DORA does not mandate post-quantum cryptography by name. Commission Delegated Regulation (EU) 2024/1774, Articles 6 and 7, requires in-scope financial entities to monitor cryptographic threats, named in the preamble to include quantum advancements, and to mitigate them through a flexible, risk-based approach. More than 22,000 EU financial entities are in scope, per the European Commission's DORA impact assessment. Supervisors read the RTS as requiring a dated migration plan toward NIST FIPS 203, 204 and 205.

Regulation 3 min

DORA's implicit post-quantum mandate: RTS 2024/1774, Articles 6 and 7

DORA never names post-quantum cryptography. RTS 2024/1774 Articles 6 and 7 still set the requirement more than 22,000 EU financial entities must meet.

More than 22,000 financial entities fall under the Digital Operational Resilience Act, Regulation (EU) 2022/2554, per the European Commission’s impact assessment (SWD(2020) 198 final). DORA has applied since 17 January 2025. Its text never names post-quantum cryptography.

The cryptography requirements sit one layer down. Commission Delegated Regulation (EU) 2024/1774, the regulatory technical standards on ICT risk management adopted under DORA, sets the operational rules in Articles 6 and 7. The preamble names cryptographic threats, including those arising from quantum advancements, and requires a flexible approach based on mitigation and monitoring. That wording traces to the ESAs Joint Committee final report on the draft RTS (JC 2023 86, January 2024).

Does DORA mandate post-quantum cryptography?

Not by name. The distance between the two honest readings of that fact is where the supervisory dialogue of the next three years will play out.

Counsel tends to read the RTS as “PQC is not mandated.” True, narrowly. Supervisors read the same text as “cryptographic agility is mandated, and quantum is the named test of that agility.” Also true, and more useful. The first reading produces a clean memo for the risk committee. The second produces a funded roadmap.

We expect supervisory dialogue to reward the second reading by 2027 and to penalise the first. The cost of holding the narrow reading is not a fine. It is the slow narrowing of the acceptable answer to a routine ICT risk question, until “we are monitoring developments” stops landing.

What are the institutions ahead of the requirement doing?

They are not running quantum research programmes. The institutions ahead of this treated the RTS preamble as an instruction and produced three artefacts: a cryptographic asset inventory, a classification of systems by data shelf-life, and a dated migration plan pointing at NIST FIPS 203, 204 and 205 as the destination.

NIST finalised those three standards in August 2024, so the destination has stopped moving. The shelf-life classification decides sequence: systems carrying data whose confidentiality must outlive the transition window come first. DQ collects documented migration cases in its open PQC case intelligence.

How does the EU calendar compare with other jurisdictions?

JurisdictionInstrumentMilestone
European UnionCommission Recommendation on a Coordinated Implementation Roadmap, 11 April 20242030 for high-risk systems, 2035 for full transition
United StatesNIST FIPS 203, 204 and 205Standards finalised August 2024
CanadaCanadian Centre for Cyber Security ITSM.40.001April 2026 federal planning deadline
AustraliaASD/ACSC post-quantum planning guidanceEnd-2030 cessation of classical asymmetric cryptography

The cluster is real and the calendar is tight. A financial entity that waits for an explicit PQC mandate inside DORA will reach the 2030 milestone unprepared, because the work the milestone assumes, inventory, classification and a dated plan, consumes the years in between.

The narrow reading of DORA buys two budget cycles of comfort. The wider reading buys a 2030 audit that closes clean. Either way, the choice sits on the board paper this quarter, named or unnamed.

Sources
  • Regulation (EU) 2022/2554 (DORA) (verified May 7, 2026)
  • Commission Delegated Regulation (EU) 2024/1774, Articles 6 and 7 (verified May 7, 2026)
  • ESAs Joint Committee Final Report on the draft RTS (JC 2023 86), January 2024 (verified May 7, 2026)
  • European Commission Recommendation on a Coordinated Implementation Roadmap, 11 April 2024 (verified May 7, 2026)
  • European Commission DORA impact assessment, SWD(2020) 198 final (verified May 7, 2026)
  • NIST FIPS 203, 204 and 205, finalised August 2024 (verified May 7, 2026)
  • Canadian Centre for Cyber Security ITSM.40.001 (verified May 7, 2026)
  • ASD/ACSC Planning for Post-Quantum Cryptography (verified May 7, 2026)