Commission Recommendation (EU) 2024/1101 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography
EU recommendation on the transition to post-quantum cryptography
Commission Recommendation published in the Official Journal of the EU on 12.4.2024 with press release (item no. 3)
Further details
BACKGROUND (from the Commission Recommendation)
(1) Safeguarding data and securing sensitive communications are vital for Union’s society, economy, security and prosperity. Cybersecurity is of strategic importance in building ‘Europe Fit for the Digital Age’ (2), and a key objective of the Digital Decade policy programme (3).
(2) The EU Security Union Strategy (4) and the EU Cybersecurity Strategy (5) both highlight encryption as a key technology for achieving resilience, technological sovereignty and for building operational capacity to prevent cyberattacks. In fact, encryption is essential to the digital world for securing digital systems and transactions, for protecting a series of fundamental rights as well as for securing defence capabilities. The race pursued by various countries and private entities for developing quantum computing capabilities, and unlocking new potentially rewarding opportunities, poses threats to current cryptographic standards. These standards play a pivotal role in ensuring data confidentiality, and integrity, the protection of sensitive communications, and supporting essential elements of network security.
(3) The future potential development of quantum computers capable of breaking today’s encryption makes it necessary for Europe to look for stronger safeguards, ensuring the protection of sensitive communications and the long-term integrity of confidential information, i.e., by switching to Post-Quantum Cryptography as swiftly as possible. This new type of cryptography will remove the known vulnerabilities of current asymmetric cryptography and enhance the robustness against the threats posed by the malicious use of quantum computers.
(4) The Commission has been funding research and development in Post-Quantum Cryptography for over a decade, recognizing the potential threat quantum computing poses to present public key cryptography.
(5) Member States should consider migrating their current digital infrastructures and services for public administrations and other critical infrastructures to Post-Quantum Cryptography as soon as possible, inducing a fundamental shift in cryptographic algorithms, protocols and systems. As highlighted in the Commission’s recent White Paper ‘How to master Europe’s digital infrastructure needs’, this requires a coordinated effort involving government agencies, standardization bodies, industry stakeholders, researchers and cybersecurity professionals.
(6) This Commission Recommendation encourages Member States to develop a comprehensive strategy for the adoption of Post-Quantum Cryptography, to ensure a coordinated and synchronized transition among the different Member States and their public sectors. The strategy should define clear goals, milestones, and timelines resulting in the definition of a joint Post-Quantum Cryptography Implementation Roadmap. This should lead to the deployment across the Union of Post-Quantum Cryptography technologies into existing public administration systems and critical infrastructures via hybrid schemes that may combine Post-Quantum Cryptography with existing cryptographic approaches or with Quantum Key Distribution.
(7) For an effective transition to Post-Quantum Cryptography, the Post-Quantum Cryptography Coordinated Implementation Roadmap should provide the list of actions to be addressed by the Member States, including the consideration of Post-Quantum Cryptography algorithms, with a clear timeline for different phases and milestones to be reached, taking into account their interdependencies, as well as the stakeholders to be involved.
(8) For a harmonized implementation of Post-Quantum Cryptography across the Union it is essential to develop common European standards and develop a framework for identifying and selecting Post-Quantum Cryptography algorithms to be deployed in the digital networks and services across the Union. Through the active participation of EU-funded researchers, the Union is already supporting the development and testing of Post-Quantum Cryptography algorithm candidates for standards in international Post-Quantum Cryptography selection processes. This Commission Recommendation encourages Member States to work at EU-level closely with the Union’s cybersecurity experts, with the NIS Cooperation Group and with the European Union Agency for Cybersecurity (ENISA), on the evaluation and selection of the appropriate Post-Quantum Cryptography algorithms and their adoption as EU standards for a harmonized implementation across the Union.
(9) Member States and the Union should continue to cooperate actively with their international strategic partners in the development of international standards in Post-Quantum Cryptography with a view to ensuring interoperability of communications going forward.
(10) Once agreed by the Member States, the Post-Quantum Cryptography Coordinated Implementation Roadmap should serve as blueprint for the definition of the national transition plans towards Post-Quantum Cryptography, or, where national plans exist, their alignment with the common Post-Quantum Cryptography Coordinated Implementation Roadmap.
(11) To ensure progress is made against the objectives of this Recommendation, the Commission intends to monitor closely the actions taken in response to the Recommendation. Member States are therefore encouraged to submit to the Commission, upon its request, all relevant information, which they can reasonably be expected to provide, to ensure such monitoring. On the basis of the information thus obtained and all other available information, the Commission will assess the effects of this Recommendation and determine whether additional steps, including proposing binding acts of Union law, are required.
(12) This Recommendation on Post-Quantum Cryptography builds on the policy objectives set out in the EU Cybersecurity Strategy for improving the end-to-end security and resilience of the Union’s digital infrastructures and services for public administrations and other critical infrastructures; it serves the objectives of the Digital Single Market, and of the Joint Communication on European Economic Security Strategy 10919/23 (6); and it considers the risks to the physical and cyber security of critical infrastructures, as well as those identified under the recently conducted risk assessment for quantum technologies (7). It respects the fundamental rights and observes the principles recognized in particular by the EU Charter of Fundamental Rights (Articles 7, 8, and 11) and European Convention on Human Rights (Articles 8 and 10), which imply positive obligations on governments to minimize the risk of unlawful access and control of information, necessitating the safeguarding and promotion of cryptographic technologies.