Regulatory scope: DORA (Regulation (EU) 2022/2554) is an EU instrument. UK-regulated institutions operate under separate FCA and PRA frameworks; this article addresses their position in a dedicated section. Legislation and associated Regulatory Technical Standards are referenced as of May 2026. This article is analytical commentary, not legal advice. Take qualified counsel before making compliance decisions.

The Digital Operational Resilience Act entered into application on 17 January 2025. Its ICT risk management requirements are now live obligations for EU-regulated financial entities, not a forthcoming framework to plan for. The connection between DORA and post-quantum cryptography is not speculative: the Regulatory Technical Standards that implement DORA's cryptographic controls requirements explicitly name quantum advancements as a category of cryptanalytic threat that financial entities' policies must address.

This article works through what DORA actually requires on cryptographic controls, where those requirements connect to post-quantum cryptography migration, and what the three most significant pressure points are for ICT risk managers. It also addresses where UK institutions sit: outside DORA's jurisdiction, under their own distinct regulatory framework.

What DORA Actually Says About Encryption and Cryptographic Controls

DORA (Regulation (EU) 2022/2554, published in the Official Journal of the EU, OJ L 333, 27 December 2022) applies to 20 categories of EU financial entity under Article 2(1), including credit institutions, investment firms, insurance undertakings, payment institutions, and crypto-asset service providers. ICT third-party service providers who supply services to these entities may also be designated as critical providers under Article 31. The proportionality principle applies throughout: microenterprises (Article 3(60)) may use a simplified ICT risk management framework under Delegated Regulation (EU) 2024/1774, though the cryptographic controls obligation is not absent under the simplified framework: it is scaled.

The primary legislative hook for cryptographic controls is Article 6, which requires each in-scope EU financial entity to maintain an ICT risk management framework documented and reviewed at least annually. Article 8 extends this to the continuous identification and classification of ICT assets and ICT-related risks. Cryptographic algorithms and key material are ICT assets. An EU financial entity that has not inventoried its cryptographic posture has a gap in its Article 8 compliance.

The specific PQC connection is made in Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024. This is the RTS on ICT risk management tools, methods, processes, and policies. Article 6 of that Delegated Regulation requires EU financial entities to develop, document, and implement a policy on encryption and cryptographic controls that includes provisions for "updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis" to ensure it "remains resilient against cyber threats."

The recitals of Delegated Regulation (EU) 2024/1774 go further. They state explicitly that EU financial entities should "follow a flexible approach, based on risk mitigation and monitoring, to deal with the dynamic landscape of cryptographic threats, including threats from quantum advancements." This is not a background aspiration. It is the legislative context that defines what "developments in cryptanalysis" means for the purposes of Article 6. Quantum computing advances are the class of cryptanalytic development the recitals contemplate. DORA does not mandate specific NIST algorithms by name. It creates an outcome-based obligation to maintain cryptographic resilience as the threat landscape evolves, and the threat landscape is evolving in a direction the recitals name directly.

Three Pressure Points for ICT Risk Managers

1. Harvest-Now-Decrypt-Later and Data Classification

Harvest-now-decrypt-later (HNDL) is the mechanism that makes DORA's forward-looking cryptographic controls language operationally immediate rather than theoretical. An adversary capturing ciphertext today, before a cryptographically relevant quantum computer (CRQC) exists, can decrypt that data retrospectively once the hardware arrives. For EU financial entities subject to DORA, this maps to concrete data categories:

Long-duration liability data held by banks and investment firms (loan books, derivatives records, client personally identifiable information subject to GDPR retention schedules).
Regulatory filings and signed records with multi-year legal hold obligations.
Audit trails and transaction logs transmitted under today's TLS and stored encrypted at rest.
Interbank messaging, settlement instructions, and payment data flowing over cryptographically vulnerable channels.

Under DORA Article 8's continuous risk identification obligation, and the RTS Article 6 requirement to maintain a cryptographic policy that addresses quantum-era cryptanalytic threats, EU financial entities that have not assessed their HNDL exposure are operating with a documented gap in their ICT risk framework. The exposure is not future-tense. The data is being collected now.

2. ICT Asset Inventory and the Cryptographic Bill of Materials

Article 8's asset identification obligation covers ICT assets including cryptographic primitives. In practice, meeting this obligation for cryptographic controls means maintaining a Cryptographic Bill of Materials (CBOM): a structured inventory of which algorithms, key sizes, and protocols protect which business-critical data flows and at-rest stores across the EU financial entity's estate.

This is not a theoretical compliance exercise. The CBOM is the prerequisite to any post-quantum migration: you cannot migrate cryptographic controls you have not mapped. It is also the evidence base that supervisors will review when assessing Article 8 compliance. EU financial entities that have completed a CBOM are materially better positioned for both DORA supervisory review and the migration planning that their cryptographic controls policy will require. Entities that have not are running a gap on both fronts simultaneously.

ENISA's Post-Quantum Cryptography Integration Study (published following the August 2024 NIST FIPS finalisation) addresses migration integration methodology for EU-regulated organisations and is aligned with the NIST migration approach. ENISA's earlier "Post-Quantum Cryptography: Current State and Quantum Mitigation" report (v2, May 2021) provides risk categorisation methodology, though it predates the NIST FIPS 203/204/205 finalisation; any reliance on its algorithm-specific guidance should be read alongside the current NIST standards.

3. Third-Party ICT Providers and Article 28

DORA Article 28 governs the use of ICT third-party services. Where contractual arrangements concern critical or important functions, EU financial entities must take due consideration of whether ICT third-party providers use "the most up-to-date and highest quality information security standards." This creates a downstream cryptographic controls obligation: cloud key management services, HSM-as-a-service providers, and SaaS platforms processing payment data or client records that support critical business functions must be assessed for their cryptographic posture.

An EU financial entity whose cloud KMS provider has no documented post-quantum migration roadmap cannot straightforwardly demonstrate that it has fulfilled the Article 28 diligence requirement for cryptographic controls in those critical functions. The subcontracting RTS (joint EBA/EIOPA/ESMA final report, July 2024) specifies conditions for services supporting critical or important functions subcontracted to further providers, extending the same diligence requirement through the supply chain.

I have seen this third-party assessment obligation treated as an afterthought in PQC planning, addressed only after internal migration is underway. The Article 28 implications make it a parallel workstream, not a sequential one. An EU financial entity's cryptographic resilience is only as strong as the weakest cryptographic link across its critical service dependencies.

[Diagram: DORA and Post-Quantum Cryptography, ICT Risk Compliance Map. Maps Regulation (EU) 2022/2554 (applied 17 January 2025; Article 2(1), ~20 EU financial entity categories) and its delegated instruments (Delegated Reg. (EU) 2024/1774 Art. 6 encryption policy; TLPT RTS JC 2024-29, Articles 26–27, 3-year testing cycle) to the post-quantum obligation and the NIST FIPS 203/204/205 migration algorithms (ML-KEM, ML-DSA, SLH-DSA), with UK equivalents noted: FCA PS21/3 (applied March 2022), PRA SS1/21, UK NIS Regulations 2018 (SI 2018/506). UK financial institutions are not directly bound by DORA. Common obligation for both jurisdictions: cryptographic agility planning and a PQC migration roadmap under operational resilience frameworks; scope and timing differ by jurisdiction and entity type. Sources: Regulation (EU) 2022/2554 · Delegated Reg. (EU) 2024/1774 Art. 6 · NIST FIPS 203/204/205 (Aug 2024) · FCA PS21/3 · PRA SS1/21 · UK NIS Regs 2018. qsecdef.com]

TLPT and Cryptographic Resilience Testing

DORA Articles 26 and 27 require applicable EU financial entities to conduct Threat-Led Penetration Tests (TLPT) at minimum every three years. The TLPT RTS (JC 2024-29, EBA/EIOPA/ESMA, 17 July 2024) specifies that tests must cover critical functions and services using real threat intelligence, with mandatory purple teaming in the closure phase.

This is not a quantum attack simulation: current TLPT frameworks operate against the extant threat landscape, and CRQCs are not yet an operational threat. The relevant connection is that EU financial entities implementing post-quantum migrations will want to include the cryptographic integrity of that migration in their TLPT scope as work progresses. Misconfigured hybrid schemes, inadequate key management, deprecated algorithm use in critical functions, and integration points where classical algorithms persist alongside post-quantum implementations all fall within the scope of a TLPT covering cryptographic controls in critical functions.

The NIST Standards and What They Mean for DORA Compliance

NIST finalised three post-quantum standards in August 2024. The enterprise implementation decision map covers sequencing and dependency logic in detail. FIPS 203 specifies ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism): the migration target for RSA and ECDH in key exchange contexts including TLS, IKEv2, and key transport. FIPS 204 specifies ML-DSA (Module-Lattice-Based Digital Signature Algorithm): the primary signature standard replacing RSA-PSS and ECDSA in certificate chains, code signing, and document signing. FIPS 205 specifies SLH-DSA (Stateless Hash-Based Digital Signature Algorithm): a conservative hash-based alternative for long-lived signing use cases including audit records, archive integrity, and root CA trust anchors where re-signing is impractical.

DORA's Delegated Regulation does not name NIST algorithms. It mandates an outcome: cryptographic technology that remains resilient against developments in cryptanalysis, including quantum advancements. The NIST FIPS 203/204/205 standards are the current best-available response to that mandate for EU financial entities. ENISA's guidance is broadly aligned with the NIST migration approach. The EU has not yet published a binding algorithm mandate for financial sector post-quantum migration equivalent to NSA's CNSA 2.0 timeline for US national security systems, but the direction of travel in ENISA guidance and the explicit quantum reference in the RTS recitals together constitute a clear regulatory expectation.

Proportionality: What This Means for Smaller Entities

DORA's proportionality principle does not remove the cryptographic controls obligation from smaller EU financial entities; it scales it. Microenterprises using the simplified ICT risk management framework under Delegated Regulation (EU) 2024/1774 Chapter II still carry Article 6 obligations on encryption and cryptographic controls. A smaller payment institution or credit union with limited technical resource has a proportionate obligation to maintain a documented cryptographic policy addressing quantum-era risks, even if the implementation programme is less complex than that of a tier-1 bank. Starting with a CBOM and a risk assessment is proportionate for any size of in-scope entity.

UK Institutions: Where DORA Does and Does Not Apply

UK financial institutions are not directly subject to DORA. The UK left the EU's regulatory framework; DORA is an EU Regulation and does not have direct effect in UK law.

UK ICT operational resilience requirements derive from distinct instruments. The FCA Operational Resilience Policy (PS21/3, March 2021) applies to FCA-authorised firms from March 2022 and requires identification of important business services, setting of impact tolerances, and testing of resilience. The PRA Supervisory Statement SS1/21 (March 2021) sets equivalent expectations for PRA-regulated firms. The Network and Information Systems (NIS) Regulations 2018 (SI 2018/506) apply to operators of essential services including financial services firms meeting threshold criteria.

None of these UK instruments currently contains an explicit post-quantum cryptographic policy obligation directly equivalent to Delegated Regulation (EU) 2024/1774 Article 6. However, the FCA's expectation that firms maintain appropriate technical safeguards against foreseeable cyber threats, and the NIS Regulations' requirement for appropriate technical and organisational measures, create analogous pressure on UK institutions operating in sectors where HNDL risk is material, financial services among them.

UK firms with EU subsidiaries or entities licensed by EU national competent authorities will be directly subject to DORA for those entities, with the full Article 6 and Article 8 obligations applying. The jurisdictional boundary runs at the entity level, not the group level.

What to Do Now

For EU financial entities subject to DORA, the sequencing is clear. First, document a cryptographic controls policy that explicitly addresses quantum-era cryptanalytic threats (the RTS Article 6 obligation). Second, build the CBOM: inventory cryptographic algorithms, key sizes, and protocols across your estate, including ICT third-party providers supporting critical functions. Third, assess HNDL exposure for your highest-sensitivity, long-duration data categories using the Mosca inequality framework. Fourth, engage your critical ICT third-party providers on their post-quantum migration roadmaps under the Article 28 diligence obligation.

Adopting NIST FIPS 203/204/205 as the algorithm basis for your migration programme is the current best-available response to the RTS Article 6 resilience mandate. Starting with ML-KEM (FIPS 203) for key establishment addresses HNDL exposure for confidentiality. ML-DSA (FIPS 204) follows, for signing infrastructure: certificate chains, document signing, and audit trail integrity. SLH-DSA (FIPS 205) provides algorithm diversity for long-lived trust anchors, where hash-based security assumptions complement the module-LWE (MLWE) lattice basis of ML-KEM and ML-DSA.
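As an added example (not code from the article or from QSECDEF), the following Python walks a constructed CBOM of the kind described under pressure point 2, flags the Shor-vulnerable primitives, maps each to the FIPS 203/204/205 target named above, and applies the Mosca inequality from the steps above to score HNDL exposure. The inventory entries, the migration-time figure (Y) and the time-to-CRQC figure (Z) are illustrative assumptions, not estimates the article makes.

```python
# Added example (not from the article): walk a CBOM, flag Shor-vulnerable primitives,
# map them to the FIPS 203/204/205 targets, and apply the Mosca inequality
# (shelf life X + migration time Y > time-to-CRQC Z) to score HNDL exposure.
# The inventory below and the Y/Z figures are constructed planning assumptions.

# Public-key primitives broken outright by Shor's algorithm on a CRQC. Symmetric
# ciphers and hashes are not listed: Grover only halves their effective strength.
SHOR_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "EdDSA"}

# Migration target per use, following the mapping the article gives.
PQC_TARGET = {
    "key-exchange": "ML-KEM (FIPS 203)",
    "key-transport": "ML-KEM (FIPS 203)",
    "signature": "ML-DSA (FIPS 204); SLH-DSA (FIPS 205) for long-lived trust anchors",
}

# Constructed sample inventory: what each primitive protects and for how many years
# that protection must hold (Mosca's X). Real CBOMs come from scanner/KMS exports.
CBOM = [
    {"asset": "interbank settlement TLS", "algorithm": "ECDH", "size": 256,
     "use": "key-exchange", "shelf_life_years": 12},
    {"asset": "loan book archive at rest", "algorithm": "AES", "size": 256,
     "use": "encryption", "shelf_life_years": 25},
    {"asset": "regulatory filing signatures", "algorithm": "RSA", "size": 2048,
     "use": "signature", "shelf_life_years": 10},
    {"asset": "legacy batch file transfer", "algorithm": "RSA", "size": 1024,
     "use": "key-transport", "shelf_life_years": 2},
]


def assess_entry(entry, migration_years, years_to_crqc):
    """Score one CBOM entry; returns the findings a risk register would record."""
    vulnerable = entry["algorithm"] in SHOR_VULNERABLE
    # Mosca: protection needed for X years, migration takes Y, CRQC expected in Z.
    # If X + Y > Z the protection lapses before the data stops needing it
    # (HNDL for confidentiality; forgeable signatures for authenticity).
    exposed = vulnerable and entry["shelf_life_years"] + migration_years > years_to_crqc
    # Deprecated classical strength is a finding in its own right (TLPT scope).
    classically_weak = entry["algorithm"] == "RSA" and entry["size"] < 2048
    return {
        "asset": entry["asset"],
        "quantum_vulnerable": vulnerable,
        "hndl_exposed": exposed,
        "classically_weak": classically_weak,
        "target": PQC_TARGET.get(entry["use"]) if vulnerable else None,
    }


def assess_cbom(cbom, migration_years=5, years_to_crqc=10):
    """Score the whole inventory; HNDL-exposed items sort first for triage."""
    findings = [assess_entry(e, migration_years, years_to_crqc) for e in cbom]
    return sorted(findings, key=lambda f: (not f["hndl_exposed"], f["asset"]))
```

With the assumed Y of 5 years and Z of 10 years, the ECDH settlement channel and the RSA-2048 filing signatures are HNDL-exposed, the AES archive is not a quantum finding at all, and the RSA-1024 transfer is flagged as classically weak even though its short shelf life keeps it outside the Mosca threshold.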

QSECDEF's Quantum Threat Exposure Assessment provides a structured starting point for the ICT asset inventory and HNDL risk scoring steps described above. QSECDEF membership gives ICT risk managers access to the practitioner methodology documentation, implementation templates, and the community of security professionals navigating the same compliance obligations across EU-regulated sectors.