This article analyses Harvest-Now-Decrypt-Later risk and post-quantum cryptography obligations for financial institutions under EU and UK regulatory frameworks. It does not constitute legal advice. Organisations must seek qualified legal and regulatory counsel before making compliance decisions. References to DORA, NIS2, FCA, and associated instruments reflect their state as of June 2026.

HNDL in Financial Services: Regulatory and Operational Implications

Financial services institutions occupy a specific position in the HNDL threat landscape: they hold the data categories with the longest regulatory retention periods, they are documented targets of nation-state cyber operations, and they already operate under ICT risk management frameworks that carry technology-currency obligations on cryptography. The interaction of these three factors means that HNDL is not a future consideration for this sector. It is an active risk with traceable regulatory consequences.

This article works through the EU and UK regulatory obligations that apply to quantum-vulnerable cryptography, identifies the specific data categories in financial services that are inside the HNDL risk window, and sets out the three-track operational response that follows from the analysis. For the core DORA post-quantum cryptography analysis, see DORA and Post-Quantum Cryptography: What Financial Services ICT Risk Managers Must Know. For the cross-sector HNDL data risk framework, see which data is most at risk from HNDL attacks today.

Why Financial Services Is the Highest-Priority HNDL Sector

Three factors compound in financial services in a way that is not replicated at the same intensity in other sectors.

First, regulatory retention periods. Financial institutions are legally required to retain records for periods that extend into and beyond the 2033–2035 Q-Day planning horizon. A derivatives record retained for ten years from contract life under EMIR may still be protected by its original key exchange encryption when a cryptographically relevant quantum computer (CRQC) becomes available. Records encrypted and transmitted today under RSA or ECDHE key exchange that are retained until 2034 or later are inside the HNDL risk window under any plausible Q-Day estimate.

Second, documented nation-state targeting. ODNI Annual Threat Assessments and Five Eyes joint advisories document systematic collection operations against financial institutions for economic intelligence and strategic pre-positioning. Data collected under HNDL operations does not need to be decrypted today; it is collected now for exploitation later. Financial institutions holding commercially sensitive trading data, long-lived client financial records, and payment system logs are targets of exactly this kind of collection.

Third, existing regulatory obligations. DORA, NIS2, and the UK FCA operational resilience framework each impose ICT risk management requirements that extend to emerging cryptographic vulnerabilities. These frameworks do not wait for regulatory authorities to name specific quantum threats before creating compliance obligations. The technology-currency language in each framework applies now.

The Mosca inequality makes the compounding concrete: data is at risk when X + Z > Y, where X is the migration time, Z the required confidentiality lifetime of the data, and Y the time until a CRQC exists. Migration time (X) for a complex financial institution: 3–7 years. Required confidentiality lifetime (Z) for long-duration records: 20–40+ years. Q-Day central estimate (Y): 9–12 years from now. For the longest-lived data categories, X + Z exceeds Y by a significant margin. Those records are in the HNDL risk window today.

DORA: What the ICT Risk Requirements Mean for Quantum-Vulnerable Cryptography

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became applicable on 17 January 2025. It applies to credit institutions, payment institutions, electronic money institutions, insurance undertakings, investment firms, crypto-asset service providers, and, where designated as critical, ICT third-party service providers operating in the EU.

DORA Article 6 requires in-scope entities to maintain an ICT risk management framework. Article 6(8) specifically requires the framework to identify and address ICT risk from "evolving threats" to confidentiality, integrity, and availability. The EBA guidelines on ICT and security risk management (EBA/GL/2019/04) do not yet explicitly name quantum threats; however, the "evolving threats" obligation is technology-neutral. Quantum-related cryptographic vulnerabilities are within its scope on the same interpretive basis that applies to any emerging cryptanalytic threat.

The direct PQC hook is in Article 9, which requires entities to maintain encryption and cryptographic controls as part of data protection measures. Article 9(2) requires entities to adopt "state-of-the-art" encryption. That phrase creates a technology-currency obligation: as NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), and FIPS 206 (FN-DSA) become the applicable post-quantum benchmarks, institutions whose encryption does not track this shift will face increasing difficulty demonstrating Article 9(2) compliance. [INFERRED — this is a compliance inference about regulatory trajectory, not a statement that DORA currently mandates NIST algorithms by name. ENISA's interpretation of "state of the art" for DORA/NIS2 cryptography is the relevant authority when published]

Commission Delegated Regulation (EU) 2024/1774, the RTS on ICT risk management tools, methods, processes, and policies, requires entities to develop a cryptographic controls policy that addresses "developments in cryptanalysis" to ensure it "remains resilient against cyber threats." The recitals contemplate "quantum advancements" as the relevant class of cryptanalytic development. [ASSUMED — verify the exact recital wording against the Official Journal of the EU text of (EU) 2024/1774 before quoting verbatim] DORA's quantum obligation is not ambiguous; it is stated in the legislative instrument that implements Article 9.

Article 28 creates the third obligation: ICT third-party risk management. An institution whose core banking system, payment processing infrastructure, or custody and settlement systems are provided by third parties whose cryptographic implementations remain quantum-vulnerable may be in breach of Article 28 ICT risk management obligations even if its own infrastructure has been migrated. The obligation extends through the supply chain to critical ICT service dependencies.

NIS2: The Parallel EU Obligation

NIS2 (Directive (EU) 2022/2555) required transposition into EU member state law by 17 October 2024. It applies to essential and important entities in banking (credit institutions) and financial market infrastructure (trading venues, central counterparties, payment and settlement systems).

For most large financial institutions, NIS2 and DORA co-apply. Where they overlap on ICT risk management obligations, DORA takes precedence as the lex specialis for the financial sector under the principle confirmed in DORA Recital 16: DORA's more specific requirements displace NIS2's general requirements for in-scope financial entities, meaning a DORA-compliant ICT risk management programme satisfies the parallel NIS2 obligation for that entity class. NIS2 Article 21 requires entities to implement cybersecurity risk management measures including "encryption" using "state-of-the-art" technical measures. The Article 21(2)(h) obligation applies the same technology-currency logic as DORA Article 9(2): as PQC standards mature, "state of the art" for encryption will incorporate them.

The practical implication is that large EU financial institutions with both DORA and NIS2 applicability should treat their quantum-risk management programme as meeting both frameworks; the compliance work is substantively the same. Smaller institutions below DORA's scope threshold that are nonetheless NIS2-applicable carry NIS2's Article 21 encryption obligation independently.

UK Financial Institutions: FCA Operational Resilience and PQC

UK financial institutions are not directly subject to DORA. Post-Brexit UK regulatory obligations derive from distinct instruments. The FCA Operational Resilience Policy (PS21/3, March 2021) requires FCA-authorised firms to identify important business services, set impact tolerances, and test resilience. The PRA Supervisory Statement SS1/21 applies equivalent expectations to PRA-regulated firms.

UK entities providing services to EU customers or operating EU-regulated entities remain subject to DORA under Article 2(1)(c). UK-only institutions operating solely under FCA jurisdiction are subject to FCA's operational resilience requirements and SYSC systems and controls obligations. FCA SYSC 2.1.1R requires adequate systems and controls; SYSC 9.1.1R requires record-keeping with appropriate protections.

The NCSC's guidance "Next Steps in Preparing for Post-Quantum Cryptography" (March 2025) identifies financial services as a priority sector and sets Phase 3 migration completion at 2031–2035. While NCSC guidance is advisory for private-sector entities, it establishes UK government assessment of good practice. That assessment is relevant to FCA supervisory engagement with firms' operational resilience programmes. UK institutions should document their quantum risk assessment as part of their operational resilience programme under PS21/3. Documenting the assessment, even before migration has started, demonstrates supervisory engagement with an emerging expectation. [ASSUMED — verify whether the FCA has published specific PQC-related supervisory communications between 2024 and June 2026]

The Specific Data Categories at Risk: What Long-Lived Financial Data Actually Means

The HNDL risk window is not uniform across financial data. It varies by retention period and by the sensitivity of the data to future exploitation. Four categories warrant specific attention.

MiFID II trade records. Article 16(7) of MiFID II (EU 2014/65) and FCA SYSC 9.1.1R require investment firms to retain records of client communications and orders for at least five years, and seven years for MiFID-designated firms. Transaction data, order books, and client instruction records encrypted under current protocols and retained until 2031 are within the HNDL risk window under a 2033–2035 Q-Day estimate with a 3–5 year migration timeline. The margin is not comfortable.

EMIR derivatives records. EMIR (Regulation (EU) 648/2012, Article 9) requires derivatives data to be retained for at least ten years from the life of the contract. [ASSUMED — verify the precise trigger point for the retention period under EMIR Article 9 and applicable RTS before publication] A 30-year interest rate swap entered in 2024 carries a retention obligation through approximately 2064. Records created under current encryption over the next several years are HNDL-exposed for the full duration of that retention period.

Pension and insurance records. UK defined benefit pension scheme records are retained for the life of the scheme and typically at least 40 years after a member joins. Life insurance contract records may be retained for the policy duration plus a regulatory minimum. Data collected in 2024 and retained through 2064 is in the HNDL risk window under any plausible Q-Day and migration timeline combination. Beneficiary details, benefit calculations, and personal financial data in these records have intelligence value to nation-state adversaries beyond the immediate financial relationship.

AML and KYC records. The EU 5th Anti-Money Laundering Directive (5AMLD, Directive (EU) 2018/843, Article 40) and UK Money Laundering Regulations 2017 (Regulation 40) require AML and KYC records to be retained for at least five years from the end of a business relationship. KYC records contain PII, beneficial ownership data, and politically exposed person screening results: categories with intelligence value to nation-state adversaries that extends well beyond the financial relationship itself.

Operational Exposure: Payment Systems, Custody, and Trading Infrastructure

The retention-period argument for HNDL risk is straightforward. The operational argument is about the infrastructure through which financial data currently moves.

Payment system communications are a primary collection target. SWIFT messaging, TARGET2, CHAPS, and FPS all use cryptographic authentication and channel encryption. The key exchange mechanisms across these systems, including SWIFT's PKI infrastructure and institution-to-institution TLS connections, use RSA and ECDH. Nation-state adversaries collecting payment traffic today are collecting both the encrypted transaction content and the key-exchange messages from which the session keys can be recovered post-Q-Day. [ASSUMED — SWIFT PKI current key exchange algorithm specifics; verify from the SWIFT Customer Security Programme (CSP) documentation before citing specifically]

Custody and settlement systems hold securities positions, beneficial ownership records, and collateral data. Encrypted communications between custodians, central securities depositories (CSDs), and institutional clients, carrying data that EMIR and MiFID II require to be retained for years or decades, are HNDL-collection targets for adversaries seeking to map institutional securities holdings.

Algorithmic trading data presents a different dimension. Proprietary trading strategies encrypted in 2024 and collected under HNDL would, if decryptable post-Q-Day, provide a permanent record of trading behaviour and strategy that could be exploited commercially or used to anticipate institutional market activity years after decryption. The harm extends beyond regulatory records into competitive intelligence.

The Regulatory-Operational Response Framework

For DORA-regulated entities, the response runs on three parallel tracks. They are parallel, not sequential; initiating them in sequence costs years.

Track 1: Cryptographic inventory (CBOM). Identify which ICT systems use RSA, ECDH/ECDSA, or classical DH for key exchange and which hold long-retention financial data. The CBOM is the prerequisite to migration planning; institutions that have not mapped their cryptographic estate cannot make informed prioritisation decisions. It is also the evidence base for DORA Article 8 asset inventory compliance. NIST NCCoE SP 1800-38 provides the migration framework including CBOM methodology.

Track 2: Risk classification. Apply the Mosca inequality to identified data categories, using MiFID II, EMIR, AML, and pension retention periods as the Z values. The output is a prioritised list of data flows and storage systems by HNDL risk urgency. Payment system communications and long-duration derivatives records rank highest. This classification feeds both migration scheduling and regulatory documentation.
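The following Go program is an added example, not code from the article or from QSECDEF, showing how Track 1 inventory rows and the Mosca inequality from the earlier section combine into the Track 2 prioritised list. The inventory rows are constructed for illustration (the lifetimes follow the retention periods the article cites; the payment and market-data lifetimes are placeholders), the `quantumVulnerable` table, the X = 5 and Y = 9 year parameters, and the sort order are my assumptions, and a hybrid X25519 + ML-KEM-768 entry is included to show that it drops out of the exposed set even with a long lifetime.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Asset is one row of the cryptographic inventory (Track 1): a data flow or
// store, the key-exchange algorithm protecting it, and the confidentiality
// lifetime implied by its regulatory retention period.
type Asset struct {
	Name        string
	KeyExchange string  // e.g. "RSA", "ECDHE", "X25519+ML-KEM-768"
	Category    string  // regulatory data category driving the retention period
	LifetimeYr  float64 // Z in the Mosca inequality: years the data must stay confidential
}

// Assessment is the Track 2 output for one asset.
type Assessment struct {
	Asset      Asset
	Vulnerable bool    // key exchange breakable by a CRQC
	MarginYr   float64 // X + Z - Y; positive means inside the HNDL window
	Exposed    bool    // Vulnerable && MarginYr > 0
}

// Key-exchange mechanisms a CRQC breaks outright (assumed table). A hybrid
// that includes ML-KEM is deliberately absent: breaking it also needs a
// quantum attack on ML-KEM.
var quantumVulnerable = map[string]bool{
	"RSA": true, "DH": true, "ECDH": true, "ECDHE": true, "ECDSA": true, "X25519": true,
}

// MoscaExposed applies X + Z > Y: migration time plus confidentiality
// lifetime exceeding the time to Q-Day means the data is at risk.
func MoscaExposed(migrationYr, lifetimeYr, qdayYr float64) bool {
	return migrationYr+lifetimeYr > qdayYr
}

func isVulnerable(kex string) bool {
	return quantumVulnerable[strings.ToUpper(kex)]
}

// Classify scores every inventory entry and orders the result by urgency:
// exposed assets first, then by how far they overshoot the Q-Day horizon.
func Classify(assets []Asset, migrationYr, qdayYr float64) []Assessment {
	out := make([]Assessment, 0, len(assets))
	for _, a := range assets {
		vuln := isVulnerable(a.KeyExchange)
		out = append(out, Assessment{
			Asset:      a,
			Vulnerable: vuln,
			MarginYr:   migrationYr + a.LifetimeYr - qdayYr,
			Exposed:    vuln && MoscaExposed(migrationYr, a.LifetimeYr, qdayYr),
		})
	}
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Exposed != out[j].Exposed {
			return out[i].Exposed
		}
		return out[i].MarginYr > out[j].MarginYr
	})
	return out
}

// SampleInventory is a constructed illustration, not a real institution's CBOM.
func SampleInventory() []Asset {
	return []Asset{
		{"EMIR trade repository feed (30y IRS)", "ECDHE", "EMIR Art. 9", 40},
		{"Pension administration archive", "RSA", "DB pension scheme", 40},
		{"MiFID II order record store", "RSA", "MiFID II Art. 16(7)", 7},
		{"KYC document vault", "ECDH", "5AMLD Art. 40", 5},
		{"Counterparty TLS link (pilot)", "X25519+ML-KEM-768", "Payment messaging", 10},
		{"Intraday market data cache", "ECDHE", "Operational", 1},
	}
}

func main() {
	const migrationYr, qdayYr = 5, 9 // X and Y chosen from the article's central ranges
	for _, r := range Classify(SampleInventory(), migrationYr, qdayYr) {
		flag := "ok"
		if r.Exposed {
			flag = "HNDL-EXPOSED"
		} else if r.Vulnerable {
			flag = "vulnerable, outside window"
		}
		fmt.Printf("%-40s %-18s Z=%2.0fy margin=%+3.0fy %s\n",
			r.Asset.Name, r.Asset.KeyExchange, r.Asset.LifetimeYr, r.MarginYr, flag)
	}
}
```

Running it with X = 5 and Y = 9 ranks the EMIR and pension records first (margin +36 years), then the MiFID II and KYC stores, while the hybrid pilot link and the one-year cache fall outside the exposed set. Changing the two parameters reproduces the sensitivity analysis the article's calculator performs, and feeding the ordered output into migration scheduling gives the Track 2 documentation a reproducible basis.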

Track 3: Hybrid key exchange deployment. Deploy X25519+ML-KEM-768 (IETF RFC 9496, X-Wing Hybrid KEM) on the highest-risk data flows. Hybrid deployment provides HNDL protection from the point of deployment without waiting for full PQC migration. Traffic captured after hybrid deployment requires a quantum attack on ML-KEM to decrypt, not just on ECDHE. For payment systems and external counterparty communications, the highest-risk categories, hybrid deployment is the immediate operational response.
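To make the Track 3 claim concrete, here is an added example (my code, not the article's, QSECDEF's, or any standard's reference implementation) of an X25519 + ML-KEM-768 hybrid exchange written against Go's standard library `crypto/ecdh` and `crypto/mlkem` packages (Go 1.24 or later). The message layout and the SHA-256 combiner are simplified assumptions of mine rather than the exact X-Wing or TLS hybrid constructions, and `ClassicalOnlyRecovery` models a future adversary who breaks X25519 but not ML-KEM by borrowing the initiator's X25519 private key as a stand-in for that cryptanalysis.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HybridPublic is the initiator's key share: both component public keys.
type HybridPublic struct {
	X25519 []byte // 32-byte X25519 public key
	MLKEM  []byte // 1184-byte ML-KEM-768 encapsulation key
}

// HybridPrivate is retained by the initiator until the response arrives.
type HybridPrivate struct {
	x   *ecdh.PrivateKey
	dk  *mlkem.DecapsulationKey768
	pub HybridPublic
}

// GenerateHybrid creates the initiator's two ephemeral key pairs.
func GenerateHybrid() (*HybridPrivate, error) {
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	dk, err := mlkem.GenerateKey768()
	if err != nil { return nil, err }
	pub := HybridPublic{X25519: x.PublicKey().Bytes(), MLKEM: dk.EncapsulationKey().Bytes()}
	return &HybridPrivate{x: x, dk: dk, pub: pub}, nil
}

func (h *HybridPrivate) Public() HybridPublic { return h.pub }

// combine binds both component secrets and the transcript pieces into the
// session secret, so neither component alone determines it. Illustrative
// SHA-256 combiner (assumption), not the exact X-Wing construction.
func combine(ssX, ssML, ctML, pkML []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-hybrid-x25519-mlkem768"))
	h.Write(ssML)
	h.Write(ssX)
	h.Write(ctML)
	h.Write(pkML)
	return h.Sum(nil)
}

// Encapsulate is the responder's step. The returned ciphertext is the
// responder's X25519 public key followed by the ML-KEM-768 ciphertext.
func Encapsulate(peer HybridPublic) (ciphertext, shared []byte, err error) {
	curve := ecdh.X25519()
	peerX, err := curve.NewPublicKey(peer.X25519)
	if err != nil { return nil, nil, err }
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	ssX, err := eph.ECDH(peerX)
	if err != nil { return nil, nil, err }
	ek, err := mlkem.NewEncapsulationKey768(peer.MLKEM)
	if err != nil { return nil, nil, err }
	ssML, ctML := ek.Encapsulate()
	ciphertext = append(eph.PublicKey().Bytes(), ctML...)
	return ciphertext, combine(ssX, ssML, ctML, peer.MLKEM), nil
}

// Decapsulate is the initiator's step: split the ciphertext, run both
// component operations, and recompute the same session secret.
func (h *HybridPrivate) Decapsulate(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) != 32+mlkem.CiphertextSize768 {
		return nil, fmt.Errorf("bad hybrid ciphertext length %d", len(ciphertext))
	}
	peerX, err := ecdh.X25519().NewPublicKey(ciphertext[:32])
	if err != nil { return nil, err }
	ssX, err := h.x.ECDH(peerX)
	if err != nil { return nil, err }
	ctML := ciphertext[32:]
	ssML, err := h.dk.Decapsulate(ctML)
	if err != nil { return nil, err }
	return combine(ssX, ssML, ctML, h.pub.MLKEM), nil
}

// ClassicalOnlyRecovery models the HNDL adversary who later recovers the
// X25519 secret from captured key shares but has no ML-KEM secret: the
// result does not match the session secret, which is the Track 3 property.
func ClassicalOnlyRecovery(h *HybridPrivate, ciphertext []byte) []byte {
	peerX, _ := ecdh.X25519().NewPublicKey(ciphertext[:32])
	ssX, _ := h.x.ECDH(peerX) // stand-in for a future break of X25519
	missingML := make([]byte, mlkem.SharedKeySize)
	return combine(ssX, missingML, ciphertext[32:], h.pub.MLKEM)
}

func main() {
	initiator, err := GenerateHybrid()
	if err != nil { panic(err) }
	ct, ssResponder, err := Encapsulate(initiator.Public())
	if err != nil { panic(err) }
	ssInitiator, err := initiator.Decapsulate(ct)
	if err != nil { panic(err) }
	fmt.Printf("hybrid ciphertext %d bytes, secrets agree: %v\n", len(ct), bytes.Equal(ssResponder, ssInitiator))
	fmt.Printf("X25519-only adversary recovers the secret: %v\n", bytes.Equal(ClassicalOnlyRecovery(initiator, ct), ssInitiator))
}
```

The exchange costs one extra 1088-byte ciphertext and a 1184-byte key share on top of the 32-byte X25519 values, which is the bandwidth a payment-messaging or counterparty-TLS pilot must budget for. The useful check for an operations team is the last line of output: captured traffic is only recoverable by an adversary who breaks both components, so deploying the hybrid on the highest-ranked flows from Track 2 closes their HNDL window from the deployment date onward.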

DORA Article 28 makes Track 1 and Track 3 extend to critical ICT third parties. Core banking system providers, payment processing platforms, and cloud infrastructure providers should all be assessed for their PQC migration roadmaps. An institution cannot consider its DORA cryptographic risk management complete if its critical service dependencies remain on quantum-vulnerable infrastructure.

For UK institutions under FCA supervision, the same three-track approach applies within the PS21/3 operational resilience framework. Documentation of the quantum risk assessment within the operational resilience programme provides the supervisory evidence trail that demonstrates good faith engagement with the emerging regulatory expectation.

The QSECDEF HNDL Exposure Calculator at /insights/hndl-calculate-organisation-exposure/ allows financial institutions to model their specific risk window against configurable retention periods, migration timelines, and Q-Day assumptions. The calculator provides the quantitative input for Track 2 risk classification and is designed for CISO, CRO, and compliance team use. See also the analysis of DORA quantum security preparedness for financial services for the broader readiness assessment framework.

This article analyses regulatory requirements as of June 2026. Post-quantum cryptography guidance from DORA implementing regulators (EBA, EIOPA, ESMA) and UK FCA is evolving; verify current supervisory guidance before making compliance decisions. Organisations should seek qualified legal counsel on regulatory compliance questions.