Detailed Legal Basis for IT and Quantum Compliance

Gianluca

May 16, 2026

3 min read

Scope: NIS2, DORA, MiCA, and EU PQC Recommendations

PART 1: THE LEGAL SOURCES (Where does it come from?)

You are not acting on vague advice; you are complying with specific Articles of EU Law.

1. NIS2 Directive (Directive (EU) 2022/2555)

Status: National Law (Transposed as of October 2024).
Key Article: Article 21 (Cybersecurity Risk Management Measures).
The Mandate: It explicitly lists "policies and procedures regarding the use of cryptography and, where appropriate, encryption" (Art 21.2.h) as a mandatory technical measure.
Liability: Article 20 holds "management bodies" (CEOs/Boards) personally liable for non-compliance.

2. DORA (Regulation (EU) 2022/2554)

Status: Directly applicable EU Law as of January 17, 2025.
Key Article: Article 6 (ICT Risk Management Framework).
The Mandate: Financial entities must minimize the risk of "unauthorized access" and ensure "data confidentiality" (Art 9). This implies that if your encryption is breakable (e.g., by quantum computers), your risk management is non-compliant.
Third-Party Risk: Article 28 mandates the "Register of Information" for all ICT suppliers.

3. EU PQC Recommendation (C(2024) 2490 final)

Status: Official Commission Recommendation (April 2024).
The Mandate: While not a "law" itself, it defines the "State of the Art" for NIS2 and DORA. It explicitly sets the deadline for PQC Implementation Plans within member states and critical sectors.

PART 2: REQUIREMENTS BY COMPANY PROFILE

Find your profile below to see exactly what Regulation applies to you and what you must do.

PROFILE A: Critical Industry and Infrastructure

Who: Energy, Transport, Health, Water, Digital Infrastructure (Cloud/Data Centers), Manufacturing (Food, Pharma).

Legal Basis: NIS2 Directive

Requirement	Source	What you must do in 2025
Cryptography Policy	NIS2 Art 21(2)(h)	You must have a written document defining which algorithms you use and why they are secure. If you use RSA-2048 without a migration plan, you are failing this requirement.
Supply Chain Security	NIS2 Art 21(2)(d)	You must assess the security of your direct suppliers. If your firewall vendor has no PQC roadmap, they are a supply chain risk you must document.
Asset Management	NIS2 Art 21(2)(i)	You need an inventory of digital assets. This is the foundation for the "Crypto-Inventory" (knowing where your keys are).

PROFILE B: Traditional Finance (Banks, Insurers, PSPs)

Who: Banks, Insurance, Payment Institutions, Investment Firms.

Legal Basis: DORA (Primary) + NIS2 (Secondary)

Requirement	Source	What you must do in 2025
Register of Information	DORA Art 28(3)	You must submit a standardized register of every ICT third-party provider to your regulator. This includes the exact function they perform.
Exit Strategy	DORA Art 28(8)	You must prove you can leave a critical cloud or software provider without disrupting payments. This is legally binding.
Technological Resilience	DORA Art 7	Systems must be "technologically resilient." Relying on legacy cryptography that is known to be vulnerable (even in the future) violates this resilience principle.

PROFILE C: Crypto-Assets and Blockchain (Web3)

Who: Crypto Exchanges, Custodians, Token Issuers (CASPs).

Legal Basis: MiCA (Regulation (EU) 2023/1114) + DORA

Note: Under MiCA, authorized CASPs are classified as "Financial Entities," bringing them fully under DORA.

Requirement	Source	What you must do in 2025
ICT Risk Management	DORA Art 6	You can no longer say "the user holds the key." If you provide the wallet interface, you are responsible for the ICT risk of that interface.
Custody Policy	MiCA Art 75	Specific mandate for CASPs to have a "Custody Policy" ensuring crypto-assets are segregated and unencumbered. Quantum theft of keys is a direct threat to this legal obligation.
Business Continuity	DORA Art 11	You must have a BCP (Business Continuity Plan) for "ICT-related incidents." A blockchain hard fork or consensus failure is now a reportable regulatory incident.

PART 3: THE "HIDDEN" OBLIGATIONS (For Everyone)

These are the requirements that usually catch companies by surprise during an audit.

1. The "State of the Art" Trap

Where: Both NIS2 and DORA require measures that reflect the "state of the art."
The Detail: Once the EU Commission published the PQC Recommendation (April 2024) and NIST standardized PQC algorithms (August 2024), Post-Quantum Cryptography became the "State of the Art."
Consequence: You can no longer claim ignorance. Continuing to deploy new systems with only classical cryptography (RSA/ECC) may be considered "negligence" because it ignores the recognized state of the art.

2. The Personal Liability of the Board

Where: NIS2 Article 20(1) and DORA Article 5(2).
The Detail: Members of the management body are required to undergo training and are personally responsible for approving risk strategies.
Consequence: If a breach happens because of known vulnerabilities (like weak crypto) and the Board did not approve a mitigation plan, they can be temporarily banned from management roles (in some NIS2 jurisdictions).

3. Reporting Speed

Where: NIS2 Article 23 / DORA Article 19.
The Detail:
Early Warning: Within 24 hours of becoming aware of a significant incident.
Incident Notification: Within 72 hours (Detailed report).
Consequence: You need automated monitoring. Manual processes are too slow to meet this legal standard.