DRAFT, FOR LEGAL REVIEW. This article analyses ETSI quantum-safe cryptography standards and their relationship to European regulatory frameworks. It does not constitute legal or compliance advice. Citations reflect the state of ETSI documentation and EU legislation as of May 2026. Verify ETSI document versions and revision status before relying on specific version numbers for compliance purposes.

Most European security teams working on post-quantum migration come to NIST first. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) were published on 13 August 2024; FIPS 206 (FN-DSA) followed on 24 October 2024. They contain the algorithm specifications; they are the technical foundation. That starting point is correct. The part that often gets missed is the European standards layer that sits on top of it.

For an organisation operating in the EU, ETSI standards are not an alternative to NIST. They are the regulatory translation layer. Where EU legislation requires conformity with European standards for qualified electronic signatures, trust services, or digital infrastructure, the NIST FIPS documents are technical references; the ETSI documents are the compliance references. A Qualified Trust Service Provider cannot point to FIPS 204 in its conformity assessment; it needs to demonstrate alignment with ETSI TS 119 312. [INFERRED: based on the eIDAS regulatory structure and current TS 119 312 V1.4.1 scope; verify against the specific conformity assessment body's requirements, as notified body practice may differ.] For procurement tenders in EU member state contexts, citing ETSI TS 103 744 alongside IETF specifications carries institutional weight that NIST documents alone do not.

This article maps the three primary ETSI quantum-safe cryptography documents, explains where each fits in the European regulatory structure, and addresses the naming problem that continues to cause confusion: ETSI documents written before August 2024 use pre-standardisation algorithm names that do not match the FIPS designations.

What ETSI Is and Why It Matters for European Cryptography

ETSI (European Telecommunications Standards Institute) is a European Standards Organisation (ESO) recognised under EU Regulation 1025/2012 on European standardisation. That recognition is the mechanism by which ETSI standards can acquire legal force in EU markets: once an ETSI standard is cited in EU legislation or designated as a harmonised standard under a product regulation, compliance with that standard gives a presumption of conformity with the relevant legal requirement.

ETSI does not regulate. It is not a supervisory authority. Its standards are voluntary unless a specific legislative or regulatory instrument changes that. The path from a voluntary ETSI standard to a compliance obligation runs through three mechanisms: citation in EU legislation (the eIDAS Regulation cites ETSI trust service standards directly); citation in Commission Implementing or Delegated Regulations; or adoption as a harmonised standard under an EU product regulation, such as the Cyber Resilience Act. For quantum-safe cryptography, the primary current regulatory anchor is eIDAS, specifically the trust service standards that govern qualified electronic signatures and Qualified Trust Service Providers.

ETSI's quantum-safe cryptography work lives in TC CYBER (Technical Committee on Cybersecurity) and the ISG QSC (Industry Specification Group on Quantum-Safe Cryptography). The outputs divide into two categories: technical reports (TR series), which are informational and guidance-oriented; and technical specifications or standards (TS and EN series), which are normative. For post-quantum migration purposes, three documents are the essential reading.

The Three Primary ETSI Quantum-Safe Cryptography Documents

Each document addresses a different layer of the migration problem.

ETSI TR 103 619: Migration strategies and recommendations for Quantum Safe Cryptography (V1.1.1, 2022). This is ETSI's equivalent of NIST IR 8547 for migration framing, though less prescriptive on specific deprecation dates. It is the document to reach for when building the risk analysis and migration strategy: it covers the HNDL threat model, the Mosca inequality framework for prioritisation, and three migration strategies (pure PQC, hybrid, QKD). Audience: security architects, risk teams, programme managers building the migration case.

ETSI TS 119 312: Electronic Signatures and Infrastructures, Cryptographic Suites (V1.4.1, August 2022). This is the algorithm registry for European qualified electronic signatures and trust services. It is cited in eIDAS and the ETSI EN 319 400 series standards that govern Qualified Trust Service Providers. If your organisation is a QTSP or issues qualified signatures, TS 119 312 is the normative reference for algorithm selection. Audience: PKI operators, QTSPs, legal compliance teams, e-signature infrastructure owners.

