Post-Quantum Cryptography for Financial Institutions
Where does your bank stand on DORA cryptographic compliance today?
The Digital Operational Resilience Act (DORA) has been in force since January 2025, and its technical standards now require banks to maintain a documented cryptographic inventory, a formal cryptographic policies book, and a cryptographic agility strategy. These are enforceable obligations today.
At the same time, the technological risk is arriving sooner than the 2035 regulatory floor assumes. Google and Cloudflare have both set internal migration deadlines of 2029, and adversaries are already harvesting encrypted data with the intent to decrypt it once a quantum computer becomes available.
This guide maps the quantum threat to a bank’s real infrastructure, translates DORA, NIS2 and the G7 roadmap into concrete obligations, and sets out the three jobs every banking CISO must address: testing the impact of PQC, inventorying the full cryptographic estate, and engaging the transition under hybrid and crypto-agility principles.
Why read this white paper?
Are you compliant with DORA?
Measure your cryptographic posture against a self-assessment grid, calibrated to DORA’s obligations and ENISA’s recommendations.
Do you know your three priority tasks?
Follow an operational, sequenced framework to test the impact of post-quantum cryptography, inventory your cryptographic estate, and engage the transition to PQC.
Are you building on proven practices?
Draw on industry feedback, from the Banque de France to Project Leap, and on regulatory developments (DORA, NIS2, the G7 roadmap) to build a solid migration case.