For years, quantum computing lived in the long-term corner of the risk register, acknowledged and then deferred. That position is gone. The European Commission and the NIS Cooperation Group have published a coordinated roadmap for the transition to post-quantum cryptography, and its first milestone lands at the end of 2026. Before then, EU member states are expected to lay the foundations of their national transitions, starting with inventories of cryptographic assets and maps of what depends on them.
The United States and the United Kingdom are working to the same playbook with different dates. All three point at the same first task. Before anyone migrates a single algorithm, they need to know what cryptography they hold, where it runs, and what breaks when it changes.
If you’re responsible for security at an enterprise or an MSSP, that task is harder than it sounds. Certificates, keys, algorithms and protocols accumulate for years across applications, devices, cloud workloads and suppliers, and few organizations hold a complete picture of any of it. This article covers what the requirement asks for, how the three timelines compare, and what a cryptographic inventory looks like when it has to hold up to an audit.
What Crypto-Agility Means
Crypto-agility is the ability to find, assess and replace the cryptography an organization depends on without re-engineering the systems that use it. When a certificate expires, an algorithm is deprecated, or a regulator sets a migration deadline, a crypto-agile organization can locate every affected asset and swap it out in days rather than quarters. The reference document for the discipline is NIST’s white paper on crypto-agility, CSWP 39, finalized in December 2025.
The term is young, but the capability it describes rests on two older, less glamorous foundations.
The Cryptographic Inventory
A cryptographic inventory is a live record of every cryptographic asset in the organization. That includes:
- Certificates, with their validity periods, issuers and the domains they cover
- Keys, and where they’re stored
- Algorithms and cipher suites in use, including deprecated ones
- Protocols such as TLS and SSH, with their versions and configurations
- The applications, devices, workloads and pipelines where each of these lives
The word live matters. Certificates rotate, services move, and suppliers change their stacks. An inventory compiled once for an audit starts decaying the day it’s finished.
The CBOM
A cryptographic bill of materials, or CBOM, applies the logic of the software bill of materials to cryptography. Where an SBOM lists the components inside a piece of software, a CBOM catalogs the cryptographic assets a product or organization relies on, in a machine-readable format that can be queried, compared and handed to an auditor. The concept is emerging industry practice rather than settled law, a distinction that matters when we get to the Cyber Resilience Act below.
The EU Roadmap Puts a Date on It
In June 2025, the NIS Cooperation Group published A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, the work stream the European Commission set in motion with its recommendation of April 2024. It gives every member state the same three milestones.
- By the end of 2026, member states should have started their national transitions. The first deliverables include inventories that support cryptographic asset management, dependency maps and risk analyses, including supply chain risks.
- By the end of 2030, high-risk use cases should have migrated to post-quantum cryptography. That covers critical infrastructure and sectors such as finance, health and energy.
- By 2035, the transition should be complete for as many systems as practically feasible.
The 2030 and 2035 dates draw the attention, but the operative one is 2026. Inventory and dependency mapping is the deliverable due now, and it’s the gate everything else passes through. A migration plan built without one is a plan built on assumptions.
The roadmap speaks to governments, but national strategies become supervisory expectations for the entities they regulate, which is how a Brussels milestone becomes a line in your quarterly planning.
The roadmap also expects organizations to document any classical cryptography that remains and justify the risk of keeping it, which turns visibility into a standing obligation rather than a one-off exercise.
Harvest Now, Decrypt Later
n a harvest now, decrypt later attack, an adversary collects encrypted traffic and stored data today, then waits for quantum computers capable of breaking the encryption that protects it. Data with a long confidential life is already exposed to this pattern. Health records, financial data and state secrets intercepted this year can sit in an adversary’s storage until the technology to read them arrives. The defense is to move long-lived sensitive data onto quantum-resistant algorithms before the harvesting matters.
The US and UK Are on the Same Path
The same clock is running in Washington and London.
The United States
National Security Memorandum 10, signed in May 2022, directed US federal agencies to inventory their cryptographic systems and set 2035 as the horizon for migrating national security systems. Agencies have filed prioritized inventories every year since. More recent federal direction goes further, calling for a dynamic, continuously updated inventory of cryptographic assets. NIST finalized the first post-quantum standards in August 2024. FIPS 203 (ML-KEM) covers key encapsulation, while FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) cover digital signatures, giving migration plans concrete algorithms to move to.
