CNSA 2.0 vs. the World: Navigating Diverging Global PQC Requirements

Introduction

If post-quantum cryptography had a single global standard, this article would not exist. NIST published the algorithms. Everyone could adopt them, set deadlines, and get on with the migration. That was, roughly, what many in the cybersecurity community expected when NIST finalized FIPS 203, 204, and 205 in August 2024.

What happened instead is more interesting and more complicated. Every major cryptographic authority reviewed NIST’s output and made different choices about which algorithms to approve, which parameter levels to require, whether hybrid deployments are mandatory or optional, which additional algorithms to endorse beyond NIST’s selections, and how fast the transition must happen. The result is a global PQC requirements map with meaningful divergences that create real operational headaches for any organization working across jurisdictions.

For multinationals, defense contractors with allied-nation obligations, and technology vendors selling globally, the practical question is: which standard governs, and can a single implementation satisfy them all? This article maps the divergences, identifies the points of genuine conflict, and offers a framework for working through the mess.

The CNSA 2.0 Baseline

As I cover in detail in the complete CNSA 2.0 guide, NSA’s approach is defined by its narrowness. The algorithm menu is deliberately constrained to one option per function at the highest parameter level: ML-KEM-1024 for key establishment, ML-DSA-87 for signatures, AES-256 for symmetric encryption, SHA-384 or SHA-512 for hashing, plus LMS/XMSS for firmware signing. SLH-DSA is excluded. FN-DSA will not be added. HashML-DSA is prohibited. Multi-tree signature schemes are not allowed. NSA does not require hybrid deployments during the transition; the target is pure CNSA 2.0 by the exclusive-use dates.

This approach optimizes for interoperability and operational simplicity across thousands of NSS implementations. It also makes a specific security bet: that lattice-based constructions are strong enough to protect national security information without a non-lattice fallback.

Now compare that with what everyone else is doing.

Europe: Algorithm Diversity and Mandatory Hybrid

The European approach begins from a different premise than NSA’s. Where NSA asks “what is the minimum algorithm set that provides sufficient security with maximum interoperability?”, European authorities ask “how do we hedge against the possibility that any single algorithmic family might be weaker than we think?”

The answers differ country by country, but the general European pattern includes broader algorithm menus, mandatory hybrid deployments, and explicit inclusion of conservative fallback options.

BSI (Germany)

Germany’s Federal Office for Information Security publishes algorithm recommendations through its Technical Guideline TR-02102, updated to a 2025 version that incorporates NIST’s finalized standards.

BSI recommends ML-KEM for key establishment but also endorses FrodoKEM and Classic McEliece as approved alternatives. FrodoKEM is particularly significant: it uses unstructured lattices (plain Learning With Errors) rather than the structured lattice (Module-LWE) construction that underlies ML-KEM. The security argument is more conservative: if a mathematical breakthrough specifically targeted structured lattices, FrodoKEM would remain secure. The cost is roughly 10x larger key sizes than ML-KEM, which makes it impractical for most TLS deployments but viable as a defense-in-depth option for high-assurance applications.

For signatures, BSI recommends ML-DSA alongside SLH-DSA, at NIST Security Levels 3 and 5 (meaning both ML-DSA-65 and ML-DSA-87 are acceptable, as are the corresponding SLH-DSA parameter sets). BSI also approves LMS/HSS and XMSS/XMSS^MT for hash-based signatures, including the multi-tree variants that CNSA 2.0 excludes.

The most significant policy difference: BSI mandates that PQC algorithms be deployed in hybrid mode (combined with a classical algorithm) for all use cases except hash-based signatures. The rationale is explicit: the lattice-based algorithms have not been subjected to the same decades of cryptanalytic scrutiny as RSA and ECC, so combining them with a classical algorithm ensures security even if the new algorithms contain undiscovered weaknesses. BSI’s position is that the hybrid requirement should persist until sufficient confidence in the standalone security of PQC algorithms has been established.

