
April 20, 2026

EU Moves to Write Post-Quantum Cryptography Directly into NIS2 Law

For years, the quantum threat lived in the margins of EU cybersecurity regulation. That just changed.

On 20 January 2026, the European Commission published COM(2026) 13 final, a proposed directive amending NIS2 as part of a broader cybersecurity simplification package. The proposal touches on everything from ransomware reporting to cross-border supervision. But tucked inside the amendments is something that deserves far more attention than it has received so far: the EU is writing post-quantum cryptography into the directive by name.

PQC stops being a reading-between-the-lines exercise

The new Article 7(2)(k) would require every Member State to adopt, within its national cybersecurity strategy, policies for the transition to post-quantum cryptography, aligned with the timelines and requirements already laid out in EU legal acts and policy documents. That sounds dry, but the shift it represents is significant.

Until now, arguing that NIS2 required PQC readiness meant connecting a chain of dots. The directive demands “state-of-the-art” cryptography. The EU published a PQC Recommendation in April 2024. A coordinated implementation roadmap followed in June 2025. The logic held together, but it left enough ambiguity for organizations to sit on their hands and wait for something more explicit. COM(2026) 13 is that something. If adopted, there is no more interpretive gap to hide behind. PQC migration planning becomes a named obligation at the national strategy level, and from there it flows downward into supervisory expectations and entity-level compliance.

The recitals go further than the articles

Anyone who has spent time with EU legislation knows that recitals matter. They explain what the lawmakers were thinking, and courts use them to interpret the operative provisions. Recital (8) of this proposal is the strongest statement on quantum risk that has appeared in any EU legislative text to date.

It names “harvest now, decrypt later” attacks and says they are “likely occurring already now.” It flags the future risk of quantum computers forging digital signatures. And it references something the cryptography community has been watching closely — the planned deprecation and eventual full disallowance of current public-key algorithms. This is not hedged language. The Commission is telling Member States, in writing, that the cryptographic foundations underpinning today’s digital infrastructure have an expiration date.

The recital goes beyond threat framing. It calls on governments to build tools for assessing cryptographic asset exposure, help organizations develop migration plans, and test PQC deployment in real digital applications and networks. There is also a pointed reference to “formally verified and evaluated European PQC solutions,” which reads as a clear signal that Brussels sees the quantum transition not just as a defensive necessity but as an industrial policy opportunity — a theme that echoes the Draghi Report’s push to reduce technological dependencies.

The timeline references are not accidental either. The recital explicitly aligns with the NIS Cooperation Group’s Coordinated Implementation Roadmap, reaffirming the targets of 2030 for critical use cases and 2035 for everything else.

The rest of the package matters too

The PQC provision does not exist in isolation. Several other amendments in the same proposal intersect with the quantum transition in ways worth paying attention to.

European Digital Identity Wallets and European Business Wallets are being brought explicitly into NIS2 scope as essential entities, regardless of size. The eIDAS 2.0 ecosystem runs on PKI-heavy architecture, and identity systems have some of the longest cryptographic transition lead times of any enterprise infrastructure. Bringing wallet providers under NIS2 while simultaneously mandating PQC transition policies is not a coincidence — it is the EU acknowledging that trust infrastructure needs quantum-safe foundations sooner rather than later.

The proposal also introduces cyber posture certification as a compliance pathway under the revised EU Cybersecurity Certification Framework. Over time, this could become a vehicle for embedding PQC readiness into standardized assessments. Meanwhile, a maximum harmonization clause for implementing acts would prevent Member States from layering on additional requirements beyond what the Commission specifies. That could simplify cross-border PQC compliance, though it might also frustrate more advanced Member States that want to move faster.

Submarine data transmission infrastructure gets its own definition and inclusion, closing a gap where some cable operators previously fell outside the directive. And new ransomware reporting requirements would oblige entities to disclose whether a ransom was paid, how much, and to whom — not directly PQC-related, but a sign of the EU’s appetite for increasingly granular incident data.

Why this is a turning point

Let’s be honest about what has happened here. For the past two years, the PQC conversation in Europe has been dominated by recommendations, roadmaps, and voluntary coordination. All of that was useful, but it gave organizations room to treat quantum risk as a future problem. COM(2026) 13 changes the nature of the conversation. When PQC appears in the text of a directive — not a recommendation, not a recital of a regulation about something else, but the actual operative provisions of the EU’s flagship cybersecurity law — it becomes very difficult to argue that migration planning can wait.

The chain of accountability is now direct: EU directive to national strategy to supervisory expectations to entity compliance. A CISO who has not started cryptographic inventory work is no longer ahead of the curve. They are behind a publicly stated legislative intent, and the regulatory machinery is only going to get more specific from here.

What comes next

The proposal enters the ordinary legislative procedure. Member States would have 12 months from entry into force to transpose the amendments. Timelines may shift during negotiation, but the political direction is locked in and on the public record.

Organizations operating under NIS2 should not treat this as a reason to wait for final text. The underlying milestones have not changed. The EU expects transition efforts to begin by the end of 2026, with critical infrastructure migrated by 2030. NIST’s finalized PQC standards — ML-KEM, ML-DSA, SLH-DSA — are already available. The question is no longer whether PQC migration is coming. It is whether your organization will be ready when the obligations become binding.

The global picture reinforces the urgency. Canada published its own PQC migration roadmap in mid-2025. Hong Kong’s HKMA launched a Quantum Preparedness Index in early 2026. Hardware breakthroughs continue to compress the timeline toward cryptographically relevant quantum computers. The EU is not acting in isolation — it is part of a worldwide regulatory convergence around the same conclusion: the time to prepare is now, not when the threat becomes operational.