Quantum Threats and DORA: Is the Financial Sector's Cryptographic Infrastructure Ready?
The Cryptographic Countdown
Every financial transaction in Europe — every SWIFT message, every card payment, every online banking session, every inter-bank settlement — depends on public-key cryptography. RSA and Elliptic Curve Cryptography (ECC) protect the confidentiality and integrity of the financial system. They have done so reliably for decades.
Quantum computing will end that reliability. A sufficiently powerful quantum computer running Shor's algorithm will break RSA-2048 in hours, rendering the mathematical problem that protects current encryption trivially solvable. ECC, which financial services have adopted for its efficiency (including the ECDSA P-256 curves used in many banking security implementations), is equally vulnerable.
The question is not whether this will happen. The question is when — and whether the financial sector will have completed its cryptographic transition before that date arrives.
DORA Art. 9 requires financial entities to implement ICT security measures that "ensure the resilience, continuity and availability of ICT systems, protocols and tools" and to have policies covering "the security of data transfers." If the cryptographic infrastructure protecting those systems and data transfers becomes vulnerable, Art. 9 compliance is at risk. The argument of this piece is that cryptographic resilience — including preparation for the quantum transition — is an Art. 9 obligation that institutions should be addressing now, not when quantum computers arrive.
The Timeline: When Does Quantum Become a Threat?
Current State of Quantum Computing
As of early 2026, no quantum computer can break production cryptographic systems. The largest quantum processors have reached the thousands of qubits, but breaking RSA-2048 would require millions of error-corrected logical qubits. The gap between current capabilities and cryptographic relevance is significant.
However, progress is accelerating. Multiple technology companies and nation-states are investing heavily in quantum computing research. The timeline estimates from credible sources:
| Source | Estimate: Cryptographically Relevant Quantum Computer | Basis |
|---|---|---|
| NIST | 2030-2040 (planning assumption) | Post-quantum standardization timeline |
| ENISA | 2030-2035 (conservative planning) | EU cybersecurity threat landscape |
| Global Risk Institute | 15-20% probability by 2030, 50%+ by 2035 | Annual quantum threat timeline survey |
| National security agencies | Classified, but driving urgent migration | US NSA CNSA 2.0 mandate (2025-2033 timeline) |
The Harvest Now, Decrypt Later Threat
The most immediate quantum threat to financial services is not a future quantum attack on live transactions. It is the current collection of encrypted data for future decryption. Nation-state actors and sophisticated criminal organizations are intercepting and storing encrypted financial communications today, with the expectation that quantum computers will eventually decrypt them.
This "harvest now, decrypt later" (HNDL) strategy is particularly dangerous for financial data with long-term sensitivity:
- Trade secrets and M&A data (sensitive for years after transaction)
- Customer financial records (sensitive for decades)
- SWIFT messages (contain counterparty information that reveals strategic relationships)
- Cryptographic keys (if long-lived keys are compromised retroactively, all past communications are exposed)
For financial institutions, HNDL means the threat is not in 2035 — it is today. Every encrypted communication that crosses an untrusted network is potentially being harvested.
DORA Art. 9 and Cryptographic Resilience
The Regulatory Argument
Art. 9(1) requires financial entities to "use and maintain updated ICT systems, protocols and tools" for protection and prevention. "Updated" is the key word. Cryptographic protocols that are approaching end-of-life — even if they are not yet broken — are not "updated" in the context of a known future threat.
Art. 9(4)(c) requires policies on "the protection of data against risks arising from data management." The HNDL threat is a data management risk: data currently in transit may be compromised in the future. Protection against this risk requires post-quantum cryptographic measures for data with long-term sensitivity.
Art. 9(4)(e) requires "the security of data transfers." If the cryptographic protocols securing data transfers will become insecure within the data's sensitivity lifetime, the transfer is not adequately secured.
The Proportionality Consideration
DORA's proportionality principle applies to quantum preparation as to everything else. Not every financial institution needs to implement post-quantum cryptography immediately. But every institution whose data has long-term sensitivity — which is effectively every institution — should be assessing their cryptographic inventory and planning for migration.
| Institution Type | Quantum Risk Level | Recommended Action (2026) |
|---|---|---|
| G-SIBs and D-SIBs | High — HNDL target, long-lived data, systemic importance | Active migration planning, cryptographic inventory, hybrid deployments |
| Mid-tier banks | Medium — HNDL exposure, regulatory expectations | Cryptographic inventory, vendor engagement, migration roadmap |
| Small institutions | Lower — proportional to data sensitivity | Awareness, vendor dependency assessment, monitoring standards |
| Payment processors | High — high-volume data in transit | Active migration planning, protocol upgrades |
| Market infrastructure | Critical — systemic importance | Leading migration, standards development participation |
Post-Quantum Cryptography: The NIST Standards
The U.S. National Institute of Standards and Technology (NIST) finalized its first post-quantum cryptographic standards in August 2024:
- ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, formerly CRYSTALS-Kyber) — for key exchange
- ML-DSA (Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium) — for digital signatures
- SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+) — for digital signatures (conservative alternative)
These standards are the foundation for the cryptographic transition. ENISA has published guidance aligning European recommendations with the NIST standards. The European Telecommunications Standards Institute (ETSI) is developing complementary standards for migration.
