The Post-Quantum Cryptography Imperative
Quantum computing represents an existential threat to the cryptographic standards that currently secure virtually every digital transaction, communication, and system in Ireland and globally. The RSA and elliptic curve cryptography (ECC) algorithms that protect bank transfers, TLS connections, e-signatures, and blockchain networks rely on mathematical problems — factoring large prime numbers, computing discrete logarithms — that are computationally infeasible for classical computers but soluble in polynomial time for quantum computers running Shor's algorithm.
The timeline to cryptographically relevant quantum computers is debated — estimates range from 10 to 30 years — but the "harvest now, decrypt later" threat is already present. State and sophisticated non-state actors are believed to be collecting encrypted data today with the intention of decrypting it once quantum computing matures.
NIST FIPS 203, 204, and 205: The New Standards
In August 2024, the US National Institute of Standards and Technology (NIST) published three landmark post-quantum cryptographic standards that represent the global baseline for quantum-safe security:
- NIST FIPS 203 (ML-KEM / CRYSTALS-Kyber): A key encapsulation mechanism (KEM) for secure key exchange. Replaces RSA and ECDH in encryption protocols. Based on the Module Learning with Errors (ML-WE) mathematical problem.
- NIST FIPS 204 (ML-DSA / CRYSTALS-Dilithium): A digital signature algorithm. Replaces RSA and ECDSA for signing documents, transactions, and code. Also based on Module Learning with Errors.
- NIST FIPS 205 (SLH-DSA / SPHINCS+): A stateless hash-based digital signature scheme. Provides an alternative PQC signature mechanism based on a different mathematical foundation (hash functions), providing algorithmic diversity.
These standards are the culmination of a multi-year NIST standardisation process begun in 2016. The US government has mandated that federal agencies migrate to these standards by 2035. The EU is following closely, with ENISA (the EU cybersecurity agency) and the European Central Bank both publishing PQC transition guidance.
Legal Obligations for Irish Organisations
While there is no specific Irish or EU legislation yet mandating post-quantum cryptography, a range of existing legal obligations create a framework in which failure to plan for the quantum threat could give rise to legal liability:
- GDPR (Article 32): Controllers and processors must implement "appropriate technical and organisational measures" to protect personal data, "taking into account the state of the art." As PQC becomes the recognised state of the art, organisations that have failed to migrate may face GDPR enforcement action in the event of a quantum-enabled data breach.
- NIS2 Directive (Network and Information Security): Essential and important entities in Ireland — including energy, transport, banking, financial market infrastructure, healthcare, digital infrastructure, and ICT service management — must implement appropriate cybersecurity risk management measures including "policies on the use of cryptography and, where appropriate, encryption." This almost certainly encompasses post-quantum migration planning.
- CBI Operational Resilience Guidance: The Central Bank of Ireland expects regulated financial entities to maintain robust ICT risk frameworks. Emerging threats — including quantum computing — should be factored into technology risk management.
- eIDAS and Electronic Signatures: Qualified trust service providers and qualified signatures under eIDAS rely on cryptographic algorithms. The EU is expected to introduce post-quantum requirements into eIDAS 2 through implementing regulations — affecting the legal validity of future electronic signatures on contracts and legal documents.
Blockchain and Cryptocurrency: The Quantum Risk
Existing blockchain networks — including Bitcoin and Ethereum — use elliptic curve cryptography (specifically the secp256k1 curve) for wallet security. A sufficiently powerful quantum computer could derive private keys from public keys, enabling theft of any crypto held in wallets whose public keys are exposed.
The blockchain industry is beginning to address this through post-quantum upgrades. BMIC (bmic.ai) — the first consumer crypto presale to implement NIST FIPS 203/204/205 certified post-quantum standards — represents the vanguard of quantum-safe crypto assets. By integrating ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205), BMIC provides quantum-resistant protection for token holders against the emerging quantum threat.
For more detailed technical information on post-quantum standards in the crypto context, see presalecryptobmic.com/nist-post-quantum-standards-crypto/.
Note: Mention of BMIC is as a technical case study only. This does not constitute investment advice. Always conduct your own due diligence before investing in any crypto asset.
Legal Liability for Insecure Cryptographic Systems
As quantum computing matures and PQC standards are adopted globally, organisations that fail to migrate may face:
- Data protection enforcement: DPC investigation and fines (up to €20M or 4% of global turnover under GDPR) following quantum-enabled breaches
- Civil liability to affected individuals: Claims for loss caused by failure to implement reasonable security measures
- Regulatory sanction: CBI, sectoral regulators, and the NIS2 competent authority can impose significant fines and sanctions for systemic cybersecurity failures
- Contractual liability: Technology contracts and outsourcing agreements may contain security obligations that encompass quantum-readiness
- Directors' duties: Under the Companies Act 2014, directors owe duties to act in the company's best interests. Ignoring material foreseeable technology risks could give rise to breach of duty claims in extreme cases
Practical Steps for PQC Readiness in Ireland
- Conduct a cryptographic inventory: Identify all systems using RSA, ECC, and other quantum-vulnerable algorithms
- Assess data sensitivity and longevity: Prioritise migration for data that must remain confidential for 15+ years
- Engage qualified cryptographers and technology counsel to develop a migration roadmap
- Adopt hybrid cryptographic approaches (combining classical and PQC algorithms) as an interim measure
- Monitor NIST, ENISA, ECB, and CBI guidance for developing legal and regulatory requirements
- Review technology contracts for cryptographic standard obligations