Quantum Computing and DORA: Navigating the Shift to Quantum-Safe Cryptography in the Financial Sector

Quantum computing, a rapidly evolving technology, poses an imminent threat to the digital economy, particularly the financial sector. Recognizing the risks associated with quantum advancements, the European Union has introduced the Digital Operational Resilience Act (DORA), a regulatory framework designed to ensure a high level of operational resilience in the financial services sector. Entities under DORA, including credit institutions, payment institutions, insurance undertakings, and ICT service providers, are required to comply by January 17, 2025.

DORA outlines stringent requirements for ICT risk management, incident reporting, operational resilience testing, and cyber threat management. It mandates that financial entities use ICT solutions and processes that secure data transfer and prevent data breaches, authenticity impairment, and loss of data. The urgency for these measures is amplified by the potential of quantum computing to break public key cryptography algorithms, such as RSA, Diffie-Hellman, and ECC, which the financial sector relies on for transaction security and data confidentiality.

While current quantum computers are not yet fault-tolerant, their evolution is expected to pose a significant threat to the digital economy. The concept of a Cryptographically Relevant Quantum Computer (CRQC) is projected to become a reality potentially by the early 2030s. This advancement could allow attackers to harvest encrypted confidential data today and decrypt it later using quantum computing.

In response to this looming threat, the National Institute of Standards and Technology (NIST) initiated a competition in 2016 to standardize a new form of “quantum-safe” cryptography, which will run on ordinary systems but be resistant to quantum attacks. NIST selected the first four algorithms for standardization in July 2022, with a full implementation expected to take five to 15 years or more.

Quantum threats, when realized, could drastically impact the operational resilience of financial entities and disrupt the global economy. To mitigate these threats, financial entities will need to adopt quantum-safe mechanisms for data transfer, document signing, and transaction validation. This involves implementing infrastructure such as quantum-safe public key infrastructure (PKI) and key management systems, as well as ensuring the cryptographic security of third-party suppliers and cloud-based services.

In anticipation of the standardization of quantum-safe cryptography, regulatory requirements like DORA will soon mandate the adoption of these measures in the financial industry. Organizations are advised to enhance their cryptographic agility, ensuring their systems are prepared for the transition to quantum-safe cryptography. This includes assessing the enterprise cryptographic posture, developing remediation plans, improving cryptographic discovery and observability, and sponsoring programs for continuous improvement.

The migration to quantum-safe cryptography presents challenges but also opportunities for early movers. Organizations impacted by DORA should act promptly, reviewing their cryptographic posture, aligning with business priorities, and implementing a comprehensive plan to ensure their digital services and systems are quantum-safe, securing their operations against the future quantum threats.