Bridging the Post-Quantum Cryptography (PQC) Gap: EU vs US in Banking

Financial institutions worldwide are preparing for the era of post-quantum cryptography (PQC) – upgrading encryption to resist future quantum attacks. However, banks in the EU and US face very different regulatory and accounting environments for funding these critical upgrades. This disparity affects how PQC migration costs hit their financial statements and how quickly they can act. Below we break down the key differences and why they matter for CISOs and CEOs.

EU’s Advantage: DORA Compliance and CapEx Treatment of PQC Upgrades

EU banks benefit from supportive regulations and accounting standards. The EU’s Digital Operational Resilience Act (DORA) explicitly requires financial institutions to strengthen ICT security and cryptography management[1]. To meet these mandates – including transitioning to PQC algorithms – banks in the EU can leverage International Financial Reporting Standards (IFRS) accounting to capitalize their PQC upgrade investments. Under IFRS (the accounting framework in the EU), development expenditures for new technology or software (like implementing PQC) must be capitalized as an intangible asset if certain criteria are met[2]. In practice, this means money spent on building or upgrading cryptographic systems for quantum-resilience is treated as capital expenditure (CapEx), which goes on the balance sheet and is amortized over time[2][3].

Why is this an advantage? Capitalizing PQC upgrade costs makes them “slower to impact the books”[3]. Instead of taking a big profit hit in one year, EU banks spread the cost via depreciation. This protects the P&L (profit & loss statement) in the short term and strengthens the balance sheet by recording a long-term asset. Essentially, EU banks get to treat PQC readiness as an investment in future resilience, aligning with DORA’s regulatory push.