ETSI TS 103 744: Quantum Safe Hybrid Key Establishment for TLS. This is the ETSI-branded specification for hybrid key exchange in TLS, aligned with the IETF draft-ietf-tls-hybrid-design. It gives organisations operating in European regulatory contexts the ETSI reference they need when procuring or certifying TLS infrastructure. Audience: network security engineers, procurement teams for public sector or regulated financial services contracts, vendors selling into EU markets.

ETSI TR 103 619: The European Migration Framework

ETSI TR 103 619 opens its threat analysis with the Mosca inequality, the formal instrument for determining whether migration is urgent for any given data holding or system. The three variables (time until CRQC, time required to migrate, confidentiality lifetime of the data) are worked through with more rigour than most organisation-level risk assessments apply. Section 4's treatment of the HNDL mechanism is worth reading even for teams that are familiar with the concept, because it works through the attack geometry in the context of European public network traffic.

Section 5 on migration strategies identifies three approaches. The pure migration path replaces classical algorithms entirely; it is the eventual destination but impractical as a first step for most organisations because it breaks compatibility with infrastructure that has not yet migrated. The hybrid approach combines classical and post-quantum algorithms in a single scheme, providing HNDL protection from the point of deployment while maintaining backward compatibility. QKD (quantum key distribution) is identified as a third option, but the TR is careful about its scope: QKD addresses key distribution over short point-to-point optical links and is not a general-purpose replacement for RSA or ECDH in internet-scale applications.

Hybrid is the recommended approach for the transition period, and ETSI TR 103 619 makes this recommendation clearly. The practical specification for hybrid in TLS is IETF draft-ietf-tls-hybrid-design and ETSI TS 103 744: X25519+ML-KEM-768 is the current operational standard for TLS 1.3 hybrid key exchange, already deployed in production by Google Chrome, Mozilla Firefox (from version 127), and Cloudflare.

The TR was published in 2022, before NIST finalised FIPS 203/204/205. It references the NIST candidates by their pre-standardisation names: Kyber, Dilithium, Falcon, SPHINCS+. Those names map directly to the final FIPS standards: Kyber became ML-KEM (FIPS 203), Dilithium became ML-DSA (FIPS 204), SPHINCS+ became SLH-DSA (FIPS 205), all published August 2024, and Falcon became FN-DSA (FIPS 206), published October 2024. The algorithms are the same; the parameter sets in the published FIPS documents are the reference specifications. Any use of TR 103 619 guidance on algorithm choices must be cross-referenced against the current FIPS parameter tables.

ETSI TS 119 312: The Algorithm Registry for European Qualified Signatures

TS 119 312 is the standard that European PKI operators and QTSPs cannot ignore. It defines the cryptographic algorithm suites approved for qualified electronic signatures and the trust service infrastructure that supports them under eIDAS. If a QTSP's Certificate Policy references TS 119 312, that reference is the compliance boundary for algorithm selection.

The current published version (TS 119 312 V1.4.1 (August 2022)) was finalised before NIST published FIPS 203/204/205. It endorses RSA and ECDSA as the signature algorithms for qualified signatures. A revision incorporating post-quantum algorithm suites is required and is actively expected from ETSI TC CYBER. Until that revision is published, European QTSPs and PKI operators do not have a definitive ETSI specification for post-quantum qualified signature algorithms. This is not a bureaucratic gap to tolerate passively: tracking the ETSI TC CYBER work programme for TS 119 312 should be a standing agenda item for any team responsible for European qualified signature infrastructure. The revision will define the algorithm transition requirements for that infrastructure, and early engagement with the draft process is worth considerably more than rapid response to a published final version.