For financial institutions, the transition involves replacing or supplementing current cryptographic protocols across:
- TLS/SSL for all data in transit (client-to-server, server-to-server, API communications)
- Digital signatures for document signing, code signing, and transaction authorization
- Key management infrastructure (HSMs, KMS, certificate authorities)
- Stored data encryption for data at rest with long-term sensitivity
- Identity and authentication systems that rely on public-key cryptography
The Migration Challenge for Financial Services
Cryptographic Inventory: The First Step
Most financial institutions do not have a comprehensive inventory of where and how they use cryptography. Cryptographic functions are embedded in TLS configurations, database encryption settings, HSM firmware, application code, third-party libraries, and vendor products. Before migrating, institutions must discover what they are migrating from.
The cryptographic inventory must capture:
- Every cryptographic algorithm in use (RSA, ECC, AES, SHA, etc.)
- Key sizes and parameters
- Where each algorithm is deployed (which systems, which communications)
- Who manages the keys (internal, vendor, HSM, cloud KMS)
- Third-party dependencies (which vendor products use which algorithms)
This inventory maps directly to DORA Art. 8 — identification and classification of ICT assets. Cryptographic assets are ICT assets.
Hybrid Deployment: The Transition Path
The recommended transition path is hybrid deployment: running post-quantum algorithms alongside classical algorithms during the migration period. Hybrid mode ensures that if a post-quantum algorithm is found to have a weakness (the standards are new and less battle-tested than RSA/ECC), the classical algorithm provides a fallback. Conversely, if quantum computing arrives faster than expected, the post-quantum algorithm provides protection.
Third-Party and Vendor Dependencies
Many financial institutions do not control their own cryptographic implementations — they rely on vendor products (core banking systems, payment gateways, SWIFT interfaces) that embed cryptographic libraries. The institution's quantum migration timeline is constrained by its vendors' timelines.
This creates an Art. 28 third-party risk dimension: financial institutions must assess their critical vendors' post-quantum cryptography readiness and include PQC migration in contractual discussions. A vendor that has no PQC roadmap is a cryptographic risk factor.
What Supervisors Will Ask
The ECB and national competent authorities have not yet issued explicit guidance on quantum readiness. But the direction is visible: ENISA's post-quantum guidelines, the EU's focus on digital sovereignty, and the general supervisory expectation that institutions manage emerging risks proactively.
Expected supervisory questions within the 2027-2028 examination cycle:
- "Do you have a cryptographic inventory?"
- "Have you assessed your exposure to harvest-now-decrypt-later threats?"
- "What is your migration timeline for post-quantum cryptography?"
- "Which critical ICT services depend on vendor cryptographic implementations, and what are those vendors' PQC roadmaps?"
Institutions that can answer these questions with documented assessments and migration plans will be ahead of the supervisory curve. Institutions that cannot will face the same gap that the ECB stress test exposed for other resilience areas — a gap between assumed and actual capability.
Key Takeaways
- Quantum computing will break RSA and ECC — the cryptographic foundations of financial services. The timeline is uncertain but the outcome is not.
- Harvest now, decrypt later is a current threat, not a future one. Adversaries are collecting encrypted financial data today for future decryption.
- DORA Art. 9 requires "updated" security measures. Cryptographic protocols approaching end-of-life are not "updated" in the context of a known threat.
- NIST post-quantum standards (ML-KEM, ML-DSA, SLH-DSA) were finalized in 2024. The migration path exists.
- Cryptographic inventory is the first step — and maps directly to DORA Art. 8 asset identification requirements.
- Vendor PQC readiness is an Art. 28 concern. Third-party cryptographic dependencies constrain the institution's migration timeline.
- Hybrid deployment (classical + PQC) is the recommended transition path, providing protection during the migration period.
Resume en francais
L'informatique quantique brisera les algorithmes RSA et ECC qui protegent les transactions financieres europeennes — la question n'est pas « si » mais « quand ». La menace la plus immediate est le « harvest now, decrypt later » : des adversaires collectent aujourd'hui des communications financieres chiffrees pour les dechiffrer ulterieurement avec des ordinateurs quantiques. L'article 9 de DORA exige des mesures de securite « a jour » — des protocoles cryptographiques en fin de vie face a une menace connue ne sont pas « a jour ». Les normes NIST post-quantiques (ML-KEM, ML-DSA, SLH-DSA) finalisees en aout 2024 fournissent le chemin de migration. Cet article propose trois phases : inventaire cryptographique (2026-2027) aligne avec l'article 8, deploiement hybride classique+PQC (2027-2029) et migration complete (2029-2033). Les dependances fournisseurs (Art. 28) sont critiques car la plupart des institutions ne controlent pas leurs implementations cryptographiques. Les superviseurs poseront bientot des questions sur l'inventaire cryptographique, l'exposition HNDL et les feuilles de route de migration PQC.