Europe’s New Cryptographic Rulebook Just Made PQC Official
30 Apr 2025 – For years, the EU’s position on post-quantum cryptography could be summarized as “we’re watching closely.” That changed in April 2025, when the European Cybersecurity Certification Group – the body that decides which cryptographic mechanisms are acceptable for products certified under Europe’s EUCC scheme – published Version 2.0 of its Agreed Cryptographic Mechanisms document. It’s the first time PQC algorithms have appeared on Europe’s official “recommended” list. And the document’s details reveal a regulatory philosophy that differs from NIST’s approach in ways that matter for anyone planning a migration.
The ACM v2 replaces the SOG-IS Agreed Cryptographic Mechanisms that had governed European Common Criteria evaluations for over a decade. Where its predecessor had nothing to say about post-quantum cryptography, the new document weaves PQC considerations into nearly every section — from key encapsulation and digital signatures to symmetric key lengths and hash function parameters. It’s not just an addendum. It’s a ground-up rewrite for the quantum era.
What’s In and What It Means
The headline additions are the NIST-standardized post-quantum algorithms. ML-KEM (FIPS 203) earns “recommended” status for key encapsulation. ML-DSA (FIPS 204) earns “recommended” for digital signatures. The stateless hash-based signature scheme SLH-DSA (FIPS 205) and the stateful schemes XMSS and LMS (SP 800-208) round out the signature portfolio.
But the more interesting story is what Europe added that NIST didn’t – and the conditions it attached.
FrodoKEM makes the cut. The ACM v2 grants “recommended” status to FrodoKEM, the conservative, unstructured-lattice key encapsulation mechanism that NIST declined to standardize. This is a deliberate hedge. FrodoKEM’s security rests on the plain Learning With Errors problem rather than the structured-lattice (Module-LWE) variant that underlies ML-KEM. The tradeoff is significantly larger key sizes – roughly 10x compared to ML-KEM – but the security argument is more conservative. European agencies including France’s ANSSI and Germany’s BSI have long advocated for FrodoKEM as a diversification play, and the ECCG has now formalized that position. The document recommends using FrodoKEM-1344 or FrodoKEM-976 – the two highest security parameter sets.
Hybrid is not optional for lattice-based schemes. This is where the ECCG draws its sharpest line. Note 40 of the document states plainly that LWE or MLWE-based mechanisms “shouldn’t be used in a standalone way” and “should be combined with a well established classical cryptomechanism.” Note 51 repeats this for ML-DSA signatures. Note 60 repeats it again for ML-KEM key encapsulation. Three separate notes, same message: if you’re deploying lattice-based PQC in a European-certified product, you must pair it with classical cryptography.
The reasoning is spelled out in the document’s PQC introduction: “Most post-quantum schemes currently proposed for standardisation are relatively new compared to existing schemes, and have received less scrutiny.” The hybrid mandate ensures that even if a lattice-based scheme is broken – the SIKE precedent looms large – the classical component provides a fallback.
For hash-based signature schemes (SLH-DSA, XMSS, LMS), the requirement is softer. Note 53 says hybridization is recommended but “they may however also be used in a standalone way.” The ECCG clearly regards hash-based constructions, whose security reduces to well-understood properties of hash functions, as mature enough to stand alone.
Parameter choices favor the high end. Note 55 recommends ML-DSA-87 or ML-DSA-65 – the two largest parameter sets. Note 61 recommends ML-KEM-1024 or ML-KEM-768. In both cases, the ECCG is steering implementers away from the smallest NIST parameter sets (ML-DSA-44 and ML-KEM-512), which target NIST Security Level 1. Europe wants Security Level 3 or 5.
The Classical Deprecation Clock
The PQC additions don’t exist in a vacuum. The ACM v2 simultaneously tightens the screws on classical asymmetric cryptography.
RSA key sizes below 3,000 bits are now “legacy” with a deprecation deadline of December 31, 2025 – meaning they are no longer acceptable for EUCC-certified products after that date. The recommended minimum is 3,000 bits. For context, many widely deployed systems still use RSA-2048.
Finite-field Diffie-Hellman groups below 3,072 bits get the same deadline, which the document writes as L[2025]: legacy status that expires at the end of 2025. The entire classical asymmetric ecosystem – RSA, finite-field DH, and elliptic curve DH – carries explicit quantum threat warnings throughout the document. Every relevant section includes a note stating that these mechanisms “shall not be used without being combined with a quantum resistant mechanism” in contexts requiring quantum resistance.
On TLS, the document designates TLS 1.3 as the recommended protocol version, with TLS 1.2 classified as legacy. Several TLS 1.2 cipher suites using CBC-mode encryption are marked L[2025], meaning they expire at year’s end. The document explicitly prohibits SSLv2 support to prevent protocol downgrade attacks.
Symmetric Adjustments for the Quantum Era
A detail that many coverage summaries will miss: the ACM v2 adjusts symmetric cryptography parameters for quantum resistance, too.
For block ciphers, Note 3 recommends key sizes of at least 192 bits in contexts requiring quantum resistance – ruling out AES-128 for quantum-sensitive applications, due to Grover’s algorithm. For hash functions, Note 4 recommends output lengths of at least 384 bits, which means SHA-256 and SHA3-256 are not sufficient for quantum-resistant contexts. For MAC schemes based on hash functions, Note 19 recommends key sizes of at least 192 bits.
These are not exotic, forward-looking provisions. They affect decisions organizations are making right now about which symmetric algorithms to deploy in new systems.
Why This Document Matters Beyond Certification
The ACM v2 is technically addressed to “developers and evaluators” working within the EUCC certification framework. But its influence extends well beyond Common Criteria labs.
The European Commission’s Coordinated Implementation Roadmap for PQC transition – which targets high-risk systems by 2030 and full migration by 2035 – references the ECCG’s agreed mechanisms as the cryptographic baseline. The EU Cyber Resilience Act standardization work is moving toward a model where the ACM’s mechanism list defines “state of the art” cryptography for internet-connected products. Any organization that sells ICT products into the European market, or that supplies components to companies that do, will eventually feel the pull of these recommendations.
The mandatory hybrid requirement is particularly consequential. While NIST’s own guidance has been increasingly supportive of hybrid deployments, it has not mandated them. The ECCG has. For organizations operating across both U.S. and European regulatory environments, the European hybrid mandate becomes the binding constraint – you can comply with both by deploying hybrid, but you cannot comply with both by deploying standalone PQC.
What to Do With This
The ACM v2 doesn’t change the physics of quantum computing or the mathematics of post-quantum algorithms. What it changes is the regulatory landscape. Specific actions for security leaders:
Audit your European product portfolio for classical-only asymmetric crypto. RSA below 3,000 bits and DH groups below 3,072 bits are losing their “agreed” status at year-end. If you’re shipping products into EUCC certification pipelines with these parameters, the clock is running.
Plan for hybrid from the start. If your PQC migration roadmap includes standalone ML-KEM or ML-DSA deployments, it won’t satisfy the European framework. Design for hybrid – ML-KEM + ECDH for key agreement, ML-DSA + ECDSA for signatures. The document even specifies agreed key combiners (CatKDF and CasKDF from ETSI’s hybrid specification) for combining the classical and post-quantum key material.
Evaluate FrodoKEM for high-assurance use cases. The performance penalty is real – larger keys, more bandwidth – but for environments where the conservatism of unstructured lattices matters (government, financial infrastructure, long-term data protection), FrodoKEM now has institutional backing from Europe’s certification framework.
Don’t overlook the symmetric adjustments. If you’re deploying new systems that need to remain secure against quantum adversaries, AES-128 and SHA-256 alone are no longer sufficient under European guidance. Move to AES-256 and SHA-384 or SHA-512 for quantum-resistant contexts.
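The four actions above can be turned into a first-pass crypto-inventory check. The following is an added example, not part of the original article or of the ACM v2 document: the inventory entries, field names and finding texts are constructed, and the thresholds are only the ones quoted in this article.

```python
# Thresholds are the ones quoted in this article, not taken from ACM v2 directly.
LATTICE_OK = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87",
              "FrodoKEM-976", "FrodoKEM-1344"}
LATTICE = LATTICE_OK | {"ML-KEM-512", "ML-DSA-44"}   # includes the Level 1 sets
HASH_BASED = {"SLH-DSA", "XMSS", "LMS"}              # standalone use is allowed
CLASSICAL = {"RSA", "FFDH", "ECDH", "ECDSA"}
HASH_BITS = {"SHA-256": 256, "SHA3-256": 256, "SHA-384": 384, "SHA-512": 512}

def check(entry):
    """Return the findings for one inventory entry (empty list = nothing to flag)."""
    alg, bits = entry["alg"], entry.get("bits", 0)
    qr = entry.get("quantum_resistant", False)   # context requires quantum resistance
    partner = entry.get("hybrid_with")           # second mechanism of a hybrid, if any
    findings = []
    if alg == "RSA" and bits < 3000:
        findings.append("RSA below 3,000 bits: legacy, L[2025]")
    if alg == "FFDH" and bits < 3072:
        findings.append("DH group below 3,072 bits: legacy, L[2025]")
    if alg in CLASSICAL and qr and partner not in LATTICE | HASH_BASED:
        findings.append("classical asymmetric without a quantum-resistant partner")
    if alg in LATTICE and alg not in LATTICE_OK:
        findings.append("parameter set below the recommended ones")
    if alg in LATTICE and partner not in CLASSICAL:
        findings.append("lattice-based scheme used standalone: hybrid required")
    if alg in ("AES", "HMAC") and qr and bits < 192:
        findings.append("symmetric key below 192 bits in a quantum-resistant context")
    if qr and HASH_BITS.get(alg, 384) < 384:
        findings.append("hash output below 384 bits in a quantum-resistant context")
    return findings

# Constructed sample inventory; names and fields are hypothetical.
INVENTORY = [
    {"name": "tls-legacy", "alg": "RSA", "bits": 2048},
    {"name": "vpn-kex", "alg": "ML-KEM-768", "hybrid_with": "ECDH"},
    {"name": "fw-sign", "alg": "ML-DSA-44"},
    {"name": "boot-sign", "alg": "SLH-DSA"},
    {"name": "archive-enc", "alg": "AES", "bits": 128, "quantum_resistant": True},
    {"name": "archive-hash", "alg": "SHA-256", "quantum_resistant": True},
    {"name": "site-kex", "alg": "ECDH", "bits": 256, "quantum_resistant": True},
]

def audit(inventory):
    """Map entry name -> findings, keeping only entries that have at least one."""
    return {e["name"]: f for e in inventory if (f := check(e))}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings)
```
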
The Bigger Picture
The ACM v2 is Europe drawing a line. Not a dramatic one – no panic, no ultimatums – but a clear, technically detailed line that says: post-quantum cryptography is no longer experimental, it is now part of the approved toolbox, and classical asymmetric cryptography alone is no longer sufficient for products that need to maintain security assurance over any meaningful time horizon.
The hybrid mandate is the most strategically significant element. It reflects a mature, pragmatic risk calculus: deploy PQC now, but don’t bet everything on algorithms that are younger than most of the systems they’re meant to protect. The inclusion of FrodoKEM alongside ML-KEM signals that Europe is not content to follow NIST’s selections uncritically – it wants algorithmic diversity as a hedge against future cryptanalytic surprises.
For organizations still debating when to start their PQC migration, the ECCG just simplified the decision. If you sell into the European market, the answer is now.