The migration path for qualified signatures is more complex than TLS migration because of long-term validation (LTV). Qualified signatures under XAdES, PAdES, and CAdES with LTV must be verifiable years after the signing event, potentially decades. The verifiability requirement means the signing algorithm used at creation must remain cryptographically intact through the entire validation period. A document signed today with ML-DSA must be verifiable in 2045 under an algorithm that is still considered secure at that time. That long-horizon requirement is precisely why qualified signature migration requires more planning than TLS migration, and why the TS 119 312 revision will address LTV architecture specifically.

ML-DSA (NIST FIPS 204) is the primary candidate for qualified signature migration. ML-DSA-65 produces signatures of 3,309 bytes (per FIPS 204 Table 2). That is a significant size increase over ECDSA P-256's 64 bytes and RSA-2048's 256 bytes. For high-volume signing environments (e-invoicing platforms, document management systems, code signing pipelines) the bandwidth and storage overhead requires active planning. It is not a reason to avoid the migration; it is a design constraint to factor into the migration timeline.

SLH-DSA (NIST FIPS 205) provides an alternative for archival and high-assurance contexts. Its security rests on hash function properties only, without algebraic structure assumptions. This makes it the conservative choice for long-term archive integrity signatures, root CA trust anchors, and other contexts where maximum security assurance at the cost of larger signatures is the correct trade-off. ETSI TR 103 619 discusses hash-based signatures in the context of code signing and software distribution where long-term integrity is the primary requirement.

ETSI TS 103 744: Hybrid Key Establishment for TLS

TS 103 744 specifies hybrid key exchange for TLS in a European standards format. The underlying protocol it specifies (X25519+ML-KEM-768) is the same mechanism in IETF draft-ietf-tls-hybrid-design. The two documents describe the same cryptographic operation; the distinction is institutional.

For European public sector procurement and regulated financial services infrastructure, citing ETSI TS 103 744 alongside the IETF draft is the defensible dual-citation approach. Many EU member state procurement frameworks require or prefer citation of European standards for cryptographic implementations. A network security team deploying hybrid TLS for a bank or critical infrastructure operator can satisfy both the ETSI and IETF reference requirements with the same deployment, because they specify the same thing.

X25519+ML-KEM-768 hybrid is already in production at internet scale. That matters practically: server-side deployment does not require waiting for a new ETSI version or pending RFC to advance. The code is shipping. What the ETSI standard provides is the citation that procurement and compliance processes in European contexts may require.

[ASSUMED: current ETSI TS 103 744 version and whether it references ML-KEM specifically post-FIPS 203 finalisation or retains pre-standardisation naming; verify at publication date.]

How ETSI and NIST Align: and Where They Differ

The algorithms are the same. ETSI TR 103 619 identified the NIST PQC candidates before the competition closed; ETSI's post-August 2024 documents reference the final FIPS standards. ML-KEM, ML-DSA, FN-DSA, and SLH-DSA are the algorithm suite in both frameworks. The differences are structural and contextual, not technical.

Deployment context is the primary divergence. NIST standards address US federal and contractor compliance: FIPS 140-2/140-3 validation, CNSA 2.0 requirements for national security systems, FedRAMP and CMMC frameworks. ETSI standards address European regulatory anchors: eIDAS qualified signatures, NIS2 implementing instruments, CRA harmonised standards in development, and national implementations in EU member states. An organisation that needs to satisfy both US federal procurement and EU qualified signature requirements needs both standards libraries, not one or the other.

The naming divergence is a practical problem for teams working with older ETSI documents. Any ETSI document published before August 2024 will use Kyber, Dilithium, Falcon, and SPHINCS+. The mapping is: Kyber = ML-KEM (FIPS 203), Dilithium = ML-DSA (FIPS 204), SPHINCS+ = SLH-DSA (FIPS 205), all published August 2024, and Falcon = FN-DSA (FIPS 206), published October 2024. This is not merely cosmetic. The parameter sets in the published FIPS documents are the definitive specifications; where an older ETSI document recommends a specific Kyber or Dilithium parameter set, verify that recommendation against the corresponding FIPS parameter table before treating it as current guidance.

