The EU issued a Post-Quantum Cryptography (PQC) roadmap in June 2025 requiring all member states to begin migrating critical infrastructure to quantum-resistant encryption by end of 2026, with completion mandated by 2030. This is the most aggressive government-mandated cryptographic migration timeline in the world.
The threat is 'harvest now, decrypt later': adversaries are already intercepting and storing encrypted communications that current quantum computers cannot break, but future quantum computers could. Financial transactions, diplomatic communications, military orders, and healthcare records encrypted today may be readable within 10-15 years. The migration must happen before quantum computers are powerful enough to break current encryption — not after.
Europe's regulatory-first approach (mandate migration timelines, then support implementation) follows the GDPR playbook. NIST standardized PQC algorithms in 2024; the EU is now forcing adoption timelines. European cryptography companies and research institutions (CWI Amsterdam, INRIA France, universities across Germany) contribute significantly to PQC algorithm development and implementation. The ENISA (EU Agency for Cybersecurity) coordinates the migration across 27 member states.