Germany’s BSI Draws the Sharpest PQC Migration Lines in Europe: 2030 for Critical Infrastructure, 2032 for Everyone Else

4 February 2025 — Germany’s Federal Office for Information Security (BSI) published Version 2025-01 of its Technical Guideline TR-02102-1, “Cryptographic Mechanisms: Recommendations and Key Lengths,” on January 31, 2025. The update contains the most prescriptive post-quantum cryptography migration requirements issued by any European national authority to date.

Two deadlines stand out. Organizations operating critical infrastructure under Germany’s KRITIS regulations must complete their migration to quantum-safe cryptography by 2030. All other organizations must complete migration by 2032. Classical asymmetric mechanisms (RSA, ECC, Diffie-Hellman) are classified as deprecated throughout the document, with the guideline treating their continued use beyond these dates as incompatible with BSI’s minimum security requirements.

The update goes further than its EU counterparts on algorithm policy. BSI mandates that post-quantum cryptography be deployed exclusively in hybrid mode, combining a quantum-resistant algorithm with a classical one, for all production use cases. This position has been consistent across multiple BSI publications, but TR-02102-1 Version 2025-01 codifies it as a technical requirement rather than a recommendation.

On algorithm selection, the guideline includes NIST’s ML-KEM (FIPS 203) as an accepted key encapsulation mechanism, but also lists FrodoKEM and Classic McEliece as cryptographically suitable alternatives for long-term confidentiality. These two algorithms did not win NIST’s competition, but BSI considers them conservative fallbacks: FrodoKEM because its security reduction is tighter than ML-KEM’s, Classic McEliece because it rests on decades-old coding theory with well-understood security margins.

For digital signatures, BSI accepts ML-DSA (FIPS 204) and SLH-DSA (FIPS 205), again in hybrid configurations alongside classical signature schemes.

The guideline applies directly to German federal agencies and to organizations regulated under KRITIS. For the private sector, TR-02102-1 functions as authoritative guidance that shapes procurement requirements and, through BSI’s certification programs, constrains which cryptographic implementations are acceptable in regulated environments.

This update follows the October 2024 joint statement “Securing Tomorrow, Today”, initiated by Germany, France, and the Netherlands and signed by cybersecurity authorities from 18 EU member states, which urged immediate PQC transition with hybrid deployments.

My Analysis

Germany just staked out the most aggressive PQC migration position of any European country, and one of the most prescriptive globally. The 2030 deadline for critical infrastructure matches the urgency Australia’s ACSC has been signaling, though the two approaches differ in a way that will cause genuine headaches for multinationals.

Australia’s ACSC has been moving toward pure PQC (no hybrid). BSI mandates hybrid. ANSSI in France also mandates hybrid, with its own nuances. CNSA 2.0 allows hybrid during transition but pushes toward exclusive PQC use by 2030 for networking equipment. A company operating VPN infrastructure across the US, Germany, and Australia simultaneously faces three different requirements on the same question: pure PQC, hybrid only, or hybrid-then-pure.

I’ve written before about PQC standards fragmentation as a looming challenge for multinationals. BSI’s update makes that challenge concrete. The algorithm divergence is especially notable. FrodoKEM and Classic McEliece appear nowhere in CNSA 2.0. BSI is recommending a broader cryptographic portfolio than any of its allies, based on a conservative security philosophy that prefers well-analyzed mathematical foundations over standardization convenience.

That philosophy has intellectual merit. ML-KEM’s security proof has a looser reduction than FrodoKEM’s, and the lattice problems underlying both are younger than the code-based problems behind Classic McEliece. If you’re a cryptographer optimizing for long-term confidence, the BSI position is defensible. If you’re an enterprise architect trying to maintain a single global cryptographic stack, it creates a procurement problem.

The 2032 deadline for non-CII organizations is three years ahead of NIST IR 8547’s proposed 2035 disallowance date. Germany is not waiting for international convergence. Given that the BSI’s own market survey with KPMG found the quantum threat “widely underestimated” in German industry, with fewer than 5% of organizations holding a formal migration plan, the gap between what BSI expects and what the market has done is substantial.

For organizations subject to KRITIS regulation: the 2030 deadline is five years away. The enterprise PQC migration study published in late 2024 estimates 8 to 12 years for mid-sized organizations and 12 to 15+ years for large enterprises. The arithmetic is straightforward. If those estimates are even roughly correct, a large critical infrastructure operator starting today cannot finish by 2030 under baseline assumptions. That’s a reason to start immediately and invest in the automation, tooling, and crypto-agility that can compress those timelines.

Germany’s move, combined with the EU’s April 2024 Commission Recommendation on PQC, is creating a European regulatory floor that will pull along member states with less developed PQC programs. As I’ve argued repeatedly, the deadlines are already set. BSI just made them two to three years tighter for anyone doing business in Germany.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.