Quantum Security CPD: How UK and EU Security Professionals Build a Recognised Portfolio

Consider the professional's actual position: you hold a CISM and a Chartered IT Professional designation, your CPD log is current, and your organisation is asking you to advise on its post-quantum cryptographic migration timeline. Nothing in your existing CPD portfolio covers how to choose between ML-KEM-768 and ML-KEM-1024, how to run a cryptographic asset register, or how to calculate harvest-now-decrypt-later (HNDL) exposure for data with a ten-year retention requirement. That gap is real, and it exists now.

NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024. DORA has applied in full since 17 January 2025. NIS2's transposition deadline has passed and member states are bringing national implementing law into force. The regulatory infrastructure exists. The CPD infrastructure does not yet match it. This article maps the frameworks that do exist, identifies where quantum security competency sits within each, and sets out what a complete quantum security CPD record looks like in 2026.

UK CPD Frameworks and Quantum Security

ISACA CPE (CISM, CRISC, CDPSE, CISA, CGEIT)

ISACA requires CISM holders to earn a minimum of 20 Continuing Professional Education (CPE) hours per year and 120 CPE hours across each three-year cycle. CPE must be relevant to information security management and is self-reported against ISACA's published acceptance criteria. Quantum security competency sits most naturally within the CISM domains for Information Security Risk Management and Information Security Program, with the threat-horizon element also relevant to Information Security Governance.

The practical CPD case for ISACA holders is regulatory, not abstract. A CISM advising a covered entity's management body on cyber risk works against a direct NIS2 Article 20 obligation: the management bodies of covered entities must follow training on cybersecurity risk management. DORA's RTS on ICT risk management (Commission Delegated Regulation (EU) 2024/1774) requires cryptographic policies to provide for updating or changing cryptographic technology in response to developments in cryptanalysis, and quantum cryptanalysis falls squarely within that provision. Documenting CPD activity against those specific articles, and against FIPS 203/204/205 as the published algorithm standards, produces entries that are more credible at audit than a note of generic attendance at a security conference.

The technical depth gap is worth naming directly: ISACA's CPE programme and the CISM examination curriculum do not cover PQC algorithm selection at implementation level. A CISM holder who completes ISACA's PQC Playbook has the governance framing. They do not yet have the technical depth to specify ML-KEM parameter sets in a procurement document. [ASSUMED, ISACA has published a PQC Playbook resource; verify that the publication exists and confirm the correct URL before publication.]

BCS CITP CPD (Chartered IT Professionals)

BCS requires 35 CPD hours per year to maintain Chartered IT Professional status. BCS CPD is self-directed and competency-mapped to the BCS Professional Framework. Quantum security most naturally sits within Domain 4 (Technology) and Domain 5 (Security) of the BCS Professional Framework [INFERRED, domain classification follows from the framework's published domain definitions; verify against the current BCS Professional Framework].

BCS does not maintain a pre-approved provider list. What BCS CPD documentation requires is specificity of learning outcome: attending a workshop and noting "learned about post-quantum cryptography" is weaker than documenting "covered FIPS 203 ML-KEM parameter selection for TLS hybrid deployment, cryptographic inventory methodology per NIST SP 1800-38, and HNDL risk quantification using Mosca's inequality." The second entry demonstrates a specific learning outcome against named standards. That is what makes CPD evidence credible at charter renewal.

CIISec CPD (Chartered Security Professionals and Members)

The Chartered Institute of Information Security operates a tiered membership model with CPD expectations that increase with seniority. Chartered status obtained through CIISec requires demonstrating ongoing competency through structured CPD [verify the exact designation before publication: Chartered Security Professional (CSyP) is the Security Institute's register, and CIISec's chartered route runs through the UK Cyber Security Council]. CIISec publishes a Skills Framework with defined competency clusters. Quantum security maps directly across three clusters: Cluster 3 (Cryptography and PKI), Cluster 7 (Security Architecture), and Cluster 14 (Emerging Technologies) [INFERRED, cluster mapping follows from the framework's published cluster definitions; verify current cluster naming and numbering, as CIISec revises the framework periodically].

CIISec's cluster model is the most useful of the UK frameworks for positioning quantum security CPD precisely. PQC algorithm selection is a Cluster 3 competency. Post-quantum PKI architecture sits in Cluster 7. CRQC (cryptographically relevant quantum computer) threat assessment belongs in Cluster 14. A chartered CIISec member can build a quantum security CPD record that maps directly to the framework's own categories, rather than fitting it under a broadly defined adjacent domain.

NCSC CCP (Government and CNI Roles)

The NCSC Certified Cyber Professional scheme provides the competency framework widely used as an employability benchmark in UK government and regulated critical infrastructure roles. CCP's 14 specialisms do not currently include a dedicated quantum security or PQC specialism [verify against the current CCP specialism list before publication]. Security professionals building CCP-aligned portfolios must position quantum security CPD within the existing specialisms that cover it: Cryptographic Solutions (algorithm migration and parameter selection), Security Architecture (post-quantum design patterns), and Risk Assessment (HNDL exposure analysis and Mosca inequality application).

The absence of a dedicated specialism does not reduce the CPD value. It means practitioners need to map their quantum security work to the relevant specialism's competency descriptors with precision. Vague entries do not strengthen a CCP portfolio; specific claims, such as algorithm names, NIST FIPS numbers, and methodology references, make the record defensible.

EU CPD Frameworks and Quantum Security

ENISA ECSF (European Cybersecurity Skills Framework)

ENISA published the European Cybersecurity Skills Framework in 2022 [verify whether ENISA has issued a later revision before publication]. The ECSF defines 12 cybersecurity professional roles with associated knowledge, skills, and competency descriptors. Quantum security practitioners most directly fall under the Cybersecurity Implementer (Role 8), Cybersecurity Architect (Role 5), and Cybersecurity Researcher (Role 9) profiles; governance-level professionals are closer to Cybersecurity Risk Manager (Role 10).

The current ECSF does not name FIPS 203, 204, or 205 as specific knowledge areas, and ML-KEM and ML-DSA are not listed as named competencies [consistent with the published ECSF; verify whether ENISA has released a 2025-2026 revision before publication]. The EU-specific reference documents that fill this gap are ENISA's post-quantum cryptography migration guidance (most recently 2024) and ETSI TS 119 312 (Electronic Signatures and Infrastructures; Cryptographic Suites, v1.4.1, 2023) [verify the exact titles and versions]. EU practitioners should cite these directly in CPD records rather than relying on the ECSF's generic competency language.

DORA-Driven CPD (Financial Sector)

For ICT risk professionals at DORA-covered financial entities, quantum security CPD is not simply credential maintenance. It is building documented evidence of regulatory compliance. DORA Article 6 requires a comprehensive ICT risk management framework that keeps pace with evolving threats. Commission Delegated Regulation (EU) 2024/1774 (the RTS on ICT risk management) requires cryptographic policies to provide for updating or changing cryptographic technology on the basis of developments in cryptanalysis, which is the hook for quantum-era cryptanalytic risk [verify the exact article number in the Delegated Regulation before citing it]. The state-of-the-art cryptographic controls obligation is set out in the RTS, not in Article 13 of the parent regulation (DORA Article 13 covers learning and evolving).

A DORA-covered ICT risk manager's CPD log entry for a PQC training programme should reference DORA Article 6 and the RTS by designation. The argument for quantum security CPD in a DORA context is not "it might be useful". It is "DORA Article 6 and the RTS (Delegated Regulation (EU) 2024/1774) create a documented regulatory obligation to maintain current competency in this area, and I can evidence it." That is a different category of CPD justification from credential maintenance.

NIS2 Article 20 Training Obligations

NIS2 (Directive (EU) 2022/2555), with a transposition deadline of 17 October 2024, requires the management bodies of essential and important entities to approve and oversee cybersecurity risk management measures and to follow training on them. Germany's BSI, France's ANSSI, and the Netherlands' NCSC have each issued NIS2 compliance guidance that carries implicit workforce competency requirements in areas including cryptographic risk [INFERRED, national guidance implies workforce competency requirements; verify the specific published guidance documents before citing national agency positions].

For technical practitioners at NIS2-covered entities, the Article 20 training floor is a minimum, not a ceiling. Practitioners advising covered entities on post-quantum cryptographic migration need competency at implementation depth, not governance awareness. The regulatory obligation does not specify the training content; it specifies the outcome. A practitioner who can demonstrate specific PQC migration competency in their CPD record is in a materially stronger position at regulatory review than one whose CPD log shows generic security awareness activity.

What a Complete Quantum Security CPD Record Looks Like

The concrete template for a CPD record that covers quantum security across ISACA, BCS, CIISec, and DORA-driven frameworks:

Regulatory foundations: NIST FIPS 203/204/205 (August 2024) and NIST IR 8547 (November 2024, initial public draft; check for final publication) as the US standards baseline; NIS2 and DORA as the EU regulatory anchors; NCSC PQC guidance as the UK anchor. These are the source documents. CPD records that cite them by name carry more weight than those that reference "PQC training" generically.

Technical depth: Understanding of the ML-KEM parameter sets and when to use each: ML-KEM-768 for general internet applications, ML-KEM-1024 for the highest-assurance contexts. Hybrid scheme rationale and configuration: X25519 combined with ML-KEM-768 for TLS during the transition period (the X25519MLKEM768 group defined in the IETF TLS working group draft), with NIST SP 1800-38 and ETSI TS 103 744 as the migration and hybrid key exchange references. Cryptographic inventory methodology: the NIST SP 1800-38 approach of discovering every cryptographic asset, planning, prioritising by exposure, and migrating.

Governance dimension: HNDL risk assessment methodology, covering data classification by retention period and sensitivity, combined with Mosca's inequality (X + Y > Z, where X is the required confidentiality lifetime of the data, Y the time needed to migrate, and Z the time until a CRQC exists; if it holds, the data is already exposed) to determine migration urgency. Q-Day timeline calibration: the 2033 to 2035 credible lower bound based on Webber et al. (AVS Quantum Science, 2022), presented as a risk window rather than a guaranteed date. Board communication on quantum risk framed against the regulatory timeline rather than against speculative hardware projections.
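The asset register and HNDL assessment described in the two entries above, carried through as a worked example. This is added illustrative code, not QSECDEF's methodology or any framework's tooling; the register entries, the 2026 reference year and the retention and migration estimates are constructed for illustration, and the 2033 to 2035 window is taken from the article's own Q-Day calibration. It classifies each asset by whether Mosca's inequality X + Y > Z holds at either end of the window and orders the register by how far each asset is past its deadline.

```python
"""HNDL exposure check over a cryptographic asset register using Mosca's inequality.

Added example. The register, years and estimates below are constructed.
"""
from dataclasses import dataclass

CURRENT_YEAR = 2026        # assumed reference year for the assessment
Q_DAY_EARLIEST = 2033      # early end of the article's credible Q-Day window
Q_DAY_LATEST = 2035        # late end of the same window

# Primitives whose key establishment or signatures fall to Shor's algorithm.
# Symmetric primitives (AES-256) and hybrid/PQC combinations are deliberately absent:
# their stored ciphertext is not recoverable by a CRQC, so they carry no HNDL exposure.
SHOR_VULNERABLE = {
    "RSA-2048", "RSA-3072", "RSA-4096", "DH-2048",
    "ECDH-P256", "ECDSA-P256", "X25519", "Ed25519",
}


@dataclass(frozen=True)
class CryptoAsset:
    name: str
    key_establishment: str   # primitive protecting the data's session or wrapping keys
    retention_years: int     # X: how long the data must remain confidential
    migration_years: float   # Y: estimated time to migrate this asset to PQC


def is_hndl_candidate(asset: CryptoAsset) -> bool:
    """Only classically protected asymmetric key establishment is harvestable."""
    return asset.key_establishment in SHOR_VULNERABLE


def mosca_margin(asset: CryptoAsset, q_day_year: int, current_year: int = CURRENT_YEAR) -> float:
    """Return Z - (X + Y). Negative means the data is exposed under this Q-Day assumption."""
    z = q_day_year - current_year
    return z - (asset.retention_years + asset.migration_years)


def classify(asset: CryptoAsset, current_year: int = CURRENT_YEAR) -> str:
    """Three-way verdict against both ends of the Q-Day window."""
    if not is_hndl_candidate(asset):
        return "not HNDL-exposed"
    if mosca_margin(asset, Q_DAY_LATEST, current_year) < 0:
        return "exposed"          # fails even if the CRQC arrives at the late end
    if mosca_margin(asset, Q_DAY_EARLIEST, current_year) < 0:
        return "at risk"          # fails only if the CRQC arrives at the early end
    return "within window"


def latest_migration_start(asset: CryptoAsset, q_day_year: int = Q_DAY_EARLIEST) -> float:
    """Year by which migration must start so it finishes before Q-Day minus retention."""
    return q_day_year - asset.retention_years - asset.migration_years


def prioritise(assets: list[CryptoAsset], current_year: int = CURRENT_YEAR) -> list[CryptoAsset]:
    """HNDL candidates ordered most-exposed first (smallest margin at the early Q-Day)."""
    candidates = [a for a in assets if is_hndl_candidate(a)]
    return sorted(candidates, key=lambda a: mosca_margin(a, Q_DAY_EARLIEST, current_year))


# Constructed sample register; names and figures are illustrative only.
SAMPLE_REGISTER = [
    CryptoAsset("customer-records-archive", "RSA-2048", retention_years=10, migration_years=2.0),
    CryptoAsset("tls-edge-gateway", "X25519", retention_years=1, migration_years=1.0),
    CryptoAsset("internal-vpn", "ECDH-P256", retention_years=7, migration_years=1.5),
    CryptoAsset("backup-encryption", "AES-256", retention_years=10, migration_years=0.5),
    CryptoAsset("hybrid-tls-pilot", "X25519MLKEM768", retention_years=3, migration_years=0.5),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        print(f"{a.name:26} {classify(a):16} "
              f"margin@{Q_DAY_EARLIEST}={mosca_margin(a, Q_DAY_EARLIEST):+.1f}y "
              f"start-by={latest_migration_start(a):.0f}")
    for a in SAMPLE_REGISTER:
        if not is_hndl_candidate(a):
            print(f"{a.name:26} {classify(a)}")
```

Run stand-alone it lists the three classically protected assets with the archive first: ten years of retention plus two years of migration already exceeds the seven years to the early Q-Day bound, and its start-by year is in the past. The register deliberately treats the hybrid pilot and the AES-256 backups as outside HNDL scope, which is the distinction a CPD entry on data classification should be able to evidence.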

Documentable activity: A CPD entry that reads "Attended QSECDEF workshop on PQC migration, covering FIPS 203/204/205 algorithm selection, hybrid deployment with X25519+ML-KEM-768, and HNDL risk assessment methodology" produces a defensible CPD record. An entry that reads "Attended a quantum security course" does not. For ISACA, BCS, and CIISec CPD purposes, specific learning outcomes against named standards are the currency of credible documentation.

The Direction of Travel

ISACA has published a PQC Playbook. ENISA has updated its PQC migration guidance. The ECSF is likely to name ML-KEM and ML-DSA as knowledge competencies in a future revision. The professional credential bodies are moving. The pace is not aligned with the regulatory timeline.

The practical position for UK and EU security professionals in 2026 is that waiting for framework updates is not viable. NIST has published the algorithm standards. ENISA has published migration guidance. The NCSC has published the UK PQC guidance. DORA and NIS2 are already in effect. The case for building quantum security competency now, and documenting it against the frameworks and regulations that already exist, is straightforward. The frameworks will catch up. The regulatory exposure does not wait for them.

For a comparison of how ISC2 and ISACA handle quantum security professional development, see the ISC2 and ISACA quantum security professional comparison. On how existing certifications map to quantum security competency, the existing certifications and quantum security coverage analysis is worth reading alongside this.

QSECDEF's certificated training programme covers FIPS 203/204/205 algorithm selection, hybrid scheme deployment, cryptographic inventory methodology, and HNDL risk assessment. Attendance generates documentable CPD hours under ISACA CPE, BCS CPD, and CIISec CPD frameworks. Details at QSECDEF certificated training programme. QSECDEF professional membership provides access to the full practitioner methodology library.


About the Author

Steven Vaile is Director at Quantum Security Defence and a specialist in post-quantum cryptography migration strategy for enterprise and government organisations. He speaks at international quantum security forums including the QSECDEF World Symposium. About QSECDEF | Membership | LinkedIn