Compliance & Regulatory Strategy
Navigate the complex landscape of PQC compliance requirements across jurisdictions and frameworks.
The PQC Compliance Landscape
Governments and standards bodies worldwide are establishing requirements for the transition to post-quantum cryptography (PQC). For organizations operating across borders, navigating these overlapping and sometimes conflicting requirements is a critical challenge.
“A quantum computer of sufficient size and sophistication — also known as a cryptanalytically relevant quantum computer — will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.”
— Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation's Cybersecurity (June 6, 2025)
NIST, NSA, ETSI, ANSSI, and BSI are all publishing PQC transition guidance with concrete deadlines.
PCI DSS, HIPAA, FedRAMP, and CMMC are incorporating quantum-safe requirements into their compliance frameworks.
Organizations operating in multiple jurisdictions must reconcile different algorithm preferences, timelines, and certification requirements.
Key Frameworks
Understanding the major compliance frameworks driving PQC adoption is essential for building a multi-jurisdiction strategy.
The Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) mandates PQC adoption for National Security Systems. Key deadlines: software/firmware signing preferred by 2025 and exclusive by 2030; new networking equipment by 2026; web/cloud/servers and all remaining NSS by 2033. Requires ML-KEM-1024 (FIPS 203) and ML-DSA-87 (FIPS 204) as the minimum security levels.
NIST's transition guidance for post-quantum cryptography standards (Initial Public Draft published November 2024; comment period closed January 2025; final version pending) recommends deprecating RSA, ECC, and other classical public-key algorithms by 2030 and disallowing them entirely after 2035. It emphasizes cryptographic agility and hybrid approaches during the transition period.
European bodies have published PQC migration guidance. ANSSI recommends hybrid cryptography combining classical and PQC algorithms. BSI endorses ML-KEM (FIPS 203) and ML-DSA (FIPS 204) with specific parameter recommendations. ETSI provides interoperability guidance for hybrid key exchanges.
All major frameworks converge on a two-phase transition arc. In Phase 1 (now through roughly 2028), organizations deploy hybrid mode — running a classical algorithm alongside a PQC algorithm in parallel. ANSSI and BSI require this during transition because it preserves security even if PQC implementations have undiscovered flaws. In Phase 2 (2028 onward, timed to your earliest jurisdiction deadline), organizations move to pure PQC: CNSA 2.0's “exclusive” requirements mean dropping the classical component once FIPS 140-3 validated implementations are widely available and proven.
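As an added illustration that is not part of this module, the following shows what the Phase 1 hybrid setting looks like in a TLS server configuration. It assumes nginx built against OpenSSL 3.5 or later, which ships ML-KEM and the X25519MLKEM768 hybrid group; the classical-only setting is shown beside the hybrid one.

```nginx
# Added example (not from the module). Assumes nginx linked against OpenSSL >= 3.5.

# Classical-only key exchange: every session key is breakable once a
# cryptanalytically relevant quantum computer exists (harvest-now-decrypt-later risk).
# ssl_ecdh_curve X25519:prime256v1;

# Phase 1 (hybrid): offer the X25519 + ML-KEM-768 hybrid group first so capable
# clients get quantum-safe key exchange, and keep plain X25519 as a fallback for
# clients that cannot negotiate the hybrid yet. The session stays secure as long
# as either component holds, which is why ANSSI and BSI ask for hybrid during transition.
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519;

# Phase 2 (pure PQC, timed to your earliest jurisdiction deadline): drop the
# classical fallback so clients can no longer negotiate a classical-only group.
# ssl_ecdh_curve X25519MLKEM768;
```

To confirm what a server actually negotiates, `openssl s_client -groups X25519MLKEM768 -connect host:443` from an OpenSSL 3.5+ client reports the negotiated TLS 1.3 group; log this per endpoint as evidence for your cryptographic inventory.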
Executive rule of thumb: Start hybrid deployments now. Plan your transition to pure PQC to meet your earliest jurisdiction deadline — which you will identify in the Jurisdiction Mapper workshop below.
Learning module content can be inaccurate. Please double-check its information. Report inaccuracies in PQC Today GitHub Discussions.