Quantum Security & PQC

The EU’s Cyber Resilience Act Doesn’t Say “Post-Quantum” but Its Crypto-Agility Requirement Will Shape PQC Migration

January 2025 — The EU Cyber Resilience Act (CRA), adopted in late 2024, introduces mandatory cybersecurity requirements for products with digital elements sold in the European market. While the regulation addresses a broad spectrum of cybersecurity concerns (from vulnerability disclosure to software update obligations), one requirement has direct and under-discussed implications for PQC migration: the mandate that products must support updates to their cryptographic mechanisms throughout their expected lifecycle.

The CRA applies to any hardware or software product with digital elements placed on the EU market. Manufacturers must ensure that products are “designed and developed in such a way that their security can be maintained throughout the product’s lifecycle,” including the ability to apply security updates that address vulnerabilities in cryptographic implementations. Products that cannot be updated to support new cryptographic algorithms face a compliance gap that will become acute as PQC requirements take effect.

The regulation does not specify which algorithms products must use. It does not reference ML-KEM, ML-DSA, or any NIST PQC standard by name. But the updateability requirement, read alongside the EU Commission’s April 2024 Recommendation on PQC transition and the ongoing work toward a coordinated EU migration roadmap, creates a regulatory chain: the EU expects PQC adoption within the decade, and the CRA ensures products can actually deploy whatever algorithms the EU settles on.

The Act entered into force in late 2024 with a phased compliance timeline. Manufacturers have until 2027 for full compliance with most provisions.

My Analysis

The CRA connects EU PQC policy to EU product law in a way that no prior regulation has done. Until now, the EU’s PQC guidance (the Commission Recommendation, the NIS2 directive, DORA) has targeted organizations: operators, financial entities, member state governments. The CRA targets products. That’s a fundamentally different enforcement surface.

Consider the IoT sector. A manufacturer ships an embedded sensor with a 15-year expected lifecycle. Under pre-CRA rules, if that sensor used hardcoded RSA-2048 for key exchange and its firmware couldn’t be updated, the manufacturer faced no EU-level penalty. The sensor worked, it met the security standards of the day, and the customer bore the risk if the cryptography became obsolete. Under the CRA, a product that ships in 2027 with cryptography that cannot be updated to meet future post-quantum requirements fails the regulation’s lifecycle-security mandate. The manufacturer, not the customer, holds that liability.

I’ve argued previously that crypto-agility is an architecture problem: you cannot bolt it on after the product ships. The CRA codifies that argument into law. Products designed today for a 2027 market entry must architect for algorithm substitution from the start, because the EU’s PQC timeline guarantees that cryptographic requirements will change during the product’s operational life.

For OT and industrial equipment, the implications are particularly sharp. Industrial control systems, medical devices, automotive components, and infrastructure sensors routinely operate for 10 to 20 years. Equipment entering the market in 2027 will still be operating in 2037–2047, well past NIST IR 8547’s proposed 2035 disallowance date. If these products cannot receive cryptographic updates, they will be running disallowed algorithms on the EU market. I’ve written about the specific challenges of upgrading OT systems to PQC; the CRA forces manufacturers to confront those challenges at the design stage rather than the deployment stage.

The CRA also creates a market access lever that extends beyond the EU. Manufacturers selling globally will build crypto-agility into their products for EU compliance and ship the same capability everywhere. Like GDPR’s effect on global privacy standards, the CRA’s crypto-agility requirement will raise the baseline for products worldwide.

For product manufacturers: if you’re building any product with digital elements that will be sold in the EU after 2027, your cryptographic architecture needs to support algorithm substitution. That means abstracted cryptographic APIs, updateable firmware, and key management systems that can handle different algorithm families. The cost of building this in at design time is a fraction of the cost of retrofitting it, or of losing EU market access.
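To make the "abstracted cryptographic APIs" point concrete, here is an added example written for this post (it is not code from the CRA, from any named product, or from Applied Quantum). It models the three things a crypto-agile product needs: artifacts that carry an algorithm identifier, a registry that dispatches on that identifier so a new algorithm family is one registration rather than a code change at every call site, and a policy layer with separate sign and verify allow-lists so an algorithm can be adopted, then deprecated for a transition window, then retired outright by a policy update. Everything here is an assumption for illustration: the envelope wire format, the identifier strings, the adopt/deprecate/retire lifecycle, and the use of keyed HMAC (standard library only) as a stand-in for the asymmetric signature families such as RSA or ML-DSA that a real device would register.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

class CryptoPolicyError(Exception):
    """Algorithm identifier is unknown or not permitted by the active policy."""

class MalformedEnvelope(ValueError):
    """Envelope bytes do not parse."""

@dataclass(frozen=True)
class AlgorithmSpec:
    """One pluggable algorithm: stable identifier plus sign/verify callables."""
    name: str
    sign: Callable[[bytes, bytes], bytes]
    verify: Callable[[bytes, bytes, bytes], bool]

def _hmac_spec(name: str, digest) -> AlgorithmSpec:
    # Assumption: keyed HMAC stands in for the asymmetric signature families (RSA,
    # ML-DSA) a real product would register; only the registry/dispatch shape matters.
    def sign(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, digest).digest()
    def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(hmac.new(key, msg, digest).digest(), tag)
    return AlgorithmSpec(name, sign, verify)

# Registry keyed by identifier (identifiers constructed for this example); a new family is one entry here.
REGISTRY: Dict[str, AlgorithmSpec] = {
    "legacy-hmac-sha1": _hmac_spec("legacy-hmac-sha1", hashlib.sha1),
    "hmac-sha256": _hmac_spec("hmac-sha256", hashlib.sha256),
    "hmac-sha3-256": _hmac_spec("hmac-sha3-256", hashlib.sha3_256),
}

@dataclass(frozen=True)
class CryptoPolicy:
    """Separate allow-lists for signing and verifying, so a deprecated algorithm can
    stay verifiable for a transition window while nothing new is produced with it."""
    allowed_sign: FrozenSet[str]
    allowed_verify: FrozenSet[str]

    def adopt(self, alg_id: str) -> "CryptoPolicy":      # new algorithm enters service
        if alg_id not in REGISTRY:
            raise CryptoPolicyError(f"cannot adopt unregistered algorithm {alg_id!r}")
        return CryptoPolicy(self.allowed_sign | {alg_id}, self.allowed_verify | {alg_id})

    def deprecate(self, alg_id: str) -> "CryptoPolicy":  # stop producing, keep accepting
        return CryptoPolicy(self.allowed_sign - {alg_id}, self.allowed_verify)

    def retire(self, alg_id: str) -> "CryptoPolicy":     # disallow entirely
        return CryptoPolicy(self.allowed_sign - {alg_id}, self.allowed_verify - {alg_id})

def _lookup(alg_id: str, permitted: FrozenSet[str]) -> AlgorithmSpec:
    # Fail closed before any cryptographic work: unknown and disallowed ids are rejected.
    if alg_id not in REGISTRY:
        raise CryptoPolicyError(f"unknown algorithm {alg_id!r}")
    if alg_id not in permitted:
        raise CryptoPolicyError(f"algorithm {alg_id!r} not permitted by policy")
    return REGISTRY[alg_id]

def signing_permitted(alg_id: str, policy: CryptoPolicy) -> bool:
    try:
        _lookup(alg_id, policy.allowed_sign)
        return True
    except CryptoPolicyError:
        return False

def make_envelope(alg_id: str, key: bytes, payload: bytes, policy: CryptoPolicy) -> bytes:
    # Constructed wire format: alg_id | 0x00 | 4-byte big-endian length | payload | tag.
    # The tag covers the header, so the algorithm identifier cannot be swapped later.
    spec = _lookup(alg_id, policy.allowed_sign)
    header = alg_id.encode("ascii") + b"\x00" + struct.pack(">I", len(payload))
    return header + payload + spec.sign(key, header + payload)

def verify_envelope(envelope: bytes, key: bytes, policy: CryptoPolicy) -> bytes:
    # Parse, enforce policy, dispatch on the carried identifier, return the payload.
    sep = envelope.find(b"\x00")
    if sep < 0 or len(envelope) < sep + 5:
        raise MalformedEnvelope("header truncated")
    alg_id = envelope[:sep].decode("ascii", "replace")  # a non-ASCII id simply fails lookup
    (length,) = struct.unpack(">I", envelope[sep + 1:sep + 5])
    body_end = sep + 5 + length
    if len(envelope) < body_end:
        raise MalformedEnvelope("payload truncated")
    spec = _lookup(alg_id, policy.allowed_verify)
    if not spec.verify(key, envelope[:body_end], envelope[body_end:]):
        raise ValueError("signature check failed")
    return envelope[sep + 5:body_end]

def verification_status(envelope: bytes, key: bytes, policy: CryptoPolicy) -> str:
    # Collapse the failure modes into a label a device can log or act on.
    try:
        verify_envelope(envelope, key, policy)
        return "ok"
    except CryptoPolicyError:
        return "policy"
    except MalformedEnvelope:
        return "malformed"
    except ValueError:
        return "bad-signature"
```

The design choice worth noting is the split between `allowed_sign` and `allowed_verify`: it is what lets a fleet move through the transition window the EU timeline implies (old artifacts still accepted, no new ones produced) and then reach a disallowance date where a single policy update makes the old algorithm fail closed, all without touching the call sites that sign or verify. A product whose cryptography is a hardcoded call to one algorithm has no place to apply that update.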

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.


Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.