PostQuantum.com. Link to the post: https://postquantum.com/security-pqc/eu-pqc-nis2/

Summary

On 20 January 2026, the European Commission tabled COM(2026) 13 final to refine NIS2 as part of a broader simplification package linked to Cybersecurity Act 2. Beyond streamlining scope definitions, easing cross-border supervision, adding ransomware reporting, and enabling cyber posture certification, the quiet headline for quantum security is a policy shift that elevates PQC from implication to obligation.

The proposal adds Article 7(2)(k), requiring every Member State to include a policy for the transition to post-quantum cryptography in its national cybersecurity strategy, aligned with EU timelines and related legal acts. This closes the gap between NIS2’s state-of-the-art cryptography requirement and prior EU guidance, notably the 2024 PQC Recommendation and the 2025 coordinated roadmap. If adopted, PQC migration planning becomes a mandatory, named element of national strategy across the EU.

For CISOs and cyber leaders, the signal is clear. Formalize PQC programs now: inventory cryptography across systems and suppliers, prioritize high-risk communications and long-lived data, build crypto-agility and modern key management, and align plans with expected EU timelines to de-risk audits and supervision. Expect more consistent cross-border expectations, tighter ransomware reporting obligations, and the option to use certification to evidence readiness. Early movers can shape national playbooks and procurement baselines while reducing transition risk.


See the original article at: https://postquantum.com/security-pqc/eu-pqc-nis2/
