DRAFT — FOR LEGAL REVIEW. This article analyses the quantum security implications of EU regulatory instruments including NIS2, DORA, the EU AI Act, and the EU Cyber Resilience Act. It does not constitute legal or regulatory advice. Organisations must seek qualified counsel before making compliance decisions. Regulatory text citations reflect the state of the instruments as of May 2026.

EU Quantum Security Policy 2026: What the Regulations Require

There is no single EU quantum security regulation. There is instead a cluster of four general cybersecurity instruments whose requirements for cryptographic controls, risk management, and product security happen to include quantum vulnerabilities within their scope. For organisations operating in the EU, understanding how NIS2, DORA, the EU AI Act, and the Cyber Resilience Act interact is more useful than waiting for a dedicated "PQC regulation" that does not exist.

This article maps what each instrument requires in relation to quantum security, calibrated to how direct and mature the obligation is. DORA has the most explicit language; the AI Act the most tentative connection. The UK, no longer an EU member state, is not directly subject to any of these instruments, but UK-established subsidiaries of EU groups or UK ICT providers serving EU essential entities may be in scope for specific obligations at the entity level.

Four Instruments, One Common Challenge

The four instruments cover different populations of organisations and entered into force at different points, but they share a structural feature: none names specific post-quantum algorithms in its operative text. All use technology-neutral language such as "appropriate cryptographic controls," "state of the art," or "current cybersecurity standards." This is deliberate. Technology-neutral drafting avoids embedding specific algorithms in legislation that would need amending each time an algorithm is superseded.

| Instrument | In force | Applies from | Primary scope | PQC relevance |
|---|---|---|---|---|
| NIS2 (Directive (EU) 2022/2555) | January 2023 | October 2024 (transposition) | Essential and important entities across 16 sectors | High |
| DORA (Regulation (EU) 2022/2554) | January 2023 | January 2025 | EU financial entities and ICT third-party providers | High — quantum threat explicit in RTS |
| EU AI Act (Regulation (EU) 2024/1689) | August 2024 | August 2026 (high-risk AI) | Providers and deployers of AI systems in the EU | Emerging — via NIS2/DORA co-application |
| EU Cyber Resilience Act (Regulation (EU) 2024/2847) | December 2024 | December 2027 (main obligations) | Manufacturers of products with digital elements | Forward-looking — firmware signature lifecycle |

The practical mechanism by which each instrument incorporates PQC is the "state of the art" standard. As NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), and FIPS 206 (FN-DSA) become the established technical baseline for post-quantum cryptography, they progressively define what "state of the art" means for organisations implementing the cryptographic controls these instruments require.

NIS2 — Cryptography as a Proportionate Risk Measure

NIS2 Directive (EU) 2022/2555 applies to essential and important entities across 16 sectors listed in Annexes I and II: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space, postal and courier services, waste management, manufacture of critical products, food, and chemicals. Essential entities are large organisations in Annex I sectors; important entities are medium-sized organisations in Annex I sectors and medium/large organisations in Annex II sectors.

Article 21(2)(h) requires essential and important entities to implement "the use of cryptography and, where appropriate, encryption" as part of their cybersecurity risk management measures. Article 21(1) requires those measures to be "appropriate and proportionate" to the risk, taking into account "the state of the art." Commission Implementing Regulation (EU) 2024/2690, which entered into force on 18 October 2024, specifies the technical and methodological requirements for Article 21 measures across specific digital infrastructure sectors and addresses cryptographic controls in Article 4(f).

ENISA's Threat Landscape reports for 2023 and 2024 both identify harvest-now-decrypt-later (HNDL) as an emerging adversarial threat. ENISA's guidance documents following the August 2024 NIST FIPS publication recommend that NIS2-covered systems adopt quantum-resistant algorithms specifically to protect sensitive data subject to HNDL collection. For in-scope organisations, the combination of Article 21(2)(h)'s cryptographic controls obligation and ENISA's explicit HNDL guidance creates a clear expectation to address quantum-era risks in their security frameworks. [ASSUMED: Kelly must verify the precise ENISA publication recommending NIS2 PQC adoption before citing it with a specific title and date.]

For the full analysis of how NIS2 Article 21 creates PQC obligations, including sector-by-sector implications, see NIS2 and post-quantum cryptography: what cyber resilience requires.

DORA — Quantum Threats Explicitly in Scope

DORA (Regulation (EU) 2022/2554) is the strongest EU instrument for explicit quantum security obligations in force today. It applies to credit institutions, investment firms, payment institutions, insurance undertakings, and ICT third-party service providers serving financial entities. DORA became applicable on 17 January 2025.

The connection to quantum security is made in the implementing technical standards. Commission Delegated Regulation (EU) 2024/1774, the RTS on ICT risk management tools, methods, processes, and policies, requires EU financial entities to develop and maintain a policy on encryption and cryptographic controls that addresses updating cryptographic technology in response to developments in cryptanalysis. The recitals to the RTS explicitly name quantum advancements as the class of cryptanalytic development in scope. DORA Article 4 establishes DORA as lex specialis relative to NIS2 for financial entities, meaning the DORA-specific cryptographic controls obligation takes precedence for that sector. [ASSUMED: the exact provision and clause reference for the quantum threat monitoring language in Commission Delegated Regulation (EU) 2024/1774 must be verified against the published text before citation.]

DORA Article 9(2) requires that ICT security measures address confidentiality risks and that risk management frameworks account for the evolution of threats. Article 28 governs ICT third-party service providers and requires financial entities to assess whether critical or important function providers maintain appropriate and up-to-date information security standards, which extends the cryptographic controls obligation through the supply chain.

For DORA-specific PQC obligations across all three pressure points for ICT risk managers, including the harvest-now-decrypt-later exposure and the Article 28 third-party implications, see DORA and post-quantum cryptography: what financial services ICT risk managers must know.

EU AI Act — Where Quantum Intersects

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. General-purpose AI model obligations apply from 2 August 2025; obligations for high-risk AI systems apply from 2 August 2026. The AI Act's quantum security connection is indirect and should not be overstated.

Article 15(5) requires that high-risk AI systems be designed with an appropriate level of cybersecurity. The cybersecurity requirement addresses the AI system's resistance to adversarial attacks, including data poisoning and model inversion. The article does not mandate specific cryptographic standards for protecting AI model parameters or training data. This is an important distinction.

The quantum security relevance arises through co-application with NIS2 and DORA. Annex III of the AI Act lists high-risk AI system categories including AI in critical infrastructure management, health, law enforcement, financial services, and biometric identification. Operators of AI systems in these categories who also fall under NIS2 or DORA face cumulative obligations: AI Act cybersecurity requirements plus the cryptographic controls obligations from the co-applicable regulatory instrument. For those operators, the NIS2 or DORA obligation is the mechanism that brings post-quantum cryptography into scope, not the AI Act itself. Where long-lived sensitive data is processed by a high-risk AI system, the HNDL exposure from the cryptographic protection of that data is a current operational concern.

For the detailed analysis of how the AI Act's security requirements interact with quantum risk for critical infrastructure and financial sector operators, see EU AI Act quantum security: critical infrastructure implications.

EU Cyber Resilience Act — Quantum-Safe by Design

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024. Reporting obligations start 11 September 2026; the main cybersecurity obligations for manufacturers apply from 11 December 2027. The CRA regulates products with digital elements — hardware and software placed on the EU market that connect to a device or network.

Annex I of the CRA specifies essential cybersecurity requirements including: products must be delivered with a secure default configuration; vulnerabilities must be addressed via security updates throughout the product lifecycle; and cryptographic protection must meet the state of the art. The lifecycle security requirement is where the quantum dimension enters. A product placed on the EU market today with a ten-year lifecycle will be in operation well past the 2033-2035 Q-Day planning range. If its firmware authentication uses RSA or ECDSA signatures, those signatures will be vulnerable to a CRQC before the product reaches end of life.

CRA standardisation work is moving towards a state-of-the-art cryptography model where only current-standard cryptographic mechanisms are acceptable defaults. For manufacturers and developers, the practical implication is that new products placed on the EU market from December 2027 must support cryptographically authenticated firmware updates using schemes that remain secure across their expected product lifetime. FN-DSA (FIPS 206) and SLH-DSA (FIPS 205) are the relevant post-quantum signature candidates for constrained-device firmware: FN-DSA where signature compactness matters, SLH-DSA where a stateless hash-based scheme is preferred.

For the full analysis of which product categories are most exposed under the CRA and what manufacturers must do before 2027, see EU Cyber Resilience Act: quantum-vulnerable products and what manufacturers must change.

The Common Technical Foundation

All four instruments point towards the same set of algorithm targets: NIST FIPS 203 (ML-KEM) for key encapsulation replacing RSA and ECDH, FIPS 204 (ML-DSA) for digital signatures replacing ECDSA and RSA-PSS, FIPS 205 (SLH-DSA) for long-lived or stateless signature contexts, and FIPS 206 (FN-DSA) for constrained-device and compact-signature applications. NIST IR 8547 (November 2024) provides the transition timeline: cryptographic inventory complete by 2025-2026, new deployments PQC-only by 2030, legacy migration complete by 2035.
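The Cyber Resilience Act section above describes the lifecycle problem (a firmware signing key still in service past the 2033-2035 Q-Day planning range), and this section gives the algorithm targets and the NIST IR 8547 milestones. The following Python routine, added here as an illustration and not taken from the article or from any regulator's tooling, applies both to a constructed asset inventory: it names the replacement target for each quantum-vulnerable primitive and flags assets whose service life crosses the dates quoted above. The product names, dates and the three-tier target choice are constructed assumptions.

```python
from dataclasses import dataclass
# Quantum-vulnerable primitives mapped to the FIPS replacement targets listed above.
KEM_TARGET = "ML-KEM (FIPS 203)"
SIG_TARGET = "ML-DSA (FIPS 204)"
FIRMWARE_SIG_TARGET = "SLH-DSA (FIPS 205) or FN-DSA (FIPS 206)"
VULNERABLE = {"RSA-OAEP": "kem", "ECDH": "kem", "RSA-PSS": "sig", "ECDSA": "sig"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA"}

Q_DAY_PLANNING_START = 2033       # start of the 2033-2035 Q-Day planning range
NEW_DEPLOYMENTS_PQC_ONLY = 2030   # NIST IR 8547 milestone
LEGACY_MIGRATION_COMPLETE = 2035  # NIST IR 8547 milestone

@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    deployed: int           # year placed in service (constructed sample value)
    lifetime_years: int
    firmware: bool = False  # True when the key signs firmware updates

def triage(asset: Asset) -> dict:
    """Return the replacement target and lifecycle findings for one asset."""
    eol = asset.deployed + asset.lifetime_years
    if asset.algorithm in PQC:
        return {"asset": asset.name, "eol": eol, "target": None, "findings": []}
    kind = VULNERABLE.get(asset.algorithm)
    if kind is None:  # not in either list: needs a human decision, not a guess
        return {"asset": asset.name, "eol": eol, "target": "review", "findings": ["unrecognised algorithm"]}
    # Firmware signing gets the constrained-device candidates named in the CRA section.
    target = KEM_TARGET if kind == "kem" else (FIRMWARE_SIG_TARGET if asset.firmware else SIG_TARGET)
    findings = []
    if eol >= Q_DAY_PLANNING_START:
        findings.append(f"in service at the start of the Q-Day planning range ({Q_DAY_PLANNING_START})")
    if asset.deployed >= NEW_DEPLOYMENTS_PQC_ONLY:
        findings.append("new deployment after 2030 must be PQC-only (NIST IR 8547)")
    if eol > LEGACY_MIGRATION_COMPLETE:
        findings.append("outlives the 2035 legacy migration deadline (NIST IR 8547)")
    return {"asset": asset.name, "eol": eol, "target": target, "findings": findings}

# Constructed sample inventory; product names and dates are illustrative only.
INVENTORY = [
    Asset("smart-meter-fw", "ECDSA", 2026, 10, firmware=True),  # ten-year CRA product lifecycle
    Asset("payments-tls", "ECDH", 2024, 3),
    Asset("hsm-signing", "ML-DSA", 2026, 8),
]

def report(inventory=INVENTORY):
    return [triage(a) for a in inventory]
```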

The EU Commission has publicly discussed a 2030 critical infrastructure quantum-safe ambition, more aggressive than the NIST 2035 full migration target. [ASSUMED: The specific EU Council or Commission document establishing this ambition has not been independently verified against primary EU institution sources. Do not treat this as a binding regulatory deadline; treat it as a stated political aim pending source confirmation.] If a formal target at this level is confirmed in primary documentation, EU-regulated critical infrastructure operators would face a tighter practical timeline than the NIST guidance alone implies.

For a complex organisation, all four instruments may apply simultaneously. A company that manufactures IoT security devices, deploys them in critical infrastructure, processes financial transaction data, and uses AI systems for fraud detection faces CRA product obligations, NIS2 essential entity obligations, DORA financial entity obligations, and AI Act high-risk system obligations. The algorithm targets and migration methodology are consistent across all four. The urgency and compliance timelines are not: DORA obligations are live now; the CRA's main obligations do not start until 2027. The sequencing decision is an organisational one, but the technical work feeds into all four simultaneously.


About the Author

Steven Vaile is Director at Quantum Security Defence. He advises EU-regulated organisations on post-quantum cryptography migration across financial services, critical infrastructure, and product manufacturing. He is a keynote speaker at the QSECDEF World Symposium.