The mandate is federal, but inventory expectations move with the contract. If you supply the US public sector, expect the questions in security questionnaires before any law names you directly.
The United Kingdom
The NCSC published its timeline for migration to post-quantum cryptography in March 2025, structured as three phases, with discovery the first. The guidance addresses UK organizations at large, not just government departments, and gives private-sector leaders a published, defensible schedule to plan against.
Put the three side by side and the pattern is hard to miss. The deadlines differ, the first step doesn’t. Every framework begins with a complete, current picture of the cryptography in use and the dependencies hanging off it.
| Jurisdiction | Inventory and Discovery | Priority Migration | Full Transition |
|---|---|---|---|
| EU | Inventories and dependency maps by end of 2026 | High-risk use cases by end of 2030 | By 2035 |
| US (federal) | Annual inventories since 2022 under NSM-10 | High-impact systems by 2030, digital signatures by 2031 | National security systems by 2035 |
| UK | Discovery complete by 2028 | Highest-priority migrations 2028 to 2031 | By 2035 |
The Three Deliverables Every Framework Asks For
The regulatory texts vary. The work they describe doesn’t, and it comes in a fixed order, because each piece depends on the one before it.
A Live Cryptographic Inventory
Everything starts with knowing what exists. The practical challenge isn’t listing what you know about. It’s surfacing what you don’t. Certificates issued outside procurement, TLS endpoints on forgotten subdomains, deprecated cipher suites on services nobody owns. The assets that fall outside the official IT inventory are the ones most likely to carry the weakest cryptography, and they’re the first thing an auditor will find.
A Dependency Map
Knowing a certificate exists tells you very little on its own. The questions that matter are operational. Which service presents it. Which integrations trust it. What stops working when it rotates. A dependency map answers those questions, and it’s what separates a migration you can sequence by risk from one you sequence alphabetically and hope.
Third-Party and Supply Chain Coverage
Your cryptography doesn’t end at your perimeter. It extends through every supplier connection, every managed service and every integration that presents a certificate or negotiates a protocol with your systems, and weaknesses in that layer are inherited whether you can see them or not. The EU roadmap folds supply chain risk into the same analysis for exactly that reason.
NIS2, DORA and the Cyber Resilience Act Compared
Three EU frameworks now touch this work, each from a different angle and each with its own population.
| Framework | Who It Covers | What It Asks of Your Cryptography | Key Dates |
|---|---|---|---|
| NIS2 | Essential and important entities across 18 sectors, from energy and health to digital infrastructure and public administration | Risk-management measures that already include policies on cryptography and encryption. A January 2026 proposal would add national post-quantum transition policies aligned with the EU roadmap | Foundations by end of 2026 under the roadmap |
| DORA | Financial entities and their critical ICT providers | ICT risk management, digital operational resilience and a register of information covering third-party providers | Applied since January 2025 |
| Cyber Resilience Act | Manufacturers of products with digital elements sold in the EU | A machine-readable software bill of materials, plus vulnerability handling across the product lifecycle | Vulnerability reporting from September 2026, full obligations from December 2027 |
The NIS2 amendment is a proposal, not law. The European Commission published COM(2026) 13 in January 2026, which would oblige member states to adopt post-quantum transition policies within their national cybersecurity strategies. It’s now moving through the EU’s legislative procedure, with adoption expected in late 2026 or 2027. The direction is clear; the legal force isn’t there yet.
The Cyber Resilience Act requires an SBOM, not a CBOM. The act asks manufacturers for a machine-readable software bill of materials covering top-level dependencies, with reporting obligations from 11 September 2026 and full obligations from 11 December 2027. It doesn’t yet name cryptographic assets as a required layer. The CBOM is where industry practice is heading, but nobody should tell you the CRA mandates it today.
Strip the three frameworks back and they share one practical demand. None of them can be evidenced without a current inventory, a maintained dependency map and visibility that reaches your third parties. The same work satisfies several regulators at once.