On hybrid mandates, ETSI and NIST both recommend hybrid for the transition period. CNSA 2.0 diverges: for US National Security Systems, NSA mandates ML-KEM-1024 and ML-DSA-87 in pure PQC mode for high-priority systems from 2025 onwards. European standards, including ETSI TR 103 619, have not issued an equivalent mandatory pure-PQC timeline. For European organisations that supply national security system customers, or that carry US government contracts requiring CNSA 2.0 compliance, the applicable standard is CNSA 2.0's higher parameter set, ML-KEM-1024 rather than ML-KEM-768. See CNSA 2.0 vs CNSA 1.0: What Defence Suppliers Need to Know for the detailed comparison.

Both ANSSI (France) and BSI (Germany) have published national guidance documents that reference ETSI and NIST standards. ANSSI's "Recommandations de sécurité relatives à la cryptographie post-quantique" (2022) aligns with ETSI TR 103 619 on hybrid approach and migration priority. BSI's TR-02102 series (updated periodically) provides parameter-level algorithm recommendations that are consistent with NIST guidance. [INFERRED: BSI TR-02102 update frequency described as annual in prior versions; verify the current publication cadence at the BSI website before citing as an annual update guarantee.] Organisations in French or German regulatory environments should cross-reference national guidance alongside ETSI; the national guidance typically provides jurisdiction-specific implementation requirements that general ETSI standards do not resolve.

Practical Guidance: Which ETSI Documents to Use and When

The choice of which ETSI document to reach for depends on the context, not the algorithm question; the algorithm is the same regardless.

For migration strategy and risk analysis: ETSI TR 103 619 is the European equivalent of NIST IR 8547 for migration framing. Its Mosca inequality analysis and three-strategy taxonomy are the starting points for any European organisation building a PQC migration programme. Read alongside NIST IR 8547 for the US deprecation timeline specifics that TR 103 619's 2022 vintage does not include.

For qualified signature and PKI infrastructure: ETSI TS 119 312 is the reference, but treat the current V1.4.1 as a transitional document. Track the ETSI TC CYBER work programme for the revision. For algorithm selection in the interim, use NIST FIPS 204 (ML-DSA) as the current best-available reference for post-quantum qualified signature migration, and flag in your compliance documentation that the TS 119 312 revision is pending. That is not a compliance gap; it is an accurate representation of where the standards are.

For TLS hybrid deployment: ETSI TS 103 744 provides the European standards citation. Cite it alongside IETF draft-ietf-tls-hybrid-design when procurement or regulatory context requires a European standards reference. The underlying implementation is identical.

For procurement and tender documentation in EU contexts: the dual-citation approach (ETSI for the European standards reference, NIST FIPS 203/204/205 for the algorithm specification) gives coverage across both European regulatory and international technical requirements. This is particularly relevant for public sector procurement and for private sector contracts with public authorities or regulated financial entities.

For teams working across both EU and UK contexts: ETSI remains a recognised standards body in the UK post-Brexit. UK participation in ETSI continues; ETSI standards carry particular weight in UK telecommunications contexts, where OFCOM and operator licence conditions may reference ETSI documents directly. For UK organisations outside the telecoms sector, ETSI standards are voluntary unless specifically cited in UK legislation or regulation. They carry practical weight as technical references and procurement benchmarks, but the formal compliance chain differs from EU contexts where eIDAS and harmonised standards create legal force. [INFERRED: UK non-telecoms applicability framing; verify the specific UK regulatory citation chains for your sector before treating ETSI references as compliance obligations.]

For a detailed treatment of algorithm selection across NIST FIPS 203, 204, 205, and 206 and how to choose between them, see the FIPS 203/204/205 implementation decision map. That article covers the algorithm selection logic; this one covers the European standards layer that sits above it.