Regulatory bodies worldwide are beginning to mandate post-quantum cryptography adoption. Understanding these requirements is essential for compliance planning and avoiding costly last-minute migrations. The threat is not hypothetical—harvest-now-decrypt-later attacks mean that data encrypted today with classical algorithms is already at risk, and regulators are responding accordingly.
NIST finalized FIPS 203, 204, and 205 in August 2024, establishing ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+) as official post-quantum standards. With the algorithms fixed, regulators in a growing number of sectors are translating them into binding compliance requirements. Organizations that wait for explicit mandates will face compressed migration timelines and elevated audit risk.
US Federal Requirements
The US government has been most aggressive in setting PQC timelines:
Key US Mandates
NSM-10 (2022): Requires federal agencies to inventory their cryptographic systems and sets the goal of mitigating quantum risk across federal systems by 2035
OMB M-23-02 (2022): Requires agencies to submit a prioritized inventory of quantum-vulnerable cryptographic systems to ONCD every year and to plan funding and migration against it
CISA guidance: Recommends immediate action on post-quantum preparation
Federal agencies are already submitting annual cryptographic inventories under M-23-02 and planning migration against the 2035 goal in NSM-10; the Quantum Computing Cybersecurity Preparedness Act (2022) wrote these obligations into law. Contractors and suppliers should expect the same expectations to flow down through acquisition language (FAR and DFARS), so any organization in the federal supply chain needs to be able to demonstrate PQC readiness or risk losing contracts.
The Harvest-Now Threat Accelerates Federal Timelines
What makes the federal mandate particularly urgent is the classified data dimension. Intelligence agencies have publicly acknowledged that adversaries are already collecting encrypted communications for future decryption. Data classified at the TOP SECRET level often retains sensitivity for 25+ years, well within the window in which cryptographically relevant quantum computers are expected to emerge. This is why NSA's CNSA 2.0 suite sets a staged timeline for National Security Systems: quantum-resistant algorithms become mandatory for software and firmware signing and for traditional networking equipment by 2030, for web browsers, servers, cloud services, and operating systems by 2033, and across all National Security Systems by 2035, with a clear preference to begin migration immediately.
Financial Services
Financial regulators are increasingly focused on quantum risk:
- FFIEC: Guidance on quantum computing risk assessment expected
- OCC: Including quantum risk in technology risk assessments
- SEC: Disclosure requirements for material quantum risks
- Basel Committee: Considering quantum risk in operational resilience frameworks
Financial institutions should anticipate explicit PQC requirements within 2-3 years. The Bank for International Settlements (BIS) has already flagged quantum computing as a systemic risk to financial infrastructure, noting that payment systems, interbank settlement networks, and SWIFT messaging all depend on RSA and ECDSA signatures that Shor's algorithm will break.
Financial institutions processing authentication at scale need quantum-resistant solutions that do not sacrifice throughput. H33's production stack processes 2,172,518 authentications per second at ~42µs per auth—with full Dilithium signature verification and BFV FHE encryption in every call.
Healthcare (HIPAA)
Healthcare data has long retention requirements, making it particularly vulnerable to harvest-now-decrypt-later attacks:
- Medical records must be retained for decades
- HIPAA security rule updates expected to address quantum threats
- OCR guidance may require quantum-resistant encryption for long-term data
Proactive healthcare organizations are already implementing PQC for new data. HIPAA itself requires covered entities to retain required documentation for six years, while medical-record retention is governed by state law and can run for decades, especially for pediatric and mental health records. Combined with the extreme sensitivity of genomic and behavioral health data, this makes healthcare one of the most exposed sectors. A patient's genomic sequence, once exposed, cannot be rotated like a password or a key; the damage is permanent and irreversible.
European Union
EU regulatory landscape for PQC:
- ENISA: Published post-quantum cryptography recommendations
- eIDAS 2.0: May include PQC requirements for digital identity
- NIS2 Directive: Quantum risk likely to be incorporated in cyber requirements
- GDPR: "State of the art" encryption requirement may eventually require PQC
The GDPR angle is particularly significant. Article 32 requires organizations to implement security measures, including encryption, that reflect the "state of the art." As NIST-standardized PQC algorithms become widely available and quantum threats become more concrete, regulators may interpret continued reliance on RSA/ECDSA for long-lived data as a failure to meet this standard, exposing organizations to fines of up to 4% of global annual turnover or 20 million euros, whichever is higher.
Industry Standards
Industry bodies are updating standards:
- PCI DSS: Monitoring quantum developments, guidance expected
- ISO 27001: Quantum risk assessment becoming part of best practices
- SOC 2: Auditors beginning to ask about quantum readiness
The Performance Question
A common objection to PQC adoption is the fear of performance degradation. Post-quantum key sizes are larger, and some algorithms carry higher computational overhead than their classical counterparts. For compliance teams, the question becomes: can we migrate to PQC without breaking our SLAs?
The answer depends entirely on implementation. Naive PQC deployments can introduce significant latency. But purpose-built systems demonstrate that post-quantum security and high throughput are not mutually exclusive.
| Component | Algorithm | Latency | PQ-Secure |
|---|---|---|---|
| FHE Batch (32 users) | BFV inner product | ~1,109 µs | Yes (lattice) |
| ZKP Cache Lookup | In-process DashMap | 0.085 µs | Yes (SHA3-256) |
| Attestation | Dilithium sign+verify | ~244 µs | Yes (ML-DSA) |
| Per Authentication | Full stack | ~42 µs | Yes |
H33's production stack achieves 2,172,518 authentications per second on a single Graviton4 instance, with every authentication covered by BFV FHE encryption, STARK-based ZKP verification, and Dilithium digital signatures. Two caveats when reading the table: the ~42µs per-authentication figure is an amortized cost, since the FHE work is batched across 32 users and a single Dilithium sign-plus-verify cycle alone takes ~244µs, so it is not the latency of one cold request; and the 0.085µs ZKP figure is an in-process DashMap cache hit for an already verified proof, not a fresh STARK verification. Even so, an amortized ~42µs per authentication is well below a typical database round-trip, which answers the performance objection for the authentication path.
Timeline Recommendations
Based on current regulatory trajectory:
- Now: Begin cryptographic inventory and risk assessment
- 2026: Pilot PQC implementations for high-value systems
- 2027-2028: Production deployment for sensitive systems
- 2030: Anticipated deadline for many regulatory requirements
Do Not Wait for Explicit Mandates
Past migrations (the SHA-1 certificate deprecation, the retirement of TLS 1.0 and 1.1) show the pattern: organizations caught unprepared when deadlines arrive pay substantially more for emergency work, accept vendor lock-in under time pressure, and collect audit findings that damage customer trust. The cryptographic inventory alone, identifying every system, library, and protocol that uses public-key cryptography, takes most enterprises 6-12 months.
Documentation Requirements
Prepare documentation that auditors will expect:
- Cryptographic asset inventory
- Quantum risk assessment
- Migration roadmap and timeline
- Testing and validation procedures
- Incident response plans for cryptographic compromises
Practical Steps
Start your compliance journey:
- Inventory: Identify all systems using public-key cryptography
- Prioritize: Rank by data sensitivity and retention requirements
- Vendor assessment: Evaluate suppliers' PQC readiness
- Pilot: Test PQC in non-critical systems
- Document: Maintain records of your quantum readiness efforts
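The inventory and prioritization steps above are where most programs stall, so here is an added worked example (not H33 code, and not from any regulator's toolkit) of a minimal cryptographic-inventory pass in Python. It breaks IANA TLS cipher-suite names into their primitives, classifies each primitive by quantum exposure, and ranks systems with Mosca's inequality: a system is at harvest-now-decrypt-later risk when the time its protection must hold plus the time needed to migrate exceeds the assumed years until a cryptographically relevant quantum computer. The sample inventory, the asset names, the 10-year CRQC horizon, and every shelf-life and migration estimate are constructed assumptions for illustration.

```python
"""Minimal cryptographic inventory and PQC prioritization pass.

Added example, not H33 code. Classifies primitives by quantum exposure and
ranks systems with Mosca's inequality: a system is at harvest-now-decrypt-later
(HNDL) risk when X + Y > Z, where X is how long the protection must hold,
Y is the time needed to migrate, and Z is the assumed years until a
cryptographically relevant quantum computer (CRQC). Z is a planning
assumption, not a prediction.
"""
import re
from dataclasses import dataclass

# Public-key schemes broken by Shor's algorithm (factoring / discrete log).
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
               "X25519", "X448", "ED25519", "ED448"}
# NIST-standardized post-quantum algorithms (FIPS 203 / 204 / 205).
PQ_SAFE = {"ML-KEM", "KYBER", "ML-DSA", "DILITHIUM", "SLH-DSA", "SPHINCS+"}
# Hybrid TLS key-exchange groups: classical curve combined with ML-KEM.
HYBRID = {"X25519MLKEM768", "SECP256R1MLKEM768"}
# Grover's algorithm halves the effective security level: 256-bit keys and
# 384-bit+ digests keep a comfortable margin ...
GROVER_OK = {"AES-256", "CHACHA20", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"}
# ... while 128-bit keys and 256-bit digests are not broken but lose margin.
GROVER_REDUCED = {"AES-128", "SHA-256"}
# Already weak classically; flag regardless of quantum considerations.
LEGACY_WEAK = {"SHA-1", "MD5", "RC4", "3DES"}


def normalize(alg: str) -> str:
    """Map spellings such as 'aes128' or 'SHA256' onto the canonical names above."""
    a = alg.strip().upper()
    a = re.sub(r"^(AES|SHA)(?=\d{3}$)", r"\1-", a)  # AES128 -> AES-128, SHA256 -> SHA-256
    if a == "SHA":  # bare "SHA" in TLS 1.2 suite names means an HMAC-SHA-1 MAC
        a = "SHA-1"
    return a


def classify(alg: str) -> str:
    a = normalize(alg)
    if a in SHOR_BROKEN:
        return "quantum-vulnerable"
    if a in PQ_SAFE or a in GROVER_OK:
        return "quantum-resistant"
    if a in HYBRID:
        return "hybrid"
    if a in GROVER_REDUCED:
        return "reduced-margin"
    if a in LEGACY_WEAK:
        return "classically-weak"
    return "unknown"  # needs manual review; never silently assume safe


def parse_cipher_suite(name: str) -> dict:
    """Split an IANA TLS cipher-suite name into its primitives.

    TLS 1.2 names carry key exchange and authentication before '_WITH_'.
    TLS 1.3 names (no '_WITH_') do not, because the key-exchange group is
    negotiated separately, so kex/auth come back as None and must be
    recorded from the server's configured groups instead.
    """
    body = name.removeprefix("TLS_")
    if "_WITH_" in body:
        left, right = body.split("_WITH_", 1)
        kx = left.split("_")
        kex, auth = kx[0], kx[-1]  # a lone "RSA" serves as both kex and auth
    else:
        right, kex, auth = body, None, None
    parts = right.split("_")  # e.g. ["AES", "128", "GCM", "SHA256"]
    bulk = parts[0] + ("-" + parts[1] if len(parts) > 1 and parts[1].isdigit() else "")
    return {"kex": kex, "auth": auth, "bulk": normalize(bulk), "hash": normalize(parts[-1])}


def suite_algorithms(suite: str, negotiated_group: str = None) -> list:
    """Flatten a suite (plus the TLS 1.3 group, if known) into an algorithm list."""
    p = parse_cipher_suite(suite)
    algs = [p["bulk"], p["hash"]] + [x for x in (p["kex"], p["auth"]) if x]
    if negotiated_group:
        algs.append(negotiated_group)
    return algs


@dataclass
class Asset:
    name: str
    algorithms: list        # every primitive the system relies on
    shelf_life_years: float  # X: how long confidentiality (or trust in a signature) must hold
    migration_years: float   # Y: realistic time to migrate this system


def assess(asset: Asset, crqc_horizon_years: float) -> dict:
    exposure = {alg: classify(alg) for alg in asset.algorithms}
    vulnerable = sorted(a for a, c in exposure.items() if c == "quantum-vulnerable")
    deficit = asset.shelf_life_years + asset.migration_years - crqc_horizon_years
    return {
        "asset": asset.name,
        "vulnerable": vulnerable,
        "hndl_risk": bool(vulnerable) and deficit > 0,  # Mosca: X + Y > Z on a Shor-broken primitive
        "deficit_years": deficit,                        # positive = years of margin already lost
        "unknown": sorted(a for a, c in exposure.items() if c == "unknown"),
    }


def prioritize(assets: list, crqc_horizon_years: float = 10.0) -> list:
    """At-risk systems first, largest deficit first, then by name for stable output."""
    rows = [assess(a, crqc_horizon_years) for a in assets]
    rows.sort(key=lambda r: (not r["hndl_risk"], -r["deficit_years"], r["asset"]))
    return rows


# Constructed sample inventory; names and estimates are illustrative only.
SAMPLE_INVENTORY = [
    Asset("patient-records-archive",
          suite_algorithms("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") + ["RSA"],  # RSA-wrapped at-rest keys
          shelf_life_years=25, migration_years=3),
    Asset("payments-switch", ["ECDSA", "AES-256", "SHA-256"], shelf_life_years=7, migration_years=5),
    Asset("internal-dashboard", suite_algorithms("TLS_AES_256_GCM_SHA384", negotiated_group="X25519"),
          shelf_life_years=1, migration_years=1),
    Asset("firmware-signing", ["ML-DSA", "SHA3-256"], shelf_life_years=15, migration_years=0),
]


def run(crqc_horizon_years: float = 10.0) -> list:
    return prioritize(SAMPLE_INVENTORY, crqc_horizon_years)


if __name__ == "__main__":
    for r in run():
        flag = "YES" if r["hndl_risk"] else "no"
        print(f"{r['asset']:<26} HNDL={flag:<4} deficit={r['deficit_years']:+.0f}y vulnerable={r['vulnerable']}")
```

Two design points worth carrying into a real inventory: a TLS 1.3 suite name tells you nothing about the key exchange, so the configured groups have to be captured separately (the example passes them in explicitly), and the Mosca check is applied only when a Shor-broken primitive is actually present, which is why a short-lived internal dashboard still running X25519 ranks below a firmware-signing system that is already on ML-DSA.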
H33 is built from the ground up on NIST-standardized post-quantum algorithms: ML-KEM (Kyber) for key encapsulation, ML-DSA (Dilithium) for digital signatures, and BFV lattice-based FHE for encrypted computation. Every authentication call is post-quantum from end to end, with no hybrid fallback and no classical dependencies. Two points for compliance teams: some national guidance (ANSSI and BSI, for example) currently recommends hybrid classical-plus-PQC constructions during the transition rather than pure PQC, so confirm which posture your regulator expects before treating either as the default; and integrating H33 covers the authentication layer, while TLS termination, data-at-rest encryption, code signing, and the rest of your cryptographic inventory still need their own migration plans.
Compliance requirements for post-quantum cryptography are emerging rapidly. Organizations that start preparing now will be well-positioned when mandates become explicit—and those that have already deployed production PQC systems will hold a measurable advantage in audits, customer trust, and regulatory standing.
Ready to Go Quantum-Secure?
Start protecting your users with post-quantum authentication today. 1,000 free auths, no credit card required.
Get Free API Key →