What This Changes for MSSPs and Enterprise Teams
For MSSPs
For an MSSP, the same regulation reads as a service line. Clients with operations in more than one jurisdiction face three timelines that all start with the same deliverable, and most can’t produce it. A continuously maintained cryptographic inventory, delivered as part of a managed service, answers the EU, UK and US frameworks at once.
It’s also durable work. An inventory that updates with every scan, mapped to each client’s regulatory exposure, isn’t something a client takes back in-house lightly. The MSSPs that build this capability during the discovery years will be holding the migration contracts when the 2030 deadlines arrive.
For Enterprise Security Teams
Inside an enterprise, the cryptographic inventory has a habit of belonging to everyone and no one. Certificates sit with infrastructure, encryption policies with GRC, the migration budget with the CISO, and the risk with all three. The 2026 milestone is a reason to settle that ownership now, while the ask is still an inventory rather than an emergency.
And auditors request evidence before they request plans. Teams that can show what they hold, where it runs and what depends on it start every conversation that follows in a stronger position.
From Requirement to Running Workflow
On paper, the requirement is a document. Inside an organization, it has to become a process that runs on its own, because the estate changes faster than any manual audit can track. Gartner names preemptive cybersecurity among its top technology trends for 2026, the shift from reacting to incidents toward acting ahead of them, and continuous cryptographic visibility is a concrete piece of that shift. It’s also the problem we built Zynap to solve. The platform automates security work with AI and agents, and applied to this roadmap, that comes down to three jobs.
Building the Inventory
The Certificates module inside Zynap’s attack surface management continuously identifies the certificates exposed on your external perimeter and flags the ones that matter for a migration plan. Expired, revoked, self-signed, untrusted and mismatched certificates, along with validity periods, issuing organizations and the domains each one covers. The Technologies module adds which technologies and versions run on each endpoint, where cryptographic libraries and protocol versions live, and the same discovery covers the TLS, SSH and API surface those endpoints expose. The result is a repository ready for the risk scoring and compliance mapping your team defines, covering the slice of the inventory that sits outside your internal IT records and is hardest to compile by hand.
A full CBOM goes deeper, into internal keys and cryptography in code, so treat this as the external foundation rather than the finished article.
Mapping the Dependencies
Zynap’s Assets module works as a relational hub. Each asset links to its IP addresses, services, endpoints, vulnerabilities, certificates and DNS records, and the map refreshes with every scan, with changes flagged between runs. That’s the dependency map the roadmap asks for, maintained by the platform rather than by a spreadsheet owner who left two reorganizations ago.
The same mapping extends to third parties too, a first layer of visibility over inherited cryptographic risk without the supplier granting access to anything.
Acting On What It Finds
Detection on its own produces reports. When Zynap finds a certificate about to expire or a protocol that shouldn’t be there, the finding can trigger a workflow in NINA, Zynap’s multi-agent engine, which opens a ticket in Jira, posts the alert to Slack or your SIEM, and routes the decision to a human approval step where judgment is required. Where a fix can be checked externally, the same workflow can retest the finding once the ticket is resolved and confirm the remediation held, leaving an audit trail that runs from detection to verified fix.
Your team defines the workflow in plain language, so the loop from finding to fix follows your process rather than a vendor’s assumptions. Closing the gap between knowing and fixing is what turns an inventory from a report into a control. And the machinery is multi-tenant by design, so an MSSP can author a workflow once and run it for every client, each in isolation.
Where to Start with Your Cryptographic Inventory
You don’t need to solve the whole estate for the 2026 milestone to be meaningful. Start where exposure is highest and visibility is lowest.
- Inventory your external estate first. It’s what attackers scan and the part you can automate today.
- Map dependencies as you go, not afterwards. An inventory without a dependency map can’t be prioritized.
- Fold in your suppliers. Add third-party connections to the same inventory before the frameworks make it a formal question.
- Make it continuous from day one. Every framework on this page treats visibility as standing work. A snapshot audit meets none of them for long.
The organizations that treat this milestone as an audit will do it again next year, from scratch. The ones that treat it as an operating capability will spend 2027 migrating while others are still counting certificates. If you’d like to see what your external cryptographic estate looks like, mapped and monitored continuously, we’re happy to show you.