The Cybersecurity Coalition responded to the European Union (EU) Network and Information Systems (NIS) Cooperation Group’s Survey on the EU Roadmap on Post-Quantum Cryptography. Having recommended in our 2024-2029 EU Cyber Policy Roadmap that the EU “proactively manage the transition to post-quantum cryptography,” the Coalition welcomes this initiative to provide specific guidance to government institutions, Member States, critical infrastructure owners and operators, and other organizations.
In particular, we support the Roadmap’s effort to harmonize the PQC transition among EU Member States. Leaving national governments to manage their transitions independently would risk fragmentation and inefficiencies. However, by offering high-level guidance on how to structure national plans and encouraging alignment with the NIS2 Directive, the Roadmap provides a common framework that helps prevent duplicative or conflicting requirements. This coordinated approach will simplify the transition for industry, minimize delays, and accelerate progress in Member States with fewer resources to dedicate to the transition.
At the same time, the Roadmap looks beyond the EU. The Coalition specifically appreciates its alignment with frameworks from the United Kingdom and the United States governments, both of which have set 2035 as the target date for full migration of systems, services, and products. Such international alignment not only strengthens global security postures but also streamlines cross-border implementation, making systems easier to maintain through consistent and harmonized requirements.
While broadly supportive of the Roadmap’s specific policy recommendations, the Coalition encourages the NIS Cooperation Group to include the following clarifications and modifications in future revisions and follow-on guidance:
- Flexibility in Algorithm Choice - Organizations implementing PQC must be able to choose between different internationally-standardised quantum-safe algorithms rather than being prescribed specific algorithms. This will ensure that data can continue to flow between jurisdictions without technical interruption.
- Clarity on Hybrid Algorithms - While hybrid algorithms may be advantageous for certain use cases, they are less computationally efficient and can be more complicated to implement and maintain. As such, organizations should not be required to use them in situations where a non-hybrid PQC algorithm is feasible.
- Harmonized 2035 Transition Deadline For All Use Cases - Currently, the Roadmap proposes a 2030 PQC transition deadline for high-risk use cases and a 2035 deadline for medium- and low-risk use cases. However, since each Member State will likely classify risk differently, the same use case could face different deadlines in different jurisdictions, complicating compliance efforts. Moreover, meeting a 2030 deadline for all use cases designated high-risk will likely be difficult in practice given that PQC transition guidance does not yet exist in many Member States and may not be available for several years. A single harmonized 2035 deadline would provide clarity, consistency, and sufficient time for implementation across the EU.