Standards, Certification & Compliance Bodies
Understand who creates PQC standards, who certifies products, and who mandates compliance — worldwide and by region.
Three Distinct Roles in the PQC Ecosystem
The PQC transition involves three fundamentally different types of organizations, each playing a distinct role. Confusing them is a common source of compliance mistakes.
Think of it like building construction: standardization bodies write the building codes (what materials are safe), certification bodies are the inspectors who verify that a specific building meets those codes, and compliance frameworks are the zoning laws that say "in this jurisdiction, meeting code is mandatory for these buildings." All three are necessary; none is redundant.
Standardization bodies create technical standards (algorithm specifications, security levels, protocol integration). Their output is a published document, not a certificate.
Certification bodies certify that products and systems correctly implement those standards. Their output is a certificate (or certificate number) tied to a specific product version.
Compliance frameworks are regulations and mandates that reference standards and require certifications. Their output is a legal or regulatory obligation, not a technical specification.
How the Three Roles Interact
The three roles form a chain: a standards body publishes an algorithm specification → a certification body validates that a product correctly implements it → a compliance framework mandates that regulated entities use certified products.
Standards body (NIST): publishes FIPS 203, the ML-KEM algorithm specification.
Certification body (CMVP): certifies HSM implementations of FIPS 203 by issuing a FIPS 140-3 certificate.
Compliance framework: mandates that federal agencies use CMVP-certified modules implementing ML-KEM-1024.
Key insight: you comply with a framework, you are certified against a standard, and a standards body writes the standard. Three verbs, three different relationships.
Learning module content can be inaccurate. Please double-check its information. Report inaccuracies in PQC Today GitHub Discussions.