In January 2025, the EU’s Digital Operational Resilience Act (DORA) entered into application. It’s a regulation that aims for digital resilience in financial bodies and organizations across Europe, particularly in the light of potential disruptions, failures or cyber attacks.
While DORA’s focus is wider than the challenges of cryptography, its Regulatory Technical Standards do cover the importance of post-quantum cryptography (PQC), specifically Article 9 (Protection and Prevention) and Article 15 (Cryptographic Controls). These provisions recognize that financial entities must consider the quantum threat, and in particular, formulate policy that includes crypto agility.
Cryptographic agility is the ability of an organization to replace or upgrade cryptography quickly and efficiently, without disrupting operation or security. DORA Section 4, Article 6 explicitly details requirements:
- Financial entities must ensure their cryptographic technology remains resilient against evolving ‘cryptanalysis and cyber threats’.
- Proactive monitoring is also called out, with reference to ‘threats from quantum advancements’ as a reason why organizations must stay abreast of developments in cryptographic techniques.
- Algorithm updates are mandated by DORA, and organizations must have a policy that includes provisions for updating or changing cryptographic technology when threats emerge.
With a focus on risk management, inventorying, reporting suspected harvest-now-decrypt-later (HNDL) attacks and resilience testing, the legislation is stringent about how financial bodies must consider their readiness. Interestingly, DORA also highlights ‘third-party risk’, pointing out that financial firms are legally responsible for their vendors. In other words, you cannot be ‘quantum-safe’ if your cloud provider or payment gateway is still using legacy cryptography.
At PQShield, these are considerations that have fueled our operation for the last few years. Our suite of products is focused on crypto agility, providing solutions that can keep networks and systems future-proofed from the evolving threat landscape.
