Compliance & Regulatory Strategy
Navigate the complex landscape of PQC compliance requirements across jurisdictions and frameworks.
The PQC Compliance Landscape
Governments and standards bodies worldwide are establishing requirements for the transition to post-quantum cryptography (PQC). For organizations operating across borders, navigating these overlapping and sometimes conflicting requirements is a critical challenge.
“The United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography, with the goal of mitigating as much of the quantum risk as is feasible by 2035.”
— NSM-10, Section 3(a), National Security Memorandum on Promoting United States Leadership in Quantum Computing (May 2022)
NIST, NSA, ETSI, ANSSI, and BSI are all publishing PQC transition guidance with concrete deadlines.
PCI DSS, HIPAA, FedRAMP, and CMMC are incorporating quantum-safe requirements into their compliance frameworks.
Organizations operating in multiple jurisdictions must reconcile different algorithm preferences, timelines, and certification requirements.
Key Frameworks
Understanding the major compliance frameworks driving PQC adoption is essential for building a multi-jurisdiction strategy.
The Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) mandates PQC adoption for National Security Systems. Key deadlines: software/firmware signing preferred by 2025, exclusive by 2030; new networking equipment by 2026; web/cloud/servers and all remaining NSS by 2033. Requires ML-KEM-1024 (FIPS 203) and ML-DSA-87 (FIPS 204) as minimum security levels.
NIST's transition guidance for post-quantum cryptography standards (draft November 2024, finalized March 2025). Recommends deprecating RSA, ECC, and other classical public-key algorithms by 2030 and disallowing them entirely after 2035. Emphasizes cryptographic agility and hybrid approaches during the transition period.
European bodies have published PQC migration guidance. ANSSI recommends hybrid cryptography combining classical and PQC algorithms. BSI endorses ML-KEM (FIPS 203) and ML-DSA (FIPS 204) with specific parameter recommendations. ETSI provides interoperability guidance for hybrid key exchanges.
Compliance-First vs Risk-First
Organizations typically approach PQC migration from one of two angles. The optimal strategy often combines both, using compliance deadlines as hard constraints and risk scoring to prioritize within those constraints.
Compliance-first:
- Driven by regulatory deadlines and audit requirements
- Prioritizes systems under regulatory scope first
- Clear, externally driven milestones
- Risk: may miss high-risk systems outside compliance scope
- Best for: regulated industries (finance, government, healthcare)

Risk-first:
- Driven by data sensitivity and exposure windows
- Prioritizes highest-risk assets regardless of regulatory scope
- Addresses threats early
- Risk: may not satisfy auditors without compliance mapping
- Best for: technology companies, defense, intelligence
Major Compliance Deadlines
Key deadlines are converging across jurisdictions, creating a narrow window for organizations to complete their PQC migration.
Deadline timeline (issuing bodies, in order): NIST, NSA, NSA, NSA/NIST, ANSSI, NSA, NIST.
Country-Specific Deadlines
Beyond the major US and EU frameworks, individual countries are setting their own PQC transition deadlines. Organizations operating internationally must track these jurisdiction-specific requirements.
| Country | Agency | Key Deadline | Details |
|---|---|---|---|
| Australia | ASD | 2030 | Prohibit traditional asymmetric cryptography — one of the most aggressive global deadlines, 5 years ahead of US/UK full transition |
| Canada | CCCS | 2026 | Federal departments submit PQC migration plans by April 2026; high-priority systems by 2031; full transition by 2035 |
| United Kingdom | NCSC | 2028 | Three-phase roadmap: discovery (2025–2028), priority migration (2028–2031), full migration (2031–2035) |
| Czech Republic | NUKIB | 2027 | First EU member state to set a specific encryption migration deadline — ahead of the broader EU coordinated roadmap |
| European Union | EC | 2030 | Coordinated Implementation Roadmap (v1.1, June 2025): high-risk systems by 2030, full transition by 2035 — aligned with NIST timelines |
| Israel | INCD | 2025 | Quantum threat assessments completed by end of 2025; PQC required in new contracts |
| Taiwan | NICS | 2027 | PQC migration target for critical semiconductor and technology sectors |
| Germany | BSI/DLR | 2030 | QUANTITY initiative (March 2025) for quantum cryptanalysis; critical applications PQC-protected by end of 2030 |
| G7 | CEG | 2034 | Cyber Expert Group (January 2026): financial sector PQC migration by 2034 with phased preparation from 2025 |
Key takeaway: Organizations must meet the earliest deadline across all jurisdictions where they operate. A company in Australia and the EU faces a 2030 hard deadline, not the EU's 2035 full transition target.
Compliance Dependencies
Several cross-cutting compliance requirements affect PQC migration timelines regardless of jurisdiction.
The Cryptographic Module Validation Program certifies cryptographic implementations for government use. PQC algorithm implementations (FIPS 203/204/205) must undergo CMVP validation before deployment in federal systems. Validation exists on a spectrum: full CMVP validation (gold standard), modules in process, FIPS-mode operation, and partial compliance (FedRAMP, WebTrust). This certification backlog is a key dependency in migration timelines.
The updated EU regulation for electronic identification mandates European Digital Identity (EUDI) wallets with deployments starting 2027+. While eIDAS 2.0 does not yet mandate PQC specifically, these wallets will need quantum-safe cryptography for long-term trust. ENISA identifies wallet providers as high-impact entities for early PQC adoption.
EO 14306 (June 2025) sustains PQC migration provisions. CISA subsequently issued federal procurement guidance (January 2026) requiring PQC capabilities in new product and service acquisitions, driving market demand for PQC-capable solutions.
The EU's Digital Operational Resilience Act (enforcement January 2025) requires financial institutions to implement robust ICT risk management including cryptographic controls. While not PQC-specific yet, organizations subject to DORA must demonstrate encryption resilience planning that will inevitably encompass quantum threats.
A CBOM is a comprehensive inventory of all cryptographic assets in an organization's systems — algorithms, key sizes, protocols, certificates, and their locations. Generating a CBOM is a critical first step for PQC compliance because you cannot migrate what you haven't inventoried. Studies show 70% of organizations lack a complete cryptographic inventory.
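The inventory step described above, as an added example that is not part of the original page or any vendor's tooling: a small CBOM builder that takes scanner-style findings (the records below are constructed sample data) and classifies each cryptographic asset by how the quantum threat applies to it. The output layout is a simplified, CycloneDX-inspired JSON document; its field names (`quantumStatus`, `bomFormat`) are this example's own, not the CycloneDX schema. The CNSA 2.0 minimum parameter sets come from the page; the rest of the classification table is standard cryptographic knowledge.

```python
"""Build a minimal Cryptographic Bill of Materials (CBOM) from scanner findings.

Added example, not the page's own tooling. Input records are constructed to
resemble what a TLS/certificate/config scanner might emit; the JSON shape is
a simplified, CycloneDX-inspired layout (field names are an assumption).
"""
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

# Shor's algorithm breaks the factoring and discrete-log problems behind RSA,
# (EC)DH and (EC)DSA; Grover's algorithm halves effective symmetric strength,
# so 128-bit symmetric keys are weakened while 256-bit keys remain acceptable.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "Ed25519", "X25519"}
PQC_KEM = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024"}
PQC_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "SLH-DSA"}
SYMMETRIC = {"AES", "ChaCha20"}
# Minimum parameter sets the page names for CNSA 2.0.
CNSA2_MINIMUM = {"ML-KEM-1024", "ML-DSA-87"}


@dataclass
class CryptoAsset:
    location: str            # host:port, file path or service name
    asset_type: str          # "certificate", "protocol", "key" or "algorithm"
    algorithm: str           # e.g. "RSA", "ML-KEM-768", "X25519+ML-KEM-768" (hybrid)
    key_size: Optional[int]  # bits, where it applies
    purpose: str             # "signature", "key-exchange" or "encryption"


def classify(asset: CryptoAsset) -> Tuple[str, str]:
    """Return (status, note) for one asset."""
    parts = asset.algorithm.split("+")
    if len(parts) > 1:  # hybrid construction, e.g. classical KEX + ML-KEM
        if any(p in PQC_KEM or p in PQC_SIG for p in parts):
            return "quantum-safe-hybrid", "hybrid with a PQC component"
        return "quantum-vulnerable", "hybrid of classical algorithms only"
    alg = parts[0]
    if alg in QUANTUM_VULNERABLE:
        return "quantum-vulnerable", "public-key algorithm broken by Shor's algorithm"
    if alg in PQC_KEM or alg in PQC_SIG:
        if alg in CNSA2_MINIMUM:
            return "quantum-safe-cnsa2", "meets the CNSA 2.0 minimum parameter set"
        return "quantum-safe", "PQC algorithm below the CNSA 2.0 minimum parameter set"
    if alg in SYMMETRIC:
        if asset.key_size is not None and asset.key_size >= 256:
            return "quantum-safe", "256-bit symmetric key keeps ~128-bit post-quantum security"
        return "reduced-security", "symmetric key below 256 bits; Grover halves effective strength"
    return "unknown", "algorithm not in classification table; review manually"


def build_cbom(assets: List[CryptoAsset]) -> dict:
    """Produce the CBOM document plus a per-status summary."""
    components, summary = [], {}
    for asset in assets:
        status, note = classify(asset)
        entry = asdict(asset)
        entry["quantumStatus"] = status
        entry["note"] = note
        components.append(entry)
        summary[status] = summary.get(status, 0) + 1
    return {"bomFormat": "CBOM-simplified", "components": components, "summary": summary}


def vulnerable_locations(cbom: dict) -> List[str]:
    """Locations that need migration, sorted for a stable report."""
    return sorted({c["location"] for c in cbom["components"]
                   if c["quantumStatus"] == "quantum-vulnerable"})


def sample_inventory() -> List[CryptoAsset]:
    """Constructed findings standing in for real scanner output."""
    return [
        CryptoAsset("api.example.internal:443", "certificate", "RSA", 2048, "signature"),
        CryptoAsset("api.example.internal:443", "protocol", "X25519+ML-KEM-768", None, "key-exchange"),
        CryptoAsset("vpn.example.internal:443", "protocol", "ECDHE", 256, "key-exchange"),
        CryptoAsset("/etc/backup/archive.key", "key", "AES", 128, "encryption"),
        CryptoAsset("signing-service", "algorithm", "ML-DSA-87", None, "signature"),
        CryptoAsset("legacy-hsm", "algorithm", "Kyber", None, "key-exchange"),  # pre-standard name
    ]


if __name__ == "__main__":
    print(json.dumps(build_cbom(sample_inventory()), indent=2))
```

Note that the pre-standard name "Kyber" lands in `unknown` rather than being silently accepted as PQC: an inventory that guesses at unrecognized algorithm names is worse than one that flags them for review.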
Europol finding: 86% of executives are unprepared for quantum threats (February 2025), highlighting a significant gap between the urgency of PQC compliance and organizational readiness.
Workshop Overview
This workshop guides you through building a comprehensive compliance strategy in three steps:
1. Select your operating jurisdictions and see which frameworks, deadlines, and requirements apply. Identify conflicts between jurisdictions.
2. Build a comprehensive audit readiness checklist covering cryptographic inventory, policy, technical controls, vendor management, and documentation.
3. Overlay regulatory deadlines with your migration milestones. Identify gaps and build a timeline to close them.
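The "earliest deadline wins" rule from the country table and the jurisdiction-selection and timeline-overlay steps above, as one added example that is not the workshop's own tool: the obligations are the dates this page lists (where the page gives only a year, 31 December of that year is assumed; Canada's "by April 2026" is taken as 30 April), the migration milestones are constructed sample data, and the gap report shows which planned completions fall after the binding deadline and by how much.

```python
"""Overlay regulatory PQC deadlines on a migration plan.

Added example (not the workshop's own tool). Obligations are the deadlines
named on this page; year-only deadlines are assumed to fall on 31 December.
The migration milestones are constructed sample data.
"""
from datetime import date
from typing import Dict, Iterable, List, NamedTuple


class Obligation(NamedTuple):
    jurisdiction: str
    agency: str
    requirement: str
    due: date
    ends_classical: bool  # True when classical public-key crypto must be gone by this date


class Gap(NamedTuple):
    system: str
    planned: date
    deadline: date
    imposed_by: str
    days_late: int


DEADLINES: List[Obligation] = [
    Obligation("Australia", "ASD", "traditional asymmetric cryptography prohibited", date(2030, 12, 31), True),
    Obligation("Canada", "CCCS", "PQC migration plans submitted", date(2026, 4, 30), False),
    Obligation("Canada", "CCCS", "high-priority systems migrated", date(2031, 12, 31), False),
    Obligation("Canada", "CCCS", "full transition", date(2035, 12, 31), True),
    Obligation("United Kingdom", "NCSC", "discovery phase complete", date(2028, 12, 31), False),
    Obligation("United Kingdom", "NCSC", "priority migration complete", date(2031, 12, 31), False),
    Obligation("United Kingdom", "NCSC", "full migration", date(2035, 12, 31), True),
    Obligation("European Union", "EC", "high-risk systems migrated", date(2030, 12, 31), False),
    Obligation("European Union", "EC", "full transition", date(2035, 12, 31), True),
    Obligation("United States (NSS)", "NSA CNSA 2.0", "new networking equipment PQC", date(2026, 12, 31), False),
    Obligation("United States (NSS)", "NSA CNSA 2.0", "software/firmware signing exclusively PQC", date(2030, 12, 31), False),
    Obligation("United States (NSS)", "NSA CNSA 2.0", "all remaining NSS migrated", date(2033, 12, 31), True),
    Obligation("United States (federal)", "NIST", "classical public-key algorithms deprecated", date(2030, 12, 31), False),
    Obligation("United States (federal)", "NIST", "classical public-key algorithms disallowed", date(2035, 12, 31), True),
]

# Constructed sample plan: system -> planned completion of its PQC migration.
SAMPLE_MILESTONES: Dict[str, date] = {
    "customer-portal TLS": date(2029, 6, 30),
    "code-signing pipeline": date(2031, 3, 31),
    "mainframe batch crypto": date(2034, 12, 31),
}


def applicable(selected: Iterable[str]) -> List[Obligation]:
    """Every obligation for the selected jurisdictions, earliest first."""
    chosen = set(selected)
    return sorted((o for o in DEADLINES if o.jurisdiction in chosen), key=lambda o: o.due)


def binding_deadline(selected: Iterable[str]) -> Obligation:
    """Earliest date across the selection by which classical public-key crypto
    must be retired: the page's rule that the earliest jurisdiction wins."""
    full = [o for o in applicable(selected) if o.ends_classical]
    if not full:
        raise ValueError("no full-transition deadline for the selected jurisdictions")
    return min(full, key=lambda o: o.due)


def gap_analysis(selected: Iterable[str], milestones: Dict[str, date]) -> List[Gap]:
    """Milestones that complete after the binding deadline, largest slip first."""
    bound = binding_deadline(selected)
    gaps = [Gap(system, planned, bound.due, bound.jurisdiction, (planned - bound.due).days)
            for system, planned in milestones.items() if planned > bound.due]
    return sorted(gaps, key=lambda g: g.days_late, reverse=True)


if __name__ == "__main__":
    footprint = {"Australia", "European Union"}
    for o in applicable(footprint):
        print(f"{o.due}  {o.jurisdiction:16} {o.agency:8} {o.requirement}")
    bound = binding_deadline(footprint)
    print(f"\nBinding deadline: {bound.due} (imposed by {bound.jurisdiction})")
    for g in gap_analysis(footprint, SAMPLE_MILESTONES):
        print(f"GAP  {g.system}: planned {g.planned}, {g.days_late} days past {g.imposed_by}")
```

With Australia and the EU selected, the binding deadline is Australia's 2030 prohibition rather than the EU's 2035 full-transition target, exactly as the key takeaway above states, and two of the three sample milestones are flagged as gaps.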