European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography

The European Commission has published a Recommendation that encourages Member States on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography. The move works towards developing and implementing a harmonized approach as the EU transitions to post-quantum cryptography. The Commission Recommendation urges Member States to formulate a robust strategy for integrating Post-Quantum Cryptography, aiming to facilitate a harmonized and unified transition across the various Member States and their public sectors. 

The strategy should establish precise objectives, key milestones, and timelines, culminating in the creation of a collective Post-Quantum Cryptography Implementation Roadmap. The roadmap will guide the implementation of Post-Quantum Cryptography technologies throughout the Union, integrating them into current public administration systems and critical infrastructures through hybrid schemes that may incorporate Post-Quantum Cryptography, alongside existing cryptographic methods or Quantum Key Distribution.

The Post-Quantum Cryptography Coordinated Implementation Roadmap should be available two years following the publication of this Recommendation, which will be followed by the development and further adaptation of Post-Quantum Cryptography transition plans of individual Member States, under the principles set out in the Post-Quantum Cryptography Coordinated Implementation Roadmap.

The Recommendation addresses the need for a coordinated approach to Europe’s transition to a quantum-safe digital infrastructure. It will help Member States develop a consistent strategy as they migrate towards more secure ways of protecting their digital infrastructures. This will promote interoperability between countries, allowing systems and services to function seamlessly across borders. The initiative will help ensure that the EU’s digital infrastructures and services are secure in the next digital era. 

The Recommendation complements the work already being done by many countries and at the international level to develop and select post-quantum cryptography algorithms for standards, including the research efforts done by EU-funded projects, the recent report from the European Agency for Cybersecurity (ENISA), and discussions on post-quantum cryptography at international level, such as in the EU-US Trade and Technology Council and Cyber Dialogue.

The purpose of the Recommendation is to facilitate the shift to Post-Quantum Cryptography for safeguarding digital infrastructures and services for public administrations and other critical infrastructures within the Union, Thierry Breton, Member of the Commission, wrote in the Recommendation. This will be achieved by empowering Member States to establish a ‘Post-Quantum Cryptography Coordinated Implementation Roadmap’ to harmonize their initiatives in developing and executing national transition plans, ensuring seamless cross-border interoperability.

Breton detailed that the recommendation will also support the evaluation and selection of relevant Post-Quantum Cryptography EU algorithms with the help of cybersecurity experts, and further adoption of such algorithms as Union standards that should be implemented across the Union as part of the Post-Quantum Cryptography Coordinated Implementation Roadmap. Lastly, it will adopt appropriate and proportionate measures to prepare for this transition.

This Recommendation encourages Member States to coordinate their actions at the Union level through a dedicated Member States forum. For this purpose, the Commission recommends that Member States take advantage of existing structures at the Union level in the area of cybersecurity and establish a sub-group of the NIS Cooperation Group. Such a sub-group could include representatives of national security agencies and cybersecurity experts, notably from national cybersecurity authorities and ENISA. 

Additionally, the sub-group may invite representatives of relevant stakeholders to participate in its work such as those of advisory bodies of public organizations, industry, service providers, and operators, to gather input and exchange information on the transition of digital infrastructures and services for public administrations and other critical infrastructures to Post-Quantum Cryptography in different sectors, coordinate their efforts at the national level, and develop the Post-Quantum Cryptography Coordinated Implementation Roadmap, following the Union competition rules and Union data protection law.

The sub-group on Post-Quantum Cryptography should consider appropriate, effective, and proportionate measures for defining and coordinating the development of the Post-Quantum Cryptography Coordinated Implementation Roadmap. The sub-group is encouraged to engage in discussions with other relevant bodies, such as Europol, NATO, or others, to avoid duplication of efforts and ensure a cohesive approach to addressing emerging challenges. 

To this effect, soon after the publication of this Recommendation, Member States are invited to establish such a sub-group on Post-Quantum Cryptography according to the Commission implementing decision (EU) 2017/179 and to appoint expert representatives who should work in close cooperation with the Commission and who should be tasked to define and develop the Post-Quantum Cryptography Coordinated Implementation Roadmap.

The Commission has been funding research and development Post-Quantum Cryptography for over a decade, recognizing the potential threat quantum computing poses to present public key cryptography. Member States should consider migrating their current digital infrastructures and services for public administrations and other critical infrastructures to Post-Quantum Cryptography as soon as possible, inducing a fundamental shift in cryptographic algorithms, protocols, and systems.

It added that for a harmonized implementation of Post-Quantum Cryptography across the Union it is essential to develop common European standards and develop a framework for identifying and selecting Post-Quantum Cryptography algorithms to be deployed in the digital networks and services across the Union. 

Through the active participation of EU-funded researchers, the Union is already supporting the development and testing of Post-Quantum Cryptography algorithm candidates for standards in international Post-Quantum Cryptography selection processes. 

Furthermore, the Commission Recommendation encourages Member States to work at the EU level closely with the Union’s cybersecurity experts, with the NIS Cooperation Group and ENISA on the evaluation and selection of the appropriate Post-Quantum Cryptography algorithms and their adoption, as EU standards for harmonized implementation across the Union. 

The Commission’s Recommendation identified that the overall work will be monitored and assessed periodically by the Commission in cooperation with the expert representatives of the Member States. To this effect, the Commission may request Member States’ representatives to submit all relevant information, which they can reasonably be expected to provide, to ensure the monitoring of the progress achieved in drafting such Post-Quantum Cryptography Coordinated Implementation Roadmap and the effectiveness of such measures. 

Based on those and all other available information, the Commission will assess the designed measures and the operation of the network of Member States’ representatives and determine whether additional actions, including proposing binding acts of Union law, are required.

“Member States should cooperate with the Commission to assess the effects of this Recommendation maximum three years after its publication, with a view to determine appropriate ways forward,” Breton said. “This assessment should take into account the outcome of the work by the sub-group on Post-Quantum Cryptography of national experts.”

In January, the U.S. White House convened leaders from government, industry, and academia at a roundtable to discuss plans for addressing the requirements of National Security Memorandum 10 (NSM-10) on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems and the Quantum Computing Cybersecurity Preparedness Act of 2022.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.