The Cryptography Clause Nobody Is Reading
NIS2 Article 7(2)(k) turns post-quantum cryptography from a planning aspiration into a regulatory obligation. The transition clock is running — and it started before your board heard the word 'quantum'.
The Hidden Provision in the January 2026 Package
The commentary on the European Commission’s January 2026 cybersecurity package has focused, understandably, on the high-visibility changes: the gold-plating ceiling, the certification-as-compliance pathway, the expanded ransomware disclosure obligations. Those are consequential. But buried in COM(2026) 13 is a provision that will define a significant portion of every CISO’s medium-term roadmap — and it has received almost no operational attention.
The proposed new Article 7(2)(k) requires Member States to adopt policies within their national cybersecurity strategies “for the transition to post-quantum cryptography, taking into account the transition timelines and relevant requirements set out in applicable Union legal acts and policies.”[1] This is not a recital aspiration. It is a named, operative requirement inserted directly into the directive text.
At the same time, Recital (8) of the proposal goes further than any prior EU legislative text in naming the quantum threat explicitly. It identifies ‘harvest now, decrypt later’ attacks as attacks “likely occurring already now”[2] — a statement that transforms post-quantum readiness from a future-dated risk into a current operational exposure.
For CISOs, the governance implication is immediate: the interpretive gap that previously allowed quantum risk to be deferred on the grounds that ‘NIS2 doesn’t specifically require PQC’ has closed. The proposal eliminates it by name.
What Changed — and What Was Already There
Understanding why Article 7(2)(k) matters requires understanding what existed before it.
NIS2 Article 21(2)(h) already required organisations to establish “policies and procedures relating to the use of cryptography and, where appropriate, encryption.”[3] The ENISA Technical Implementation Guidance, published in mid-2025, encouraged quantum-safe cryptographic algorithms as part of implementing this requirement.[4] The EU’s Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, also issued in 2025, established milestones for national transition strategies.[5]
The legal logic connecting Article 21(2)(h) to PQC was sound but interpretive. It required connecting the directive’s general ‘state-of-the-art’ language to external guidance documents. That argument was defensible — but it was still an argument. COM(2026) 13 converts that argument into a legislative requirement. Once transposed, PQC migration planning is not a CISO’s recommended best practice. It is a named component of national cybersecurity strategy that supervisory authorities will assess.
The broader regulatory context reinforces this. The Cyber Resilience Act, with its key enforcement provisions applying from December 2027, will require products to be designed with cryptographic agility — the capacity to update cryptographic mechanisms as threats evolve.[6] eIDAS 2.0 drives digital identity wallet rollout across PKI-heavy infrastructure that carries some of the longest cryptographic migration lead times in any enterprise.[7] The Commission is not building a single PQC mandate — it is assembling an interlocking framework across NIS2, CRA, and eIDAS simultaneously.
The Threat That Doesn’t Wait for Regulation
Harvest now, decrypt later is not a theoretical attack pattern. It is an active data collection strategy. Adversaries — primarily nation-state actors — are already exfiltrating encrypted data at scale on the assumption that a cryptographically relevant quantum computer will eventually be available to decrypt it. The value of the data determines the attack horizon: government communications, long-lived intellectual property, financial records, critical infrastructure configuration data.
The EU PQC Roadmap is explicit about the timeline exposure. By the end of 2030, critical infrastructure should have transitioned to quantum-resistant algorithms for high-risk use cases — specifically those where “data confidentiality must be protected for over ten years.”[8] That ten-year window, measured backwards from 2030, reaches 2020. Encrypted data captured since 2020 is, on this model, potentially in scope.
NIST published the first post-quantum cryptography standards — ML-KEM, ML-DSA, and SLH-DSA — in August 2024.[9] Those standards are available now. The migration is not waiting for mathematical readiness. It is waiting for organisational will.
The EU Timeline and What It Means Operationally
The EU PQC roadmap establishes three milestones that CISOs should be building into governance frameworks today:
• End of 2026: Member States should initiate national PQC transition strategies. Organisations in NIS2 scope should treat this as a signal that supervisory enquiries on cryptographic readiness are forthcoming.
• End of 2030: Critical infrastructure entities should have completed transition for high-risk use cases. This is the operative planning deadline for most essential entities.
• End of 2035: Complete transition for as many systems as practically feasible. This is the long tail — legacy systems, low-criticality infrastructure, complex multi-party dependencies.
The 2030 milestone is the operationally significant one. At typical enterprise migration velocity, organisations that do not begin cryptographic inventories in 2025–2026 will not complete high-risk migrations by 2030. PKI infrastructure, in particular, has some of the longest transition lead times of any enterprise cryptographic dependency — certificates, trust chains, and identity infrastructure cannot be migrated in a single programme cycle.
The Article 7(2)(k) requirement adds a governance layer to this timeline. When the Commission’s implementing acts under Article 21(5) arrive — setting harmonised technical requirements — they are highly likely to reference PQC readiness directly, given that the proposal explicitly tasks Member States with PQC transition planning. CISOs who have not begun that planning will find themselves defending gaps to supervisory authorities who are, by then, operating against a regulatory framework that explicitly anticipated it.
What CISOs Should Do Now
The Article 7(2)(k) requirement is proposed, not yet enacted. Member States have not yet transposed it. But the operational steps it points toward are not dependent on transposition — they are risk-management actions that are independently justified by the threat landscape and the existing Article 21 obligations. The regulation provides governance cover for actions CISOs should be taking regardless.
1. Commission a cryptographic inventory
The foundational action. Organisations cannot plan a PQC migration without knowing where RSA, ECC, and other classically vulnerable algorithms currently live. This means mapping keys, certificates, algorithms, and protocols across cloud, hybrid, and on-premises environments — including those embedded in vendor software and third-party components. A Cryptography Bill of Materials (CBOM) extends the SBOM concept to capture algorithm-level dependencies, not just component-level ones.[10] This is the step that organisations consistently underestimate.
2. Classify assets by confidentiality lifespan
Not all encrypted data carries the same quantum exposure. Crown-jewel data with a confidentiality requirement extending beyond 2030 is already in the harvest-now window on the EU roadmap’s model. That data — and the systems protecting it — should be the first priority for PQC migration planning, irrespective of broader programme timelines.
3. Map cryptographic risk to Article 21(2)(h) obligations
The existing NIS2 requirement for cryptography policies is the operative hook for supervisory engagement today. CISOs should review whether current policy documentation under Article 21(2)(h) addresses quantum risk — even in general terms. A documented risk acceptance position, grounded in the EU PQC roadmap timeline, is significantly stronger than silence. Supervisory authorities will ask; having a documented position is the difference between a governance programme and an audit finding.
4. Engage procurement on cryptographic agility
The Cyber Resilience Act will, from December 2027, impose cryptographic agility requirements on products entering the EU market. Organisations that are currently procuring or renewing technology contracts should be including cryptographic agility requirements in procurement specifications now — particularly for long-lived infrastructure, PKI-dependent systems, and any technology with update mechanisms. This is not a future compliance action; it is a current procurement governance requirement.
5. Bring quantum risk to the board
The Article 7(2)(k) proposal, and Recital (8)’s explicit naming of harvest-now-decrypt-later as “likely occurring already now,” provides CISOs with primary regulatory source material for a board briefing. Quantum risk has typically been positioned as a 2030-era concern. The EU is, in this proposal, explicitly disputing that framing. The board should understand that data captured today under current encryption may be decryptable in a regulatory and threat environment that already anticipates this — and that NIS2 obligations are beginning to name the required response.
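Steps 1 and 2 above are the only ones that produce a data artefact rather than a document, and they are usually done by hand in a spreadsheet. The following Python script is an added example, not code from the article or from any tool or vendor it cites. It assumes a hypothetical line-based export (key=value tokens, constructed inline) such as a TLS scanner, certificate dump or KMS listing might produce, normalises each record into an inventory entry, flags classically vulnerable public-key families, and ranks every asset against the roadmap's 2030 milestone: a vulnerable key-exchange or encryption algorithm protecting data whose confidentiality must outlast 2030 is in the harvest-now window. It also encodes a caveat the inventory should capture: a quantum-vulnerable signature key must still be migrated, but its compromise does not retroactively expose recorded ciphertext, so it ranks below a vulnerable key exchange. The output is a simplified CBOM-style JSON document, not the official CycloneDX schema.

```python
"""Cryptographic inventory -> harvest-now-decrypt-later triage (added example).

Constructed input and a hypothetical export format; not the output of any real
scanner. Priorities follow the EU PQC roadmap milestones as described above:
P1 = harvest-now exposure (migrate for the 2030 milestone), P2 = vulnerable but
no retroactive exposure (2035 long tail), P3 = symmetric margin to review,
OK = no classically vulnerable public-key algorithm found.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field, asdict

ROADMAP_HIGH_RISK_YEAR = 2030  # end-2030 milestone for data confidential beyond that date

# Public-key families a cryptographically relevant quantum computer breaks.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519"}
# NIST PQC standards published August 2024 (FIPS 203/204/205).
PQC_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Roles whose compromise exposes *recorded* ciphertext; signatures do not.
CONFIDENTIALITY_ROLES = {"kex", "encrypt"}

# Constructed sample export: one asset per line, key=value tokens (hypothetical format).
SAMPLE_SCAN = """\
source=tls-scan host=api.corp.example kx=ECDHE-P256 auth=RSA-2048 data=customer-pii conf_until=2040
source=kms key=payments-signing alg=ECDSA-P256 use=sign data=payment-records conf_until=2033
source=cert subject=CN=vpn-gw alg=RSA-4096 use=kex data=vpn-traffic conf_until=2028
source=kms key=archive-kem alg=ML-KEM-768 use=kex data=archive conf_until=2045
source=tls-scan host=www.example kx=X25519 auth=ECDSA-P256 data=public-marketing conf_until=2026
source=kms key=backup-wrap alg=AES-128-GCM use=encrypt data=backups conf_until=2040
"""


@dataclass
class InventoryEntry:
    asset: str                          # host, key name or certificate subject
    source: str
    data_class: str
    conf_until: int                     # year until which the protected data must stay confidential
    algorithms: list[tuple[str, str]]   # (role, algorithm name) pairs found on the asset
    vulnerable: list[str] = field(default_factory=list)
    priority: str = ""
    reason: str = ""


def algorithm_family(name: str) -> str:
    """Map 'RSA-2048', 'ECDSA-P256', 'ML-KEM-768' or 'AES-128-GCM' to its family."""
    upper = name.upper()
    for pqc in PQC_FAMILIES:
        if upper.startswith(pqc):
            return pqc
    return upper.split("-")[0]


def symmetric_bits(name: str) -> int:
    """Key length embedded in a symmetric algorithm label such as AES-128-GCM (0 if absent)."""
    m = re.search(r"-(\d{3,4})(?:-|$)", name)
    return int(m.group(1)) if m else 0


def parse_record(line: str) -> InventoryEntry:
    """Normalise one export line; values are assumed not to contain whitespace."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    algs: list[tuple[str, str]] = []
    if "kx" in fields:
        algs.append(("kex", fields["kx"]))
    if "auth" in fields:
        algs.append(("sign", fields["auth"]))
    if "alg" in fields:
        algs.append((fields.get("use", "encrypt"), fields["alg"]))
    asset = fields.get("host") or fields.get("key") or fields.get("subject") or "unknown"
    return InventoryEntry(asset=asset, source=fields["source"],
                          data_class=fields.get("data", "unclassified"),
                          conf_until=int(fields.get("conf_until", 0)), algorithms=algs)


def classify(entry: InventoryEntry) -> InventoryEntry:
    """Assign a migration priority from algorithm family, role and confidentiality lifespan."""
    harvest_exposed = False
    weak_symmetric = False
    for role, name in entry.algorithms:
        fam = algorithm_family(name)
        if fam in QUANTUM_VULNERABLE:
            entry.vulnerable.append(f"{role}:{name}")
            if role in CONFIDENTIALITY_ROLES:
                harvest_exposed = True
        elif fam == "AES" and symmetric_bits(name) < 256:
            weak_symmetric = True
    long_lived = entry.conf_until > ROADMAP_HIGH_RISK_YEAR
    if harvest_exposed and long_lived:
        entry.priority, entry.reason = "P1", (
            f"confidentiality required until {entry.conf_until} (> {ROADMAP_HIGH_RISK_YEAR}); "
            "traffic recorded today is decryptable once a CRQC exists")
    elif entry.vulnerable:
        entry.priority, entry.reason = "P2", (
            "signature-only or short-lived confidentiality: migrate in the 2035 long tail, "
            "no retroactive exposure of recorded data under the roadmap model")
    elif weak_symmetric:
        entry.priority, entry.reason = "P3", "symmetric key below 256 bits: review security margin"
    else:
        entry.priority, entry.reason = "OK", "no classically vulnerable public-key algorithm found"
    return entry


def build_inventory(scan_text: str) -> list[InventoryEntry]:
    """Parse, classify and order the inventory: highest priority and longest lifespan first."""
    entries = [classify(parse_record(line)) for line in scan_text.splitlines() if line.strip()]
    order = {"P1": 0, "P2": 1, "P3": 2, "OK": 3}
    return sorted(entries, key=lambda e: (order[e.priority], -e.conf_until))


def to_cbom(entries: list[InventoryEntry]) -> dict:
    """Simplified CBOM-style document (hypothetical layout, not the CycloneDX schema)."""
    return {
        "inventoryFormat": "example-cbom-0.1",
        "summary": {p: sum(1 for e in entries if e.priority == p) for p in ("P1", "P2", "P3", "OK")},
        "assets": [asdict(e) for e in entries],
    }


if __name__ == "__main__":
    print(json.dumps(to_cbom(build_inventory(SAMPLE_SCAN)), indent=2))
```

Run on the constructed sample, the API endpoint (ECDHE key exchange, customer data confidential until 2040) lands in P1, the ECDSA signing key and the short-lived VPN and marketing endpoints in P2, the 128-bit wrapping key in P3, and the ML-KEM key is the only asset marked OK. The `conf_until` value is the input a real programme has to supply from data classification (step 2); the scan tooling can discover algorithms but never the confidentiality lifespan of what they protect.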
The Governance Dimension
There is a pattern in EU cybersecurity regulation that CISOs have seen repeatedly: a risk category moves from industry best practice to regulatory expectation to enforcement surface, often faster than compliance programmes can absorb the shift. Supply chain security followed this trajectory. Non-human identities are following it now. Post-quantum cryptography is next.
The organisations that manage this transition well will not be those that waited for the implementing acts and then launched a crash programme. They will be those that treated the proposed Article 7(2)(k) — and the existing Article 21(2)(h) — as a governance signal to begin the inventory, classification, and planning work that a structured migration requires.
The transition to post-quantum cryptography is not primarily a cryptography project. It is an enterprise risk governance programme. It requires asset classification, vendor engagement, procurement policy, board awareness, and incident response planning — all of which fall squarely within the CISO’s remit regardless of where the regulatory text sits on its transposition timeline.
The regulation is telling you where the threat is heading. The threat is already there.
References
[1] European Commission, COM(2026) 13 final — Proposal for a Directive amending NIS2 (January 2026)
[3] Directive (EU) 2022/2555 (NIS2), Article 21(2)(h)
[4] ENISA, Technical Implementation Guidance for NIS2 (2025)
[6] Regulation (EU) 2024/2847 (Cyber Resilience Act), enforcement provisions from December 2027
[7] Regulation (EU) 2024/1183 (eIDAS 2.0) — European Digital Identity framework
[8] NIS Cooperation Group, Coordinated Implementation Roadmap for PQC, milestone end-2030
[9] NIST Post-Quantum Cryptography Standards (ML-KEM, ML-DSA, SLH-DSA), August 2024
[10] SCANOSS — NIS2 and Cryptography Bills of Materials (CBOM) (April 2026)