The EU Just Proposed Including Post-Quantum Cryptography (PQC) in NIS2
13 Feb 2026 – On 20 January 2026, the European Commission published COM(2026) 13 final – a proposed directive amending NIS2 as part of a broader cybersecurity simplification package tied to the upcoming Cybersecurity Act 2. The proposal covers a range of updates: streamlining scope definitions, simplifying cross-border supervision, introducing ransomware reporting requirements, and enabling cyber posture certification as a compliance tool.
But buried in the targeted amendments is a provision that fundamentally changes how the EU treats quantum risk in law.
PQC goes from implied to named
The proposal adds a new Article 7(2)(k) to NIS2, requiring Member States to adopt policies within their national cybersecurity strategies “for the transition to post-quantum cryptography, taking into account the transition timelines and relevant requirements set out in applicable Union legal acts and policies.”
Until now, PQC readiness under NIS2 was a matter of connecting dots – between the directive’s general requirement for “state-of-the-art” cryptography policies, the EU’s PQC Recommendation from April 2024, and the coordinated implementation roadmap published in June 2025. The legal logic was sound, but it required interpretation. COM(2026) 13 eliminates that interpretive gap. If adopted, PQC migration planning becomes a mandatory, named component of national cybersecurity strategy for every EU Member State.
The recitals say what the articles don’t
In EU legislation, recitals carry interpretive weight – they explain the intent behind the operative provisions. Recital (8) of the proposal is the most explicit statement on quantum risk to appear in any EU legislative text to date.
It names “harvest now, decrypt later” attacks as “likely occurring already now.” It flags “future risks induced by quantum attacks on forging signatures.” And it references something the cybersecurity community has been anticipating with growing urgency: the “planned deprecation of certain algorithm implementations and full disallowance of current public-key cryptographic algorithms.”
The recital doesn’t stop at threat framing. It calls on Member States to create “support measures and tools to assess the exposure of cryptographic assets to the risks posed by quantum computers,” to assist in building migration plans, and to test the deployment of PQC in digital applications and networks. It even pushes for “the emergence and uptake of formally verified and evaluated European PQC solutions” – a signal that the EU sees PQC not just as a security imperative but as an industrial opportunity.
And the timeline references are deliberate: the recital explicitly aligns with the NIS Cooperation Group’s Coordinated Implementation Roadmap from June 2025, reaffirming the migration targets of 2030 for critical use cases and 2035 for medium- and low-risk systems.
What else is in the package
The PQC provision is part of a larger set of NIS2 amendments worth tracking:
Scope adjustments. Providers of European Digital Identity Wallets and European Business Wallets are brought explicitly into NIS2 scope as essential entities, regardless of size. Given that the eIDAS ecosystem is PKI-heavy, this directly intersects with PQC migration – identity systems have some of the longest cryptographic transition lead times in any enterprise.
Submarine data transmission infrastructure gets its own definition and inclusion, closing a gap where some cable operators fell outside the directive.
Cyber posture certification. The proposal allows entities to demonstrate NIS2 compliance through certification under schemes developed within the revised EU Cybersecurity Certification Framework – creating a standardized pathway that could eventually embed PQC readiness requirements.
Maximum harmonization for implementing acts. Where the Commission adopts implementing acts specifying risk-management measures, Member States would be prevented from imposing additional requirements. This could streamline PQC compliance expectations across borders – or, depending on how it plays out, constrain more advanced Member States from moving faster.
Ransomware reporting. New requirements would oblige entities to report ransomware attack details, including – upon request from CSIRTs – whether a ransom was paid, how much, and to whom. This is not directly PQC-related, but it signals the EU’s appetite for more granular incident data.
Why this matters
Let’s be clear about what just happened. The EU has moved from implying that PQC falls within NIS2’s scope to writing it into the directive text. That’s a qualitative shift in regulatory posture.
For the past two years, the PQC compliance argument under NIS2 rested on a chain of inference: NIS2 requires cryptography policies → the EU recognizes quantum as a threat → therefore PQC is in scope. That chain was legally defensible, and we’ve argued precisely this case in our comprehensive analysis of how NIS2, DORA, and the EU PQC roadmap work together. But it still left room for organizations to defer action, to argue that quantum wasn’t yet “their” threat, or to wait for clearer regulatory signals before committing budget.
COM(2026) 13 closes that escape hatch. When the proposed Article 7(2)(k) requires Member States to adopt PQC transition policies aligned with the EU’s coordinated roadmap milestones, it creates a direct chain of accountability: EU directive → national strategy → supervisory expectations → entity compliance. A CISO who hasn’t started cryptographic inventory and migration planning is no longer ahead of the curve or even on it — they’re behind a publicly stated legislative intent.
The inclusion of European Digital Identity Wallets as essential NIS2 entities adds another dimension. The eIDAS 2.0 ecosystem, with its certificate-heavy PKI architecture, represents one of the longest-lead PQC migration challenges in the EU’s digital infrastructure. Bringing wallet providers into NIS2 scope – combined with the new PQC policy requirement – means the EU is acknowledging that identity and trust infrastructure need quantum-safe foundations, not just quantum-safe aspirations.
The reference to “formally verified and evaluated European PQC solutions” in Recital (8) is also worth noting. It suggests the Commission is thinking about PQC not just as a defensive measure but as an opportunity for European digital sovereignty – a theme that resonates with the Draghi Report’s emphasis on reducing dependencies.
What happens next
The proposal is now in the ordinary legislative procedure. Member States would have 12 months from entry into force to transpose the amendments. Even if the timeline shifts during negotiation, the direction is clear and the political intent is on the public record.
Organizations operating under NIS2 should treat this proposal as a planning signal, not a reason to wait. The underlying milestones haven’t changed – start transition by end of 2026, complete critical infrastructure by 2030 – and the regulatory machinery is only getting more explicit.
For a deeper analysis of how NIS2, DORA, and the EU PQC roadmap work together as a compliance framework – including the CISO playbook, obligations-to-evidence mapping, and practical migration patterns – see my full article: NIS2, DORA, and the EU Post-Quantum Roadmap.
Quantum Upside & Quantum Risk - Handled
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.