The EU Has Set a Deadline. Does Your Business Know About It?

Kovi · 5 min read

Picture this. Your legal team walks in and tells you: you have five years to replace every lock in the building. Not because the current locks are broken. Because a new type of lock pick is coming — and once it arrives, your old locks will open in seconds.

That's the situation European businesses are in with encryption. The EU knows it. The regulators know it. And in June 2025, they published a roadmap with a clear deadline: 2030.

The question is whether your business knows it too.


What does the EU roadmap actually say?

In June 2025, the European Union Agency for Cybersecurity (ENISA) published its Post-Quantum Cryptography Roadmap — a detailed plan for how critical infrastructure across Europe should migrate to quantum-safe encryption.

The core message is straightforward: RSA and ECC — the algorithms protecting most of your systems today — are mathematically vulnerable to quantum computers. ENISA wants critical infrastructure to complete this migration by 2030.

This isn't a suggestion. It's a coordinated policy, and the regulatory framework behind it is already in force.


Who exactly does this affect?

You might think this only applies to government agencies or defence contractors. It doesn't.

NIS2 — the EU's updated cybersecurity directive, which came into force in October 2024 — covers a broad range of sectors:

  • Energy: electricity, oil and gas, district heating
  • Finance: banks, insurance, and market infrastructure
  • Healthcare: hospitals, pharmaceutical manufacturers, and labs
  • Transport: aviation, railways, shipping, and road logistics
  • Digital infrastructure: cloud providers, data centres, DNS, and CDN operators
  • Public administration: central and regional government bodies

DORA — the Digital Operational Resilience Act for financial services — went live in January 2025 and explicitly requires firms to assess and address risks from emerging technologies, including quantum computing. If your business operates in any of these sectors in the EU, the quantum migration is not a choice.


Why 2030 is closer than it looks

Five years sounds like plenty of time. It isn't.

Migrating cryptographic infrastructure is not like updating an app. Every system that uses encryption needs to be inventoried, assessed, and migrated: TLS certificates, JWT tokens, API keys, signing certificates, encrypted database fields, backup encryption — it's everywhere, and most organisations don't even have a full inventory.

In practice, organisations that have started this work report it takes two to four years from the first audit to full migration. Some have been working on it since 2022 and still aren't finished.

Do the maths. If you start in 2027, you reach 2030 with unfinished work and a regulator waiting for answers.


Three things you can do right now

The good news is that you don't need to solve everything at once. Post-quantum migration is a programme, not a single project. Here's a practical starting point:

  1. Map your cryptographic inventory. Where are you using RSA or ECC today? It's in your TLS configuration, your JWT signing keys, your SSH access, your code signing certificates — almost certainly everywhere. You can't prioritise what you haven't mapped.
  2. Classify your data by longevity. Which data will still be sensitive in 2030 or beyond? Customer records, medical data, financial transactions, trade secrets — anything with a shelf life longer than the time until quantum computers arrive is already exposed to harvest-now-decrypt-later attacks.
  3. Start new systems right. When you build new APIs, services, or integrations, use post-quantum algorithms from day one. FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) are finalised, standardised, and production-ready. There's no reason to start a new system on RSA today.
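
To make step 1 concrete, here is an added example (not part of the original post and not QuantumAPI code): a small Python pass that flags JWTs and SSH public keys relying on RSA or ECC. The function names are hypothetical, and the locations, tokens and key lines in SAMPLE are constructed for illustration.

```python
import base64
import json

def jwt_family(token):
    """Classify a JWT by the 'alg' in its (unverified) header."""
    head = token.split(".")[0]
    head += "=" * (-len(head) % 4)          # restore stripped base64url padding
    alg = json.loads(base64.urlsafe_b64decode(head)).get("alg", "")
    if alg[:2] in ("RS", "PS"):             # RS256, PS256, ...: RSA signatures
        return alg, "RSA"
    if alg[:2] == "ES" or alg == "EdDSA":   # ECDSA and Edwards-curve signatures
        return alg, "ECC"
    return alg, "other"                     # e.g. HS256 (symmetric HMAC)

def ssh_family(line):
    """Classify an authorized_keys or .pub line by its key-type field."""
    for field in line.split():              # options may precede the key type
        name = field[3:] if field.startswith("sk-") else field  # FIDO-backed keys
        if name.startswith("ssh-rsa"):
            return field, "RSA"
        if name.startswith(("ecdsa-sha2-", "ssh-ed25519")):
            return field, "ECC"
    return "", "other"

def inventory(items):
    """items: (location, kind, value) tuples; returns the RSA/ECC-based ones."""
    classify = {"jwt": jwt_family, "ssh": ssh_family}
    findings = []
    for location, kind, value in items:
        name, family = classify[kind](value)
        if family in ("RSA", "ECC"):
            findings.append((location, name, family))
    return findings

def fake_jwt(alg):
    """Build a constructed token; only the header matters for this check."""
    head = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return head.decode().rstrip("=") + ".e30.sig"

# Constructed sample inventory (locations and key material are placeholders).
SAMPLE = [
    ("api-gateway", "jwt", fake_jwt("RS256")),
    ("internal-svc", "jwt", fake_jwt("HS256")),
    ("mobile-backend", "jwt", fake_jwt("ES256")),
    ("bastion:authorized_keys", "ssh", "ssh-rsa AAAAB3NzaC1yc2E... ops@example"),
    ("ci:deploy.pub", "ssh", 'command="/usr/bin/deploy" ssh-ed25519 AAAAC3Nz... ci@example'),
]

if __name__ == "__main__":
    print(*inventory(SAMPLE), sep="\n")
```

The same pattern extends to the other places the list names, such as TLS and code-signing certificates, once a certificate parser is available.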

This is exactly what QuantumAPI is for

At Kovimatic, we built QuantumAPI specifically for this transition. Not as a research project. Not as a proof of concept. As production infrastructure you can use today.

QuantumKeys gives you ML-KEM and ML-DSA via a REST API — quantum-safe encryption without needing cryptographic expertise in-house. QuantumVault manages your secrets and keys using the same post-quantum standards. QuantumID handles authentication and MFA with quantum-resistant protocols.

All deployed on European infrastructure, under EU jurisdiction, with a full audit trail that satisfies NIS2 requirements.

The 2030 deadline is real. The regulators are serious. And the organisations that start now will be in a very different position from those that wait until the final year.

Kovi is the founder of Kovimatic, building quantum-safe infrastructure for European enterprises.
