Introduction
The Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography is a strategic document published by the NIS Cooperation Group (NIS CG), a body established under the European Union’s Network and Information Security (NIS) Directive to foster cooperation among EU Member States on cybersecurity matters. Released on June 11, 2025, as Version 1.1, this roadmap is the first deliverable of the NIS CG’s workstream on post-quantum cryptography (PQC). It responds to the European Commission Recommendation (EU) 2024/1101, issued on April 11, 2024, which calls for a coordinated EU-wide approach to transitioning to PQC to address the emerging threat of quantum computing to current cryptographic systems. This summary, aimed at high-level management, outlines the key points of the roadmap, its significance, and the recommended actions for EU Member States to ensure cybersecurity resilience in the face of quantum advancements.
Why Post-Quantum Cryptography Matters
Cryptography underpins the security of critical digital services, including banking, government operations, and communication platforms like messaging apps. However, the development of quantum computers poses a significant threat to widely used cryptographic algorithms, such as RSA and elliptic curve cryptography, which could be broken by quantum algorithms like those proposed by Peter Shor in 1994. While a cryptographically relevant quantum computer—one capable of breaking these algorithms—does not yet exist, experts estimate a 19–34% chance of such a computer emerging within the next decade, potentially by 2035, with a maximum timeline of 2040. This timeline is informed by studies like the German Federal Office for Information Security (BSI) report, Status of Quantum Computer Development (2024), and the Quantum Threat Timeline Report (2024) by the Global Risk Institute.
Two primary risks drive the urgency of transitioning to PQC:
- Harvest Now, Decrypt Later: Adversaries could collect encrypted data today and decrypt it later when quantum computers become available, threatening sensitive data like government secrets or personal information that requires long-term confidentiality.
- Long Transition Periods: Complex systems, such as public-key infrastructures (PKIs) or devices with extended lifespans, require significant time to migrate to quantum-safe solutions, necessitating early action to avoid vulnerabilities.
PQC refers to cryptographic algorithms designed to resist both classical and quantum attacks, executable on existing systems, making it a practical solution to mitigate these risks. The roadmap emphasizes the need for a proactive, coordinated transition to PQC to safeguard the EU’s digital infrastructure, economy, and security.
Purpose and Scope of the Roadmap
The NIS CG’s roadmap provides high-level guidance for EU Member States to develop national PQC transition strategies, aligning with the European Commission’s 2024 recommendation. It targets public administrations and critical infrastructure entities, particularly those under the NIS2 Directive (2022), which mandates robust cybersecurity measures, including state-of-the-art cryptography. The roadmap also supports compliance with the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA), which set cybersecurity standards for the financial sector and digital products, respectively. By outlining a timeline and actionable steps, the document aims to ensure a synchronized EU-wide transition to PQC, enhancing cryptographic agility and cybersecurity resilience.
Key Recommendations and Timeline
The roadmap proposes a risk-based approach, prioritizing high-risk use cases where data confidentiality must be protected for over 10 years (e.g., governmental or sensitive business data). It recommends using standardized, tested hybrid cryptographic solutions—combining PQC with existing algorithms—to balance security and compatibility during the transition. The timeline is structured around three milestones:
By December 31, 2026:
- Implement the First Steps, including stakeholder engagement, cryptographic asset inventories, dependency mapping, quantum risk analysis, supply chain coordination, awareness programs, and national PQC roadmap development.
- Initiate PQC transition planning and pilot projects for high- and medium-risk use cases.
- Establish initial national PQC transition roadmaps to ensure readiness.
By December 31, 2030:
- Complete Next Steps, such as supporting cryptographic agility, allocating resources, adapting certification schemes, updating regulations, and exploring ecosystem opportunities (e.g., private sector collaboration, training, and funding).
- Finalize PQC transition for high-risk use cases.
- Complete planning and pilots for medium-risk use cases.
- Ensure quantum-safe software and firmware upgrades are enabled by default.
By December 31, 2035:
- Complete PQC transition for medium- and low-risk use cases as feasible.
- Align with international timelines, such as the U.S. National Security Memorandum 10 and the UK NCSC, which target 2035 for mitigating quantum risks.
