The EU post-quantum cryptography (PQC) transition roadmap is the coordinated set of legally grounded deadlines, algorithm standards and governance expectations that require European critical infrastructure operators, essential entities under NIS-2 and regulated financial firms under DORA to replace classical public-key cryptography with quantum-resistant alternatives before adversarial quantum computing makes current encryption obsolete. The roadmap is not a distant aspiration: it carries supervisory weight today.
What the NIS Cooperation Group Roadmap v1.1 Requires and When
The EU NIS Cooperation Group’s Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, Version 1.1, published in June 2025, sets hard milestones at end-2026 and end-2030 for Member States and critical infrastructure operators, with a further target of 2035 for the remaining estate.
By end-2026, operators must have completed a full cryptographic inventory covering all systems that use public-key cryptography, completed a risk-based classification of that inventory (distinguishing long-lived sensitive data from transient operational data), begun hybrid deployments on the highest-risk communication layers, and established board-level PQC governance including a named migration owner and a formal programme plan.
By end-2030, the high-risk use cases in critical infrastructure sectors must have been migrated to quantum-safe cryptography, and the roadmap extends the target to as many remaining systems as feasible by 2035. It is explicit that hybrid operation (running classical and quantum-safe algorithms in parallel) is a transitional measure, not a permanent state. Operators still running purely classical RSA or elliptic-curve Diffie-Hellman on any sensitive channel after 2030 will be in direct tension with the expected standard of care under NIS-2 Article 21.
Commission Recommendation C(2024) 2393: From Soft Law to Supervisory Expectation
Commission Recommendation C(2024) 2393, adopted in April 2024, is technically non-binding, but its practical effect on regulated entities is substantial. Supervisory authorities under NIS-2 and the European Supervisory Authorities overseeing DORA use recommendations as reference documents when assessing whether an entity has taken “appropriate and proportionate technical measures” under NIS-2 Article 21 and DORA Article 9.
The Recommendation asks Member States to develop national PQC transition plans aligned with the NIS Cooperation Group roadmap, to promote awareness among essential and important entities, and to prioritise PQC in public procurement. For compliance officers and DPOs at banks, insurers and market infrastructure operators, the Recommendation translates operationally into three obligations: classify cryptographic risk by asset type and data longevity; begin hybrid deployments on internet-facing services before the end of 2026; and document migration progress in a form that can be presented to auditors and supervisors on request.
DORA’s ICT risk management framework (Articles 5 through 16) already requires financial entities to identify, classify and manage ICT risks continuously. Cryptographic obsolescence, once a theoretical concern, now appears explicitly in supervisory guidance as a component of technology risk that must be addressed in ICT risk registers.
ETSI Quantum-Safe Hybrid Key Exchange Standards: Priority Order for Implementation
ETSI published its quantum-safe hybrid key exchange specification in March 2025, giving sovereign infrastructure operators the technical basis to begin hybrid deployments without waiting for a full algorithm migration. The scheme combines a classical key agreement (ECDH, in practice X25519) with a quantum-safe key encapsulation mechanism (ML-KEM, standardised as FIPS 203) and derives the session key from both shared secrets through a single key derivation function, so the session key stays secure as long as at least one of the two components remains unbroken.
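The exchange described above, written out as an added example (this is not ETSI's reference code, and the message framing, the KDF label and the use of the transcript hash as salt are this example's own choices). It uses only the Go standard library and assumes Go 1.24 or later for crypto/mlkem and crypto/hkdf. In deployment the equivalent is the X25519MLKEM768 named group that current TLS 1.3 stacks negotiate; the combiner here mirrors that construction: concatenate both shared secrets, then run one KDF over them.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Offer is the initiator's first message: ephemeral X25519 public key (32 bytes)
// and ephemeral ML-KEM-768 encapsulation key (1184 bytes).
type Offer struct{ ECDHPub, KEMPub []byte }

// Response is the reply: responder's ephemeral X25519 public key and the
// ML-KEM-768 ciphertext (1088 bytes) encapsulated to the initiator's KEMPub.
type Response struct{ ECDHPub, KEMCt []byte }

// Initiator keeps both private halves until the Response arrives.
type Initiator struct {
	ecdhPriv *ecdh.PrivateKey
	kemPriv  *mlkem.DecapsulationKey768
	offer    *Offer
}

// NewInitiator generates fresh ephemeral keys for both components.
func NewInitiator() (*Initiator, error) {
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kemPriv, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	offer := &Offer{ECDHPub: ecdhPriv.PublicKey().Bytes(), KEMPub: kemPriv.EncapsulationKey().Bytes()}
	return &Initiator{ecdhPriv: ecdhPriv, kemPriv: kemPriv, offer: offer}, nil
}

// Offer returns the message the initiator sends first.
func (i *Initiator) Offer() *Offer { return i.offer }

// Respond runs the responder side: one X25519 agreement, one ML-KEM encapsulation,
// then the combiner. It returns the reply and the responder's copy of the key.
func Respond(offer *Offer) (*Response, []byte, error) {
	peerECDH, err := ecdh.X25519().NewPublicKey(offer.ECDHPub)
	if err != nil {
		return nil, nil, err // wrong length or otherwise malformed point
	}
	peerKEM, err := mlkem.NewEncapsulationKey768(offer.KEMPub)
	if err != nil {
		return nil, nil, err
	}
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssECDH, err := ecdhPriv.ECDH(peerECDH)
	if err != nil {
		return nil, nil, err
	}
	ssKEM, ct := peerKEM.Encapsulate()
	resp := &Response{ECDHPub: ecdhPriv.PublicKey().Bytes(), KEMCt: ct}
	key, err := combine(ssECDH, ssKEM, offer, resp)
	return resp, key, err
}

// Finish completes the initiator side. ML-KEM decapsulation uses implicit
// rejection: a corrupted ciphertext of valid length yields a different pseudorandom
// secret rather than an error, so the mismatch only shows up at key confirmation
// (in TLS, the Finished message or the first AEAD record).
func (i *Initiator) Finish(resp *Response) ([]byte, error) {
	peerECDH, err := ecdh.X25519().NewPublicKey(resp.ECDHPub)
	if err != nil {
		return nil, err
	}
	ssECDH, err := i.ecdhPriv.ECDH(peerECDH)
	if err != nil {
		return nil, err
	}
	ssKEM, err := i.kemPriv.Decapsulate(resp.KEMCt)
	if err != nil {
		return nil, err
	}
	return combine(ssECDH, ssKEM, i.offer, resp)
}

// combine derives the session key from BOTH shared secrets and the public
// transcript: concatenate, then one KDF. An attacker who breaks one component
// still lacks the other 32 bytes of KDF input. Label and salt are example choices.
func combine(ssECDH, ssKEM []byte, offer *Offer, resp *Response) ([]byte, error) {
	transcript := sha256.Sum256(bytes.Join([][]byte{offer.ECDHPub, offer.KEMPub, resp.ECDHPub, resp.KEMCt}, nil))
	ikm := append(append([]byte{}, ssECDH...), ssKEM...)
	return hkdf.Key(sha256.New, ikm, transcript[:], "example-hybrid-x25519-mlkem768", 32)
}

func main() {
	alice, _ := NewInitiator()
	resp, bobKey, _ := Respond(alice.Offer())
	aliceKey, _ := alice.Finish(resp)
	fmt.Printf("session keys match: %v (%d bytes)\n", bytes.Equal(aliceKey, bobKey), len(aliceKey))
}
```

The practitioner check this enables is the negative case: flip a byte of the ML-KEM ciphertext in transit and the two sides silently derive different keys, because FIPS 203 decapsulation never reports an invalid ciphertext. Whatever protocol wraps the hybrid exchange must therefore carry explicit key confirmation, exactly as TLS 1.3 does.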
The priority order for implementation, as indicated by both the ETSI standard and the NIS Cooperation Group roadmap, follows the exposure surface of each layer:
| Layer | Protocol | Recommended algorithm (primary) | Implementation priority |
|---|---|---|---|
| Transport security | TLS 1.3 | ML-KEM (FIPS 203) hybrid with X25519 | First (highest internet exposure) |
| Remote access | IPsec / VPN gateways | ML-KEM hybrid in IKEv2 | Second (remote workforce and site-to-site) |
| Email and document signing | S/MIME, CMS | ML-DSA (FIPS 204) for signatures | Third (long-lived signed artefacts) |
| PKI and certificate infrastructure | X.509 / CA hierarchies | ML-DSA or SLH-DSA (FIPS 205) | Fourth (longest lead time, requires CA replacement) |
PKI migration carries the longest lead time because it requires retiring root certificate authorities, reissuing the entire certificate hierarchy and coordinating with every relying party that pins or validates those certificates. Organisations that defer PKI planning until after TLS and VPN migration is complete will almost certainly miss the 2030 milestone.
Structuring PQC Migration Governance
The NIS Cooperation Group roadmap and NIST IR 8547 (Draft, November 2024) converge on a four-phase governance model that compliance officers can map directly to existing risk management frameworks.
Phase 1: Cryptographic inventory (complete ahead of the end-2026 milestone). Catalogue every system, protocol and library that uses public-key cryptography. This includes TLS certificates, VPN configurations, SSH keys, code-signing certificates, HSM-protected keys and any application-level encryption. The inventory must record algorithm, key length, certificate lifetime, the sensitivity classification of data protected by each asset, and whether the key lives in software, an HSM or a cloud key management service, since that determines whether the asset can be upgraded in place or must be replaced.
Phase 2: Risk prioritisation. Apply a longevity test: data that must remain confidential for more than five years warrants immediate hybrid protection, because it is the data most exposed to harvest-now-decrypt-later collection. NIST IR 8547 advises prioritising systems that protect national security information, financial records subject to long retention requirements, and medical or legal data. For European organisations, this maps directly to special-category personal data under GDPR Article 9 and to data subject to sector-specific retention obligations under DORA (and, where Swiss law also applies, the revised FADP).
Phase 3: Algorithm deprecation scheduling. NIST IR 8547 (draft) proposes deprecating quantum-vulnerable public-key algorithms at the 112-bit security level (RSA-2048 and comparable) after 2030 and disallowing all quantum-vulnerable public-key algorithms, RSA and elliptic-curve schemes at any key size, after 2035. The EU roadmap does not set its own disallowance date, and supervisory authorities are likely to reference NIST’s schedule when assessing essential entities. Compliance officers should build deprecation dates into vendor contracts now, using break clauses or mandatory upgrade provisions.
Phase 4: Board-level reporting. The NIS-2 management body accountability requirement (Article 20) means that boards of essential entities must be informed of and accountable for cybersecurity risk management. PQC migration status should appear in quarterly risk reporting as a named programme with RAG status, budget, milestone dates and escalation triggers.
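Phases 1 to 3 above, carried through as an added example in Go (not code from the roadmap or NIST). It parses a certificate bundle, records algorithm, classical strength and expiry for each key, then assigns a priority from the five-year longevity test and the NIST IR 8547 draft schedule, producing rows that can feed the Phase 4 report. The three self-signed certificates and their hostnames are constructed sample input, and the bit-strength mapping for RSA moduli follows the SP 800-57 convention (2048 bits: 112, 3072 bits: 128, 7680 bits: 192).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Record is one inventory row: Phase 1 facts (algorithm, strength, expiry) plus
// the Phase 2/3 classification derived from them.
type Record struct {
	Subject, Algorithm, Priority         string
	SecurityBits, DataLifetimeYears      int
	QuantumVulnerable, OutlivesMilestone bool // OutlivesMilestone: still valid after 2030
	NotAfter                             time.Time
}

// describeKey labels a parsed public key and estimates its classical strength in
// bits. Unknown key types are reported as vulnerable so they surface for review.
func describeKey(pub any) (string, int, bool) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		n, bits := k.N.BitLen(), 80
		for _, t := range [][2]int{{2048, 112}, {3072, 128}, {7680, 192}} {
			if n >= t[0] {
				bits = t[1]
			}
		}
		return fmt.Sprintf("RSA-%d", n), bits, true
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name, k.Curve.Params().BitSize / 2, true
	case ed25519.PublicKey:
		return "Ed25519", 128, true // modern, but still quantum-vulnerable
	}
	return fmt.Sprintf("unknown (%T)", pub), 0, true
}

// Classify applies the longevity test (data sensitive for 5+ years gets hybrid
// protection now) and the NIST IR 8547 draft schedule: 112-bit quantum-vulnerable
// algorithms deprecated after 2030, all quantum-vulnerable ones disallowed after 2035.
func Classify(cert *x509.Certificate, dataLifetimeYears int) Record {
	alg, bits, vuln := describeKey(cert.PublicKey)
	r := Record{Subject: cert.Subject.CommonName, Algorithm: alg, SecurityBits: bits, QuantumVulnerable: vuln,
		NotAfter: cert.NotAfter, OutlivesMilestone: cert.NotAfter.Year() > 2030, DataLifetimeYears: dataLifetimeYears}
	switch {
	case !vuln:
		r.Priority = "quantum-safe"
	case dataLifetimeYears >= 5:
		r.Priority = "immediate-hybrid" // harvest-now-decrypt-later exposure
	case bits <= 112:
		r.Priority = "deprecate-by-2030"
	default:
		r.Priority = "disallow-by-2035"
	}
	return r
}

// Inventory parses a PEM bundle and classifies every certificate in it;
// lifetimes maps subject CN to data retention years (0 when unknown).
func Inventory(bundle []byte, lifetimes map[string]int) ([]Record, error) {
	var out []Record
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys or CRLs in the same bundle are out of scope here
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, Classify(cert, lifetimes[cert.Subject.CommonName]))
	}
	return out, nil
}

// Constructed input with hypothetical hostnames: three self-signed certificates
// standing in for a VPN gateway, a ten-year archive and a signing service.
var SampleLifetimes = map[string]int{"vpn-gw.example.internal": 1, "archive.example.internal": 10, "signer.example.internal": 1}

func SampleBundle() []byte {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	var bundle []byte
	for _, c := range []struct{ cn string; pub, priv any; years int }{
		{"vpn-gw.example.internal", &rsaKey.PublicKey, rsaKey, 1},
		{"archive.example.internal", &ecKey.PublicKey, ecKey, 10},
		{"signer.example.internal", edPub, edPriv, 1},
	} {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: c.cn},
			NotBefore: time.Now(), NotAfter: time.Now().AddDate(c.years, 0, 0)}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, c.pub, c.priv)
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle
}

func main() {
	records, _ := Inventory(SampleBundle(), SampleLifetimes)
	for _, r := range records {
		fmt.Printf("%-26s %-12s %3d-bit  outlives-2030=%-5v %s\n", r.Subject, r.Algorithm, r.SecurityBits, r.OutlivesMilestone, r.Priority)
	}
}
```

Two design points worth keeping in a real scanner: every key type the parser recognises today is quantum-vulnerable, so the code defaults to "vulnerable" and only a future ML-DSA branch would return false; and the priority is driven by the data owner's retention classification, not by the certificate's own lifetime, which is why the ten-year archive certificate is flagged for immediate hybrid protection while the short-lived RSA-2048 gateway certificate is a 2030 deprecation item.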
Procurement Criteria for PQC-Capable Infrastructure
Selecting vendors without explicit PQC readiness criteria creates lock-in risk: hardware security modules (HSMs), network appliances and cloud services that cannot be upgraded to support ML-KEM and ML-DSA will require forklift replacement at the worst possible time.
Regulated buyers should apply the following criteria at the point of procurement. First, confirm that HSMs support FIPS 203 and FIPS 204 via firmware upgrade rather than hardware replacement; leading HSM vendors have published roadmaps but not all have delivered firmware. Second, for VPN and firewall appliances, require documented support for ML-KEM hybrid key exchange in IKEv2 with a committed delivery date, not merely a statement of intent. Third, for cloud services and SaaS platforms, require explicit contractual commitments to PQC migration timelines aligned with the EU 2030 deadline, and verify that the provider’s key management infrastructure supports quantum-safe key encapsulation. CISA’s 2025 product category guidance identifies sectors where PQC-ready products are already commercially available, including TLS termination appliances, VPN concentrators and PKI software, which gives buyers leverage to reject vendors who cannot demonstrate readiness.
IBM’s Cost of a Data Breach Report 2024 recorded the average cost of a data breach at USD 4.88 million, the highest figure in the report’s history. Organisations that experience a breach attributable to cryptographic weakness after supervisory authorities have made PQC obligations explicit face not only remediation costs but also the prospect of NIS-2 administrative fines of up to EUR 10 million or 2 percent of global annual turnover, whichever is higher.
Expert estimates relied on by NIST and national cyber agencies place a cryptographically relevant quantum computer within roughly 10 to 15 years, a horizon consistent with the EU’s end-2030 milestone for critical infrastructure migration. That window is shorter than the typical procurement and refresh cycle for enterprise network infrastructure, which means the next hardware refresh cycle, not the one after it, is the practical last opportunity to specify PQC-capable equipment without emergency replacement costs.
FAQ: EU PQC Transition Roadmap
What is the harvest-now-decrypt-later threat and why does it make PQC urgent today?
Harvest-now-decrypt-later refers to adversaries intercepting and storing encrypted data now, intending to decrypt it once a cryptographically relevant quantum computer becomes available. Because data captured in 2025 may still be sensitive in 2035, organisations must protect long-lived data with quantum-safe algorithms before quantum capability matures, not after.
Are Commission Recommendation C(2024) 2393 and the NIS Cooperation Group roadmap legally binding?
The Commission Recommendation is not directly binding in the way a regulation is, but it establishes the expected standard of practice that supervisory authorities will reference when assessing whether essential entities under NIS-2 and financial firms under DORA have taken appropriate technical measures. Non-compliance creates direct regulatory risk during audits and incident investigations.
Which NIST algorithms should European organisations prioritise first?
NIST finalised three algorithms in August 2024: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures) and FIPS 205 (SLH-DSA, a stateless hash-based signature scheme). NIST IR 8547 recommends ML-KEM and ML-DSA as primary migration targets for most use cases, with SLH-DSA as a conservative fallback for high-assurance signing environments.
What does the EU 2030 deadline specifically require for critical infrastructure operators?
The NIS Cooperation Group PQC Roadmap v1.1 sets end-2030 as the target for critical infrastructure operators to have migrated their high-risk use cases to quantum-safe cryptography, with as many remaining systems as feasible migrated by 2035. The end-2026 milestone requires completion of cryptographic inventory, risk classification and the start of hybrid deployments on the highest-risk communication layers such as TLS and VPN gateways.
How does NSM-10 affect European organisations with US operations or US federal contracts?
NSM-10, the US National Security Memorandum issued by the White House in May 2022, directs US federal agencies to migrate to NIST-approved PQC algorithms, with 2035 as the target for mitigating quantum risk across federal systems; the requirement reaches vendors and contractors through federal procurement. European organisations that process US federal data, hold US government contracts or operate US-based subsidiaries must satisfy NSM-10-driven timelines alongside EU requirements, which in practice means running their PQC programme to the more demanding of the two schedules.
