISA (EU)

The European Agency for Cybersecurity6) recommends:

Industry-Specific Requirements

Industry Relevance Regulation WvdS Scenario
Energy/Utilities Critical NIS2, KRITIS Regulation Energy
Healthcare Critical GDPR, DiGAV Healthcare
Finance Critical DORA, PSD2 Finance Scenarios
Industry High NIS2, BSI Industry
Automotive High UN R155/R156 Automotive
Government Critical BSI TR, NIS2 Government Scenarios

Quick Mapping: Requirements to WvdS

Requirement Regulation WvdS Component
Cryptography policies NIS2 Art. 21(2)h CryptoConfig, Algorithms
State of the art GDPR Art. 32 ML-DSA/ML-KEM (NIST 2024)
Crypto concept BSI CON.1 Concepts
Key management BSI CON.5 KeyDerivation
Logging BSI OPS.1.1.5 Audit Logging
Supply chain security NIS2 Art. 21(2)d OpenSSL 3.6 (Open Source)

Audit Support

Demonstrable Compliance:

Documentation for Audits:

Further Reading

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

, , , , , , ,
1)
NIST FIPS 203: https://csrc.nist.gov/pubs/fips/203/final
2)
NIST FIPS 204: https://csrc.nist.gov/pubs/fips/204/final
3)
BSI: „Quantum-Safe Cryptography - BSI Recommendations for Action“, September 2024, Section 3.1: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten-Kryptografie_Handlungsempfehlungen.pdf
4)
BSI TR-02102-1: „Cryptographic Mechanisms: Recommendations and Key Lengths“, Version 2024-01, Chapter 7: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf
5)
BSI: „Quantum-Safe Cryptography - Fundamentals, Current Developments and Recommendations“, 2021, Section 5.2: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.pdf
6)
ENISA: https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation