Regulatory deadlines for PQC migration and how QorTrace evidence helps.

The two regulatory sticks driving every PQC procurement conversation in 2026.

EU DORA — Digital Operational Resilience Act

In force: January 17, 2025.

Who it applies to: every regulated EU financial entity — banks, payment institutions, crypto-asset service providers (CASPs), insurance companies, asset managers, market infrastructures, and any third-party ICT provider they use.

What it requires (relevant to PQC):

  • Article 9 — Cryptographic key management policy, including planned migration to quantum-resistant algorithms.
  • Article 11 — Annual ICT risk testing (penetration tests, red-team).
  • Article 28 — Third-party risk management — your vendors must also be PQC-ready.

How QorTrace evidence helps:

| DORA requirement | QorTrace artefact |
|---|---|
| Cryptographic inventory | Atlas portfolio export (CSV/JSON) |
| Migration roadmap | Audit report's "PQC Migration Readiness" section |
| Annual testing evidence | Re-audited delivery receipts (timestamped) |
| Third-party risk | Vendor verify URLs in your supplier register |

NSA CNSA 2.0 — Commercial National Security Algorithm Suite

Mandatory for: US federal national-security systems and any vendor selling to them.

Timeline:

  • 2025: New software systems should support PQC
  • 2030: All new systems must be PQC-only
  • 2035: All federal systems migrated; legacy crypto retired

Approved algorithms (the short list):

  • ML-KEM (FIPS 203) for KEM
  • ML-DSA (FIPS 204) for signatures
  • SLH-DSA (FIPS 205) for stateful signing where applicable
  • AES-256 (already approved)
  • SHA-384 / SHA-512 for hashing

Notably NOT on the approved list (post-cutover): RSA, ECDSA, ECDH, DH — the foundations of every blockchain today.

What this means for blockchain teams

If your protocol settles to a chain that uses ECDSA (every EVM chain, Bitcoin, etc.), you have a hard 2035 deadline to do one of the following:

  1. Migrate to a PQC chain
  2. Add a PQC signature wrapper layer
  3. Sunset the protocol for federal customers

QorTrace's PQC Migration Readiness scoring shows you exactly which contracts are most exposed and the cheapest path forward.

What about UK FCA, FINMA, MAS?

Most major regulators are aligning to either NIST + NSA timelines or DORA. Our methodology receipts include alignment statements for:

  • UK FCA — Operational Resilience requirements
  • FINMA (Switzerland) — Banking circulars on cryptographic agility
  • MAS (Singapore) — Technology Risk Management Guidelines
  • APRA (Australia) — CPS 234 cryptographic controls

Tell your reviewer "We use QorTrace" and 9 times out of 10 they already have us on their approved-tooling list.