Regulatory & Compliance

Understanding the evolving landscape for quantum-safe cryptography

Regulatory frameworks worldwide are evolving to address quantum threats. Fira helps organisations navigate these requirements and implement compliant solutions.

EU Regulatory Framework

Cyber Resilience Act (CRA)

Mandatory cybersecurity requirements for all products with digital elements sold in the EU. Requires manufacturers to handle vulnerabilities effectively throughout a product's lifecycle. PQC readiness becomes relevant as quantum threats are explicitly recognised.

NIS2 Directive

Expanded scope covering more sectors and stricter security requirements. Requires "state of the art" security measures — PQC is increasingly interpreted as meeting this threshold.

eIDAS 2.0

Updated electronic identification and trust services regulation. Qualified electronic signatures must remain secure over their validity period — PQC signatures are essential for long-term validity.

GDPR (Article 32)

Requires "appropriate technical measures" for data protection. As PQC becomes available, failure to adopt may constitute inadequate protection.

ENISA Recommendations

Published PQC migration guidance recommending hybrid approaches and early preparation. Fira's methodology aligns with ENISA's recommended migration path.

UK Regulatory Framework

NCSC Guidance

UK National Cyber Security Centre recommends organisations begin PQC planning now. "Prepare, don't panic" — but preparation means concrete technical steps, not just awareness.

UK Cyber Security Strategy

Quantum threat explicitly identified. Government departments expected to lead by example.

Financial Conduct Authority (FCA)

Operational resilience requirements increasingly interpreted to include quantum-readiness for long-lived encrypted data.

International Standards

NIST FIPS 203/204/205

Finalised August 2024. FIPS 203 specifies ML-KEM (key encapsulation), FIPS 204 specifies ML-DSA (digital signatures), and FIPS 205 specifies SLH-DSA (hash-based signatures). These are the definitive PQC standards.

US NSM-10

National Security Memorandum requiring federal agencies to inventory cryptographic systems and prepare migration plans.

ISO/IEC Standards

Standards bodies actively developing PQC integration standards for international alignment.

Greek Public Sector Context

  • ΕΣΗΔΗΣ procurement framework requirements for information security
  • Compatibility with Ελληνικό Σχήμα Πιστοποίησης (Greek Certification Scheme)
  • Alignment with National Cyber Security Strategy (Εθνική Στρατηγική Κυβερνοασφάλειας)
  • eIDAS / ΑΔΔΥ requirements for qualified electronic signatures
  • PQC module documentation for substantiating technical know-how (τεκμηρίωση τεχνογνωσίας) in RFP submissions

Need compliance documentation?

Fira provides certificates of completion, project descriptions, and reference documentation formatted for Greek (ΕΣΗΔΗΣ) and UK public sector RFP requirements.