Quantum Community - European DIGITAL SME Alliance

The DIGITAL SME Quantum Community

Stay informed. Track EU regulatory developments. Share knowledge.
Build quantum resilience — together.


1) Why a quantum community?

Quantum computers exploit quantum mechanics to solve the mathematical problems that underpin today’s most widely deployed public-key cryptography: RSA, elliptic-curve cryptography, and Diffie-Hellman key exchange. A sufficiently powerful quantum computer could render these standards obsolete, exposing encrypted communications, stored data, and digital signatures to attack.

For large organisations and governments, dedicated cybersecurity teams are already mobilising. For SMEs, the risk is just as real — but awareness, resources, and guidance remain dramatically insufficient. This community bridges that gap by sharing knowledge, tracking regulatory developments, and translating technical complexity into practical action.

Shared knowledge

No single SME can track the fast-moving landscape of PQC standards, regulatory deadlines, and vendor readiness alone.

Regulatory readiness

NIS2, the Cyber Resilience Act, and the EU PQC Roadmap create binding obligations. Understanding them in advance is a business advantage.

Cost of inaction

The “store now, decrypt later” attack strategy is already active. Adversaries are harvesting encrypted data today — to decrypt it when quantum computers arrive.

2) What is post-quantum cryptography (PQC)?

Most digital security today relies on mathematical problems — such as factoring enormous numbers — that classical computers cannot solve in a practical timeframe. This is the foundation of the encryption protecting your HTTPS connections, digital signatures, VPNs, and banking transactions.

PQC refers to a new generation of cryptographic algorithms designed to withstand attacks from both classical and quantum computers. They do not require quantum hardware to run — they work on the same servers, laptops, and phones you use today. The EU’s transition process is aligned with the first international PQC standards, finalised and published in 2024.

The business analogy

Think of PQC like replacing the lock on your warehouse before a new generation of master keys is mass-produced. The warehouse, goods, and door are the same — but the lock must be upgraded before those master keys exist. The problem: changing locks across an entire operation takes years, not days.

3) Four risks SMEs cannot ignore

“Store now, decrypt later” — Your data is already a target

Adversaries are already storing encrypted data today to decrypt it once a quantum computer becomes available. If your business holds sensitive client data, trade secrets, or financial records with a confidentiality requirement exceeding 10 years, that data is a current target. The EU Roadmap identifies this as the highest-priority risk.

Regulatory non-compliance with NIS2 and the Cyber Resilience Act

NIS2 requires all entities in scope to implement state-of-the-art cryptography, and management bodies can be held personally liable for failures. The Cyber Resilience Act, applying from December 2027, requires quantum-safe upgrade paths by design. SMEs risk regulatory sanctions and exclusion from procurement if they have not begun.

Supply chain and third-party vulnerability

Your security is only as strong as your vendors, cloud providers, and software suppliers. The EU Roadmap explicitly calls for organisations to “start the dialogue with product and service suppliers” now. SMEs that do not audit their cryptographic supply chain risk inheriting vulnerabilities from third parties.

Long transition times vs. short market windows

Previous cryptographic migrations have taken well over five years. The EU Roadmap estimates 5 to 10 years for a complete transition of complex systems. SMEs with constrained IT capacity face a compounding problem: the longer they wait, the more disruptive and costly the transition becomes.

4) EU PQC Roadmap — key milestones

The EU Coordinated Implementation Roadmap sets three hard milestones for all Member States. For SMEs in regulated sectors or critical supply chains, these dates represent real compliance deadlines.

11 April 2024

EU Commission recommendation published

The Commission launched the Coordinated Implementation Roadmap, establishing the NIS Cooperation Group work stream on PQC and setting the transition in motion.

By 31 December 2026 — MILESTONE 1

First steps: national PQC roadmaps established

All Member States must complete first steps: build cryptographic asset inventories, perform quantum risk analyses, engage stakeholders, and launch pilots for high- and medium-risk use cases.

11 December 2027

Cyber Resilience Act enters full application

All products with digital elements on the EU market must include quantum-safe upgrade paths. Firmware and software update mechanisms must use quantum-safe signatures.

By 31 December 2030 — MILESTONE 2

High-risk use cases fully transitioned

Quantum-vulnerable public-key mechanisms (e.g. RSA) shall not be used stand-alone for high-risk systems. Quantum-safe software upgrades must be enabled by default.

By 31 December 2035 — MILESTONE 3

Full PQC transition

All medium- and low-risk use cases should be fully migrated. Traditional public-key mechanisms will be disallowed across the international ecosystem from this date, in alignment with EU, UK, and international standards.

5) PQC and the EU regulatory framework

Key point: The EU Roadmap explicitly states that PQC transition steps are “no-regret moves” — they improve general cybersecurity maturity and directly support NIS2 compliance. The CRA’s requirement for quantum-safe upgrade paths from December 2027 makes PQC readiness a market access requirement for product manufacturers, not merely a security best practice.

NIS2 Directive

Requires entities in scope to implement state-of-the-art cryptography as part of cybersecurity risk management. Management bodies may be held personally liable for non-compliance. PQC readiness is a NIS2 board-level concern.

Cyber Resilience Act

Applies to all products with digital elements from December 2027. Mandates quantum-safe upgrade paths and post-quantum signatures for firmware updates. Directly affects SMEs in hardware, software, and connected-device sectors.

EU Coordinated Implementation Roadmap

The EU’s master transition document. Defines three milestones (2026, 2030, 2035), risk categories, and recommended steps. Explicitly frames PQC steps as “no-regret moves” that directly support NIS2 compliance.

6) Key Resources

For any inquiries related to the DIGITAL SME Quantum Community, please reach out to Davide Iaccarino at d.iaccarino@digitalsme.eu.