This timeline reflects the urgency of acting now, given the potential for quantum computers to emerge within 10–16 years and the lengthy transition periods required for complex systems. Delays could expose critical systems to vulnerabilities, particularly if quantum advancements accelerate.
First Steps for Immediate Action
The roadmap outlines First Steps to initiate the transition, described as “no-regret” moves that enhance overall cybersecurity:
- Stakeholder Engagement: Involve key players like government CTOs, CISOs, academics, and industry to develop national strategies.
- Cryptographic Asset Management: Create and maintain inventories of cryptographic assets using tools like Cryptographic Bill of Materials (CBOM) to support vulnerability management.
- Dependency Mapping: Identify internal and third-party dependencies to plan efficient migrations.
- Quantum Risk Analysis: Integrate quantum threats into risk management, prioritizing high-risk use cases.
- Supply Chain Coordination: Engage suppliers to ensure PQC integration in products and services.
- Awareness Programs: Develop tailored communication strategies to raise urgency among stakeholders.
- Knowledge Sharing: Participate in the NIS CG workstream and international standardization efforts to align transitions.
Next Steps for Sustained Progress
The Next Steps focus on long-term implementation:
- Cryptographic Agility: Design systems to allow easy updates to cryptographic components, ensuring quantum-safe upgrades by 2027, as mandated by the CRA.
- Resource Allocation: Secure budgets and personnel for the transition.
- Certification Updates: Adapt cybersecurity certification schemes to include PQC, aligning with the EU Cybersecurity Certification Scheme.
- Regulatory Evolution: Update national laws and procurement policies to incorporate PQC requirements.
- Ecosystem Opportunities: Collaborate with the private sector, enhance training, and leverage funding programs like the Digital Europe Program.
- Pilot and Testing: Implement pilot projects and support testing centers to ensure interoperability of PQC solutions.
EU’s Role in Supporting the Transition
The European Commission, alongside the European Union Agency for Cybersecurity (ENISA), plays a pivotal role in facilitating the PQC transition. Through programs like Digital Europe and Horizon Europe, the EU supports standardization, research, and testing infrastructures. The Commission fosters international cooperation and peer-sharing of best practices among Member States, ensuring a cohesive approach. The roadmap aligns with these efforts, providing a framework for Member States to coordinate with EU initiatives and global standards.
Quantum Risk Assessment
The roadmap introduces a quantum risk assessment framework, based on The PQC Migration Handbook (2024), to prioritize transitions. It categorizes risks as:
- High: Use cases where data confidentiality must be protected for over 10 years or where high-impact breaches (e.g., software updates) are possible.
- Medium: Use cases requiring long-term confidentiality or significant transition effort (over 8 years).
- Low: Less critical use cases with shorter confidentiality needs.
This risk-based approach helps organizations allocate resources effectively, ensuring critical systems are protected first.
Conclusion
The Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, authored by the NIS Cooperation Group, is a critical response to the European Commission’s 2024 recommendation (EU) 2024/1101. It provides EU Member States with a clear, actionable plan to transition to PQC, addressing the looming quantum threat to digital security. By setting milestones for 2026, 2030, and 2035, and outlining practical steps, the roadmap ensures a synchronized, risk-based approach to safeguard critical infrastructures. High-level management should prioritize stakeholder engagement, resource allocation, and awareness to drive this transition, aligning with EU regulations like NIS2 and CRA to maintain cybersecurity resilience in a quantum future.
Supplemental Sources and Notes
- European Commission Recommendation (EU) 2024/1101: The foundational document mandating a coordinated PQC transition, published April 11, 2024. URL: https://eur-lex.europa.eu/eli/reco/2024/1101/oj
- BSI Study: Status of Quantum Computer Development (2024): Provides estimates on quantum computer timelines, informing the roadmap’s urgency.
- Global Risk Institute: Quantum Threat Timeline Report (2024): Offers expert estimates on quantum risks, cited for the 19–34% chance of RSA-2048 being broken within a decade.
- The PQC Migration Handbook (2024): Guides the quantum risk assessment framework used in the roadmap.




