Proposal for a Directive as regards simplification measures and alignment with the Cybersecurity Act

The European Commission has proposed a new cybersecurity package to further strengthen the EU’s cybersecurity resilience and capabilities

From the document:
“Other targeted amendments to the NIS 2 Directive include:
[…] the requirement for Member States to adopt policies for the migration to post-quantum cryptography (PQC) as part of their national cybersecurity strategy […]

Given the continuously increasing reliance of our society and the economy on digital technologies, it is necessary to take mitigation measures against the quantum threat. The possibility of ‘harvest now – decrypt later attacks’, likely occurring already now, and the future risks induced by quantum attacks on forging signatures, as well as the planned deprecation of certain algorithm implementations and full disallowance of current public-key cryptographic algorithms, increase the urgency of initiating actions for the migration to post-quantum cryptography (PQC). Therefore, Member States should be required to adopt policies for the migration to PQC as part of their national cybersecurity strategy. Such policies should facilitate the acceleration of strategic planning and the creation of support measures and tools to assess the exposure of 8 COM(2025) 838 final EN 9 EN cryptographic assets to the risks posed by quantum computers. Further, they should assist in creating a migration plan and in testing the roll-out of PQC in digital applications and networks, while simultaneously fostering the emergence and uptake of formally verified and evaluated European PQC solutions adhering to compliance frameworks in products and services. Those policies should align with the milestones set out in Union legal acts and Union policies as well as documents adopted by the NIS Cooperation Group, in particular the Coordinated Implementation Roadmap for the transition to PQC, adopted by the NIS Cooperation Group in June 2025, thus achieving the migration to PQC by 2030 for critical use cases and by 2035 for medium and low level use cases. […]”

---

Full text, more information and source of information: https://digital-strategy.ec.europa.eu/en/library/proposal-directive-regards-simplification-measures-and-alignment-cybersecurity-act
Foto von Hassan Anayi auf Unsplash