U.S. vs EU on Post-Quantum Cryptography Migration (Oct 2025): Timelines, Compliance Hooks, and What CSWP-48 Changes
Comparison of U.S. vs EU post-quantum migration as of Oct 2025—who’s mandated, who’s merely guided, key 2025/2030/2035 milestones, and how NIST’s new CSWP-48 turns crypto d
Bottom line: Both sides of the Atlantic are pushing hard on post-quantum cryptography (PQC). The EU is binding PQC into cross-sector regulation (NIS2, DORA, CRA) with implied “state-of-the-art cryptography” duties and a recommended EU-wide migration timeline. The U.S. has concrete deadlines for federal agencies and National Security Systems (NSS), but the private sector largely sees guidance—not mandates—so far. NIST’s brand-new CSWP-48 (Initial Public Draft) quietly raises the bar by mapping what “good PQC migration” looks like directly into CSF 2.0 and SP 800-53 control language—turning discovery, inventory, and interoperability testing into auditable expectations.
What’s “final” (and what’s next) in the standards
Algorithms & standards. NIST finalized the first three PQC standards on Aug 13, 2024: FIPS 203 (ML-KEM) for key establishment, FIPS 204 (ML-DSA) for signatures, and FIPS 205 (SLH-DSA) as a hash-based backup signature. In Mar 2025, NIST selected HQC as a backup KEM for standardization; a draft standard is expected in the 2026–2027 window. A draft FIPS 206 (FN-DSA/Falcon) has been moving through the pipeline in 2025.
Protocols and interoperability. NIST NCCoE’s SP 1800-38 series (preliminary drafts) details discovery practices (Vol. B) and early interoperability/performance findings for SSH, TLS, QUIC, X.509 (Vol. C). Treat these as the how-to playbooks for testing hybrids and new cert formats before you flip production.
CBOM momentum. OWASP CycloneDX introduced CBOM (Cryptography Bill of Materials) to model algorithms, keys, protocols, certs, and crypto lifecycles—explicitly positioning CBOM as the first step in PQC readiness and crypto-agility.
U.S. trajectory: public-sector clock is ticking; private sector gets a nudge
Federal civilian agencies (non-NSS). OMB M-23-02 requires agencies to inventory CRQC-vulnerable crypto annually through 2035 (first due May 4, 2023), designate a migration lead, assess funding annually, and test pre-standard PQC in production-like settings with safeguards. It also tasked CISA (with NSA/NIST) to publish an automated tooling strategy—which CISA delivered by mid-2024—explicitly calling out cryptographic discovery and inventory tools.
National Security Systems (NSS). NSA’s CNSA 2.0 sets target dates: prefer CNSA 2.0 by 2025 and exclusive use by ~2030–2033 depending on domain (code-signing, VPNs, OSes, browsers/cloud, niche/legacy). These are the most prescriptive U.S. PQC milestones today.
What about the private sector? There’s no cross-industry U.S. mandate with hard PQC dates yet. Agencies have issued guidance (CISA PQC Initiative, DHS outreach, a 2025 GSA PQC Buyer’s Guide) and advisories to “start now” with inventory, risk triage, and vendor engagement—but sector-wide compulsory deadlines haven’t landed. Expect procurement language and regulator expectations (e.g., “state-of-the-art” under general cybersecurity duties) to tighten, but as of Oct 1, 2025, there’s no U.S. equivalent of DORA/CRA imposing PQC timelines on all private firms.
EU trajectory: coordinated plan + regulatory hooks
Commission Recommendation & Roadmap. The EU issued a Recommendation (Apr 11, 2024) and published the first EU PQC Roadmap (Jun 11, 2025) via the NIS Cooperation Group. It recommends Member States:
launch national PQC strategies by end-2026,
migrate high-risk use cases by end-2030,
make PQC upgrades the default thereafter, and
complete migration “as far as practical” by 2035.
The Roadmap anchors PQC to NIS2, DORA, and CRA obligations.
Regulatory levers now live (or dated).
NIS2: Member States’ transposition deadline was Oct 17, 2024; enforcement depends on each national law. NIS2 raises the bar on risk management and “state-of-the-art” security—PQC falls naturally into scope as standards mature.
DORA (financial sector): Applies from Jan 17, 2025; Boards are accountable for ICT risk. “State-of-the-art” cryptography and third-party oversight make crypto discovery and PQC road-mapping examinable.
Cyber Resilience Act (CRA) (products with digital elements): Main obligations from Dec 11, 2027; earlier reporting from Sep 11, 2026. CRA’s security-by-design duties (including protecting confidentiality with encryption where relevant) will force vendors to plan for PQC updates and updatable designs.
Net effect: In the EU, PQC migration is becoming a compliance program issue across sectors via NIS2/DORA/CRA—even before algorithm standards land in every protocol. In the U.S., it’s already mandatory for federal and NSS environments, while most private companies see strong guidance and procurement pressure, not fixed dates.
What NIST’s new CSWP-48 (IPD) changes for businesses
NIST’s CSWP-48 (Initial Public Draft, Sep 18, 2025) does not create new requirements, but it maps the NCCoE PQC Migration project’s capabilities to CSF 2.0 and SP 800-53 Rev. 5 controls, explicitly highlighting:
Cryptographic Discovery & Inventory as the on-ramp for PQC risk management and prioritization
Interoperability & Performance testing for PQC algorithms in protocols and HSMs
Community profiles to tailor CSF 2.0 outcomes for PQC migration.
That mapping makes it easier for auditors, regulators, and procurement teams to ask for evidence that you: (1) know where crypto is used, (2) can score quantum risk (“store-now-decrypt-later”), and (3) have validated interoperability plans. This is a big practical shift—because it ties PQC work directly to controls you already attest to.
And NIST’s SP 1800-38 A/B/C drafts supply the execution detail (discovery architectures, test profiles for SSH/TLS/QUIC/X.509, lessons learned), which vendors and enterprises can mirror in labs and pilots.
Key timelines at a glance (Oct 2025)
U.S. Federal (civilian):
Annual crypto inventory & funding assessments through 2035; start was May 4, 2023; testing pre-standard PQC in production-like settings encouraged now.
U.S. NSS (CNSA 2.0):
Prefer PQC by 2025, exclusive use across domains 2030–2033 (domain-specific milestones for code-signing, VPNs, OS, browsers/cloud, legacy).
EU (Roadmap):
National strategies by end-2026; high-risk migrations by end-2030; broad completion “as feasible” by 2035.
Reg frameworks:
DORA applicable Jan 17, 2025; NIS2 transposed Oct 17, 2024 (varying national enforcement); CRA core obligations from Dec 11, 2027 (reporting from Sep 11, 2026).
Algorithm standards:
FIPS 203/204/205 final Aug 13, 2024; HQC selected Mar 11, 2025; FIPS 206 (FN-DSA) tracking toward standardization (draft activity in 2025).
U.S. vs EU: where they differ (and why it matters)
Who’s bound today?
U.S.: Binding timelines for agencies/NSS; private sector mostly has guidance and contractual/procurement influence (e.g., GSA buyer guidance), not a horizontal regulation with fixed PQC dates.
EU: Cross-sector duties emerge via NIS2/DORA/CRA; PQC ties into “state-of-the-art cryptography,” product safety, and board accountability—creating regulatory pressure even before all standards are finalized.
How prescriptive?
U.S.: Precise inventory/testing tasks and NSS timelines; otherwise risk-based guidance via CISA/DHS.
EU: A coordinated timeline (2026/2030/2035) plus sectoral rules—making PQC exam-ready sooner for finance (DORA) and manufacturers/vendors (CRA).
Audit language maturity:
CSWP-48 maps PQC migration to CSF 2.0 and SP 800-53 controls—accelerating U.S. auditability; EU Roadmap explicitly recommends crypto asset management and links to NIS2/DORA/CRA obligations—accelerating supervisory expectations.
“So what?”—Five moves for CISOs before year-end
Make crypto visible. Stand up a cryptographic discovery & inventory program aligned to CSWP-48 mappings; track algorithms, key sizes, protocols, certificates, HSM use, and data “time-to-protect.” Consider CBOM alongside SBOM to make crypto posture traceable across the stack.
Risk-prioritize “HNDL” exposure. Map data with long confidentiality requirements; prioritize channels and stores vulnerable to “store-now-decrypt-later” and plan hybrid deployments (PQC + classical) where feasible.
Pilot interoperability early. Use SP 1800-38 test profiles for TLS/SSH/QUIC/X.509; validate handshake sizes, cert chains, performance, and vendor readiness before field rollouts.
Anchor to your regulator.
U.S. private sector: Even without a universal mandate, expect PQC to be judged under “reasonable security.” Align to OMB M-23-02 practices (inventory/testing) and CISA guidance; bake requirements into supplier contracts now.
EU operations: Map your plan to NIS2/DORA/CRA expectations and the EU PQC Roadmap milestones—these will shape supervisory exams and product compliance.
Create a board-visible plan. Publish a 24-month roadmap with quarterly targets: discovery coverage %, key systems piloted, vendor attestations, hybrid cutovers scheduled, and how you’ll measure crypto-agility (time to swap algorithms, policy enforcement coverage).
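Moves 1 and 2 above (make crypto visible, then risk-prioritize HNDL exposure) can be turned into a repeatable triage step once an inventory exists. The following is an added example, not code from NIST, CSWP-48 or any vendor: it scores constructed inventory records by whether a CRQC breaks the primitive and whether the protected data must stay secret past an assumed 2035 horizon, so that harvestable confidentiality channels rank above signatures and symmetric keys.

```python
# Added example (not NIST's or CSWP-48's own code): HNDL triage over a crypto inventory.
from dataclasses import dataclass
CRQC_HORIZON_YEAR = 2035   # assumed horizon, aligned with the 2035 milestones above
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}  # CRQC-vulnerable public key
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}                              # FIPS 203/204/205
ORDER = ["critical", "high", "medium", "low"]

@dataclass
class CryptoAsset:
    system: str
    algorithm: str
    key_bits: int
    purpose: str            # "key_exchange", "encryption" or "signature"
    secrecy_years: int      # how long the protected data must stay confidential
    hybrid: bool = False    # PQC+classical hybrid already deployed

def classify(a):
    """Bucket an asset by how a CRQC affects it."""
    if a.algorithm in PQC or a.hybrid:
        return "pqc"
    if a.algorithm in SHOR_BROKEN:
        return "quantum_vulnerable"
    if a.algorithm in ("AES", "ChaCha20") and a.key_bits < 256:
        return "weak_symmetric"     # Grover halves effective strength
    return "symmetric_ok"

def hndl_priority(a, year=2025):
    """Only confidentiality mechanisms can be harvested now and broken later;
    signatures need replacing before a CRQC, but captured traffic is not forgeable retroactively."""
    bucket = classify(a)
    if bucket == "quantum_vulnerable" and a.purpose == "signature":
        return "medium", "CRQC-vulnerable signature: replace before CRQC"
    if bucket == "quantum_vulnerable":
        if year + a.secrecy_years > CRQC_HORIZON_YEAR:
            return "critical", f"secret past {CRQC_HORIZON_YEAR}: harvestable today"
        return "high", "CRQC-vulnerable key exchange/encryption"
    if bucket == "weak_symmetric":
        return "medium", "raise symmetric key size to 256 bits"
    return "low", "PQC/hybrid or 256-bit symmetric"

def triage(assets, year=2025):
    # Returns [(system, priority, reason)] sorted most urgent first (stable sort).
    rows = [(a.system, *hndl_priority(a, year)) for a in assets]
    return sorted(rows, key=lambda r: ORDER.index(r[1]))

# Constructed inventory records, not real scan output.
INVENTORY = [
    CryptoAsset("hr-archive", "RSA", 2048, "key_exchange", 25),
    CryptoAsset("api-gw", "X25519", 256, "key_exchange", 2, hybrid=True),
    CryptoAsset("ci-signing", "ECDSA", 256, "signature", 1),
    CryptoAsset("partner-vpn", "ECDH", 256, "key_exchange", 5),
    CryptoAsset("backup-vault", "AES", 128, "encryption", 30),
]
```

Feeding real discovery output (or a CBOM export) into `INVENTORY` and re-running `triage` each quarter gives the discovery-coverage and prioritization evidence that the CSWP-48 mappings ask for.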
Where Qinsight-style discovery fits
NIST’s migration work and CSWP-48 elevate crypto discovery/inventory from “nice to have” to control-mappable. Tools like Qinsight, which scan across TLS/SSH/API endpoints, certificates, IoT, and cloud and integrate with CBOM/SBOM, make it far easier to: (a) satisfy OMB M-23-02 inventories (U.S. public sector), (b) evidence NIS2/DORA risk management (EU), and (c) prepare for CRA product obligations. Learn more about how Qinsight can help your organization improve its encryption posture.