Context and references

Regulatory background and sources.

Background on the standards and regulations that frame the transition to post-quantum cryptography, and the sources this index builds on. This page is descriptive context. It is not legal or compliance advice.

Standards and regulation

What frames the transition.

NIST post-quantum standards

On 13 August 2024 NIST finalised FIPS 203 (ML-KEM) for general encryption, and FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures. These are the reference algorithms for the migration.

EU coordinated roadmap

The European Commission's coordinated roadmap asks member states to prepare and begin national transition plans by the end of 2026, and to protect the most sensitive use cases by 2030.

NIS2

The NIS2 Directive sets cybersecurity risk-management obligations for essential and important entities. Cryptography sits within that risk management.

DORA

The Digital Operational Resilience Act sets ICT risk-management requirements for financial entities, including controls that depend on cryptography.

Cyber Resilience Act

The CRA sets security requirements for products with digital elements, where the ability to update cryptography over a product's life is relevant.

Relation to readiness

Post-quantum readiness is relevant to obligations under NIS2, DORA and the CRA. This page does not interpret those obligations for any organisation.

Lithuania and the EU timeline

National coordination.

In Lithuania the transition is coordinated by the Ministry of National Defence. A national working group is preparing the country's transition plan, expected in the third quarter of 2026, which will apply to organisations designated as cybersecurity entities. Eighteen EU states, including Lithuania, have jointly committed to protecting the most sensitive use cases no later than 2030.

2024NIST finalises FIPS 203, 204 and 205.
2026Member states prepare and begin national transition plans; Lithuania's plan due in Q3.
2027Organisations have their own transition plans ready; testing begins.
2030Most sensitive use cases protected, per the eighteen-state commitment.
2031Migration completed for high-risk systems.
2035Migration completed for medium and low-risk systems.

Timeline summarised from Lithuanian national guidance and the EU coordinated roadmap.

How this relates to the index

Measurement, not compliance.

The index measures publicly observable cryptographic readiness that is relevant to these frameworks. It is not a compliance assessment, a certification or a legal opinion, and it does not rate any named institution.

References and acknowledgements

Sources and provenance.

Primary sources

StandardsNIST post-quantum cryptographyOpen ↗
EU roadmapCoordinated PQC transition roadmapOpen ↗
NIS2Directive (EU) 2022/2555Open ↗
DORARegulation (EU) 2022/2554Open ↗
CRACyber Resilience ActOpen ↗
SupervisionECB list of supervised entitiesOpen ↗
IdentifiersGLEIF LEI dataOpen ↗
LithuaniaMinistry of National DefenceOpen ↗
ToolsNational guidance and tools, pqc.ltOpen ↗

This work refers to publicly available national guidance published by the Lithuanian Ministry of National Defence and to open tools published at pqc.lt. These sources are cited for context and provenance. Mention here does not imply endorsement of the European Post-Quantum Readiness Index by any government body, institution or individual.