Cryptographic agility is the architectural property of a system that allows it to replace or upgrade its cryptographic algorithms, key sizes, and protocols centrally, without requiring changes to every application that relies on them. For European organisations in regulated sectors, this property has moved from a nice-to-have engineering principle to a hard compliance and security requirement, driven simultaneously by the post-quantum transition timeline and by audit expectations under NIS-2, DORA, and ISO/IEC 27001.
Why Cryptographic Agility Is Now a Prerequisite
Organisations that lack cryptographic agility face a specific and expensive failure mode: when an algorithm is deprecated or broken, every system that hardcodes that algorithm must be individually patched, tested, and redeployed. In a large public-sector or financial institution with hundreds of applications and integration points, that work can take years, during which exposure is unmanaged.
The urgency is not hypothetical. NIST IR 8547, published in 2024, sets a clear migration schedule: classical key-establishment algorithms such as RSA and ECDH should not be used in new systems after 2030 and reach their hard end-of-life in 2035. Organisations building systems today that lack agility will almost certainly face a forced, disruptive migration inside that window.
“The migration to post-quantum cryptography is not simply a matter of replacing one algorithm with another. It requires a fundamental rethinking of how cryptographic dependencies are managed across an organisation’s entire technology stack.” — Dustin Moody, Lead mathematician, NIST Post-Quantum Cryptography Standardization project
The financial stakes for getting this wrong are concrete. According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach globally reached USD 4.88 million, the highest figure in the report’s history. A breach triggered by exploitation of an outdated or unpatched cryptographic implementation compounds both the direct cost and the regulatory exposure under GDPR Article 83.
What NIST CSWP 39 Recommends for Sovereign Environments
NIST Cybersecurity White Paper CSWP 39 provides the most detailed authoritative treatment of crypto agility as a design objective. Its central definition is precise: cryptographic agility is “the ability of a system to switch between cryptographic algorithms and update cryptographic mechanisms without significant changes to the system’s infrastructure.”
For sovereign on-premises environments, CSWP 39’s practical recommendations translate into four actionable design principles. First, cryptographic decisions should be externalised: algorithms, key lengths, and protocol versions should be configured parameters, not compiled constants. Second, a centralised cryptographic service or key management system should act as the single point of algorithm policy, so that rotating from ECDSA to ML-DSA (formerly CRYSTALS-Dilithium) affects policy in one place, not in fifty applications. Third, organisations should maintain an inventory of all cryptographic assets, including every certificate, every key type, every library version, and every protocol in use. Fourth, automated testing of cryptographic transitions should be part of the continuous integration pipeline, so that a proposed algorithm change can be validated before it reaches production.
Designing Key Management, TLS, and API Authentication for Central Rotation
The architectural goal is to eliminate cryptographic coupling between individual applications and specific algorithm implementations. This is achieved through three layered controls.
Centralised Key Management
A hardware security module (HSM) cluster, operated under the organisation’s own key custody and integrated with a secrets manager such as HashiCorp Vault or its open-source equivalents, becomes the authoritative source of cryptographic operations. Applications call the key management service via API and receive signed outputs; they never handle raw key material or make algorithm decisions themselves. When the organisation rotates to a new algorithm, only the key management policy changes. Applications are unaffected because they were never aware of which algorithm was running.
TLS Configuration Management
TLS cipher suite selection should be driven by a central configuration management tool, applied uniformly across all endpoints via infrastructure-as-code. OpenSSL 3.5, released in 2025, is the first OpenSSL major release to ship with built-in support for the NIST PQC standards ML-KEM and ML-DSA. Organisations standardising on OpenSSL 3.5 across their server fleet can activate or deactivate post-quantum cipher suites through configuration changes alone, without application code changes.
API Authentication Layers
JSON Web Token (JWT) signing algorithms should be specified in a central identity provider configuration, not in individual microservices. If a service requests token validation, it calls the identity provider’s JWKS endpoint; when the signing key rotates from RS256 to PS256 or to a post-quantum signature scheme, the consuming services observe the change automatically through key discovery, rather than requiring reconfiguration.
Hybrid PQ/T Modes as a Migration Bridge
Deploying pure post-quantum algorithms immediately carries interoperability risk: not all counterparties, devices, or legacy systems support the new algorithm families yet. Hybrid modes solve this by combining a classical algorithm and a post-quantum algorithm in the same handshake, so that security holds as long as either component remains unbroken.
| Protocol | Hybrid mechanism | Classical component | PQC component | Status |
|---|---|---|---|---|
| TLS 1.3 | Hybrid key exchange (e.g. X25519MLKEM768) | X25519 (ECDH) | ML-KEM-768 (CRYSTALS-Kyber) | Supported in OpenSSL 3.5, Chrome 124+, Cloudflare |
| IKEv2 / IPsec | draft-hu-ipsecme-pqt-hybrid-auth | RSA or ECDSA | ML-DSA or similar | IETF draft; vendor implementations emerging |
For IPsec VPN gateways protecting remote and travelling staff, the IETF draft-hu-ipsecme-pqt-hybrid-auth defines how IKEv2 can carry both a classical and a post-quantum authentication credential simultaneously. This is directly relevant to organisations using sovereign quantum-safe gateways, because remote endpoints such as laptops running legacy operating systems may not yet support standalone PQC authentication.
The question of when to drop the classical component has a structured answer in NIST IR 8547: once the classical algorithm reaches its deprecation date (2030 for RSA and ECDH in new systems), and once the organisation’s counterparties have broadly completed their own PQC migrations, the classical half of the hybrid can be retired. Until both conditions are met, removing it prematurely reintroduces interoperability risk without meaningful security gain.
