NIS2 and DORA: What Critical Operators Need to Know
The year 2025 marks a regulatory turning point for European cybersecurity. Two major texts are now in force and impose concrete encryption obligations on critical infrastructure operators: the NIS2 Directive and the DORA Regulation. For the organizations concerned, the question is no longer whether they must adapt their cryptographic practices, but how and at what pace.
NIS2: a considerably expanded scope
The NIS2 Directive (EU 2022/2555) came into effect in October 2024. It replaces the first NIS Directive from 2016 and considerably expands its scope. Where NIS1 targeted a few hundred operators per country, NIS2 now covers 18 activity sectors and affects tens of thousands of entities across Europe. The energy, transport, health, finance, water, digital infrastructure, public administration, space and food sectors are now subject to reinforced cybersecurity obligations.
Article 21.2(h) of NIS2 is particularly explicit regarding cryptography. It requires concerned entities to implement cryptography and encryption policies as part of their risk management measures. This obligation is not satisfied by merely using encryption: it requires a formalized, documented policy tailored to identified risks. In France, the transposition of NIS2 is being carried out through the "Resilience Law," with parliamentary proceedings underway. French entities must prepare for these requirements now, as the transposition will confirm the directive's obligations without softening them.
DORA: the directly applicable financial regulation
The DORA Regulation (EU 2022/2554, Digital Operational Resilience Act) came into effect on January 17, 2025. Unlike NIS2, which is a directive requiring national transposition, DORA is a European regulation directly applicable in all member states. It specifically concerns the financial sector: banks, insurance companies, asset managers, payment platforms, crypto-asset service providers and their critical ICT suppliers.
Article 9 of DORA is dedicated to cryptographic protection. It requires financial entities to implement encryption measures based on their data classification. The text goes further by explicitly requiring monitoring of quantum threats and crypto-agility capability, meaning the ability to rapidly migrate from one cryptographic algorithm to another when vulnerabilities are discovered or new standards emerge. This requirement directly anticipates the post-quantum transition and places financial entities at the forefront of preparation.
France's LPM: an even stricter framework
In France, the Military Programming Law (LPM) has imposed reinforced cybersecurity obligations on 249 Operators of Vital Importance (OIV) for several years. These entities, whose list is classified, are required to use encryption solutions certified by ANSSI. CSPN (First Level Security Certification) or CC (Common Criteria) certification is a prerequisite for any encryption product deployed in OIV information systems.
This French requirement goes beyond NIS2 and DORA. It does not simply impose an encryption policy: it requires that the products used have been evaluated and certified by a trusted national authority. With ANSSI's announcement that from 2027 onward products must integrate post-quantum mechanisms to obtain a security visa, OIVs must anticipate this deadline by incorporating the PQC dimension into their procurement processes and technology roadmaps starting now.
Dissuasive penalties
The European legislator has equipped these texts with penalty mechanisms designed to ensure their effective implementation. NIS2 provides for fines of up to 10 million euros or 2% of global turnover for essential entities. DORA goes even further for critical ICT providers, with penalties representing up to 1% of daily global turnover, applied per period of non-compliance. These amounts, comparable to those under GDPR, clearly signal that cybersecurity is now a governance issue, not merely a technical one.
Post-quantum encryption as a structural response
Deploying post-quantum encryption simultaneously addresses several regulatory requirements. It satisfies the NIS2 obligation for formalized cryptographic policy. It meets the DORA requirement for quantum threat monitoring and crypto-agility. It anticipates the 2027 ANSSI obligation for OIVs. And it concretely protects data against "Harvest Now, Decrypt Later" strategies already deployed by state actors.
A network encryption solution capable of integrating post-quantum algorithms (ML-KEM, ML-DSA) in hybrid mode with classical algorithms (X25519, AES-256-GCM) enables compliance with these obligations without service disruption. The hybrid approach, recommended by France's ANSSI and Germany's BSI, guarantees security at least equal to current systems while preparing for the post-quantum era.
Timeline and practical steps
For organizations covered by NIS2, DORA or the LPM, preparation follows a three-phase timeline. From now through the end of 2026, organizations must conduct a comprehensive cryptographic inventory of their information systems. This inventory must identify every algorithm, every protocol, every certificate in use, and assess their exposure to the quantum threat. In parallel, a risk assessment by data type must determine which flows require priority migration.
Starting in 2027, security products will need to integrate post-quantum mechanisms for ANSSI submissions. Organizations must therefore have completed their evaluation phase and launched their first pilot deployments in hybrid mode. The most sensitive flows, those whose confidentiality lifespan exceeds ten years, must be treated as a priority.
By 2030, in accordance with the European PQC roadmap, the transition of high-risk systems must be complete. This deadline coincides with the most conservative estimates for the arrival of a cryptographically relevant quantum computer, leaving no margin for error.
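As an added example (not from the original article), the inventory and triage step of this timeline can be expressed as a small classifier: it labels each recorded flow by quantum exposure and flags for immediate migration those still relying on quantum-vulnerable key exchange whose confidentiality lifespan exceeds the ten-year threshold above. The Flow record, the algorithm sets and the sample inventory are constructed for illustration.

```python
"""Cryptographic inventory triage for the three-phase timeline above (added example,
not from the original article). Flows are classified by quantum exposure; those
still on quantum-vulnerable key exchange that need more than ten years of
confidentiality are flagged 'immediate' (Harvest Now, Decrypt Later exposure).
All inventory records below are constructed sample data."""
from dataclasses import dataclass
# Public-key key exchange broken by Shor's algorithm on a cryptographically relevant QC.
QUANTUM_VULNERABLE_KEX = {"RSA", "ECDH", "X25519", "X448", "DH"}
PQC_KEX = {"ML-KEM"}      # FIPS 203, as named in the article
HNDL_HORIZON_YEARS = 10   # the article's priority threshold

@dataclass
class Flow:
    name: str
    key_exchange: tuple         # ("X25519", "ML-KEM") models a hybrid handshake
    confidentiality_years: int  # how long the data must stay secret

def exposure(flow):
    """Return 'pqc-hybrid', 'pqc-only', 'vulnerable' or 'symmetric-only'."""
    has_pqc = any(a in PQC_KEX for a in flow.key_exchange)
    has_classical = any(a in QUANTUM_VULNERABLE_KEX for a in flow.key_exchange)
    if has_pqc:
        return "pqc-hybrid" if has_classical else "pqc-only"
    if has_classical:
        return "vulnerable"
    return "symmetric-only"  # e.g. pre-shared AES-256 keys; Grover only halves key strength

def triage(flows):
    """Map each flow name to 'immediate', 'planned' or 'compliant'."""
    result = {}
    for f in flows:
        if exposure(f) != "vulnerable":
            result[f.name] = "compliant"
        elif f.confidentiality_years > HNDL_HORIZON_YEARS:
            result[f.name] = "immediate"  # already exposed to harvest-now-decrypt-later
        else:
            result[f.name] = "planned"    # still must migrate before the 2030 deadline
    return result

# Constructed sample inventory (names and values are illustrative only).
SAMPLE_INVENTORY = [
    Flow("site-to-site VPN, patient records", ("X25519",), 30),
    Flow("payment API TLS, hybrid handshake", ("X25519", "ML-KEM"), 7),
    Flow("internal telemetry", ("ECDH",), 1),
    Flow("backup link, pre-shared AES-256 key", (), 25),
]

if __name__ == "__main__":
    for name, priority in triage(SAMPLE_INVENTORY).items():
        print(f"{priority:10} {name}")
```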
A wait-and-see approach is no longer an option. The texts are in force, the penalties are dissuasive, and the quantum threat transforms regulatory risk into concrete operational risk. Organizations that act now are building a lasting competitive advantage. Those that wait expose themselves to penalties, vulnerabilities and a loss of trust from their partners and clients.