Post-Quantum Cryptography and Regulatory Compliance: GDPR, DORA and Beyond
Key Takeaways
- Timeline: DORA effective January 2025, EU PQC roadmap milestones 2026-2035
- For: CISOs, Compliance Officers, Risk Managers, Data Protection Officers
- Key Regulations: GDPR, DORA, NIS2, PCI DSS v4.0, eIDAS 2.0
- Reading Time: 10 minutes
The Quantum Clock is Ticking on your Data Compliance
The cryptographic foundations protecting your organisation’s most sensitive data weren’t designed to withstand quantum computers. For CISOs navigating increasingly stringent regulatory requirements across the UK and EU, this creates a compliance challenge extending beyond technology refresh cycles.
Adversaries are already collecting encrypted data today to decrypt once quantum computers become available. For data with 7+ years retention requirements, the overlap between data lifespan and quantum capability creates a compliance gap that exists now.
The NCSC, ENISA and financial regulators are signalling that quantum-safe cryptography will become a compliance expectation. CISOs must understand how post-quantum cryptography intersects with GDPR, DORA and emerging frameworks.
- For quantum threat fundamentals: The Future of Security: Why Post-Quantum Cryptography Matters

Why Compliance Frameworks Care About Cryptography
Compliance frameworks have always required “appropriate technical measures,” but remained technology-agnostic until now.
When NIST finalised post-quantum cryptographic standards in August 2024, it triggered a shift in how compliance bodies view encryption.
Quantum-safe compliance is now a regulatory imperative
- ✅ PCI DSS v4.0: Quantum-readiness planning required by 2025
- ✅ Government contracts: Include NIST PQC migration timelines
- ✅ Financial regulators: Incorporating crypto-agility into cyber risk assessments
- ✅ EU PQC roadmap: National strategies by 2026, full critical infrastructure transition by 2035
Current cryptographic controls may satisfy today’s audits whilst creating tomorrow’s compliance failures. Organisations must adopt crypto-agility – rapid algorithm updates – through hybrid cryptography.
- For NIST standards and NCSC roadmap:
PQC and GDPR
The General Data Protection Regulation doesn’t mention quantum computing, but its Article 32 requirements for encryption and Article 5’s security principles create clear obligations to address the quantum threat. Quantum-safe GDPR compliance requires post-quantum encryption as a foundational component.
Protecting Personal Data Against “Harvest Now, Decrypt Later”
The most insidious quantum threat facing GDPR-regulated organisations is the “harvest now, decrypt later” attack. Adversaries are capturing encrypted data today to decrypt once quantum computers become available.
This demands immediate quantum readiness planning for data with long-term sensitivity: medical records, financial information, biometric data, intellectual property, and M&A negotiations.
The compliance question: If an adversary harvests encrypted personal data today and decrypts it in 2032, did you breach your Article 32 obligations in 2025 when you knew the threat existed but took no mitigating action?
The stakes: GDPR fines of up to €20 million or 4% of global revenue, reputational damage, competitive disadvantage, and strategic compromise.
Demonstrating Accountability to Regulators
Under GDPR’s accountability principle (Article 5(2)), organisations must prove – not just claim – compliance. In a post-quantum context, that means documenting how cryptographic risk is identified, mitigated, and reviewed.
Regulators such as the ICO and DORA competent authorities increasingly expect clear evidence that quantum threats are part of ongoing security governance.
Data Protection Impact Assessments should now include quantum exposure: identify systems using RSA/ECC, assess “harvest now, decrypt later” risks for long-life data, record transition plans (e.g., hybrid ECC + ML-KEM), and evaluate supplier readiness.
Quantum-readiness assessments typically request:
- Cryptographic inventory (CBOM) showing algorithms in use
- Policies for key lifecycle management and migration to FIPS 203-205 standards
- Vendor attestations and pilot-testing records aligned with ENISA/NCSC guidance
Regulators interpret “state of the art” (GDPR Art. 32; NIS2 Art. 21) as adherence to recognised standards and transparent governance. Evidence includes use of approved PQC algorithms (ML-KEM, ML-DSA, SLH-DSA), board-level oversight of transition plans, and rationale for any deviations.
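The cryptographic inventory and DPIA steps above are easier to reason about with a concrete artefact. The following is an added example, not code from the article or from Venari: it builds a minimal CBOM-style inventory from constructed records, classifies each entry against the NIST FIPS 203-205 algorithms, and scores “harvest now, decrypt later” exposure by comparing how long the data must stay confidential with an assumed 2030 quantum-capability year (the start of the 2030-2035 window quoted in this article). The system names and retention periods are hypothetical.

```python
"""
Added illustration for the DPIA / CBOM step; not code from the article or
from Venari. Builds a minimal cryptographic inventory from constructed
records and scores each entry's "harvest now, decrypt later" exposure.
"""
from dataclasses import dataclass
import json

# Assumption: a cryptographically relevant quantum computer at the start of
# the article's 2030-2035 window. Tune this to your own risk appetite.
ASSUMED_CRQC_YEAR = 2030

# Public-key families broken by Shor's algorithm versus the NIST FIPS 203-205
# algorithms. 256-bit symmetric primitives keep adequate margin against Grover.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
SYMMETRIC_ADEQUATE = {"AES-256", "SHA-256", "SHA-384", "SHA3-256"}


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    purpose: str            # "key-exchange", "encryption-at-rest" or "signature"
    algorithms: tuple       # every algorithm the asset relies on
    sensitivity_years: int  # how long the protected data must stay confidential
    data_class: str         # GDPR-relevant label, e.g. "personal", "special-category"


def classify(algorithms):
    """Classify a set of algorithms; unknown names are reported, never assumed safe."""
    algs = set(algorithms)
    if algs - QUANTUM_VULNERABLE - QUANTUM_SAFE - SYMMETRIC_ADEQUATE:
        return "unknown"
    vulnerable = bool(algs & QUANTUM_VULNERABLE)
    safe = bool(algs & QUANTUM_SAFE)
    if safe and vulnerable:
        return "hybrid"        # e.g. ECDH + ML-KEM: secure while either component holds
    if safe:
        return "quantum-safe"
    if vulnerable:
        return "vulnerable"
    return "symmetric"


def assess(asset, assessment_year):
    """Return one CBOM entry with HNDL exposure and migration priority."""
    status = classify(asset.algorithms)
    sensitive_until = assessment_year + asset.sensitivity_years
    # HNDL only matters for confidentiality (recorded ciphertext, wrapped keys).
    # Forging a signature needs a live quantum computer, so signatures are
    # flagged for migration but not as HNDL-exposed.
    protects_confidentiality = asset.purpose in ("key-exchange", "encryption-at-rest")
    hndl_exposed = (status == "vulnerable" and protects_confidentiality
                    and sensitive_until >= ASSUMED_CRQC_YEAR)
    if hndl_exposed:
        priority = "high"
    elif status in ("vulnerable", "unknown"):
        priority = "medium"
    else:
        priority = "low"
    return {
        "system": asset.system,
        "purpose": asset.purpose,
        "algorithms": list(asset.algorithms),
        "data_class": asset.data_class,
        "status": status,
        "sensitive_until": sensitive_until,
        "hndl_exposed": hndl_exposed,
        "priority": priority,
    }


def build_cbom(assets, assessment_year):
    """Assemble the inventory plus a priority summary for the Quantum Readiness File."""
    entries = [assess(a, assessment_year) for a in assets]
    summary = {}
    for entry in entries:
        summary[entry["priority"]] = summary.get(entry["priority"], 0) + 1
    return {
        "assessment_year": assessment_year,
        "assumed_crqc_year": ASSUMED_CRQC_YEAR,
        "assets": entries,
        "summary": summary,
    }


# Constructed sample inventory (hypothetical systems, not from the article).
SAMPLE_ASSETS = (
    CryptoAsset("patient-portal-tls", "key-exchange", ("ECDH", "AES-256"), 10, "special-category"),
    CryptoAsset("archive-backups", "encryption-at-rest", ("RSA", "AES-256"), 7, "financial"),
    CryptoAsset("regulatory-report-signing", "signature", ("ECDSA",), 5, "financial"),
    CryptoAsset("payments-gateway-tls", "key-exchange", ("X25519", "ML-KEM", "AES-256"), 7, "personal"),
    CryptoAsset("internal-dashboard-tls", "key-exchange", ("ECDH", "AES-256"), 1, "internal"),
)

if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_ASSETS, 2025), indent=2))
```

Run against the sample at an assessment year of 2025, the two confidentiality assets whose data outlives 2030 come out as high priority, the signing key and the short-lived dashboard session as medium (migrate before the horizon, but not exposed to harvesting), and the hybrid payments link as low. The point for a DPIA is that the same RSA/ECDH finding produces different obligations depending on retention, which is exactly the reasoning auditors ask to see written down.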
Maintain a Quantum Readiness File containing:
- Board approval minutes
- DPIAs with quantum risk assessments
- Cryptographic Bills of Materials (CBOMs)
- Supplier attestations
- Roadmap updates with timelines
- Time-stamped logs for key management and configuration changes
Adequate documentation tells a clear story – how quantum risk was assessed, mitigations chosen, and progress tracked.
Financial entities in scope for DORA include:
- Retail and commercial banks
- Insurers and reinsurers
- Investment firms (asset managers, brokers, trading venues)
- Payment service providers and e-money institutions
PQC and DORA (Digital Operational Resilience Act)
The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), effective from 17 January 2025, mandates that financial entities – including banks, insurers, investment firms, and critical third-party ICT service providers – ensure their digital operational resilience.
This includes addressing risks from quantum computing, making the adoption of Post-Quantum Cryptography and crypto-agility essential to meet DORA cryptography requirements.
Financial sector guidance: Quantum Threats to UK/EU Financial Services | Implementing PQC in Financial Services
DORA Cryptography Requirements for Financial Institutions
Cryptography is central to DORA’s ICT risk framework. DORA mandates that financial entities “maintain all functions available at all times” and protect against cyber-attacks. When cryptographic algorithms face quantum obsolescence, this constitutes an operational resilience risk affecting authentication, payment processing, regulatory reporting, and customer data protection.
Insurance Impact: Institutions failing to adopt PQC face 20-50% higher cyber insurance premiums. Those implementing quantum-safe controls may see 10-25% reductions.
Third-Party Requirements: DORA requires assessing critical ICT service providers. If your cloud provider, HSM vendor, or payment processor isn’t quantum-safe, you inherit their compliance risk.
Crypto-Agility as a Resilience Measure
Article 8 of DORA requires financial entities to develop ICT business continuity policies for “switchover from primary to backup systems.” Crypto-agility – the ability to rapidly update cryptographic algorithms – is a core resilience capability DORA explicitly demands.
DORA’s resilience testing (Articles 24-25) requires demonstrating cryptographic components can execute transitions smoothly. Crypto-agility must be tested and proven.
The Competitive Dimension: Early PQC adopters capture security-conscious customers and qualify for preferred vendor status. Major tech firms increasingly mandate PQC from suppliers.
Other UK/EU Quantum-Safe Compliance Frameworks
UK/EU PQC compliance extends beyond GDPR and DORA. Multiple regulatory and commercial frameworks are converging on PQC:
| Framework | Applicability | Key Deadline | Impact |
|---|---|---|---|
| PCI DSS v4.0 | Payment card data | March 2025 | Quantum readiness assessments required |
| NIS2 | Essential sectors | October 2024 | “State-of-the-art” security includes PQC |
| Cyber Resilience Act | Digital product manufacturers | 2027 | Quantum-safe features required |
| CNSA 2.0 | U.S. national security systems | 2030 | Influences international standards |
| eIDAS 2.0 | Trust services, digital signatures | 2024-2026 | Quantum-safe signatures required |
| UK Cyber Security Bill | UK critical infrastructure | TBD | Expected to align with EU PQC roadmap |
Financial stress tests are evolving to include quantum scenarios.
Official NCSC roadmap: NCSC Guidance on Post-Quantum Cryptography
Steps to Achieve PQC-Ready Compliance
Building quantum-safe compliance isn’t a single project; it’s an ongoing programme that must integrate with broader security and operational resilience activities.
Building Compliance into Your Crypto Roadmap
Integrating compliance into your PQC roadmap involves clear governance and risk management:
- Ownership: Assign a quantum risk owner within the security or risk function
- Governance: Integrate PQC oversight into existing security committees with representation from security, risk, compliance, legal, and IT architecture
- Reporting: Establish board and audit committee reporting cadence
- Scope, mapped to the framework that drives each obligation:
  - GDPR: Systems handling personal data
  - DORA: Systems underpinning operational resilience
  - NIS2: Critical infrastructure systems
- Milestones, aligned to the EU PQC roadmap:
  - 2026: National PQC strategies established
  - 2030: High-risk systems transitioned
  - 2035: Full adoption across critical infrastructure
- Prioritisation: Focus on high-value, long-lived data and cryptographic components that are difficult to replace quickly.
Mapping Policies to Technology Choices
Compliance documentation and technical implementation must remain tightly aligned.
- Specify NIST-Approved Algorithms: ML-KEM for key encapsulation, ML-DSA for digital signatures, SLH-DSA for long-term integrity.
- Update Risk Artefacts: Include quantum risks in the Information Security Risk Register, and use Cryptographic Bills of Materials (CBOMs) to track PQC components.
- Strengthen Supplier Oversight: Include quantum-readiness in contracts and due diligence.
- Quick Wins: Inventory critical certificates, start pilot PQC deployments, update risk registers with quantum threats, engage suppliers on PQC readiness.
- For comprehensive implementation guidance: Practical PQC Roadmap for UK/EU Enterprises
Common Questions about PQC Regulatory Compliance
Does GDPR require quantum-safe encryption?
GDPR doesn’t explicitly mandate quantum-safe encryption, but Article 32 requires “state of the art” security. Given the documented “harvest now, decrypt later” threat and NIST-approved PQC standards (August 2024), regulators like the ICO increasingly expect quantum readiness planning. Failure to address known cryptographic vulnerabilities could constitute non-compliance.
What are DORA's specific cryptographic requirements?
DORA requires financial entities to maintain operational resilience, including of their cryptographic systems. Article 8 mandates crypto-agility, and Articles 24-25 require resilience testing. Institutions must demonstrate they can transition to quantum-safe cryptography without disrupting payment processing, authentication, or regulatory reporting.
When must UK/EU organisations complete PQC migration?
PCI DSS v4.0: March 2025 (quantum readiness planning). DORA: January 2025 (crypto-agility). EU PQC roadmap: 2026 (national strategies), 2030 (high-risk systems), 2035 (full critical infrastructure). Organisations should begin by 2025-2026 to allow 3-5 years for completion.
What documentation do regulators expect for audits?
Cryptographic inventories (CBOMs), DPIAs covering quantum risks, transition roadmaps with timelines, vendor attestations, board oversight minutes, and pilot test results for hybrid cryptography deployments.
What are the penalties for failing to implement PQC?
GDPR: Fines of up to 4% of global revenue. DORA: Sanctions, operational restrictions, remediation plans. Additionally: cyber insurance premium increases (20-50%), contract losses, and reputational damage from quantum-vulnerable breaches.
How does crypto-agility satisfy DORA's requirements?
Crypto-agility enables financial entities to update algorithms without operational disruption (Article 8). It demonstrates preparedness for resilience testing (Articles 24-25) through abstracted cryptographic interfaces, comprehensive inventories, hybrid deployments, and documented switchover procedures.
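What an “abstracted cryptographic interface” with a hybrid deployment and a documented switchover looks like in code is easier to show than to describe. The following is an added example, not code from the article or from Venari: a suite registry and policy object form the agility layer, `select_suite` enforces a switchover date after which classical-only suites are refused, and `derive_session_key` combines the component shared secrets by concatenating them in suite order and running them through HKDF (the same concatenation approach used by the IETF TLS hybrid key-exchange design), so the session key survives as long as any one component does. The component secrets and transcript hash are constructed stand-ins for what X25519 agreement and ML-KEM decapsulation would produce in a real handshake; the suite names, policy and 2030 switchover date are assumptions.

```python
"""
Added illustration of a crypto-agile interface with hybrid key establishment;
not code from the article or from Venari. The component secrets below are
constructed stand-ins, not output of a real X25519 or ML-KEM implementation.
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac


@dataclass(frozen=True)
class Suite:
    name: str
    components: tuple    # ordered component algorithms whose secrets are combined
    quantum_safe: bool   # True if at least one component is a NIST PQC algorithm


# Registry: adding or retiring a suite is a data change, not a code change.
SUITES = {
    "x25519": Suite("x25519", ("X25519",), False),
    "x25519-mlkem768": Suite("x25519-mlkem768", ("X25519", "ML-KEM-768"), True),
    "mlkem768": Suite("mlkem768", ("ML-KEM-768",), True),
}


@dataclass(frozen=True)
class Policy:
    preference: tuple           # suite names in order of preference
    classical_only_until: date  # switchover: classical-only suites refused from here on


def select_suite(policy, peer_supported, today):
    """First preferred suite the peer supports, honouring the switchover date."""
    for name in policy.preference:
        if name not in peer_supported or name not in SUITES:
            continue
        suite = SUITES[name]
        if suite.quantum_safe or today < policy.classical_only_until:
            return suite
    return None  # fail closed: no acceptable suite


def hkdf_extract(salt, ikm, hash_name="sha256"):
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def derive_session_key(suite, component_secrets, transcript_hash):
    """Combine every component secret of the suite into one 32-byte session key.

    Secrets are concatenated in suite order and passed through HKDF with the
    suite name and transcript bound into the info string; an attacker must
    break every component to recover the key.
    """
    if set(component_secrets) != set(suite.components):
        raise ValueError("component secrets do not match suite %s" % suite.name)
    ikm = b"".join(component_secrets[c] for c in suite.components)
    prk = hkdf_extract(b"", ikm)
    info = b"hybrid-session-v1|" + suite.name.encode() + b"|" + transcript_hash
    return hkdf_expand(prk, info, 32)


# Constructed stand-ins; in a deployment these come from X25519 agreement and
# ML-KEM decapsulation respectively.
CONSTRUCTED_SECRETS = {
    "X25519": hashlib.sha256(b"constructed x25519 shared secret").digest(),
    "ML-KEM-768": hashlib.sha256(b"constructed ml-kem shared secret").digest(),
}
CONSTRUCTED_TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()

DEFAULT_POLICY = Policy(
    preference=("x25519-mlkem768", "mlkem768", "x25519"),
    classical_only_until=date(2030, 1, 1),  # assumption: align with your own roadmap
)


def negotiate(peer_supported, today, policy=DEFAULT_POLICY):
    """Select a suite and derive the session key; None means the handshake is refused."""
    suite = select_suite(policy, peer_supported, today)
    if suite is None:
        return None
    secrets = {c: CONSTRUCTED_SECRETS[c] for c in suite.components}
    return suite.name, derive_session_key(suite, secrets, CONSTRUCTED_TRANSCRIPT)


if __name__ == "__main__":
    for peer in ({"x25519", "x25519-mlkem768"}, {"x25519"}):
        for day in (date(2026, 6, 1), date(2031, 6, 1)):
            print(sorted(peer), day, negotiate(peer, day))
```

The switchover is a policy value rather than a code path, which is what DORA's resilience testing wants to see exercised: the same build negotiates hybrid with a ready peer, falls back to classical with a lagging peer before the date, and refuses after it. Changing either component secret changes the derived key, and a missing component is rejected rather than silently downgraded.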
The Bottom Line
Migration to quantum-safe cryptography takes 3-5 years. Starting now ensures organisations are ready when quantum computers become capable (estimated 2030-2035) or when regulators mandate PQC adoption. Every quarter of delay increases exposure of intellectual property, customer information, and strategic plans to adversaries already harvesting encrypted data today.
By 2030-2035, quantum computers could break current TLS in real-time, compromising secure e-commerce, financial transactions, healthcare records and government services. Compliance frameworks are rapidly evolving – failure to act risks GDPR/DORA fines, lost customers and diminished competitive standing.
- For emerging cryptographic technologies: Beyond PQC: Zero-Knowledge Proofs and Advanced Techniques
Venari’s Compliance-First Approach
As organisations across the UK and Europe prepare for the transition to post-quantum cryptography, many are discovering the process is more complex than anticipated – especially when balancing regulatory compliance, vendor dependencies and sector-specific operational risks.
At Venari, we help enterprises navigate these challenges by:
- Conducting cryptographic inventories and quantum risk assessments aligned with GDPR, DORA and broader PQC frameworks
- Integrating NCSC and EU PQC roadmap-aligned timelines into digital transformation and resilience strategies
- Building long-term cryptographic agility, including hybrid deployments and certificate migration planning
- Strengthening third-party oversight to ensure vendor PQC readiness and reduce inherited compliance risk
Our deep experience across finance, government, telecoms and critical infrastructure means we understand the practical constraints UK and EU organisations face.
Quantum threats aren’t a distant risk. Adversaries are already harvesting sensitive data, and regulatory deadlines are approaching. Starting your PQC journey today ensures your organisation stays compliant, resilient, and competitively positioned before the 2030-2035 quantum cliff.
Next Steps: Assess Your Quantum Risk
Book a 30-minute strategy session with one of our PQC advisors to assess your current posture, prioritise regulatory obligations, and define practical next steps toward crypto-agility and quantum-safe compliance.
About Venari Security
Venari is the leading provider of Adaptive Cryptographic Intelligence for enterprise organisations. Our AI-powered platform delivers live visibility, guided migration, and continuous assurance – turning cryptographic complexity into business clarity. Trusted by financial institutions, critical infrastructure operators, and government agencies across the UK and Europe. Learn more: www.venarisecurity.com