3.4 EU Regulation
European requirements for Post-Quantum security.
NIS2 Directive
The NIS2 Directive1) has been in force since October 2024 and requires "state of the art" cryptography for critical infrastructures.
Affected sectors:
- Energy, Transport, Health
- Banking, Financial Markets
- Digital Infrastructure
- Public Administration
EU PQC Roadmap (June 2025)
The EU Commission2) has published a coordinated roadmap3) for PQC transition:
| Deadline | Requirement |
|---|---|
| End 2025 | Cryptographic inventory |
| End 2026 | National PQC roadmaps, first pilots |
| End 2027 | New products must be PQC-capable (CRA4)) |
| End 2030 | Complete migration for high-risk |
DORA
The Digital Operational Resilience Act (DORA)5) has applied to financial companies since January 2025 and requires "robust cryptographic controls".
GDPR
The General Data Protection Regulation6) requires "appropriate technical measures" for protecting personal data, and PQC is increasingly considered necessary.
What Does This Mean for You?
- Inventory: Where is cryptography used?
- Risk assessment: Which data is long-term sensitive?
- Planning: When will migration occur?
- Budget: Plan resources for transition
Sources
1) EU Directive 2022/2555 (NIS2): https://eur-lex.europa.eu/eli/dir/2022/2555/oj
2) European Commission: https://commission.europa.eu/
3) EU PQC Transition Recommendation: https://digital-strategy.ec.europa.eu/en/library/recommendation-coordinated-implementation-plan-transition-post-quantum-cryptography
4) Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
5) EU Regulation 2022/2554 (DORA): https://eur-lex.europa.eu/eli/reg/2022/2554/oj
6) EU Regulation 2016/679 (GDPR): https://eur-lex.europa.eu/eli/reg/2016/679/oj
Last modified: 2026/01/29 at 11:28 PM