PQC Regulatory Compliance 2026: What NIST, EU, and G7 Mandates Mean for Your Organization

Post-quantum cryptography compliance is no longer a matter of voluntary best practice. In 2026, the regulatory landscape spans binding US federal mandates, evolving EU directives, and international financial sector guidance with named deadlines and enforcement mechanisms. NIST finalized its first three PQC standards (FIPS 203, 204, and 205) in August 2024. The NSA’s CNSA 2.0 requires quantum-resistant algorithms for new National Security System acquisitions from January 1, 2027.
The European Commission formally proposed writing post-quantum compliance requirements into the NIS2 Directive in January 2026. The G7 Cyber Expert Group published its financial sector quantum roadmap the same month. [1] The convergence of these frameworks across jurisdictions makes 2026 the year in which PQC regulatory compliance transitions from a forward-looking planning consideration to an active audit and procurement reality.
TECHNICAL DISCLAIMER: This article is for educational and informational purposes only. It does not constitute legal, compliance, or professional advice. Regulatory requirements vary by jurisdiction, sector, and system type. Organizations should verify all deadlines and algorithm requirements against primary regulatory sources and engage qualified legal and compliance counsel before acting on the information presented here.
The US Federal PQC Compliance Framework: CNSA 2.0, NIST, and Executive Order 14144
The most operationally specific PQC regulatory compliance requirements in the United States derive from three overlapping authorities: NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), NIST’s finalized standards and draft deprecation guidance, and Executive Order 14144, which updated the federal cybersecurity framework in January 2025.
CNSA 2.0 — The Binding NSS Deadline
CNSA 2.0, released in September 2022 and updated to version 2.1 in December 2024, establishes the most binding and specific PQC deadlines in the US regulatory landscape. It applies to all National Security Systems — classified and unclassified — operated by the Department of Defense, the Intelligence Community, and their vendor ecosystem. [2]
The suite mandates four core algorithms for general NSS use: AES-256 for symmetric encryption, ML-KEM-1024 (FIPS 203) for key establishment, ML-DSA-87 (FIPS 204) for digital signatures, and SHA-384 or SHA-512 for hashing. The compliance calendar runs in two phases: a preferred phase, during which CNSA 2.0 algorithms must be supported and preferred alongside classical alternatives, and an exclusive phase, at which point legacy algorithms may no longer be used.
January 1, 2027, is the first hard CNSA 2.0 deadline: all new NSS acquisitions must be CNSA 2.0 compliant from that date. Defense contractors and vendors selling cryptographic products into National Security System environments who have not initiated FIPS 140-3 validation for CNSA 2.0 algorithm implementations face a rapidly closing window — FIPS 140-3 validation currently averages more than 500 days. [3] The final mandatory compliance date for most NSS system types is 2033.
NIST IR 8547 — Federal Deprecation Timeline
NIST’s draft IR 8547 establishes the federal-level deprecation schedule for classical asymmetric algorithms. Quantum-vulnerable public-key algorithms providing 112 bits of security (for example RSA-2048) are deprecated for federal systems after 2030, and all quantum-vulnerable public-key algorithms (RSA, ECDSA, ECDH, and finite-field DH, regardless of key size) are disallowed after 2035. [4] This timeline flows through FISMA, FedRAMP, and CMMC into every organization whose IT systems handle federal data or operate in the federal supply chain. CISA’s January 2026 publication of its Product Categories for Technologies That Use PQC Standards formally extended federal procurement expectations to cloud services, networking equipment, web software, and endpoint security products, signaling that NIST PQC mandates now shape acquisition decisions across the entire federal technology supply chain, not only for classified systems.
Executive Order 14144 and OMB M-23-02
Executive Order 14144, signed in January 2025, maintains PQC urgency within the federal cybersecurity framework while delegating oversight to NSA and OMB. TLS 1.3 or successor adoption is required for federal systems by January 2, 2030. OMB M-23-02, which remains technically binding, required federal agencies to submit prioritized cryptographic inventories with algorithm and key details by May 4, 2023, and annually thereafter. [5] The Quantum Cybersecurity Preparedness Act requires OMB to issue PQC migration guidance within one year of NIST’s final standards — placing that guidance deadline in August 2025. Organizations operating under federal frameworks should treat inventory submission and migration roadmap documentation as ongoing compliance obligations, not completed one-time deliverables.
Table 1: US Federal PQC Compliance Requirements by Authority and Deadline
| Authority | Requirement | Deadline | Who Is Directly Affected |
|---|---|---|---|
| NSA CNSA 2.0 | All new NSS acquisitions must be CNSA 2.0 compliant (ML-KEM-1024, ML-DSA-87) | January 1, 2027 | DoD / IC contractors; NSS product vendors |
| NSA CNSA 2.0 | CNSA 2.0 exclusively; legacy algorithms prohibited for most NSS types | 2033 | All NSS operators and their vendor ecosystem |
| NIST IR 8547 (draft) | Quantum-vulnerable public-key algorithms at 112-bit security strength (e.g., RSA-2048) deprecated for federal systems | After 2030 | US federal agencies; FedRAMP CSPs; FISMA-subject organizations |
| NIST IR 8547 (draft) | All quantum-vulnerable public-key algorithms (RSA, ECC, DH) disallowed for federal systems | After 2035 | US federal agencies; FedRAMP CSPs; FISMA-subject organizations |
| Executive Order 14144 | TLS 1.3 or successor required for federal systems | January 2, 2030 | All federal agencies and their IT vendors |
| OMB M-23-02 | Annual cryptographic inventory with algorithm and key details | Ongoing; annually from May 2023 | All federal agencies |
| CMMC Level 2 (NIST SP 800-171 control 3.13.11) | FIPS-validated cryptography for CUI protection | Enforcement began in November 2025 | DoD contractors handling Controlled Unclassified Information |
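The inventory that OMB M-23-02 requires and the deprecation schedule in draft NIST IR 8547 meet in practice when a team has to decide, per system, when each key becomes deprecated or disallowed. The following Python script is an added worked example, not code from this page, from NIST, or from OMB: it classifies a small constructed inventory against the draft IR 8547 schedule and the CNSA 2.0 algorithm list described above. The security-strength mapping follows NIST SP 800-57 Part 1; the rule that keys below 112-bit strength are already disallowed comes from SP 800-131A Rev. 2, not from IR 8547. The system names, the `Entry` layout, and the sample inventory are assumptions made for illustration.

```python
"""Classify a cryptographic inventory against the draft NIST IR 8547 schedule and CNSA 2.0.

Constructed example: the inventory entries, system names and field layout are
assumptions made for illustration, not data from any real system.
"""
from dataclasses import dataclass

# Comparable security strength of classical public-key sizes, per NIST SP 800-57
# Part 1 (key size in bits -> bits of security). A key size between two rows
# is credited with the strength of the lower row.
RSA_STRENGTH = [(2048, 112), (3072, 128), (7680, 192), (15360, 256)]
ECC_STRENGTH = [(224, 112), (256, 128), (384, 192), (512, 256)]
ECC_ALGS = {"ECDSA", "ECDH"}
PQC_ALGS = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Algorithm/parameter pairs CNSA 2.0 permits for general NSS use (the list given
# in the text). LMS/XMSS for software and firmware signing are omitted here.
CNSA2_ALLOWED = {("ML-KEM", 1024), ("ML-DSA", 87), ("AES", 256), ("SHA", 384), ("SHA", 512)}


@dataclass(frozen=True)
class Entry:
    """One row of a cryptographic inventory (the kind OMB M-23-02 asks agencies to keep)."""
    system: str
    algorithm: str  # "RSA", "ECDSA", "ECDH", "ML-KEM", "ML-DSA", "AES", "SHA", ...
    param: int      # key size in bits for RSA/ECC/AES/SHA; parameter set for ML-KEM/ML-DSA
    use: str        # "signature", "key-establishment", "symmetric" or "hash"


def security_strength(algorithm: str, bits: int):
    """Bits of security for a classical public key; None if not a classical public-key algorithm."""
    if algorithm == "RSA":
        table = RSA_STRENGTH
    elif algorithm in ECC_ALGS:
        table = ECC_STRENGTH
    else:
        return None
    strength = 0  # below the smallest row: weaker than 112 bits
    for key_bits, bits_of_security in table:
        if bits >= key_bits:
            strength = bits_of_security
    return strength


def ir8547_status(entry: Entry, year: int) -> str:
    """Status of an inventory entry in a given calendar year under the draft NIST IR 8547 schedule."""
    if entry.algorithm in PQC_ALGS:
        return "quantum-safe"
    strength = security_strength(entry.algorithm, entry.param)
    if strength is None:
        return "out-of-scope"  # symmetric ciphers and hashes are not in the IR 8547 transition table
    if strength < 112:
        return "disallowed"    # already disallowed by SP 800-131A Rev. 2, independent of IR 8547
    if year > 2035:
        return "disallowed"    # all quantum-vulnerable public-key algorithms disallowed after 2035
    if strength == 112 and year > 2030:
        return "deprecated"    # 112-bit strength (e.g. RSA-2048) deprecated after 2030
    return "allowed"


def cnsa2_compliant(entry: Entry) -> bool:
    """True if the entry uses an algorithm/parameter pair CNSA 2.0 permits for general NSS use."""
    return (entry.algorithm, entry.param) in CNSA2_ALLOWED


def migration_backlog(entries, year: int):
    """Systems whose public-key cryptography is deprecated or disallowed in the given year."""
    return [e.system for e in entries if ir8547_status(e, year) in ("deprecated", "disallowed")]


def classify_inventory(entries, year: int):
    """Per-entry report: (system, algorithm-param, IR 8547 status in `year`, CNSA 2.0 compliant)."""
    return [(e.system, f"{e.algorithm}-{e.param}", ir8547_status(e, year), cnsa2_compliant(e))
            for e in entries]


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Entry("web-tls", "RSA", 2048, "signature"),
    Entry("vpn-gw", "ECDH", 256, "key-establishment"),
    Entry("legacy-hsm", "RSA", 1024, "signature"),
    Entry("code-signing", "ML-DSA", 87, "signature"),
    Entry("data-at-rest", "AES", 256, "symmetric"),
    Entry("integrity", "SHA", 256, "hash"),
]

if __name__ == "__main__":
    for year in (2026, 2031, 2036):
        print(f"{year}: backlog = {migration_backlog(SAMPLE_INVENTORY, year)}")
    for row in classify_inventory(SAMPLE_INVENTORY, 2031):
        print(row)
```

Run against the sample inventory, the backlog grows from the already-disallowed RSA-1024 HSM in 2026, to the RSA-2048 web certificate in 2031 (112-bit strength deprecated after 2030), to the P-256 VPN key exchange in 2036 (all quantum-vulnerable public keys disallowed after 2035). Note that an entry can be "allowed" under IR 8547 yet not CNSA 2.0 compliant (SHA-256, ML-DSA-65), which is why NSS-scoped systems need both columns.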

The EU PQC Compliance Framework: NIS2, DORA, and COM(2026) 13
The European Union’s approach to PQC regulatory compliance differs from the US model in form but is converging rapidly in substance. Rather than a single authoritative mandate, the EU operates through layered directives and regulations that collectively create enforceable post-quantum compliance obligations for organizations operating in EU markets. The critical development of 2026 is COM(2026) 13 — the European Commission’s January 2026 proposal to amend the NIS2 Directive with the first explicit post-quantum cryptography requirement written directly into the directive text.
COM(2026) 13 and the NIS2 Amendment
Until January 2026, PQC readiness under NIS2 was a matter of regulatory interpretation: NIS2 requires cryptography policies, and the EU recognizes quantum computing as a material threat; therefore PQC is in scope. COM(2026) 13 would close that interpretive gap by making PQC transition policies a mandatory component of each EU Member State’s national cybersecurity strategy. [6] Once adopted, Member States would have 12 months to transpose the amendments.
The EU’s explicit migration milestones — national strategies by the end of 2026, transition of high-risk and critical infrastructure systems by 2030, and full system completion by 2035 — are now regulatory targets backed by a legislative proposal, not merely advisory guidance. Organizations operating under NIS2 that have not begun cryptographic inventory work are already running behind a publicly stated legislative intent.
DORA and Financial Sector Cryptographic Agility
The Digital Operational Resilience Act (DORA), which has applied to financial entities since January 17, 2025, creates PQC regulatory compliance obligations for EU financial entities through its ICT risk management and cryptographic guidance provisions. DORA Article 9 requires financial entities to use ICT solutions that ensure the security of data transfer and protect the authenticity and integrity of data.
The associated regulatory technical standards — JC 2023 86 — provide cryptographic guidance that explicitly references cryptographic agility as a compliance requirement. [7] For DORA-subject institutions, this means demonstrating the ability to update cryptographic algorithms without operational disruption — a capability that post-quantum migration programs must build by design. DORA’s resilience testing provisions under Articles 24 to 25 further create audit exposure for institutions that cannot demonstrate a credible PQC readiness posture.
The EU PQC Roadmap Milestones
The European Commission and Member States published the first EU PQC roadmap deliverable in June 2025, establishing explicit milestones that flow into national regulatory expectations. The milestones are: initial national strategies by the end of 2026; transition of high-risk and critical systems by 2030; and completion of remaining systems by 2035. [8] The roadmap is not a standalone cryptography program — it is explicitly positioned within NIS2, DORA, and the EU Cyber Resilience Act’s requirements for products with digital elements. Organizations should expect PQC regulatory compliance to surface through procurement requirements, supervisory audits, and national implementation measures rather than through a single EU-wide PQC enforcement mechanism.
Table 2: EU PQC Compliance Framework — Key Directives, Requirements, and Timelines
| EU Framework | Compliance Mechanism | Key PQC Obligation | Target Date | Applies To |
|---|---|---|---|---|
| NIS2 Directive (COM(2026) 13 amendment) | Mandatory PQC in national cybersecurity strategies | Transition efforts have demonstrably begun | End of 2026 | NIS2 essential entities across all sectors |
| NIS2 / EU PQC Roadmap | Supervisory expectation via national implementation | High-risk and critical infrastructure migrated | 2030 | Critical infrastructure; essential entities under NIS2 |
| EU PQC Roadmap | National strategies and procurement requirements | Full system migration completed | 2035 | All EU organizations within NIS2 scope |
| DORA (Art. 9 + JC 2023 86) | ICT risk management and RTS cryptographic guidance | Cryptographic agility demonstrated; PQC roadmap documented | Applies from January 2025 (ongoing) | EU credit institutions, investment firms, payment services, and insurance |
| EU Cyber Resilience Act | Horizontal cybersecurity requirements for digital products | PQC-capable by design for new product certifications | Phased from 2027 | Manufacturers of products with digital elements sold in the EU |
| GDPR Article 32 | Appropriate technical measures for data security | Quantum risk addressed in encryption impact assessments | Ongoing; 2026 supervisory expectation | All organizations processing personal data of EU residents |

The G7 Financial Sector Roadmap and UK NCSC Guidance
Two additional international frameworks shape PQC regulatory compliance for organizations outside the direct scope of US federal mandates and EU directives: the G7 Cyber Expert Group’s January 2026 financial sector quantum roadmap and the UK National Cyber Security Centre’s staged migration guidance.
G7 Cyber Expert Group Quantum Roadmap
The G7 Cyber Expert Group (CEG), co-chaired by the US Department of the Treasury and the Bank of England, published its coordinated G7 quantum roadmap for the financial sector in January 2026. [9] The roadmap explicitly states it does not set guidance or regulatory expectations — it is framed as informational support for migration planning. However, its significance is institutional: the G7 CEG advises G7 Finance Ministers and Central Bank Governors, and its publication signals that quantum preparedness has reached systemic financial stability standing.
The roadmap outlines a six-phase migration framework spanning governance, discovery, planning, pilot deployment, execution, and continuous validation. It explicitly links PQC readiness to existing compliance frameworks — DORA, the Basel Committee’s operational resilience principles, and SEC cybersecurity disclosure rules — rather than treating quantum as a standalone program.
For financial institutions, the G7 roadmap’s practical implication is that quantum preparedness will increasingly surface through existing supervisory relationships, not a new dedicated quantum regulator. Institutions that cannot demonstrate a credible PQC regulatory compliance posture during routine prudential examinations — particularly those examining ICT risk management under DORA or operational resilience under Basel — face audit exposure even without a binding quantum-specific mandate. The CEPS Task Force warned in December 2025 that capable quantum computers pose systemic risk to financial systems, reinforcing the trajectory: financial regulators are approaching quantum readiness as a systemic resilience issue, not a niche cryptography concern.
UK NCSC Staged Migration Guidance
The UK National Cyber Security Centre’s PQC migration guidance establishes a three-phase roadmap with milestones at 2028, 2031, and 2035. By 2028, organizations are expected to have completed migration planning. By 2031, critical systems should be migrated. By 2035, full migration should be complete. [10] The NCSC guidance applies to UK organizations and carries particular weight for those operating under UK financial regulation, critical national infrastructure requirements, or government procurement frameworks. Organizations headquartered in the UK but operating internationally should also track whether their EU operations fall under NIS2 scope — the UK NCSC and EU roadmaps operate on parallel but non-identical timelines.
Table 3: Global PQC Compliance Deadline Summary — Organization Type Impact Matrix
| Organization Type | Governing Framework(s) | 2026 Compliance Action Required | Key Hard Deadline | Enforcement Mechanism |
|---|---|---|---|---|
| US DoD contractor (NSS scope) | CNSA 2.0 + CMMC Level 2 + FIPS 140-3 | FIPS 140-3 cert for CUI modules; CNSA 2.0 product roadmap | January 2027 (new NSS acquisitions) | C3PAO assessment; contract award eligibility |
| US FedRAMP cloud service provider | NIST IR 8547 + FedRAMP policy + EO 14144 | Active FIPS 140-3 module certs; PQC migration timeline in SSP | FIPS 140-2 sunset Sept 2026; NIST deprecation 2030 | FedRAMP authorization review; annual assessment |
| EU NIS2 essential entity | NIS2 (COM(2026) 13 amendment) + EU PQC Roadmap | Cryptographic inventory begun; migration roadmap documented | National strategies end of 2026; critical systems 2030 | National supervisory authority audit; NIS2 penalties |
| EU financial institution (DORA) | DORA Art. 9 + JC 2023 86 + G7 CEG Roadmap | Cryptographic agility documented; quantum risk in the ICT risk register | Ongoing (DORA applies from Jan 2025) | ECB / national competent authority; DORA sanctions |
| UK critical infrastructure operator | NCSC PQC Guidance + UK GDPR + sector regulators | Migration planning complete | 2028 (planning); 2031 (critical systems) | Sector regulator audit; NCSC engagement |
| Multinational enterprise (no direct federal scope) | Voluntary: NIST PQC + GDPR + EU CRA + G7 signal | Begin cryptographic inventory; vendor PQC roadmap requests | Procurement pressure from 2026; EU scope obligations by 2030 | Procurement eligibility, cyber insurance, and contractual terms |

Counter-Arguments
Objection: Our organization is in the private sector with no federal contracts. None of these mandates applies to us.
Discussion: It is correct that CNSA 2.0 and FISMA apply only to organizations within the federal ecosystem. However, three indirect compliance pressures apply to most private-sector organizations. First, NIST PQC standards are increasingly incorporated into commercial procurement requirements by regulated-sector buyers: financial institutions, healthcare organizations, and critical infrastructure operators who face their own compliance obligations. Second, the EU NIS2 amendment and DORA apply to organizations operating in EU markets regardless of headquarters location. Third, CISA’s January 2026 product categories publication signals that PQC capability is becoming a procurement eligibility factor in the federal supply chain. Organizations that defer PQC readiness until regulatory pressure reaches them directly will find that customer and procurement pressure arrived earlier.

Objection: The EU NIS2 amendment is still a proposal. We don’t need to act until it becomes law.
Discussion: COM(2026) 13 is in the legislative process, and the 12-month transposition window means binding national obligations may not arrive until 2028 in some Member States. However, waiting for the final text as a planning trigger is the wrong response for two reasons. First, the EU’s migration milestones — national strategies by the end of 2026, critical systems by 2030 — are already operational targets that national supervisory authorities are applying through existing NIS2 enforcement powers.
National competent authorities are not waiting for the amendment to complete transposition before asking organizations about their cryptographic posture. Second, the 12 to 24 months required for cryptographic inventory alone means that organizations beginning their program at legislative enactment will be executing against their supervisors’ expectations with a two-year preparation deficit.
Objection: The G7 roadmap explicitly says it does not set guidance or regulatory expectations. It is a non-binding document.
Discussion: It is accurate that the G7 CEG roadmap is non-binding. Its compliance significance is institutional rather than legal. The G7 CEG advises G7 Finance Ministers and Central Bank Governors, the same authorities that set supervisory expectations for the institutions the roadmap addresses. Prudential supervisors in G7 jurisdictions will increasingly interpret their ICT risk management and operational resilience expectations through the quantum preparedness lens that the G7 roadmap establishes. A financial institution whose DORA documentation or Basel operational resilience program does not refer to quantum risk assessment faces a growing gap between supervisory expectations and documented compliance posture, regardless of whether the G7 roadmap is formally binding.
Objection: We operate across multiple jurisdictions with conflicting timelines. Compliance is impossible to coordinate.
Discussion: The timelines across the US, EU, and UK frameworks are different in label but largely convergent in substance. All three establish a 2030 horizon for high-risk and critical systems and a 2035 outer boundary for full migration. The practical sequencing — cryptographic inventory first, risk prioritization second, critical systems migrated by 2030, full completion by 2035 — is consistent across NIST IR 8547, the EU PQC Roadmap, and NCSC guidance.
Organizations operating across jurisdictions do not need to run three parallel compliance programs. They need a single PQC migration program structured around the most demanding applicable requirements, with documentation that maps each element to the relevant jurisdictional framework. The G7 roadmap’s emphasis on coordination and harmonized transition reflects this design intent precisely.

FAQ
Q1: Is post-quantum cryptography compliance legally required for private-sector organizations in 2026?
A: Direct legal mandates apply to specific categories: US federal agencies and their contractors under FISMA and CNSA 2.0; EU organizations subject to NIS2 and DORA; and UK organizations under NCSC and sector-specific frameworks. Most private-sector organizations without federal contracts or EU market presence face no binding PQC regulatory compliance mandate today. However, procurement eligibility pressure, regulated-sector customer requirements, and the EU’s extraterritorial reach through GDPR and DORA create de facto compliance obligations for many organizations before direct mandates arrive.
Q2: What does CNSA 2.0 require and who does it apply to?
A: CNSA 2.0 requires National Security System operators and their vendors to support and prefer ML-KEM-1024, ML-DSA-87, AES-256, and SHA-384/512 for all new NSS acquisitions from January 1, 2027. It applies to the Department of Defense, the Intelligence Community, and the commercial ecosystem — vendors, contractors, and software providers — whose products operate in NSS environments. The suite mandates FIPS 140-3 validated implementations, creating an indirect compliance requirement for any cryptographic module vendor seeking continued NSS market access.
Q3: What does the EU’s NIS2 amendment COM(2026) 13 require from organizations today?
A: COM(2026) 13 proposes making PQC transition policies a mandatory component of EU Member State national cybersecurity strategies. It has not yet completed the legislative process. However, national competent authorities are already applying the EU’s 2026 milestone — demonstrably begun transition efforts — through existing NIS2 supervisory powers. Organizations under the NIS2 scope should treat post-quantum compliance as a current supervisory expectation, not a future legislative trigger. The practical requirement is documented cryptographic inventory progress and a migration roadmap by the end of 2026.
Q4: How does DORA create post-quantum compliance obligations for financial institutions?
A: DORA Article 9 requires financial entities to ensure the security, authenticity, and integrity of data through ICT solutions and processes. The associated regulatory technical standard JC 2023 86 specifies cryptographic guidance that includes cryptographic agility — the ability to update algorithms without disruption — as a compliance requirement. This directly maps to PQC readiness: institutions that cannot demonstrate a migration path from quantum-vulnerable algorithms to NIST PQC standards cannot satisfy the crypto-agility requirement. DORA’s resilience testing provisions under Articles 24 to 25 create additional audit exposure for institutions without a documented PQC regulatory compliance posture.
Q5: What does the G7 financial sector quantum roadmap require organizations to do?
A: The G7 quantum roadmap explicitly states that it does not set guidance or regulatory expectations. Its compliance significance is that it signals how the G7 Cyber Expert Group, which advises G7 Finance Ministers and Central Bank Governors, expects quantum preparedness to be interpreted in the context of existing ICT risk management and operational resilience frameworks. Financial institutions should treat the roadmap as a preview of supervisory expectations that will be expressed through DORA, Basel operational resilience principles, and national financial sector regulations, not as a separate compliance instrument.
Q6: How should multinational organizations prioritize when facing multiple jurisdiction deadlines?
A: Build a single PQC regulatory compliance program structured around the most demanding requirement that applies to each system. For systems within the US NSS scope, CNSA 2.0’s January 2027 acquisition deadline and the FIPS 140-2 sunset in September 2026 set the most immediate obligations. For EU-market systems, DORA’s ongoing crypto-agility requirement and the 2026 NIS2 supervisory expectation apply. For all systems, the 2030 critical infrastructure deadline across the US, EU, and UK frameworks provides a shared planning horizon. Document the jurisdictional mapping in your compliance program to satisfy supervisors in each region without duplicating the underlying technical work.
Key Points
What Every Compliance Team Needs to Know About PQC Regulatory Compliance in 2026
- CNSA 2.0 requires all new NSS acquisitions to use ML-KEM-1024, ML-DSA-87, AES-256, and SHA-384/512 from January 1, 2027. FIPS 140-3 validation for these implementations averages more than 500 days — that window has effectively closed for vendors who have not yet initiated the process.
- COM(2026) 13, published January 2026, proposes writing explicit post-quantum compliance requirements into the EU NIS2 Directive for the first time. National supervisory authorities are applying the 2026 milestone — demonstrably begun transition efforts — through existing powers regardless of legislative completion.
- DORA’s crypto-agility requirement under JC 2023 86 creates active PQC regulatory compliance obligations for EU financial institutions today. Institutions without documented PQC migration roadmaps face audit exposure in DORA resilience testing.
- The G7 quantum roadmap, co-chaired by the US Treasury and Bank of England, signals that quantum preparedness has reached systemic financial stability standing — prudential supervisors will incorporate these expectations into DORA and Basel operational resilience assessments.
- Despite different intermediate milestones, US, EU, and UK PQC regulatory compliance frameworks converge at 2030 for critical systems and 2035 for full migration — enabling multinational organizations to build a single program aligned to the most demanding applicable requirement.
PQC Series Overview
This article is part of the Post-Quantum Security Series — a technical collection of guides exploring cryptographic vulnerabilities exposed by quantum computing, migration strategies for organizations, and the steps required to protect sensitive data before quantum decryption becomes operationally viable.
References
- [1] Post Quantum. (February 2026). NIS2, DORA, and the EU post-quantum roadmap. PostQuantum.com. https://postquantum.com/quantum-policies/nis2-dora-pqc-quantum/
- [2] Post Quantum. (May 2026). The complete US post-quantum cryptography regulatory framework in 2026. PostQuantum.com. https://postquantum.com/quantum-policies/us-pqc-regulatory-framework-2026/
- [3] SafeLogic. (2026). Post-quantum cryptography compliance standards. SafeLogic Compliance Hub. https://www.safelogic.com/compliance/pqc-standards
- [4] National Institute of Standards and Technology. (2024, draft). NIST IR 8547: Transition to post-quantum cryptography standards. NIST CSRC. https://csrc.nist.gov/news/2024/draft-nist-ir-8547-is-available-for-comment
- [5] Office of Management and Budget. (November 2022). OMB M-23-02: Migrating to post-quantum cryptography. White House OMB. https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf
- [6] Decent Cybersecurity. (April 2026). EU moves to write post-quantum cryptography directly into NIS2 law. https://decentcybersecurity.eu/post-quantum-cryptography-nis2/
- [7] IBM. (2025). DORA and your quantum-safe cryptography migration. IBM Think Insights. https://ibm.com/think/insights/dora-quantum-safe-cryptography-migration
- [8] AppViewX. (April 2026). Post-quantum cryptography PQC readiness in 2026 — EU roadmap milestones. AppViewX Blog. https://www.appviewx.com/blogs/pqc-readiness-2026/
- [9] G7 Cyber Expert Group. (January 2026). Advancing a coordinated roadmap for the transition to post-quantum cryptography in the financial sector. US Department of the Treasury. https://home.treasury.gov/system/files/136/G7-CEG-Quantum-Roadmap.pdf
- [10] SoftwareSeni. (May 2026). Post-quantum cryptography compliance deadlines and what the global regulatory mandates require. https://www.softwareseni.com/post-quantum-cryptography-compliance-deadlines-and-what-the-global-regulatory-mandates-require/
