This article analyses where post-quantum cryptography intersects with DORA obligations and cyber insurance underwriting. It does not constitute legal or insurance advice. Organisations must seek qualified legal, regulatory, and insurance counsel before making decisions. DORA article references reflect the legislation as of May 2026.

How to Include Post-Quantum Cryptography Requirements in a Quantum Security Insurance Review

The scenario is increasingly common. A risk manager at an EU insurance undertaking is preparing for annual cyber insurance renewal in early 2026. The underwriter questionnaire includes a new section on cryptographic controls: has the organisation assessed its exposure to quantum-enabled cryptographic attack? What algorithms protect its data in transit? Is there a post-quantum migration roadmap?

These are not theoretical questions. They are appearing on real questionnaires from underwriters who are beginning to incorporate quantum security posture into their risk assessment process. [INFERRED, underwriter questionnaire practice; verify against a current insurer or broker guidance document before publication.] The practical question is what a credible answer looks like, and how DORA's ICT risk management framework shapes what the insurer actually expects to see.

What DORA Requires on Cryptographic Controls

DORA (Regulation (EU) 2022/2554) entered full enforcement in January 2025 and applies to 20 categories of EU financial entity, including credit institutions, investment firms, insurance undertakings, payment institutions, and crypto-asset service providers. The three articles most directly relevant to post-quantum cryptographic risk are Articles 6, 9, and 13.

Article 6 requires covered entities to maintain a comprehensive ICT risk management framework that is documented and reviewed at least annually. That framework must address advanced persistent threats and the full evolution of the threat landscape. Post-quantum cryptographic risk, including the harvest-now-decrypt-later (HNDL) threat and the prospective capability of a cryptographically relevant quantum computer (CRQC) to break RSA and ECC key establishment, is an ICT risk under Article 6. [INFERRED, PQC risk classification as ICT risk follows from Article 6's scope over advanced and evolving threats; check whether EBA/ESAs have issued supervisory guidance explicitly classifying quantum risk as an Article 6 ICT risk.]

Article 9 requires cryptographic controls for data in transit and data at rest. The requirement to deploy cryptographic controls that reflect the state of the art is set out in the DORA RTS (Commission Delegated Regulation (EU) 2024/1774); verify the exact article number in the Delegated Regulation before publication. That phrase is a living standard. NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), published in August 2024, define the current direction for what "state of the art" post-quantum cryptographic controls mean. Using RSA or ECDH where ML-KEM could reasonably be deployed will increasingly fail to represent the state of the art as these standards move into operational use. [INFERRED, "state of the art" evolution follows from EU regulatory interpretation precedent and FIPS 203/204/205 publication; not yet a settled supervisory determination but the predictable direction.]

Commission Delegated Regulation (EU) 2024/1774 (the RTS on ICT risk management tools, methods, processes, and policies) operationalises Article 6. Its Article 6 requires covered entities to develop and implement a cryptographic controls policy that includes provisions for updating cryptographic technology based on developments in cryptanalysis. The recitals name quantum advancements explicitly as the class of cryptanalytic development the requirement addresses. This is the legislative connection between DORA and post-quantum cryptography: not a specific algorithm mandate, but an outcome-based obligation to maintain cryptographic resilience as quantum-era threats develop.

The practical implication for compliance programmes: a DORA-covered entity whose ICT risk management framework says nothing about post-quantum cryptographic risk is not implementing Article 6 comprehensively. The standard in 2026 is not "fully deployed PQC". No large financial entity is there. The standard is "assessed, documented, and planned."

For a full analysis of DORA's cryptographic controls requirements in the PQC context, see the DORA post-quantum cryptography ICT risk requirements insight.

What an Insurance Review Should Document

A cyber insurance quantum security review that satisfies both DORA Article 6 and a typical underwriter questionnaire requires documentation across four areas.

Cryptographic Asset Register

The first step is an inventory. Which cryptographic algorithms protect which data flows and stored datasets across the entity's infrastructure? Specifically, where are RSA and ECC deployed in TLS sessions, document signing, authentication infrastructure, software signing pipelines, and data-at-rest encryption? NIST SP 1800-38 (NCCoE PQC Migration Project, 2024) provides the technical methodology: a four-phase approach of Discover, Plan, Prioritise, and Migrate. A Cryptographic Bill of Materials (CBOM), a structured inventory of all cryptographic dependencies including those in third-party components, is the output of the discovery phase.

In my experience working with financial entities on this: the inventory phase consistently takes longer than anticipated, six to twelve months for a large institution, because cryptographic dependencies are embedded in commercial software, HSM firmware, and network infrastructure that the organisation's own security team did not build. Starting this work now is more valuable than waiting for any other milestone.

HNDL Risk Assessment

Harvest now, decrypt later (HNDL) is the mechanism that makes the quantum cryptographic threat present-tense rather than future-tense. An adversary with traffic collection capability can capture TLS sessions, VPN tunnels, and encrypted inter-system communications today, store them, and decrypt retrospectively once a CRQC becomes available. For EU financial entities, the HNDL risk is highest in data categories whose retention requirements extend into the 2033 to 2035 CRQC credible risk window (Webber et al., AVS Quantum Science, 2022): inter-bank settlement records, trading data subject to MiFID II five-year retention requirements [verify Article 72, MiFID II, for correct article number and retention period against current consolidated text], customer account data, actuarial records, and insurance policy documentation.

A risk assessment that classifies data by retention period and current encryption status, then scores HNDL risk against the Mosca inequality (the data's required confidentiality lifetime plus the time needed to migrate exceeds the time until a CRQC is available), is what both DORA Article 6 (ICT risk management framework) and an underwriter questionnaire will recognise as a credible risk posture. The Solvency II Own Risk and Solvency Assessment (ORSA) [verify Article 45, Solvency II Directive 2009/138/EC] provides a ready vehicle for incorporating this forward-looking quantum risk assessment for DORA-covered insurers.
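As an added illustration, not code from the original article, the following Python sketch ties the cryptographic asset register from the previous section to the HNDL scoring described here: each flow in the register carries its retention period (X), its current key exchange, and an estimated migration time (Y), and is scored with the Mosca inequality X + Y > Z against both ends of the 2033 to 2035 CRQC window. The sample register, retention figures and migration estimates are constructed assumptions, not values from any regulation or real entity.

```python
from dataclasses import dataclass

# Constructed assumptions for this example; the real inputs come from the
# entity's own cryptographic asset register and retention schedules.
ASSESSMENT_YEAR = 2026
CRQC_WINDOW = (2033, 2035)   # credible-risk window cited in the article
QUANTUM_SAFE_KEX = {"X25519+ML-KEM-768", "ML-KEM-768", "ML-KEM-1024"}

@dataclass(frozen=True)
class DataFlow:
    name: str
    retention_years: float   # X: how long captured data must stay confidential
    key_exchange: str        # algorithm protecting the flow today
    migration_years: float   # Y: estimated time to move this flow to hybrid/PQC

def mosca_margin(flow: DataFlow, crqc_year: int) -> float:
    """X + Y - Z in years; positive means captured traffic outlives its protection."""
    z = crqc_year - ASSESSMENT_YEAR
    return flow.retention_years + flow.migration_years - z

def hndl_rating(flow: DataFlow) -> str:
    """Rate HNDL exposure using both ends of the CRQC window."""
    if flow.key_exchange in QUANTUM_SAFE_KEX:
        return "mitigated"      # harvested traffic gains nothing from a CRQC
    earliest, latest = CRQC_WINDOW
    if mosca_margin(flow, latest) > 0:
        return "high"           # exposed even if the CRQC arrives late
    if mosca_margin(flow, earliest) > 0:
        return "medium"         # exposed only if the CRQC arrives early
    return "low"

def prioritise(flows):
    """Order the register for the roadmap: unmitigated flows, worst margin first."""
    ranked = [(f.name, hndl_rating(f), mosca_margin(f, CRQC_WINDOW[0])) for f in flows]
    return sorted(ranked, key=lambda r: (r[1] != "mitigated", r[2]), reverse=True)

# Constructed sample register (retention and migration figures are illustrative)
REGISTER = [
    DataFlow("trading records (MiFID II, 5y)", 5, "ECDHE-RSA", 1.0),
    DataFlow("customer account data", 7, "ECDHE-RSA", 1.5),
    DataFlow("actuarial records", 10, "RSA-2048", 2.0),
    DataFlow("public website TLS", 1, "X25519+ML-KEM-768", 0.0),
]

if __name__ == "__main__":
    for name, rating, margin in prioritise(REGISTER):
        print(f"{rating:9s} margin={margin:+.1f}y  {name}")
```

The ordered output is the input to the Phase 1 to Phase 3 sequencing in the next section: flows rated "high" are the ones whose retention already reaches into the CRQC window and so belong in the earliest hybrid deployment wave.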

Migration Roadmap

A credible roadmap in 2026 does not need to show completed PQC deployment. It needs to show a sequenced plan with defined phases. A reasonable structure:

Phase 1 (immediate to 12 months): hybrid TLS deployment (X25519+ML-KEM-768) for internet-facing and inter-entity communications. This protects new traffic from HNDL from the point of deployment. Google Chrome and Cloudflare have operated hybrid ML-KEM-768 in production TLS since 2023; the engineering is validated at scale.

Phase 2 (12 to 24 months): PKI and certificate infrastructure migration to ML-DSA-65 (3,309-byte signature per FIPS 204) for general signing; ML-DSA-87 (4,627-byte signature) for highest-assurance contexts including eIDAS qualified trust services.

Phase 3 (24 to 48 months): re-encryption or replacement of highest-risk data at rest; update of long-duration document signatures to SLH-DSA (FIPS 205) for contexts where hash-based security assumptions complement the lattice basis of ML-DSA.

Vendor roadmap letters from critical ICT third-party providers, confirming ML-KEM and ML-DSA support timelines, are part of the documentation that satisfies DORA Article 28. That article requires due consideration of whether ICT third-party providers maintain "the most up-to-date and highest quality information security standards." A cloud KMS provider with no documented PQC roadmap creates an Article 28 gap in the entity's cryptographic controls posture.

Governance Documentation

Board or management body awareness is not optional under DORA. NIS2 Article 20 requires management bodies at covered entities to receive training on cybersecurity risk management, and DORA Article 4 brings equivalent governance expectations through the ICT risk management framework requirements. A board briefing documenting that management has been informed of quantum risk, the CRQC timeline, the HNDL exposure, and the migration programme is both a DORA compliance artefact and an underwriter signal of governance maturity.

Updating the DORA ICT risk management policy to explicitly name quantum threat as a risk category also serves both purposes. An insurer reviewing that policy can see it directly; a DORA supervisor can see it directly.

For a broader analysis of how quantum security preparedness maps to DORA financial services compliance, see quantum security preparedness for financial services under DORA.

What Underwriters Are Looking for in 2026

The cyber insurance market's approach to quantum risk is not uniform. Most underwriters are at the awareness and monitoring stage rather than actively applying premium penalties or exclusions for the absence of PQC deployment. The differentiation that already matters in 2026 is between entities with a documented programme and entities with nothing. [INFERRED, insurer differentiation on documented programme versus no programme follows from how the cyber insurance market has historically handled emerging risk categories, such as ransomware readiness and MFA requirements; verify against current Lloyd's or Marsh McLennan quantum risk underwriting guidance before publication.]

The near-term trajectory: as the NIST IR 8547 deprecation dates approach, with RSA and ECC deprecated for US federal use after 2030, with EU-aligned timelines expected from ENISA [INFERRED, check for ENISA EU-specific PQC deprecation timeline publication before article goes live], underwriters will increasingly expect to see hybrid TLS deployed and a credible PKI migration timeline. Entities with no programme will face growing questionnaire pressure through 2027 to 2029.

Beyond 2030, entities still relying entirely on classical key establishment face both regulatory exposure under the state-of-the-art standard in the DORA RTS (Commission Delegated Regulation (EU) 2024/1774) and the potential for underwriters to treat the absence of PQC controls as a risk factor in the same way they now treat the absence of MFA or endpoint detection.

The practical conclusion for 2026: the value of starting now is that the competitive bar is still "having a programme at all." An entity that has completed a cryptographic asset register, produced an HNDL risk assessment, and documented a roadmap sits at the leading edge of current market practice. Starting that programme under deadline pressure in 2028 or 2029 means doing the same work in a compressed timeframe without the benefit of iterating on the approach.

The Convergence Point

DORA and the cyber insurance market are converging on the same set of quantum security requirements through different mechanisms. DORA creates a direct regulatory obligation via Articles 6 and 9, with the state-of-the-art cryptographic controls requirement set out in the RTS on ICT risk management (Commission Delegated Regulation (EU) 2024/1774). Underwriters are creating commercial incentives by incorporating quantum security posture into risk pricing. NIST FIPS 203/204/205 provide the algorithm standards. ENISA's PQC Migration Considerations (2024) and ETSI TS 103 744 (Quantum-Safe Hybrid Key Exchanges) provide the EU-specific technical reference documents.

What most covered entities do not yet have is a structured programme that puts these elements into a documented posture demonstrable to a regulator or an underwriter. QSECDEF provides training on the technical components: HNDL risk assessment, cryptographic inventory methodology, PQC algorithm selection for financial services contexts, and DORA-aligned documentation. Information on the programme is at QSECDEF certificated training programme. QSECDEF professional membership gives ICT risk managers access to the practitioner methodology documentation and the community of security professionals navigating the same DORA compliance obligations.


About the Author

Steven Vaile is Director at Quantum Security Defence and a specialist in post-quantum cryptography migration and quantum security strategy for enterprise and financial services organisations. He speaks at international quantum security forums including the QSECDEF World Symposium.