NIS2 became enforceable across EU member states in October 2024. Its scope is broad: 18 sectors, thousands of organisations, and a significantly expanded definition of what counts as an essential or important entity. What the directive says explicitly about post-quantum cryptography is almost nothing. What it implies, when you read it carefully, is rather more significant.
Article 21 of NIS2 requires essential and important entities to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. Article 21(2)(h) specifically requires policies and procedures regarding the use of cryptography and, where appropriate, encryption.
That language has been in EU cybersecurity regulation for years. What is different now is the context it sits in. The first post-quantum standards were published in August 2024, one month before NIS2 became enforceable. The harvest-now-decrypt-later (HNDL) threat is increasingly documented and publicly attributed to nation-state actors. ENISA has published reports directly connecting post-quantum risks to NIS2-regulated infrastructure. Whether an appropriate cryptography policy must address post-quantum migration is no longer a speculative question. It is the direction regulators are moving.
The supply chain dimension
Article 21(2)(d) requires entities to address supply chain security, including the security of relationships with direct suppliers and service providers. Post-quantum readiness is a legitimate dimension of supply chain risk assessment under this article. If your critical IT providers have no credible PQC migration roadmap, that is a supply chain risk. It belongs in your third-party risk register.
Management accountability
One of NIS2's significant changes from its predecessor is the explicit introduction of management accountability. Article 20 requires management bodies to approve cybersecurity risk management measures and oversee their implementation, and provides that they can be held liable for infringements. Senior management can now be held personally accountable for cybersecurity failures.
This changes the governance calculus around long-horizon risks like post-quantum migration. A CISO who has been unable to get board-level attention for PQC migration now has a regulatory hook. Article 20 makes this a management obligation, not just a technical recommendation. The board has to approve the risk management approach. If that approach includes no position on post-quantum cryptography, that is a documentable gap.
What supervisory authorities are expecting
National cybersecurity authorities in Germany, the Netherlands, France, and several other EU member states have begun incorporating post-quantum readiness into supervisory examinations and sector-specific guidance. The BSI has published explicit migration guidance for critical infrastructure operators. ENISA published its third post-quantum report in 2024, specifically addressing the NIS2 context.
The minimum credible posture for a NIS2-regulated entity today is a cryptographic inventory covering key systems, documented awareness of post-quantum risks including HNDL, and a migration roadmap with prioritised timelines. Entities that cannot produce these documents in a supervisory examination are exposed to regulatory findings, not because the law explicitly requires post-quantum migration on a specific date, but because the absence of any plan is increasingly hard to reconcile with appropriate and proportionate risk management.
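The inventory-plus-roadmap posture described above can be turned into a repeatable artifact rather than a one-off document. The following is an added worked example, not material from the article or from any regulator: it takes a small constructed inventory of systems, classifies each primitive by whether a cryptographically relevant quantum computer would break it, flags HNDL exposure using Mosca's inequality (data lifetime plus migration time exceeding the assumed years until such a machine exists), orders the systems into a prioritised migration list, and lists suppliers of vulnerable primitives that have no PQC roadmap for the Article 21(2)(d) supply-chain register. The algorithm tables, the ten-year horizon and every inventory row are assumptions chosen for illustration.

```python
"""Toy cryptographic inventory and HNDL prioritisation.

Added example, not the article's own material. The inventory rows, the
quantum-vulnerability tables and the horizon in years are constructed for
illustration; substitute real asset data and your own risk assumptions.
"""
from dataclasses import dataclass

# Public-key families whose hardness assumptions Shor's algorithm breaks.
SHOR_BROKEN = {"RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "ED25519"}
# NIST-standardised post-quantum primitives and a hybrid construction.
PQ_READY = {"ML-KEM", "ML-DSA", "SLH-DSA", "HYBRID-X25519-ML-KEM"}
# Symmetric/hash primitives with the conservative minimum size usually
# recommended once Grover's algorithm is taken into account.
SYMMETRIC_MIN_BITS = {"AES": 256, "CHACHA20": 256, "SHA2": 256, "SHA3": 256}


@dataclass
class Asset:
    system: str
    algorithm: str              # e.g. "RSA", "ML-KEM", "AES"
    key_bits: int
    purpose: str                # "confidentiality" or "authentication"
    data_lifetime_years: int    # how long protected data must stay secret
    migration_years: int        # estimated effort to replace the primitive
    supplier: str               # who owns the implementation
    supplier_has_pqc_roadmap: bool


def classify(asset: Asset) -> str:
    """Return 'pq-ready', 'quantum-vulnerable', 'symmetric-short',
    'symmetric-ok' or 'unknown' for one inventory row."""
    alg = asset.algorithm.upper()
    if alg in PQ_READY:
        return "pq-ready"
    if alg in SHOR_BROKEN:
        return "quantum-vulnerable"
    if alg in SYMMETRIC_MIN_BITS:
        ok = asset.key_bits >= SYMMETRIC_MIN_BITS[alg]
        return "symmetric-ok" if ok else "symmetric-short"
    return "unknown"


def hndl_exposed(asset: Asset, years_to_crqc: int) -> bool:
    """Mosca's inequality: data is exposed when the secrecy lifetime (X)
    plus the migration time (Y) exceeds the years until a cryptographically
    relevant quantum computer (Z). Only confidentiality uses can be
    harvested now; authentication keys can be rotated later."""
    return (
        classify(asset) == "quantum-vulnerable"
        and asset.purpose == "confidentiality"
        and asset.data_lifetime_years + asset.migration_years > years_to_crqc
    )


def priority(asset: Asset, years_to_crqc: int) -> int:
    """Migration priority; lower is more urgent."""
    cls = classify(asset)
    if hndl_exposed(asset, years_to_crqc):
        return 0
    if cls == "quantum-vulnerable":
        return 1
    if cls in ("symmetric-short", "unknown"):
        return 2
    return 3


def roadmap(assets, years_to_crqc):
    """Ordered list of (system, priority, classification, hndl_exposed),
    most urgent first, longer-lived data first within a priority."""
    ordered = sorted(
        assets,
        key=lambda a: (priority(a, years_to_crqc), -a.data_lifetime_years, a.system),
    )
    return [
        (a.system, priority(a, years_to_crqc), classify(a), hndl_exposed(a, years_to_crqc))
        for a in ordered
    ]


def supply_chain_gaps(assets):
    """Suppliers of quantum-vulnerable primitives with no PQC roadmap."""
    return sorted(
        {a.supplier for a in assets
         if classify(a) == "quantum-vulnerable" and not a.supplier_has_pqc_roadmap}
    )


# Constructed sample inventory; none of these are real systems or vendors.
INVENTORY = [
    Asset("vpn-gateway", "ECDH", 256, "confidentiality", 10, 2, "NetVendor", False),
    Asset("archive-backup", "RSA", 2048, "confidentiality", 25, 3, "in-house", True),
    Asset("code-signing", "ECDSA", 256, "authentication", 1, 2, "in-house", True),
    Asset("db-at-rest", "AES", 128, "confidentiality", 10, 1, "DbVendor", True),
    Asset("tls-edge", "HYBRID-X25519-ML-KEM", 768, "confidentiality", 5, 0, "CdnVendor", True),
]

YEARS_TO_CRQC = 10  # assumed horizon for the worked example; revisit periodically

if __name__ == "__main__":
    for row in roadmap(INVENTORY, YEARS_TO_CRQC):
        print(row)
    print("suppliers lacking a PQC roadmap:", supply_chain_gaps(INVENTORY))
```

Run stand-alone it prints the archive and VPN systems first (long-lived confidential data behind Shor-breakable key exchange), the signing key next (vulnerable but not harvestable), the short symmetric key after that, and the hybrid TLS edge last, together with the one supplier that lacks a roadmap. Keeping the horizon and data-lifetime figures as explicit inputs is what makes the resulting roadmap defensible in a supervisory examination: the assumptions are written down and can be revisited as estimates change.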
The regulatory expectation is not perfection. It is evidence of serious, documented engagement with a known and growing risk. That bar is achievable. But it requires starting the work.