
Quantum risk and associated regulations

  • Writer: Alexey
  • Mar 13
  • 3 min read

Quantum risk and the regulations that address it may appear distant, but they are already here. Some standards now explicitly require action; others imply it through their risk-based approach. Below is an overview of key standards that currently address quantum security considerations, either directly or indirectly.



Quantum risk in the spotlight 

A sufficiently large quantum computer running Shor's algorithm would break the public-key schemes in use today (RSA, Diffie-Hellman and elliptic-curve cryptography), which were only ever secure against classical attackers. Symmetric ciphers and hash functions are less affected: Grover's algorithm roughly halves their effective security level, so the usual response is larger key sizes rather than new algorithms. In response, the U.S. National Institute of Standards and Technology (NIST) has standardised post-quantum cryptography (PQC) algorithms (FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA, published in August 2024) designed to protect sensitive data. Other countries are also working on their own standards; however, these largely rest on the same mathematical foundations as NIST's standardised algorithms.


Are PQC algorithms alone sufficient? No. They must be thoughtfully integrated into existing protocols, applications and services, and that integration brings its own challenges: deciding what to migrate first, testing the new algorithms (larger keys and signatures change message sizes and performance), and managing the sheer scale of change. These challenges translate into governance requirements, which for the purpose of this article fall into three categories:

  1. Direct Requirements: Explicitly demand quantum-resistant solutions and governance practices.

  2. Indirect (Risk-Based) Requirements: mandate quantum-safe measures only through a risk-based cybersecurity standard; because quantum computing changes the threat landscape, the risk assessment these standards require ends up defining the measures needed.

  3. Cryptography-Focused Standards: define the design or operation of systems that depend heavily on cryptographic assets and will therefore inevitably require quantum-secure upgrades.


1. Standards with Direct Quantum Remediation Requirements

PCI DSS 4.0

The Payment Card Industry Data Security Standard (PCI DSS) is established by the PCI Security Standards Council and applies to all entities involved in payment card processing. Its latest version, PCI DSS 4.0, contains requirements that bear directly on quantum readiness (Requirement 12.3.3 on cryptographic cipher suites and protocols), including:

1. Maintaining an up-to-date inventory of all cryptographic cipher suites and protocols in use.

2. Actively monitoring industry trends regarding the continued viability of those cipher suites and protocols, which today means following developments in quantum computing.

3. Maintaining a documented strategy for responding to anticipated changes in cryptographic vulnerabilities, including those expected from quantum computing.
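The inventory and documented strategy above only become actionable once each entry is ranked. The script below is an added example, not code from the page or from the PCI Security Standards Council, showing one way to triage a cryptographic inventory for the prioritisation problem mentioned earlier: it applies Mosca's inequality (data lifetime X plus migration time Y exceeding the years Z until a cryptographically relevant quantum computer) to entries that rely on Shor-vulnerable public-key algorithms, and separates them from symmetric entries that merely need larger keys against Grover's algorithm. The inventory entries, their names, the Z = 10 horizon and the X/Y figures are all constructed assumptions for illustration; the script classifies an inventory you already have, it does not discover one.

```python
"""Quantum-risk triage of a cryptographic inventory (added example).

Mosca's inequality: an asset is at risk if X + Y > Z, where
  X = years the protected data must stay confidential,
  Y = years the migration away from the current algorithm will take,
  Z = assumed years until a cryptographically relevant quantum computer (CRQC).
Public-key families are treated as broken by Shor's algorithm; symmetric
primitives only lose effective strength to Grover's algorithm.
"""
from dataclasses import dataclass
from typing import List, Optional

SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}          # replace
SYMMETRIC = {"AES", "ChaCha20", "HMAC-SHA256", "SHA-256", "SHA3-256"}  # grow keys


@dataclass(frozen=True)
class CryptoAsset:
    name: str
    algorithm: str               # algorithm family, e.g. "RSA", "ECDH", "AES"
    key_bits: int
    protocol: str                # where it is used, e.g. "TLS 1.3"
    purpose: str                 # "confidentiality" or "authentication"
    data_lifetime_years: float   # X
    migration_years: float       # Y


def classify(asset: CryptoAsset) -> str:
    """What the migration plan has to do with this entry."""
    if asset.algorithm in SHOR_BROKEN:
        return "replace"        # Shor breaks it regardless of key size
    if asset.algorithm in SYMMETRIC and asset.key_bits < 256:
        return "strengthen"     # Grover: 128-bit key -> ~64-bit effective strength
    return "ok"


def mosca_deficit(asset: CryptoAsset, crqc_years: float) -> Optional[float]:
    """Years by which the asset overshoots the CRQC horizon (None if Shor-safe).

    Confidentiality uses X + Y - Z: traffic recorded today can be decrypted
    once a CRQC exists (harvest-now-decrypt-later).  Authentication uses
    Y - Z: a signature forgery only matters once a CRQC actually exists.
    """
    if asset.algorithm not in SHOR_BROKEN:
        return None
    if asset.purpose == "confidentiality":
        return asset.data_lifetime_years + asset.migration_years - crqc_years
    return asset.migration_years - crqc_years


def triage(inventory: List[CryptoAsset], crqc_years: float) -> List[dict]:
    """Rank the inventory, most overdue Shor-vulnerable entries first."""
    rows = []
    for asset in inventory:
        deficit = mosca_deficit(asset, crqc_years)
        rows.append({
            "name": asset.name,
            "protocol": asset.protocol,
            "action": classify(asset),
            "deficit_years": deficit,
            "at_risk": deficit is not None and deficit > 0,
        })
    # Shor-vulnerable entries first (largest deficit on top), symmetric ones last.
    rows.sort(key=lambda r: (r["deficit_years"] is None, -(r["deficit_years"] or 0)))
    return rows


# Constructed sample inventory; names and figures are illustrative only.
SAMPLE_INVENTORY = [
    CryptoAsset("payment-gateway-tls", "ECDH", 256, "TLS 1.3", "confidentiality", 7, 4),
    CryptoAsset("archive-transfer", "RSA", 2048, "TLS 1.2 (RSA key exchange)", "confidentiality", 20, 5),
    CryptoAsset("firmware-signing", "RSA", 3072, "code signing", "authentication", 0, 3),
    CryptoAsset("key-encryption-key", "AES", 128, "HSM key wrap", "confidentiality", 15, 2),
    CryptoAsset("log-integrity", "HMAC-SHA256", 256, "syslog", "authentication", 3, 1),
]

ASSUMED_CRQC_YEARS = 10  # assumption for the example, not a forecast


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, ASSUMED_CRQC_YEARS):
        flag = "AT RISK" if row["at_risk"] else ""
        print(f'{row["name"]:22} {row["action"]:10} {str(row["deficit_years"]):>5} {flag}')
```

Two design points worth noting. The split by purpose matters: a TLS key exchange protecting long-lived card data is exposed today to harvest-now-decrypt-later, while a signing key is only exposed once a CRQC exists, so the same algorithm lands at very different priorities. And the symmetric entries deliberately get no Mosca figure; the 128-bit key-encryption key still appears in the plan as "strengthen", which is the right outcome for the inventory requirement even though no algorithm replacement is needed.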


Reference: PCI DSS 4.0


2. Standards with Indirect Quantum Remediation Requirements

These standards emphasise risk-based security management, implying the necessity to address quantum risks even without explicitly mentioning quantum computing.


SWIFT Customer Security Programme (CSP)

SWIFT’s CSP framework requires a proactive, risk-based approach to cybersecurity. Because the confidentiality and authenticity of financial messaging rest on public-key cryptography that quantum computing threatens, quantum risk assessment implicitly falls under this umbrella. The CSP applies to all SWIFT users, including financial institutions and related service providers.


Reference: SWIFT CSP


ISO/IEC 27001

ISO/IEC 27001 is an internationally recognised information security standard that mandates risk-based assessment and treatment of information security threats. The 2022 edition does not name quantum computing, but it requires organisations to identify and periodically reassess evolving threats, and its Annex A control on the use of cryptography (A.8.24) expects cryptographic controls to remain effective against them. Organisations that are compliant with ISO/IEC 27001 should therefore treat a future transition to PQC algorithms as part of their cybersecurity planning.


Reference: ISO/IEC 27001:2022


3. Standards Expected to Include PQC Requirements Soon

Several widely adopted, cryptography-intensive standards are expected to add explicit PQC requirements.


eIDAS 2 (EU Digital Identity Regulation)

The EU Digital Identity Regulation (eIDAS 2) aims to provide EU citizens with secure digital identity wallets. Because the wallet's trust model rests on digital signatures, both for the attestations issued into it and for what it presents to relying parties, quantum-resistant signature schemes are likely to become essential to preserving the trustworthiness and the privacy of the identity data.


Reference: eIDAS Regulation


EMV (Chip Card Technology)

The EMV standards, originally developed jointly by Europay, Mastercard and Visa, govern secure chip-based payment technology, including cards, ATMs, terminals and payment tokenisation. They are overseen by EMVCo, which collaborates with NIST and the IETF, and because chip authentication relies on public-key cryptography they are inevitably subject to quantum risk considerations. EMVCo explicitly acknowledged in 2023 that quantum computing’s impact on current cryptographic methods is evolving rapidly and confirmed ongoing collaboration with the PCI Security Standards Council on these issues.


Reference: EMVCo


This list is far from exhaustive. In the comments, share insights into quantum-related regulatory developments.


Further details on quantum-related regulations worldwide, and on the differences between national PQC standards, are available here.



© 2025 by Alexey Bocharnikov
