EU NIS2 Directive — Cryptography & PQC Provisions
- Issuer: European Union Agency for Cybersecurity (ENISA)
- Effective date: Jan 16, 2023
- Published date: Dec 27, 2022
Summary
The EU Network and Information Security Directive 2 (NIS2, Directive 2022/2555) requires essential and important entities across the EU to implement appropriate cryptographic measures as part of a risk-based cybersecurity framework. ENISA's technical guidelines explicitly incorporate post-quantum cryptography readiness as a forward-looking requirement. Member states were required to transpose NIS2 into national law by October 2024.
PKI impact
NIS2 is a binding EU directive with transposition now overdue, and essential entities face enforcement action and fines under national transposition laws. Article 21's cryptographic risk management obligations cover certificate-dependent services, including document signing infrastructure regulated under eIDAS. ENISA guidance explicitly includes PQC readiness as part of adequate cryptographic controls.
Migration hints
- Map your NIS2 essential or important entity classification against Article 21 cryptographic risk management obligations; inadequate cipher management is an explicit compliance gap that national authorities may investigate.
- Complete a cryptographic asset inventory covering TLS/SSL endpoints, email encryption certificates, code-signing certificates, and qualified electronic signature infrastructure as the minimum scope for a NIS2-compliant risk assessment.
- For Document Signing and qualified e-signature infrastructure regulated under eIDAS, coordinate NIS2 PQC planning with eIDAS 2.0 implementation timelines — these regulatory frameworks overlap in scope.
- Implement cryptographic agility in new and updated systems now to meet the ENISA-recommended 2026 agility target and avoid system redesign costs under enforcement pressure.
- Coordinate with your national NIS2 competent authority on sector-specific PQC timelines, as implementation requirements and enforcement approaches vary by member state transposition.
Trust chain considerations
- NIS2 does not explicitly mandate re-issuance of trust anchors under PQC algorithms, but ENISA guidance implies this as part of adequate cryptographic risk management. Verify the applicable requirement level with your national competent authority.
Milestones (3)
| Deadline | Label | Type | Hard | Notes |
|---|---|---|---|---|
| Oct 17, 2024 (OVERDUE) | EU Member States transpose NIS2 into national law | Full Compliance | | Article 41 of NIS2 required member states to adopt and publish national transposition measures by 17 October 2024. |
| Apr 17, 2025 | Essential entities: complete cryptographic risk assessment | Inventory | | ENISA guidance recommends essential entities complete cryptographic asset inventories and PQC readiness gap analyses within 6 months of NIS2 national transposition. Timeline varies by member state transposition date. |
| Oct 17, 2026 | Essential entities: implement cryptographic agility controls | Crypto Agility | | ENISA recommends that essential entities implement cryptographic agility in new and updated systems within two years of NIS2 transposition. |
Algorithm references (2)
- ML-KEM (FIPS 203), Recommended
  Replaces: RSA, ECDH
  ENISA recommends entities evaluate ML-KEM (FIPS 203) for post-quantum key exchange as part of cryptographic agility planning under NIS2.
- ML-DSA (FIPS 204), Recommended
  Replaces: RSA, ECDSA
  ENISA recommends entities evaluate ML-DSA (FIPS 204) for post-quantum authentication under NIS2 cybersecurity risk management obligations.
Changelog (3)
| Date | Type | Description |
|---|---|---|
| Nov 1, 2025 | Clarification | ENISA published updated PQC technical guidelines incorporating FIPS 206 (FN-DSA) and referencing final NIST IR 8547 timelines as a benchmark for EU entity migration planning. |
| Oct 17, 2024 | Status | Transposition deadline reached. Several member states completed transposition; some faced delays and infringement risk. ENISA published updated PQC readiness guidance aligned with finalized NIST FIPS 203/204/205. |
| Dec 27, 2022 | New | NIS2 Directive (2022/2555) published in the Official Journal of the EU, entering into force on 16 January 2023 and requiring member state transposition by 17 October 2024. |
Issuer
European Union Agency for Cybersecurity (ENISA)
Type: GOVERNMENT
Region: EU