DORA has applied to EU financial entities since 17 January 2025. It is the most comprehensive ICT risk management framework applied to the European financial sector to date, and it has direct, practical implications for how financial entities need to think about post-quantum cryptography. Not because DORA mentions quantum computers. It does not. But because its obligations, read carefully, encompass the post-quantum challenge in ways that regulators are beginning to act on.
DORA Chapter II establishes the ICT risk management framework. Article 9 requires financial entities to protect ICT systems with security policies, protocols and tools that maintain high standards of confidentiality of data at rest, in use and in transit, and to encrypt data and protect cryptographic keys on the basis of data classification and ICT risk assessment; the regulatory technical standards that flesh this out require the encryption and cryptographic controls policy to follow leading practices and standards. That is not a static bar. It moves as the threat landscape and the available countermeasures change. In 2025, with NIST’s post-quantum standards published (FIPS 203, 204 and 205) and the harvest-now, decrypt-later (HNDL) threat publicly documented, state of the art for encryption increasingly includes post-quantum migration.
What Article 9 requires in practice
Read together with Article 8 (identification and classification of ICT assets), Article 9 requires financial entities to know which assets they hold, how they are classified, and how each is protected, including through policies on encryption and cryptographic controls. An encryption policy that makes no reference to post-quantum migration, and a cryptographic inventory that cannot say which assets still depend on RSA or elliptic-curve key exchange, are increasingly gaps. Not necessarily a finding today, but gaps that will become harder to explain as time passes and the regulatory context solidifies.
The prudent approach is to integrate post-quantum migration into the formal documentation of your ICT risk management framework under DORA, rather than treating it as a separate technical initiative.
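One way to turn the inventory part of that documentation into something auditable is a classification pass over the cryptographic uses recorded against each ICT asset. The following is an added example written for this page, not code from DORA, the ESAs or any vendor. The record fields (asset, purpose, algorithm, confidentiality lifetime), the status labels and the ten-year HNDL horizon are assumptions chosen for illustration; the algorithm names follow NIST FIPS 203/204/205 and the hybrid TLS group names used by current implementations.

```python
"""Classify a cryptographic inventory for post-quantum migration planning.

Added example for a DORA Article 8/9 asset register; record layout,
labels and thresholds are assumptions, not regulatory text.
"""
from dataclasses import dataclass
from typing import Dict, List

# Public-key schemes resting on factoring or discrete logarithms: broken
# outright by Shor's algorithm on a cryptographically relevant quantum
# computer (CRQC). Matched on the family name before any parameter suffix.
QUANTUM_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "X448",
                  "ED25519", "ED448"}
# NIST post-quantum standards: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA).
PQC_KEM = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024"}
PQC_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87",
           "SLH-DSA-SHA2-128S", "SLH-DSA-SHA2-192S", "SLH-DSA-SHA2-256S"}
# Hybrid TLS key-exchange groups (classical + ML-KEM): an accepted interim
# step, still worth tracking because the classical half is dead weight later.
HYBRID_KEM = {"X25519MLKEM768", "SECP256R1MLKEM768"}


@dataclass
class CryptoUse:
    asset: str                      # ICT asset identifier (assumed register field)
    purpose: str                    # key_exchange | signature | symmetric
    algorithm: str                  # e.g. "ECDH-P256", "X25519MLKEM768", "AES-128"
    confidentiality_years: int = 0  # how long the protected data must stay secret


def classify(use: CryptoUse) -> str:
    """Return vulnerable | hybrid | pqc | ok | weakened | legacy | unknown."""
    alg = use.algorithm.upper()
    if use.purpose in ("key_exchange", "signature"):
        if alg in HYBRID_KEM:
            return "hybrid"
        if alg in PQC_KEM or alg in PQC_SIG:
            return "pqc"
        if alg in QUANTUM_BROKEN or alg.split("-")[0] in QUANTUM_BROKEN:
            return "vulnerable"
        return "unknown"
    if use.purpose == "symmetric":
        # Grover's algorithm roughly halves effective key length: AES-128 is
        # weakened, AES-256 keeps a comfortable margin. Anything else is legacy.
        if alg == "AES-256":
            return "ok"
        if alg == "AES-128":
            return "weakened"
        return "legacy"
    return "unknown"


def priority(use: CryptoUse, status: str, hndl_horizon_years: int = 10) -> str:
    """Rank a finding for the migration roadmap.

    HNDL threatens confidentiality only: traffic recorded today under a
    quantum-vulnerable key exchange is exposed if the data must stay secret
    beyond the assumed CRQC horizon. Signatures cannot be forged retroactively,
    so vulnerable signatures rank below long-lived key exchange.
    """
    if status == "vulnerable" and use.purpose == "key_exchange":
        return "P1-hndl" if use.confidentiality_years >= hndl_horizon_years else "P2"
    if status == "vulnerable":
        return "P2"
    if status in ("weakened", "legacy"):
        return "P3"
    if status == "hybrid":
        return "P4-monitor"
    return "none"


def assess(register: List[CryptoUse], hndl_horizon_years: int = 10) -> List[Dict[str, str]]:
    """Classify every record and return findings sorted by priority."""
    findings = []
    for use in register:
        status = classify(use)
        findings.append({"asset": use.asset, "purpose": use.purpose,
                         "algorithm": use.algorithm, "status": status,
                         "priority": priority(use, status, hndl_horizon_years)})
    return sorted(findings, key=lambda f: f["priority"])


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per priority bucket for the risk register."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["priority"]] = counts.get(f["priority"], 0) + 1
    return counts


# Constructed sample register (not real data) covering each branch above.
SAMPLE_REGISTER = [
    CryptoUse("payments-gw-tls", "key_exchange", "ECDH-P256", confidentiality_years=15),
    CryptoUse("payments-gw-tls", "signature", "RSA-2048"),
    CryptoUse("api-edge-tls", "key_exchange", "X25519MLKEM768", confidentiality_years=15),
    CryptoUse("vpn-branch", "key_exchange", "DH", confidentiality_years=3),
    CryptoUse("backup-vault", "symmetric", "AES-128", confidentiality_years=25),
    CryptoUse("code-signing", "signature", "ML-DSA-65"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_REGISTER):
        print(f"{f['priority']:<11} {f['asset']:<16} {f['purpose']:<13} {f['algorithm']:<16} {f['status']}")
    print(summary(assess(SAMPLE_REGISTER)))
```

The point of the `confidentiality_years` field is that HNDL exposure is a property of the data, not just the algorithm: the same ECDH handshake is a P1 item on a payments gateway whose records must stay confidential for fifteen years and a P2 item on a branch VPN carrying data that is stale within three. Feeding the output into the risk register gives the documentation under Articles 8 and 9 a concrete, reviewable migration backlog rather than a general statement of intent.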
Third-party risk: Articles 28 to 30
DORA’s third-party risk provisions are where post-quantum obligations have the most immediate practical bite. Articles 28 to 30 require financial entities to maintain a register of information on all ICT third-party arrangements, to include defined contractual provisions in those arrangements (with stricter requirements where the service supports critical or important functions), and to maintain exit strategies for those critical or important dependencies.
Post-quantum readiness is a legitimate and auditable dimension of this framework. At the next contract renewal for any critical ICT provider, include a post-quantum migration commitment in the security requirements. In your periodic third-party risk reviews, add PQC readiness to the assessment criteria. Where critical providers cannot demonstrate a credible migration roadmap, that gap belongs in your risk register and potentially triggers the exit strategy analysis that Articles 28 to 30 require.
The CTPP oversight framework
DORA establishes direct oversight of critical ICT third-party providers by the ESAs, working with the ECB and national competent authorities. Designated CTPPs face direct regulatory scrutiny of their ICT practices, separate from and in addition to the oversight that financial entities themselves face.
This means that major cloud providers, payment networks, and other critical infrastructure serving EU financial entities will increasingly face regulatory questions about their post-quantum migration programmes, not just from their financial institution clients, but from European supervisory authorities directly. That regulatory pressure on the supply side will accelerate the ecosystem’s overall migration timeline.
The incident classification question
DORA Articles 17 to 19 require financial entities to manage, classify and report ICT-related incidents, with mandatory reporting of major ICT-related incidents and voluntary notification of significant cyber threats. The HNDL threat model creates an interesting practical question: if your organisation discovers evidence that its encrypted network traffic has been systematically collected by an adversary, even if that traffic cannot yet be decrypted, is that a major ICT-related incident under DORA?
The answer is arguably yes, in most interpretations, given the potential confidentiality impact once a cryptographically relevant quantum computer becomes available. One caveat: the classification criteria in the supporting technical standards turn on realised impact (clients and transactions affected, data losses, duration, and so on), so a collection event that does not yet meet the major-incident thresholds still belongs in the significant cyber threat category, which Article 19 allows entities to notify on a voluntary basis. Either way, financial entities should check that their incident classification criteria and threat intelligence programme treat HNDL as a distinct scenario, with its own detection indicators and escalation path, rather than assuming that an attacker who cannot read the traffic today has caused no incident.