DORA's implicit post-quantum mandate: RTS 2024/1774, Articles 6 and 7
DORA never names post-quantum cryptography. RTS 2024/1774 Articles 6 and 7 still set the requirement more than 22,000 EU financial entities must meet.
More than 22,000 financial entities fall under the Digital Operational Resilience Act, Regulation (EU) 2022/2554, per the European Commission’s impact assessment (SWD(2020) 198 final). DORA has applied since 17 January 2025. Its text never names post-quantum cryptography.
The cryptography requirements sit one layer down. Commission Delegated Regulation (EU) 2024/1774, the regulatory technical standards on ICT risk management adopted under DORA, sets the operational rules in Articles 6 and 7. The preamble names cryptographic threats, including those arising from quantum advancements, and requires a flexible approach based on mitigation and monitoring. That wording traces to the ESAs Joint Committee final report on the draft RTS (JC 2023 86, January 2024).
Does DORA mandate post-quantum cryptography?
Not by name. The distance between the two honest readings of that fact is where the supervisory dialogue of the next three years will play out.
Counsel tends to read the RTS as “PQC is not mandated.” True, narrowly. Supervisors read the same text as “cryptographic agility is mandated, and quantum is the named test of that agility.” Also true, and more useful. The first reading produces a clean memo for the risk committee. The second produces a funded roadmap.
We expect supervisory dialogue to reward the second reading by 2027 and to penalise the first. The cost of holding the narrow reading is not a fine. It is the slow narrowing of the acceptable answer to a routine ICT risk question, until “we are monitoring developments” stops landing.
What are the institutions ahead of the requirement doing?
They are not running quantum research programmes. The institutions ahead of this treated the RTS preamble as an instruction and produced three artefacts: a cryptographic asset inventory, a classification of systems by data shelf-life, and a dated migration plan pointing at NIST FIPS 203, 204 and 205 as the destination.
NIST finalised those three standards in August 2024, so the destination has stopped moving. The shelf-life classification decides sequence: systems carrying data whose confidentiality must outlive the transition window come first. DQ collects documented migration cases in its open PQC case intelligence.
How does the EU calendar compare with other jurisdictions?
| Jurisdiction | Instrument | Milestone |
|---|---|---|
| European Union | Commission Recommendation on a Coordinated Implementation Roadmap, 11 April 2024 | 2030 for high-risk systems, 2035 for full transition |
| United States | NIST FIPS 203, 204 and 205 | Standards finalised August 2024 |
| Canada | Canadian Centre for Cyber Security ITSM.40.001 | April 2026 federal planning deadline |
| Australia | ASD/ACSC post-quantum planning guidance | End-2030 cessation of classical asymmetric cryptography |
The cluster is real and the calendar is tight. A financial entity that waits for an explicit PQC mandate inside DORA will reach the 2030 milestone unprepared, because the work the milestone assumes, inventory, classification and a dated plan, consumes the years in between.
The narrow reading of DORA buys two budget cycles of comfort. The wider reading buys a 2030 audit that closes clean. Either way, the choice sits on the board paper this quarter, named or unnamed.
- Regulation (EU) 2022/2554 (DORA) (verified May 7, 2026)
- Commission Delegated Regulation (EU) 2024/1774, Articles 6 and 7 (verified May 7, 2026)
- ESAs Joint Committee Final Report on the draft RTS (JC 2023 86), January 2024 (verified May 7, 2026)
- European Commission Recommendation on a Coordinated Implementation Roadmap, 11 April 2024 (verified May 7, 2026)
- European Commission DORA impact assessment, SWD(2020) 198 final (verified May 7, 2026)
- NIST FIPS 203, 204 and 205, finalised August 2024 (verified May 7, 2026)
- Canadian Centre for Cyber Security ITSM.40.001 (verified May 7, 2026)
- ASD/ACSC Planning for Post-Quantum Cryptography (verified May 7, 2026)