Discovering Hardcoded Cryptographic Assumptions in Legacy Systems
A cryptographic inventory cannot be built from architecture diagrams alone; real deployments routinely contain cryptographic assumptions that no diagram documents. The discovery process requires at minimum three approaches running in parallel.
Static application security testing tools with cryptography-aware rulesets, such as Semgrep with community crypto detection rules or SonarQube’s security plugin, scan source code for hardcoded algorithm strings, deprecated API calls, and fixed key sizes. For compiled binaries or third-party components where source is unavailable, binary analysis identifies cryptographic constants embedded in executable code. Dependency scanning tools such as OWASP Dependency-Check flag library versions with known weak-cryptography CVEs, which frequently indicates that an application inherited a hardcoded algorithm choice from a dependency it does not control.
Europol’s Internet Organised Crime Threat Assessment 2023 identified ransomware as the most financially damaging form of cybercrime affecting European organisations. Many ransomware attacks exploit weak or misconfigured cryptographic controls, including self-signed certificates that disable verification, or legacy SSH configurations. The inventory process described above will surface exactly these weaknesses alongside the post-quantum gaps.
Prioritisation of findings should weight three factors: the data sensitivity of the system containing the vulnerability, the exposure surface (internet-facing systems before internal), and the remediation complexity. A finding in an internet-facing API gateway using RSA-1024 for token signing ranks higher than the same weakness in an air-gapped archival system, even if both are technically critical.
Demonstrating Crypto-Agility Readiness to Auditors
NIS-2 Article 21 requires operators of essential and important entities to implement “appropriate and proportionate technical and organisational measures” to manage cybersecurity risks, which national supervisory authorities in several EU member states have begun interpreting to include documented cryptographic lifecycle management. DORA Article 9 applies equivalent requirements to financial entities, and additionally requires that ICT risk management frameworks be tested and reviewed on defined schedules. ISO/IEC 27001:2022 Annex A control 8.24 specifically addresses the use of cryptography and requires a policy covering key management, algorithm selection, and key lifecycle.
A CISO presenting crypto-agility readiness to an auditor should be able to produce four artefacts: a current cryptographic asset register covering all certificates, keys, algorithms, and library versions; a documented algorithm policy that specifies approved algorithms, minimum key lengths, and review cadence; evidence of at least one completed algorithm rotation exercise (even a test rotation in a non-production environment demonstrates the process works); and a migration roadmap aligned to the NIST IR 8547 timeline, showing how each identified classical-algorithm dependency will be remediated before 2030.
For sovereign infrastructure operators, the compliance argument has an additional dimension. Organisations hosting on-premises or in a Swiss jurisdiction under the revised Federal Act on Data Protection retain full key custody, which means algorithm rotation decisions are entirely internal. A public cloud customer, by contrast, must negotiate algorithm changes with the provider, wait for the provider’s roadmap, and accept shared-responsibility limitations on what can be demonstrated to an auditor. Cryptographic agility and sovereign infrastructure reinforce each other: agility provides the operational mechanism for algorithm transitions, and sovereignty provides the legal and operational authority to execute them on the organisation’s own schedule.
FAQ
What is the difference between cryptographic agility and post-quantum cryptography?
Post-quantum cryptography refers to specific algorithm families designed to resist attacks from quantum computers, such as ML-KEM and ML-DSA standardised by NIST in 2024. Cryptographic agility is the architectural capability to swap any algorithm, including to PQC algorithms, without disrupting services. You need agility to adopt PQC cleanly; PQC alone does not give you agility.
When should an organisation drop the classical component in a hybrid PQ/T TLS 1.3 connection?
NIST IR 8547 sets 2030 as the point after which new systems should not rely on classical algorithms such as RSA and ECDH. Organisations should retire the classical component in hybrid modes once their counterparties have broadly deployed PQC-capable stacks and once NIST CMVP validations for their chosen PQC modules are confirmed. Until both conditions are met, the hybrid mode provides protection against future quantum attacks while maintaining compatibility with today’s infrastructure.
Does cryptographic agility apply only to TLS, or does it extend to stored data and backups?
Cryptographic agility must cover every layer where cryptography is applied: data in transit (TLS, IKEv2), data at rest (disk encryption, database-level encryption), authentication tokens (JWTs, API keys), code signing, and backup encryption. Organisations that address only TLS but leave backups encrypted with RSA-2048 remain exposed to harvest-now-decrypt-later attacks, where an adversary collects ciphertext today and decrypts it once a sufficiently capable quantum computer becomes available.
How does sovereign hosting in Switzerland or within the EU affect cryptographic agility obligations under NIS-2 and DORA?
Sovereign hosting removes the risk that a foreign government compels a cloud provider to expose keys under instruments such as the US CLOUD Act or FISA 702, but it does not itself provide cryptographic agility. NIS-2 Article 21 and DORA Article 9 both require organisations to maintain and test their ability to update security controls. Sovereign on-premises or Swiss-hosted infrastructure gives organisations full control over their key management systems, making centrally managed algorithm rotation achievable in a way that public cloud shared-responsibility models structurally complicate.
Which tool categories help discover hardcoded cryptographic assumptions in legacy codebases?
Static application security testing tools with cryptography-aware rulesets, such as Semgrep with community crypto rules or SonarQube’s security plugins, scan source code for hardcoded algorithm names and deprecated API calls. Dependency scanners such as OWASP Dependency-Check flag libraries with known weak-crypto CVEs. For compiled or third-party binaries, binary analysis tools identify embedded cryptographic constants. Findings should be prioritised by data sensitivity, exposure surface (internet-facing before internal), and remediation complexity.
