DORA and NIS2: The PQC Compliance Obligations EU Financial Institutions Cannot Ignore in 2026

When the European Banking Authority reviews your ICT risk management framework this year, auditors will not ask whether you have a plan to address quantum cryptographic risk. They will ask for your cryptographic inventory, your standards alignment documentation, and your evidence of cryptographic agility - because DORA's Implementing Technical Standards make all three binding obligations, not aspirational goals. Financial institutions that treated post-quantum cryptography as a horizon issue discovered in January 2025 that the horizon had arrived.

DORA's Five Cryptographic Mandates - And What Each One Requires in Practice

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) entered full enforcement on 17 January 2025, bringing more than 22,000 financial entities and ICT third-party service providers under a single binding ICT risk management framework across the EU.[EUR-Lex: DORA Regulation (EU) 2022/2554] Within that framework, the Regulatory Technical Standards on ICT Risk Management impose five distinct cryptographic obligations that compliance officers must be able to evidence on demand.

1. Cryptographic Policy

Institutions must maintain a documented, board-approved cryptographic policy that specifies approved algorithms, key management procedures, and the criteria by which deprecated algorithms will be identified and replaced. This policy cannot be a static document - DORA's RTS explicitly requires it to reflect the current threat landscape, which now formally includes quantum-computing threats as ENISA has recognised in its June 2025 NIS2 implementing guidelines.[ENISA: NIS2 Implementing Guidelines, June 2025]

2. Cryptographic Inventory

Every system, application, and data flow that relies on cryptographic protection must be catalogued. The inventory must record algorithm type, key length, certificate expiry, data classification, and - critically - whether the cryptographic implementation would be vulnerable to a cryptographically relevant quantum computer. This is not an IT task delegated to a security team; under DORA's governance requirements, management bodies bear direct accountability for the completeness and accuracy of this record.

3. Standards Alignment

DORA's RTS requires alignment with recognised cryptographic standards. ETSI and NIST standards are the operative references.[ETSI: Cryptographic Standards] NIST finalised three post-quantum cryptographic standards in August 2024 - FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) - which are now the baseline for quantum-resistant key encapsulation and digital signatures.[NIST: Post-Quantum Cryptography Standardization] An institution that cannot demonstrate awareness of and a roadmap toward these standards is, by definition, out of alignment with DORA's requirements.

4. Cryptographic Agility

Perhaps the most operationally demanding obligation: institutions must demonstrate that their cryptographic architecture can absorb algorithm transitions without systemic disruption. This is the regulatory codification of what practitioners call crypto agility - the enterprise capability to swap cryptographic primitives without rebuilding entire systems. Institutions that have hardcoded RSA or ECC into payment infrastructure, messaging layers, or authentication systems will find this requirement the most expensive to remediate.

5. Exception Documentation

Where a deprecated or non-compliant algorithm remains in use - because of legacy system constraints, vendor dependencies, or migration sequencing - DORA requires formal exception documentation with a defined remediation timeline, a risk owner, and compensating controls. An undocumented exception is a violation; a documented, risk-accepted exception with an active remediation plan is a manageable finding. This distinction matters enormously in supervisory review conversations.

How NIS2 Layers Onto DORA for Financial Institutions - And Where the Boundaries Get Complicated

The relationship between DORA and NIS2 (Directive (EU) 2022/2555) is governed by the lex specialis principle: where DORA provides sector-specific requirements, it takes precedence over NIS2 for financial entities in scope.[EUR-Lex: DORA Recital 16 and Article 1(2)] In practice, this means financial institutions do not need to maintain parallel compliance programmes - DORA compliance subsumes NIS2 obligations for core ICT risk management, incident reporting, and cryptographic controls.

However, the boundary is not absolute. NIS2 continues to apply as a complementary layer in three scenarios: where an institution operates services outside the financial sector (a conglomerate with energy or transport subsidiaries, for example); where national NIS2 transposition laws impose obligations that DORA does not specifically address; and where Implementing Regulation (EU) 2024/2690 - which entered force in November 2024 for digital service providers - introduces technical requirements applicable to ICT third-party providers that serve financial entities but are not themselves financial institutions.[EUR-Lex: Implementing Regulation (EU) 2024/2690]

The practical implication for compliance teams is this: a single, well-structured cryptographic governance policy - built to DORA's higher standard - will satisfy NIS2 obligations for in-scope activities. But supply chain due diligence must account for the NIS2 posture of third-party providers who are not themselves subject to DORA, particularly cloud infrastructure providers and SaaS vendors operating under NIS2's digital service provider category rather than DORA's CTPP regime.

One operational difference compliance officers should note: DORA's major incident reporting deadline is four hours for initial notification to the competent authority, compared to NIS2's 24-hour threshold. For hybrid entities, the stricter DORA standard governs financial services operations - and building reporting workflows to the higher bar reduces the risk of inadvertent NIS2 non-compliance for adjacent business lines.[EUR-Lex: DORA Article 19]

The 2025-2026 Regulatory Timeline Every Compliance Officer Must Track

The regulatory calendar for quantum cryptographic compliance is not static. Understanding the sequencing of obligations helps compliance teams allocate effort correctly and avoid the common mistake of waiting for a single definitive deadline that does not exist.

  • October 2024: NIS2 national transposition deadline across all EU Member States. Institutions should verify their home state's transposition status, as implementation fidelity varies.
  • November 2024: Implementing Regulation (EU) 2024/2690 entered force for digital service providers, establishing baseline technical security requirements including cryptographic standards alignment.[EUR-Lex: Implementing Regulation (EU) 2024/2690]
  • January 2025: DORA full enforcement. All five cryptographic RTS obligations are binding. Supervisory reviews began immediately.
  • June 2025: ENISA published NIS2 implementing guidelines explicitly recommending quantum-resistant algorithms as a long-term security baseline and naming harvest-now-decrypt-later attacks as a current threat requiring immediate inventory and migration planning.[ENISA: NIS2 Technical Guidelines, June 2025]
  • January 2026: The EU proposed explicit post-quantum cryptography inclusion in NIS2, signalling that PQC will become a named requirement rather than an implied obligation under broader cryptographic standards alignment clauses.
  • End-2026: The EU's coordinated PQC transition roadmap requires Member States to have initiated active transition activities for critical infrastructure, with financial services designated as highest priority due to systemic risk classification.[ENISA: EU Coordinated PQC Roadmap]
  • Q2 2026 (expected): European Commission proposal for an EU Quantum Act, which is anticipated to establish binding PQC transition timelines as primary legislation, removing the current reliance on interpretive guidance and soft-law instruments.[EU Quantum Flagship: Quantum Europe Strategy]

The practical read of this timeline: the regulatory floor is rising continuously. Institutions that begin cryptographic inventory and migration planning now will be able to show active compliance progress when the EU Quantum Act creates binding timelines; institutions that wait for the Act before acting will face compressed timelines with no runway.

Building a DORA-Compliant Cryptographic Inventory - Scope, Granularity, and Governance

The cryptographic inventory is the foundational compliance artefact from which every other obligation flows. Without it, institutions cannot identify harvest-now-decrypt-later exposure, cannot prioritise migration sequencing, cannot evaluate third-party vendor risk, and cannot demonstrate credible regulatory progress. Yet in supervisory examinations to date, the inventory is consistently the item most frequently cited as absent or inadequate.

What Must Be Catalogued

Scope should cover every system, service, and data flow that relies on cryptographic protection. In practice for a financial institution, this means: customer-facing authentication and session management; inter-bank communication channels (SWIFT, TARGET2, domestic clearing networks); internal data-at-rest encryption for customer records, transaction data, and audit logs; TLS implementations across all web-facing and API infrastructure; certificate authorities and PKI infrastructure; hardware security modules and key management systems; and all third-party integrations that exchange or store encrypted data.

Granularity Requirements

For each catalogued item, the inventory should record: the algorithm and key length in use; the implementation library or hardware component; certificate expiry dates and renewal ownership; the data classification of protected assets; whether the algorithm is quantum-vulnerable (RSA, ECC, and Diffie-Hellman key exchange are all vulnerable to Shor's algorithm on a cryptographically relevant quantum computer); and the estimated migration complexity and timeline.
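The granularity above, together with the exception-documentation mandate (DORA mandate 5), can be checked mechanically once the inventory is held in a structured form. The following is an added example, not code from the page or from any regulator's tooling: it reads a small constructed CSV inventory with the columns the text lists, classifies each algorithm as Shor-vulnerable, post-quantum or symmetric, flags missing fields and imminent certificate expiry, and, for every quantum-vulnerable entry without a migration date, checks that a complete exception record (risk owner, remediation deadline, compensating controls) exists. The column names, the 90-day certificate warning window, the asset names and the exception register are all assumptions made for the example.

```python
"""Completeness and quantum-vulnerability checks over a cryptographic inventory.

Added example, not from the page. CSV columns, sample rows and the exception
register are constructed to match the granularity the text lists.
"""
import csv
import io
from datetime import date, timedelta

# Public-key families broken by Shor's algorithm on a cryptographically relevant
# quantum computer (RSA, ECC and Diffie-Hellman, as the text states).
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# NIST post-quantum standards finalised in August 2024.
PQC_STANDARD = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
# Symmetric ciphers and hashes are not broken by Shor's algorithm; Grover's only
# halves effective key strength, so they are tracked but not flagged for migration.
SYMMETRIC = {"AES", "CHACHA20", "SHA-256", "SHA-384", "HMAC"}

REQUIRED_FIELDS = ("asset", "algorithm", "key_bits", "library", "data_class", "owner")
EXCEPTION_FIELDS = ("risk_owner", "remediation_deadline", "compensating_controls")
CERT_WARNING_DAYS = 90  # assumption: renewal lead time used by this example

# Constructed sample inventory; asset names and values are illustrative only.
SAMPLE_INVENTORY = """asset,algorithm,key_bits,library,cert_expiry,data_class,owner,migration_eta
api-gateway-tls,RSA,2048,openssl-3.0,2026-05-01,confidential,platform-team,2026-Q3
customer-db-at-rest,AES,256,hsm-vendor-x,,restricted,data-team,n/a
swift-gateway-sig,ECDSA,256,vendor-lib,2027-01-15,restricted,,
internal-vpn-kex,ML-KEM,768,openssl-3.5,2026-09-30,internal,netops,done
"""

# Constructed exception register: asset -> exception record (DORA mandate 5).
SAMPLE_EXCEPTIONS = {
    "swift-gateway-sig": {
        "risk_owner": "CISO",
        "remediation_deadline": "2027-06-30",
        "compensating_controls": "",  # blank on purpose: an incomplete exception
    },
}


def quantum_status(algorithm):
    """Classify an algorithm name as vulnerable / pqc / symmetric / unknown."""
    name = algorithm.strip().upper()
    if name in SHOR_VULNERABLE:
        return "vulnerable"
    if name in PQC_STANDARD:
        return "pqc"
    if name in SYMMETRIC:
        return "symmetric"
    return "unknown"


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts (blank cells become '')."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def assess(entries, exceptions, today):
    """Return (asset, finding_code, detail) tuples for everything an auditor would raise."""
    findings = []
    horizon = today + timedelta(days=CERT_WARNING_DAYS)
    for e in entries:
        asset = e["asset"]
        for field in REQUIRED_FIELDS:
            if not e.get(field, "").strip():
                findings.append((asset, "MISSING_FIELD", field))
        status = quantum_status(e["algorithm"])
        if status == "unknown":
            findings.append((asset, "UNKNOWN_ALGORITHM", e["algorithm"]))
        elif status == "vulnerable":
            findings.append((asset, "QUANTUM_VULNERABLE", f"{e['algorithm']}-{e['key_bits']}"))
            # A vulnerable algorithm with no migration date needs a documented exception.
            if not e.get("migration_eta", "").strip():
                exc = exceptions.get(asset)
                if exc is None:
                    findings.append((asset, "UNDOCUMENTED_EXCEPTION", "no exception record"))
                else:
                    for field in EXCEPTION_FIELDS:
                        if not exc.get(field, "").strip():
                            findings.append((asset, "INCOMPLETE_EXCEPTION", field))
        expiry = e.get("cert_expiry", "").strip()
        if expiry and date.fromisoformat(expiry) <= horizon:
            findings.append((asset, "CERT_EXPIRING", expiry))
    return findings


def run_sample(today=date(2026, 3, 1)):
    """Run the checks over the constructed inventory as of a fixed review date."""
    return assess(load_inventory(SAMPLE_INVENTORY), SAMPLE_EXCEPTIONS, today)


if __name__ == "__main__":
    for asset, code, detail in run_sample():
        print(f"{asset:22} {code:22} {detail}")
```

Run as a script it lists five findings: the RSA gateway is quantum-vulnerable and its certificate expires inside the warning window, and the ECDSA signing gateway has no owner, no migration date and an exception record that is missing its compensating controls. The AES data-at-rest entry and the ML-KEM key exchange produce nothing, which is the point: the inventory separates what needs an exception or a migration from what merely needs to be recorded.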

Governance and Review Cadence

DORA requires cryptographic risk assessments to be updated at least annually - but given the pace of regulatory change in 2025-2026, quarterly reviews of the inventory's high-risk entries are prudent. The inventory must have a named owner at management level, an approved governance process for exception handling, and version control that demonstrates to auditors the institution's evolving awareness of and response to cryptographic risk. Understanding the cost structure of cryptographic migration - including the phased budget framework across discovery, remediation, and third-party remediation - will also inform how the inventory feeds into capital planning and operational resilience budgets.

Third-Party and Supply Chain Risk - Assessing ICT Provider PQC Readiness Under DORA

DORA's third-party risk framework (Articles 28-44) is among the most demanding ICT supply chain oversight regimes globally. For quantum cryptographic risk, it creates an obligation that many institutions have not yet operationalised: financial entities must assess and document the post-quantum cryptography posture of their critical ICT third-party providers (CTPPs), not merely their own internal systems.

Contractual Mechanisms

DORA's mandatory contractual provisions for CTPP agreements must include the right to audit, the right to information on cryptographic controls, and - importantly - clauses requiring providers to notify institutions of material changes to their cryptographic implementations. Compliance teams should review existing CTPP contracts to verify these provisions are present and enforceable, and should add PQC roadmap disclosure requirements to new and renegotiated agreements.

Due Diligence Documentation

For each critical provider, institutions should obtain and document: the provider's current cryptographic algorithm inventory for services delivered to the institution; the provider's published or committed PQC migration roadmap; evidence of the provider's alignment with NIST FIPS 203/204/205 or ETSI standards; and the provider's position on hybrid classical/post-quantum implementations during the transition period. Where a provider cannot furnish this documentation, the gap itself must be recorded as a risk finding with a remediation timeline - supervisors will expect to see evidence of active vendor engagement, not passive acceptance of cryptographic opacity.

Cloud Infrastructure Considerations

Major cloud providers (AWS, Azure, GCP) have published PQC roadmaps and begun hybrid TLS implementations, but financial institutions must verify that their specific service configurations - not just the provider's general capability - align with DORA requirements. A cloud provider offering post-quantum TLS as an opt-in feature does not satisfy DORA's standards alignment obligation if the institution's configured workloads are still using classical-only cipher suites.

From Inventory to Action - A Phased PQC Migration Roadmap for Financial Institutions

Once the cryptographic inventory exists, institutions face the prioritisation question: where to migrate first, and on what timeline. A risk-tiered approach aligned with DORA's materiality framework and ENISA's threat guidance provides the most defensible sequencing rationale.

Tier 1: Harvest-Now-Decrypt-Later Exposure (Immediate Priority)

Data that carries long-term confidentiality requirements - customer identity records, transaction histories, inter-bank settlement data, regulatory filings - is already being targeted by adversaries who are exfiltrating encrypted archives today with the intention of decrypting them once quantum computers become capable. ENISA's June 2025 guidance explicitly names this threat vector as the primary justification for immediate PQC action rather than deferred planning.[ENISA: NIS2 Technical Guidelines, June 2025] Migration of the encryption protecting this data class - particularly data at rest with confidentiality requirements extending beyond five to ten years - should begin immediately, prioritised above systems where data has shorter relevance windows. The mechanics of harvest-now-decrypt-later attacks and why each month of delay constitutes an irreversible security decision are well-documented and should inform board-level briefings on migration urgency.

Tier 2: Authentication and Key Exchange Infrastructure (2025-2026)

TLS implementations, certificate authorities, PKI infrastructure, and authentication systems should be migrated to hybrid classical/post-quantum configurations in 2025-2026. The hybrid approach - running ECDH alongside ML-KEM, for example - allows institutions to maintain classical security guarantees while adding quantum resistance, without requiring a hard cutover that could disrupt operational continuity. ETSI has published guidance on hybrid key exchange and signature schemes that satisfies DORA's standards alignment requirement during the transition period.[ETSI: Post-Quantum Cryptography Standards]
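Both the cloud-configuration point above (a provider offering post-quantum TLS as an opt-in feature is not the same as the institution's workloads using it) and the hybrid ECDH plus ML-KEM configuration described in this tier come down to one verifiable fact: which key-exchange groups a given server block actually enables. The following is an added example, not code from the page or from nginx or OpenSSL: it parses the real nginx `ssl_ecdh_curve` directive (a colon-separated group list) from three constructed server blocks, one classical-only, one hybrid and one that leaves the directive unset, and classifies each. The group names are the IANA/OpenSSL names for the hybrid and pure ML-KEM groups; the configuration fragments and the status labels are this example's own.

```python
"""Audit the TLS key-exchange groups an nginx server block actually enables.

Added example, not from the page or any vendor. It reads the nginx
``ssl_ecdh_curve`` directive; the three config fragments are constructed.
"""
import re

# Hybrid classical + ML-KEM groups (ECDH alongside ML-KEM, as the text describes).
HYBRID_GROUPS = {"X25519MLKEM768", "SECP256R1MLKEM768", "SECP384R1MLKEM1024"}
# Pure ML-KEM groups: quantum-resistant but without the classical fallback.
PQ_ONLY_GROUPS = {"MLKEM512", "MLKEM768", "MLKEM1024"}
# Classical ECDH groups, all Shor-vulnerable.
CLASSICAL_GROUPS = {"X25519", "X448", "PRIME256V1", "P-256", "SECP384R1", "P-384",
                    "SECP521R1", "P-521"}

# Constructed fragments of an nginx server block: the weak setting and the corrected one.
CLASSICAL_ONLY_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1;
}
"""
HYBRID_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1;
}
"""
# Directive absent: the linked TLS library's default decides, so nothing is proven.
UNSPECIFIED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3;
}
"""

_DIRECTIVE = re.compile(r"^\s*ssl_ecdh_curve\s+([^;]+);", re.MULTILINE)


def enabled_groups(conf):
    """Return the group list from ssl_ecdh_curve, or None when the directive is absent."""
    m = _DIRECTIVE.search(conf)
    if m is None:
        return None
    return [g.strip() for g in m.group(1).split(":") if g.strip()]


def audit_key_exchange(conf):
    """Classify a server block as classical-only / hybrid / pq-only / unspecified."""
    groups = enabled_groups(conf)
    if groups is None:
        # Record the gap rather than assume the library default is quantum-safe.
        return {"status": "unspecified", "groups": [], "hybrid_listed_first": False,
                "classical_fallback": False, "unknown": [],
                "note": "library default in effect; verify the TLS stack and its version"}
    upper = [g.upper() for g in groups]
    hybrid = [g for g in upper if g in HYBRID_GROUPS]
    pq_only = [g for g in upper if g in PQ_ONLY_GROUPS]
    classical = [g for g in upper if g in CLASSICAL_GROUPS]
    known = HYBRID_GROUPS | PQ_ONLY_GROUPS | CLASSICAL_GROUPS
    unknown = [g for g in upper if g not in known]
    if hybrid:
        status = "hybrid"
    elif pq_only:
        status = "pq-only"
    else:
        status = "classical-only"
    return {
        "status": status,
        "groups": groups,
        "hybrid_listed_first": upper[0] in HYBRID_GROUPS,
        "classical_fallback": bool(classical),
        "unknown": unknown,
        "note": "",
    }


if __name__ == "__main__":
    for label, conf in (("classical-only", CLASSICAL_ONLY_CONF),
                        ("hybrid", HYBRID_CONF),
                        ("unspecified", UNSPECIFIED_CONF)):
        print(label, audit_key_exchange(conf))
```

The "unspecified" outcome is deliberately not treated as a pass: an inventory entry backed by a server block that never names its groups depends on whichever TLS library version happens to be linked, which is exactly the kind of undocumented dependency the standards-alignment evidence has to close. Listing the hybrid group first records the operator's intended preference; whether the peer actually negotiates it still has to be confirmed against the deployed stack.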

Tier 3: Legacy and Embedded Systems (2026-2028)

Core banking systems, payment processing infrastructure, and embedded cryptographic hardware represent the longest migration timelines and the highest remediation costs. These should be inventoried and risk-assessed now, with vendor roadmap commitments obtained and documented, even where active migration cannot begin immediately. Regulators expect to see evidence of planning and vendor engagement - the absence of a remediation plan for known legacy vulnerabilities is a more serious finding than a documented plan with a realistic multi-year timeline. Compliance teams managing budget allocation across these tiers will find the structured approach to building a CFO-ready business case for PQC investment useful for securing capital allocation against competing operational priorities.
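The three tiers above can be applied as a sequencing rule over the inventory once each entry carries its quantum status, the confidentiality lifetime of the data it protects, and its architectural role. The following is an added example, not code from the page or from DORA or ENISA guidance: it assigns a tier to each constructed entry, orders the migration backlog by tier and then by confidentiality lifetime, and flags Tier 1 (harvest-now-decrypt-later) entries whose planned start is deferred beyond a grace window, since the text treats each month of delay on that class as irreversible. The five-year threshold, the role names, the 90-day grace window and the sample assets are this example's assumptions.

```python
"""Risk-tiered migration sequencing over inventory entries.

Added example, not from the page. Assumes the inventory step has already
marked each entry's quantum status; thresholds and role lists are assumptions.
"""
from datetime import date, timedelta

LONG_LIVED_YEARS = 5  # assumption: lower bound of the text's "five to ten years"
TIER_2_ROLES = {"tls", "pki", "ca", "auth", "key_exchange"}
TIER_3_ROLES = {"core_banking", "payments", "embedded_hsm"}
TARGET_WINDOW = {1: "immediate", 2: "2025-2026", 3: "2026-2028"}  # from the text

# Constructed sample entries; asset names and values are illustrative only.
SAMPLE_ENTRIES = [
    {"asset": "customer-archive", "status": "vulnerable", "at_rest": True,
     "confidentiality_years": 10, "role": "storage", "plan_start": "2026-10-01"},
    {"asset": "api-gateway-tls", "status": "vulnerable", "at_rest": False,
     "confidentiality_years": 1, "role": "tls", "plan_start": "2026-04-01"},
    {"asset": "card-switch-hsm", "status": "vulnerable", "at_rest": False,
     "confidentiality_years": 3, "role": "embedded_hsm", "plan_start": "2027-06-01"},
    {"asset": "internal-vpn-kex", "status": "pqc", "at_rest": False,
     "confidentiality_years": 1, "role": "key_exchange", "plan_start": None},
    {"asset": "settlement-log", "status": "vulnerable", "at_rest": True,
     "confidentiality_years": 7, "role": "storage", "plan_start": "2026-03-15"},
]


def assign_tier(entry):
    """Return 1, 2 or 3 for a quantum-vulnerable entry, or None if no migration is needed."""
    if entry["status"] != "vulnerable":
        return None
    if entry["confidentiality_years"] >= LONG_LIVED_YEARS:
        return 1  # long-lived confidentiality: harvest-now-decrypt-later exposure
    if entry["role"] in TIER_2_ROLES:
        return 2  # authentication and key-exchange infrastructure
    if entry["role"] in TIER_3_ROLES:
        return 3  # legacy and embedded systems
    return 3  # assumption: unclassified roles get the longest window, pending review


def sequence(entries, today, grace_days=90):
    """Order migration work by tier, then by confidentiality lifetime; flag deferred Tier 1."""
    cutoff = today + timedelta(days=grace_days)
    plan = []
    for e in entries:
        tier = assign_tier(e)
        if tier is None:
            continue
        start = e["plan_start"]
        deferred = tier == 1 and (start is None or date.fromisoformat(start) > cutoff)
        plan.append({
            "asset": e["asset"],
            "tier": tier,
            "window": TARGET_WINDOW[tier],
            "years": e["confidentiality_years"],
            "deferred_hndl": deferred,
        })
    plan.sort(key=lambda p: (p["tier"], -p["years"]))
    return plan


def run_sample(today=date(2026, 3, 1)):
    """Sequence the constructed entries as of a fixed planning date."""
    return sequence(SAMPLE_ENTRIES, today)


if __name__ == "__main__":
    for p in run_sample():
        flag = "  <- Tier 1 start deferred beyond grace window" if p["deferred_hndl"] else ""
        print(f"T{p['tier']} {p['window']:10} {p['asset']:18} {p['years']}y{flag}")
```

The output puts the two long-lived data stores first regardless of where they sit architecturally, the TLS gateway second, and the HSM-backed card switch last, with the already post-quantum VPN key exchange dropped from the backlog. The customer archive is flagged because its planned start is months past the grace window, which is the kind of item a supervisor would expect to see either pulled forward or covered by a documented exception.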

Demonstrating Progress to Regulators by End-2026

The EU's coordinated PQC roadmap end-2026 deadline is not a migration completion deadline - it is a transition activity initiation deadline. What regulators will expect to see by end-2026 is: a completed cryptographic inventory with governance ownership; a documented risk-tiered migration plan with timelines; evidence of active vendor engagement on third-party PQC readiness; at least one completed migration or hybrid implementation in a Tier 1 or Tier 2 system; and a board-approved cryptographic policy that explicitly addresses quantum risk. Institutions that have all five of these artefacts are materially ahead of the regulatory curve. Those with none are in an indefensible position.

Key Takeaways

  • DORA has been enforceable since January 2025, imposing five binding cryptographic obligations on more than 22,000 EU financial entities: policy, inventory, standards alignment, cryptographic agility, and exception documentation.
  • NIS2 applies as a complementary layer where DORA does not have lex specialis precedence - particularly for third-party ICT providers not subject to DORA's CTPP regime and for conglomerate entities with non-financial subsidiaries.
  • ENISA's June 2025 guidelines explicitly name harvest-now-decrypt-later attacks as a current threat requiring immediate cryptographic inventory and migration action - not deferred planning.
  • The EU's coordinated PQC roadmap requires Member States to have initiated transition activities for critical financial infrastructure by end-2026; a Q2 2026 EU Quantum Act proposal is expected to convert soft-law guidance into binding primary legislation.
  • The cryptographic inventory is the foundational compliance artefact. An imperfect, documented inventory with a named owner is far more defensible to a regulator than one that does not exist.
  • Third-party risk under DORA requires financial institutions to assess and document the PQC posture of critical ICT providers - not just their own internal systems. Existing CTPP contracts should be reviewed for PQC disclosure and audit rights provisions.
  • A risk-tiered migration approach - prioritising long-lived confidential data (harvest-now-decrypt-later exposure) first, authentication infrastructure second, and legacy embedded systems third - aligns with DORA's materiality framework and provides the most defensible sequencing rationale to regulators.

This article draws on primary documentation from EUR-Lex (DORA Regulation (EU) 2022/2554 and Implementing Regulation (EU) 2024/2690), ENISA official publications, ETSI cryptographic standards documentation, NIST Post-Quantum Cryptography Standardization project (csrc.nist.gov), and the EU Quantum Flagship strategy documents (qt.eu). All claims verified against official sources as of March 2026.

Disclaimer: This content is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Consult a qualified professional before making compliance decisions. pqcinformation.com is independent and not affiliated with any vendor or standards body.