Summary
The EU is signaling that quantum risk has entered the mainstream of regulatory cyber governance. Under NIS2 and DORA, CISOs are already required to run risk management that tracks material, evolving threats and to implement state-of-the-art controls. With the EU's post-quantum cryptography roadmap, quantum is now one of the threats that risk management must govern.
Rather than prescribing algorithm X by date Y for most private entities, the EU is building a layered regime that makes crypto agility and cryptographic asset management auditable. A coordinated PQC timeline gives supervisors, auditors, customers, and procurement a common yardstick for testing whether your cryptography will still hold up around 2030 to 2035; in practice that means showing where quantum-vulnerable public-key algorithms (RSA and elliptic-curve) are still in use and how and when they will be replaced.
NIS2 barely mentions quantum by name, yet its real leverage is structural. Once public authorities define PQC as a relevant threat and publish milestones, NIS2 pulls it into your governance scope and ties it to controls and penalties. For leadership teams, the shift is clear: treat PQC readiness as an enterprise control surface; inventory and own your cryptography (keys, certificates, protocols, libraries, and the systems that depend on them, each with a named owner); and prove, with tested procedures rather than assertions, that you can swap algorithms safely as standards mature.
Read more: see the original article at https://postquantum.com/quantum-policies/nis2-dora-pqc-quantum/