This creates a direct conflict with CNSA 2.0. NSA’s timeline moves toward pure PQC by the exclusive-use dates, and hybrid deployments are treated as a transitional concession, not a long-term architectural requirement. BSI treats hybrid as the target state. An organization subject to both authorities must decide which one to satisfy. Satisfying BSI’s hybrid mandate does not conflict with CNSA 2.0 (hybrid that prefers CNSA 2.0 algorithms is CNSA 2.0 compliant), but satisfying CNSA 2.0’s pure-PQC endpoint would eventually violate BSI’s hybrid requirement.

ANSSI (France)

France’s Agence nationale de la sécurité des systèmes d’information aligns with BSI on the principle of hybrid deployment but adds its own algorithm preferences. ANSSI recommends ML-KEM alongside FrodoKEM for key establishment (requiring hybrid with classical algorithms), and accepts ML-DSA, FN-DSA at Levels 3 and 5, and SLH-DSA for signatures.

The FN-DSA endorsement is notable. CNSA 2.0 will not include FN-DSA even after NIST standardizes it, citing susceptibility to implementation errors. ANSSI considers it acceptable. For organizations building products that must work in both U.S. NSS and French government environments, this creates a divergence: implementing FN-DSA for ANSSI compliance is wasted effort from NSA’s perspective.

ECCG (EU-wide)

As I analyzed in my coverage of Europe’s new cryptographic rulebook, the European Cybersecurity Certification Group published version 2 of its Agreed Cryptographic Mechanisms in May 2025. This document provides the closest thing to a unified European position.

The ECCG grants “recommended” status to FrodoKEM, the conservative KEM that NIST declined to standardize. It includes ML-KEM, ML-DSA, SLH-DSA, LMS, and XMSS. And it contains a provision in Note 40 that LWE or MLWE-based mechanisms “shouldn’t be used in a standalone way” and “should be combined with a well-established mechanism.” The European position is that lattice-based algorithms require a classical companion in production deployments.

The EU’s Coordinated Implementation Roadmap, adopted by the NIS Cooperation Group in June 2025, sets milestones at end of 2026 (Member States develop national PQC plans), end of 2030 (high-risk systems secured with PQC), and 2035 (full transition). The proposed amendment to NIS2 would write PQC transition requirements directly into EU directive text for the first time.

NCSC (United Kingdom)

The UK’s National Cyber Security Centre published detailed migration guidance with three phases: planning complete by 2028, critical systems migrated by 2031, full migration by 2035.

The algorithm recommendations are less restrictive than CNSA 2.0: ML-KEM-768 and ML-DSA-65 (Level 3 parameters) are considered acceptable, not just Level 5. For organizations in the UK that do not also serve U.S. NSS customers, this means smaller key sizes, smaller signatures, and less performance impact. But for organizations straddling both jurisdictions, the Level 3 implementations that satisfy NCSC will not satisfy CNSA 2.0’s Level 5 requirement.

NCSC treats hybrid as an interim measure on the path to full PQC adoption, closer to NSA’s eventual pure-PQC position than to BSI’s view of hybrid as a long-term architecture. This puts the UK somewhere between the American and Continental European positions.

Australia: The Earliest Pure-PQC Deadline

Australia’s Signals Directorate (ASD) has set what may be the most aggressive national PQC timeline outside the U.S. defense establishment. The ASD Information Security Manual mandates that traditional asymmetric cryptography must not be used beyond the end of 2030. Organizations should develop a refined transition plan by end of 2026 and begin transitioning critical systems by end of 2028.

ASD recommends ML-DSA-87 (the same parameter level as CNSA 2.0), with ML-DSA-65 acceptable until 2030. The target is pure PQC, not hybrid. For organizations operating in both Australia and Europe, this creates a tension: ASD requires classical algorithm elimination by 2030, while BSI requires classical algorithms to be retained alongside PQC indefinitely (through the hybrid mandate). Satisfying both simultaneously means running hybrid until 2030, then removing the classical component for Australian compliance while maintaining it for European compliance — a split that in practice means maintaining two configurations.

China: Cryptographic Sovereignty

China’s approach to post-quantum cryptography represents the most significant divergence in the global PQC picture. Rather than adopting NIST’s algorithms, China is developing its own PQC national standards through the Institute of Commercial Cryptography Standards (ICCS) and the Chinese Association for Cryptographic Research (CACR).

China’s existing commercial cryptographic algorithm system (the SM series: SM2, SM3, SM4, SM9) already operates independently of Western standards. The PQC extension follows the same pattern. Chinese researchers ran a domestic PQC competition in 2018-2020 that produced algorithms like LAC (a lattice-based KEM) and Aigis (a signature scheme) as finalists. China is now pursuing lattice-based algorithms built on unstructured lattice problems, prioritizing security conservatism in a manner similar to FrodoKEM’s approach but with independent constructions.

As I detailed in my analysis of sovereignty in the PQC era, China’s pursuit of independent PQC standards is driven partly by legitimate concerns about algorithmic backdoors in Western-designed cryptography and partly by the same industrial policy logic that produced the SM series. A recent analysis projected that China expects to release its first batch of PQC national standards (KEM and digital signature GB/T standards) within three years. If that timeline holds, China’s PQC ecosystem will be based on entirely different algorithms than those used by the rest of the world.

For multinational organizations with Chinese operations, this is not a hypothetical problem. China’s Cryptography Law already requires commercial cryptographic products used in government and critical infrastructure to comply with national standards. If China’s PQC standards require algorithms different from ML-KEM and ML-DSA, organizations will need to implement and maintain two complete PQC stacks: one for Chinese compliance and one for everyone else. The crypto-agility imperative becomes architectural, not optional.

South Korea is following a similar path. Its own PQC standardization process has produced different algorithm candidates, creating another jurisdiction where NIST alignment cannot be assumed. Organizations operating across East Asia need to track these developments closely.

The Divergence Map

The practical divergences sort into five categories, each with distinct operational implications.

Algorithm Menu

CNSA 2.0 approves the narrowest algorithm set: ML-KEM, ML-DSA, LMS/XMSS, AES-256, SHA-384/512. Europe adds SLH-DSA, FrodoKEM, Classic McEliece, FN-DSA, and multi-tree hash-based schemes. China is building an independent set. The common denominator across NIST-aligned jurisdictions is ML-KEM and ML-DSA. These two algorithms are approved everywhere outside China. An implementation that supports ML-KEM-1024 and ML-DSA-87 will be acceptable across all NIST-aligned jurisdictions, though it may not satisfy the additional requirements that some impose.

Parameter Levels

CNSA 2.0 and ASD both require the highest parameter levels: ML-KEM-1024, ML-DSA-87 (Security Level 5). NCSC accepts ML-KEM-768 and ML-DSA-65 (Level 3). BSI and ANSSI accept both Levels 3 and 5. For a vendor building a single product for global markets, the safe choice is Level 5: it satisfies every NIST-aligned jurisdiction, and the performance penalty over Level 3 is noticeable but manageable for most applications. The exception is constrained environments where the larger key and ciphertext sizes of Level 5 create genuine operational problems.

Hybrid Requirements

This is the sharpest point of genuine conflict. BSI and the ECCG require hybrid (PQC combined with classical) for lattice-based algorithms. NSA and ASD target pure PQC by their exclusive-use dates. NCSC treats hybrid as transitional. For an organization subject to both BSI and ASD, the intersection is impossible to satisfy after 2030 without maintaining separate configurations: hybrid for Europe, pure PQC for Australia.

In practice, most organizations will run hybrid during the transition period regardless of what their jurisdiction mandates, because the backward compatibility benefits of hybrid are too significant to ignore. The question is whether hybrid remains the long-term architecture (BSI’s view) or whether the classical component is eventually removed (NSA/ASD/NCSC’s view). The answer depends on your regulatory exposure, and for global organizations, the answer may be “both, depending on which system we’re talking about.”

Algorithm Diversity

Europe has made a deliberate bet on algorithmic diversity as a hedge against lattice weaknesses. FrodoKEM, Classic McEliece, and SLH-DSA all provide security based on non-lattice (or conservatively-constructed lattice) assumptions. CNSA 2.0 has made the opposite bet: a tight, lattice-focused suite that maximizes interoperability at the cost of diversity.

The SLH-DSA exclusion is where this tension is most visible. NSA excludes NIST’s own conservative hash-based signature algorithm. BSI recommends it. ANSSI recommends it. The ECCG recommends it. If lattice assumptions hold, NSA’s approach is cleaner and simpler. If they weaken, Europe’s approach provides a fallback that NSA-only organizations would not have. Organizations designing for crypto-agility should consider supporting SLH-DSA even if their primary compliance obligation is CNSA 2.0, not because CNSA 2.0 requires it but because the ability to switch to a non-lattice signature algorithm rapidly is valuable insurance.

Timeline

The timelines vary by several years across jurisdictions. CNSA 2.0’s first hard enforcement is January 2027 (new acquisition gate). ASD targets classical algorithm elimination by 2030. The EU roadmap starts with national plans by end of 2026 and critical infrastructure transition by 2030. NCSC targets critical systems by 2031. The 2035 full-migration target is broadly shared across the US (NSM-10), EU, UK, and Australia.

For global organizations, the binding constraint is the earliest applicable deadline. An organization subject to both CNSA 2.0 and the EU roadmap should plan against CNSA 2.0’s 2027 acquisition gate for any NSS-adjacent products and the EU’s 2030 critical infrastructure target for European operations.

The Rule of the Most Stringent

When requirements conflict across jurisdictions, one principle simplifies the analysis: implement to the most stringent applicable requirement, then verify that the result does not violate any other applicable requirement.

In most cases, this means:

Implement ML-KEM-1024 and ML-DSA-87 (Level 5 satisfies everyone who accepts NIST algorithms). Deploy in hybrid mode during the transition (satisfies BSI and ANSSI, does not violate CNSA 2.0 as long as CNSA 2.0 algorithms are present and preferred). Support SLH-DSA where feasible (satisfies European diversity expectations, provides a fallback regardless of jurisdiction). Track China’s national PQC standards if you operate there (no common implementation will cover this divergence).

The one genuine conflict — BSI’s permanent hybrid requirement versus ASD’s 2030 classical elimination, requires a geographic or system-level policy split. For systems deployed in Australia, plan for pure PQC by 2030. For systems deployed in Europe, plan for hybrid to continue indefinitely. Systems that must operate in both environments need the architectural flexibility to support both configurations.

Implications for Crypto-Agility

The global divergence in PQC requirements is, ironically, the strongest argument for crypto-agility as an architectural principle. If every jurisdiction agreed on exactly the same algorithms, parameter levels, and deployment modes, organizations could perform a one-time migration and be done. The reality is that requirements will continue to evolve, additional algorithms will be standardized (HQC is expected as a NIST backup KEM, FN-DSA as FIPS 206), and national authorities will periodically revise their recommendations as cryptanalytic understanding deepens.

An organization that hard-codes ML-KEM-1024 and ML-DSA-87 as its only PQC capability is CNSA 2.0 compliant today. But if BSI tightens its hybrid requirements, if China mandates its national algorithms for data processed on Chinese soil, or if a mathematical advance weakens lattice assumptions, that organization faces another emergency migration. An organization that builds crypto-agility into its architecture from the beginning (the ability to add, swap, and remove algorithms without re-architecting systems) can absorb these changes as configuration updates rather than engineering crises.

The PQC Migration Framework builds crypto-agility into the migration methodology from the first phase. The framework applies regardless of jurisdiction: whether your primary driver is CNSA 2.0, BSI TR-02102, ASD’s ISM, or a combination, the underlying process of inventory, risk assessment, algorithm selection, pilot deployment, and migration remains the same. The jurisdiction-specific requirements determine which algorithms you deploy and when; the framework determines how you deploy them sustainably.

The PQC world is not converging toward a single standard. It is diverging into a set of overlapping, partially compatible national requirements. Organizations that recognize this early and design for flexibility will manage the transition with far less friction than those that optimize for a single jurisdiction and discover the conflicts later.