This article analyses where post-quantum cryptography intersects with NIS2 obligations under Directive (EU) 2022/2555. It does not constitute legal advice. Organisations must seek qualified legal and regulatory counsel before making compliance decisions. References to NIS2 articles and associated implementing regulation reflect the state of the legislation as of May 2026.

Most NIS2 implementation programmes treat cryptography as a checklist item: TLS version current, certificates valid, data encrypted at rest, multi-factor authentication deployed. That checklist addresses your present state. It says nothing about whether the cryptographic controls protecting your most sensitive data will still be adequate in 2033, when the threat environment changes in a fundamental way. The gap between what NIS2 compliance programmes currently cover and what NIS2 actually requires on cryptography is what this article addresses.

The short version: NIS2 Article 21 creates a dynamic obligation tied to the "state of the art." The publication of three post-quantum cryptographic standards by NIST in August 2024, the proposed deprecation timeline in NIST IR 8547 (issued as an initial public draft in November 2024), and ENISA's identification of harvest-now-decrypt-later as an emerging threat since 2022 have together moved post-quantum cryptography into the "state of the art" conversation. An EU essential or important entity that has not assessed its post-quantum exposure is carrying a documented gap in its Article 21 compliance posture.

What NIS2 Article 21 actually requires on cryptography

NIS2 Directive (EU) 2022/2555, Article 21(2)(h) requires that essential entities and important entities implement "the use of cryptography and, where appropriate, encryption" as one of their cybersecurity risk management measures. The Directive is deliberately non-prescriptive about algorithms. It does not mandate RSA-2048 key sizes or AES-256 by name. Algorithm selection is left to member state implementing legislation and sector guidance.

The operative word in Article 21(1) is "appropriate." Risk management measures must be "appropriate and proportionate to the risks posed," taking into account "the state of the art" in cybersecurity practices. In EU law, "state of the art" is not a static reference. It moves as the technical field moves. When NIST publishes final post-quantum cryptographic standards and when ENISA documents harvest-now-decrypt-later as an emerging threat in its annual threat landscape reports, "state of the art" begins to incorporate post-quantum risk management as a recognised practice. An organisation that continues to rely exclusively on RSA and ECC key exchange, without assessing its exposure under an Article 21-compliant risk framework, faces a legitimate challenge to whether its measures remain "appropriate" in the sense Article 21(1) requires.

Recital 98 of the Directive is the relevant encryption provision. It discusses encryption, including end-to-end encryption, as a measure relevant to security and confidentiality. This establishes that cryptography in NIS2 is not limited to data in transit. The full cryptographic posture, including stored data protection, is within scope.

The Commission Implementing Regulation (EU) 2024/2690, which entered into force on 18 October 2024, applies to the specified digital and trust-service entities listed in Article 1 of that Regulation. The Annex to the Regulation, at section 9 (and particularly sections 9.1 to 9.3), sets out requirements for cryptographic controls: the policy framework for cryptography, algorithm strength and selection, crypto-agility, key management, and periodic review against the state of the art. These provisions directly implicate the quantum threat for entities processing long-lived sensitive data.

Who NIS2 covers, and who it does not

NIS2's scope is materially broader than NIS1. It covers the Annex I high-criticality sectors and the Annex II other critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space, postal and courier services, waste management, manufacture of critical products (including medical devices and motor vehicles), food, chemicals, digital providers, and research.

Essential entities are large organisations in Annex I sectors. Important entities are medium-sized organisations in Annex I sectors and all medium and large organisations in Annex II sectors. The distinction carries supervisory consequences: essential entities face proactive assessment under Article 32, while important entities are subject to reactive supervision under Article 33.

UK-only operations are not subject to NIS2, because the UK has not transposed it. The UK's NIS transposition is the Network and Information Systems (NIS) Regulations 2018 (SI 2018/506), which implemented NIS1, not NIS2. However, non-EU entities offering certain in-scope services into the EU may still face NIS2 jurisdictional and representative obligations under the Directive's scope provisions. UK organisations that are part of EU-based corporate groups, or that provide ICT services to EU essential or important entities, should assess whether those activities bring them within NIS2's reach. As of May 2026, the Cyber Security and Resilience Bill was before Parliament and had completed Commons committee stage, having been introduced on 12 November 2025 and passed its second reading on 6 January 2026.

EU financial entities face layered obligations. DORA (Regulation (EU) 2022/2554) applies in parallel to NIS2 for entities in the twenty categories of EU-regulated financial services listed in DORA Article 2(1). DORA Article 9(2) requires ICT security policies, tools, and protocols that address confidentiality, integrity, availability, and authenticity. DORA does not use the words "post-quantum" or "quantum," but it supports a risk-based argument for PQC assessment where quantum risk affects confidentiality obligations. Article 15 of DORA further addresses cryptographic techniques in the development of regulatory technical standards. For the specific intersection of DORA and post-quantum cryptography, see our analysis at DORA and post-quantum cryptography: what financial services ICT risk managers must know.

The gap: what NIS2 cryptography compliance programmes are missing

Standard NIS2 cryptography reviews in 2024 to 2026 cover the present-state posture: TLS version compliance, certificate validity and rotation, encryption-at-rest implementation, and access management. These are appropriate checks. They are not the same as a forward-looking cryptographic risk assessment.

The confidentiality lifetime problem is where the gap opens. NIS2-covered entities across energy infrastructure, health data processing, and financial market infrastructure hold data whose confidentiality requirements extend well beyond 2030. An energy sector operator encrypting operational telemetry and control communications today under RSA-2048 key exchange generates data that a state-level adversary may be capturing for later decryption. When a cryptographically relevant quantum computer exists, Shor's algorithm recovers the private key from the public values in the captured handshake, and with it the session key, so the historical traffic becomes readable. NIS2's "appropriate and proportionate" standard, applied to this specific threat, implies the harvest-now-decrypt-later risk should be part of the Article 21 risk assessment. ENISA has identified it as an emerging threat in its Threat Landscape reports for 2023 and 2024. An organisation that has completed a NIS2 risk assessment without addressing HNDL has produced an assessment that the ENISA threat catalogue already identifies as incomplete.

The supply chain dimension compounds this. Article 21(2)(d), read with Article 21(3), requires NIS2 entities to address security risks in supply chains, including the security practices of direct suppliers and service providers. A cloud provider, managed security service provider, or ERP vendor that has no post-quantum migration roadmap becomes a supply chain risk item under Article 21(2)(d) for any NIS2 entity that depends on it for critical or important functions. The cryptographic posture of an essential entity is only as strong as the weakest cryptographic link across its critical service dependencies, a point I find routinely absent from NIS2 compliance gap assessments.

What the NIST standards mean for your NIS2 risk assessment

NIST finalised three post-quantum cryptographic standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). These are the first finalised post-quantum standards suitable for general deployment. FIPS 206 (FN-DSA) remains under development and had not been finalised as of the writing of this article. The "waiting for the standard" rationale for deferring PQC risk assessment no longer holds.

NIST IR 8547, issued as an initial public draft in November 2024, sets out the proposed transition and deprecation timeline for RSA, ECDH, ECDSA, DSA, and finite-field Diffie-Hellman. NIST's current PQC transition guidance reflects the timeline in that draft: new deployments of quantum-vulnerable algorithms targeted for deprecation by 2030, with full legacy retirement by 2035, and high-risk uses subject to earlier deadlines. This provides the technical basis for "state of the art" arguments under NIS2 Article 21(1). The transitional period for the algorithms NIS2-covered entities are currently relying on is now formally open. An entity that is not tracking this transition is not tracking the state of the art.

For EU digital infrastructure entities and trust service providers, ETSI TS 119 312 (Electronic Signatures and Trust Infrastructures: Cryptographic Suites) is the primary EU technical reference for algorithm selection in qualified trust services under eIDAS. ETSI TR 103 619, published in 2022, addressed quantum-safe cryptography specifically, and the ETSI Electronic Signatures and Infrastructures committee continues to update TS 119 312 to include post-quantum algorithm suites. NIS2 entities in sectors where eIDAS compliance is relevant should track ETSI TS 119 312 updates as the EU's closest current equivalent to a binding algorithm mandate for digital infrastructure.

Three actions that close the gap within the NIS2 framework

The gap does not require completing the migration before the next supervisory assessment. It requires demonstrating that the risk has been identified and a proportionate response is underway. These three actions achieve that.

Complete a Cryptographic Bill of Materials. A CBOM is a structured inventory mapping every cryptographic asset across the entity's estate: algorithm, key size, protocol, certificate, library version, and the system or data flow each instance protects. It also records the confidentiality lifetime of the data and the migration complexity of each system. NIS2 Article 21(1) requires a risk management framework that identifies and assesses cyber risks. A CBOM is the instrument that makes it possible to identify the post-quantum risk within an Article 21-compliant framework. Without one, the organisation cannot claim to have assessed the cryptographic risk. The NIST NCCoE SP 1800-38B migration guidance covers the CBOM methodology in detail.
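As an added illustration of how a CBOM feeds the Article 21 risk register (example code written for this article, not NIST or NCCoE material), the script below records the inventory fields listed above for each cryptographic asset, classifies each entry against the confidentiality-lifetime problem and the NIST IR 8547 timeline, and orders the treatment plan. The system names, libraries and lifetimes are constructed sample data; the 2033 risk-window year is this article's planning assumption.

```python
from dataclasses import dataclass

# Planning years: 2030/2035 are the NIST IR 8547 (ipd) proposed deprecation and
# retirement years; 2033 is the CRQC risk-window year used in this article.
DEPRECATE_BY, RETIRE_BY, RISK_WINDOW = 2030, 2035, 2033
# Families broken by Shor's algorithm (HNDL-relevant only when used for key exchange).
QUANTUM_VULNERABLE = {"RSA", "ECDH", "X25519", "ECDSA", "Ed25519", "DSA", "FFDH"}
# FIPS 203/204/205 algorithms and the X25519+ML-KEM-768 hybrid from the IETF drafts.
PQ_OR_HYBRID = {"ML-KEM-768", "X25519MLKEM768", "ML-DSA-65", "SLH-DSA-128s"}

@dataclass
class CbomEntry:
    system: str
    data_flow: str
    purpose: str                 # "kex" (confidentiality) or "sig" (authentication)
    algorithm: str
    key_bits: int                # 0 where no single key size applies (hybrids)
    protocol: str
    library: str
    confidentiality_until: int   # year until which the protected data must stay secret
    migration_effort: str        # "low" | "medium" | "high"

def triage(e: CbomEntry):
    """Classify one inventory entry for the Article 21 risk register: (priority, reason)."""
    if e.algorithm in PQ_OR_HYBRID:
        return "protected", "already PQ or hybrid; track library and standard updates"
    if e.algorithm not in QUANTUM_VULNERABLE:
        return "review", "unclassified algorithm family; assess manually"
    if e.purpose == "kex" and e.confidentiality_until > RISK_WINDOW:
        return "hndl-critical", (f"Shor-vulnerable key exchange protecting data secret until "
                                 f"{e.confidentiality_until}, beyond the {RISK_WINDOW} window")
    return "deprecation-bound", f"replace before {DEPRECATE_BY}, retire by {RETIRE_BY}"

def migration_order(entries):
    """Treatment-plan ordering: HNDL-critical flows first, then cheapest migrations first."""
    rank = {"hndl-critical": 0, "deprecation-bound": 1, "review": 2, "protected": 3}
    effort = {"low": 0, "medium": 1, "high": 2}
    return sorted(entries, key=lambda e: (rank[triage(e)[0]], effort[e.migration_effort]))

# Constructed sample inventory (hypothetical systems, not taken from any real entity).
SAMPLE_CBOM = [
    CbomEntry("scada-gw-01", "OT telemetry to control centre", "kex", "X25519", 256,
              "TLS 1.3", "openssl 3.0", 2045, "high"),
    CbomEntry("hr-portal", "employee self-service", "kex", "RSA", 2048,
              "TLS 1.2", "openssl 1.1.1", 2027, "low"),
    CbomEntry("fw-signing", "firmware update signatures", "sig", "ECDSA", 256,
              "custom", "mbedtls 3.4", 2040, "medium"),
    CbomEntry("backup-link", "site-to-site replication", "kex", "X25519MLKEM768", 0,
              "TLS 1.3", "openssl 3.5", 2045, "low"),
]
```

Running `triage` over `SAMPLE_CBOM` marks the telemetry link as HNDL-critical despite its high migration effort, while the already-hybrid backup link drops to the bottom of the plan.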

Deploy hybrid key exchange on high-risk data flows. Hybrid key exchange combines X25519 with ML-KEM-768 in a single TLS 1.3 handshake. X-Wing, a general-purpose hybrid KEM based on X25519 and ML-KEM-768, is specified in the IETF CFRG Internet-Draft draft-connolly-cfrg-xwing-kem. Hybrid key exchange in TLS 1.3 is addressed by the TLS WG hybrid-design draft and related named-group work. Google Chrome and Cloudflare have operated hybrid configurations in production since 2023 to 2024; the operational risk is well-characterised. A hybrid deployment provides HNDL protection for new traffic from the point of deployment: traffic captured after hybrid deployment requires a quantum attack on ML-KEM, not merely on ECDHE. For an entity holding long-lived sensitive data with a confidentiality requirement extending into the 2033 to 2035 risk window, the risk of not deploying is greater than the operational risk of deployment.
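To verify that a hybrid deployment is actually in effect, a defender can inspect what clients offer in the supported_groups extension of the ClientHello. The parser below is an added example written for this article (not Chrome, Cloudflare or IETF code); it assumes the named-group codepoints registered for the hybrid drafts (X25519MLKEM768 = 0x11EC) and builds its own minimal ClientHello as constructed sample input.

```python
import struct

# supported_groups codepoints: classical ECDHE groups from the TLS registry, hybrid
# ML-KEM groups from draft-ietf-tls-ecdhe-mlkem (X25519MLKEM768 = 0x11EC).
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519",
               0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
               0x11ED: "SecP384r1MLKEM1024"}
HYBRID_GROUPS = {0x11EB, 0x11EC, 0x11ED}

def build_client_hello(groups):
    """Construct a minimal ClientHello record carrying one supported_groups extension.
    Sample input for the parser below; not a complete handshake message."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # legacy_version, random, no session id
    body += struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                # legacy_compression_methods: null
    lst = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(lst)) + lst
    exts = struct.pack("!HH", 0x000A, len(ext_data)) + ext_data   # extension type 10
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # TLS record, type handshake

def offered_groups(record):
    """Walk a ClientHello record and return the supported_groups codepoints in offer order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
    p += 1 + record[p]                                  # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # legacy_compression_methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p < ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0x000A:
            n = struct.unpack("!H", record[p:p + 2])[0]
            return list(struct.unpack(f"!{n // 2}H", record[p + 2:p + 2 + n]))
        p += ext_len
    return []

def hybrid_report(record):
    """Audit view: named groups offered and whether a hybrid ML-KEM group is among them."""
    groups = offered_groups(record)
    names = [GROUP_NAMES.get(g, f"unknown(0x{g:04x})") for g in groups]
    return {"groups": names, "hybrid_offered": any(g in HYBRID_GROUPS for g in groups),
            "hybrid_preferred": bool(groups) and groups[0] in HYBRID_GROUPS}
```

Feeding captured ClientHello records from a high-risk flow through `hybrid_report` shows whether clients offer, and prefer, a hybrid group; a server that honours client preference then negotiates ML-KEM-protected key exchange for that traffic.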

Add a PQC roadmap question to your supplier due diligence process. Article 21(2)(d), read with Article 21(3), creates an obligation to assess the security practices of tier-1 ICT suppliers. The question is simple: what is your post-quantum cryptography roadmap, and when will your cryptographic interfaces support ML-KEM and ML-DSA? Suppliers without an answer are a risk item in your NIS2 risk management framework, and the gap should be documented and tracked. This question is becoming standard in enterprise procurement for NIS2-covered entities.

The EU regulatory stack for critical infrastructure

For operators in EU-regulated sectors, post-quantum cryptography is not a single-instrument obligation. The cumulative weight of the regulatory stack is pointing consistently in one direction.

NIS2 Article 21 creates the framework obligation on cryptographic risk management. DORA Article 9(2) creates parallel obligations for EU financial entities and their critical ICT service providers. The EU Cybersecurity Act (Regulation (EU) 2019/881), particularly Articles 46 to 54 on ICT product security certification, provides the certification framework against which post-quantum capable products will be assessed as the ENISA certification schemes mature. The EU AI Act's security requirements for high-risk AI systems, where those systems are deployed in critical infrastructure contexts, add a further layer. For operators of AI-augmented critical infrastructure, the quantum security and AI security obligations overlap. That intersection is examined in our analysis at the EU AI Act and quantum security for critical infrastructure.

What proportionate action looks like in 2026

For an NIS2 essential entity: complete the CBOM, deploy hybrid key exchange on high-risk data flows handling data with long confidentiality lifetimes, add the PQC roadmap question to all tier-1 ICT supplier due diligence, and update the risk register to include the quantum threat with a documented treatment plan and migration phasing. This constitutes a proportionate response under Article 21(1): it demonstrates that the risk has been assessed and a phased treatment programme is underway.

For an NIS2 important entity with limited technical resource: prioritise the CBOM for your highest-confidentiality data stores. Engage your ICT managed service provider on their post-quantum migration timeline. Document both. A supervisory assessment under Article 33 looks for evidence of risk identification and proportionate response, not migration completion. The absence of any documented assessment is the position that fails the proportionality test. A documented partial programme is materially better.

The supervisory question under Articles 32 and 33 is not "have you finished migrating?" It is "have you assessed the risk and is a proportionate response under way?" An entity with a CBOM and a documented migration plan satisfies the second question. An entity with neither does not satisfy the first.

Sources