EU Regulatory Brief
DORA Article 28 and Quantum Risk: What Every Bank's Third-Party Risk Team Needs to Know in 2026
June 30, 2026 · PQCClear · 8 minute read
DORA enforcement is active, not advisory. Only 6.5% of participating firms passed all 116 Register of Information data quality checks in the 2024 dry-run — and quantum cryptographic risk in the vendor portfolio is the gap most compliance programmes haven't touched yet.
Eighteen Months In, the Supervisory Picture Is Unambiguous
The Digital Operational Resilience Act came into full effect across the European Union on January 17, 2025. Eighteen months later, the supervisory picture is unambiguous: DORA enforcement is active, not advisory.
6.5%
of ~1,000 firms passed all 116 RoI data quality checks in the 2024 ESA dry-run
19
Critical ICT Third-Party Providers designated under DORA Articles 31–44
2026
EU coordinated PQC roadmap start-transition milestone
National competent authorities are now cross-referencing submitted data automatically — identifying providers absent from registers, inconsistencies with incident reporting history, and subcontracting chains claimed to be non-existent for major cloud providers. The regulatory posture in 2026 is explicitly interventionist.
Against this backdrop, one significant gap in most DORA compliance programmes has gone largely unaddressed: quantum cryptographic risk in the vendor portfolio. This post explains why quantum risk falls squarely within Article 28’s obligations, how the EU regulatory landscape has evolved through June 2026, and what your TPRM team should be doing now.
The EU PQC Regulatory Landscape as of June 30, 2026
The EU’s position on post-quantum cryptography has moved decisively from recommendation to structured mandate. NIST finalized ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) in August 2024, establishing the baseline for international interoperability. The EU aligned in June 2025 with a coordinated PQC transition roadmap: end of 2026 as the start-transition milestone, end of 2030 for high-risk systems, end of 2035 for full critical infrastructure migration.
On January 20, 2026, Brussels moved further with COM(2026) 13 final— a proposed directive amending NIS2 with, for the first time, an explicit post-quantum cryptography requirement written directly into EU law. If adopted, PQC transition policies become mandatory in each Member State’s national cybersecurity strategy.
DORA intersects this through its Article 8 requirement for crypto-agility — the ability to update cryptographic algorithms without operational disruption. The EBA has incorporated DORA readiness as a scored element in its 2024–2026 supervisory priorities, and the ECB has integrated DORA ICT risk findings directly into SREP scores. Several significant institutions received formal remediation requirements in their 2024 SREP outcome letters — non-completion risks supervisory escalation, potentially including capital add-ons.
What Article 28 Actually Requires — And Why Quantum Risk Is In Scope
Article 28 imposes a structured third-party ICT risk management regime on all in-scope financial entities. Financial entities remain fully responsible for DORA compliance even when ICT services are provided by third parties — the provider’s own compliance posture does not substitute for the institution’s obligations.
Article 28(2) — Due diligence before contracting
Assess before you sign
Before entering any new ICT arrangement, the financial entity must identify and assess all relevant risks — including the provider's security posture. A vendor running RSA-2048 or EC P-256 for key establishment is not aligned with current NIST standards. This obligation applies before signing, not after.
Article 28(4)(c) — Contractual provisions on security
Build in the right to assess
Contracts must include provisions on information security, including the right to assess the provider's ICT security practices on an ongoing basis. For critical or important functions, cryptographic assessment rights — including PQC readiness — should be explicit, not implied.
Article 28(6) — Ongoing monitoring
Reassess as standards evolve
A vendor that passes a 2025 assessment may be re-evaluated against evolving standards in 2026 and 2027 as CISA's CBOM guidance and EU roadmap milestones mature. Onboarding, service modification, or material subcontracting changes should update the register within a reasonable time.
The Register of Information and Quantum Risk
Article 28(3) requires every in-scope financial entity to maintain a complete, up-to-date Register of Information covering every ICT third-party arrangement. It’s the first document examined in every DORA supervisory review — supervisors trace from the register to criticality classification, to contract provisions, to concentration assessment, to board reporting. Gaps at any link generate findings.
Quantum risk has two implications for the register. First, security posture fields should reflect whether each provider has been assessed for PQC readiness — and if not, when. Second, concentration risk under Article 28(8) must consider shared cryptographic infrastructure: if five critical vendors all rely on the same cloud HSM provider using RSA-4096 key wrapping, that’s one systemic exposure, not five separate ones.
The 19 Designated Critical ICT Third-Party Providers
In November 2025, the ESAs designated 19 Critical ICT Third-Party Providers (CTPPs) under DORA’s Articles 31–44 oversight framework, facing direct ESA oversight including access rights, recommendations, and penalty powers. For institutions contracting with any designated CTPP, elevated due diligence for quantum risk means: requesting the CTPP’s PQC roadmap in writing, ensuring Article 30 provisions include explicit PQC assessment rights, tracking progress in the register’s monitoring fields, and flagging concentration risk where multiple critical functions share a CTPP’s cryptographic infrastructure.
What a DORA-Compliant Quantum Vendor Assessment Programme Looks Like
Component 01
Cryptographic inventory per vendor
A documented inventory of the algorithms used in each critical or important provider's services — forming your CBOM, aligned with the CISA minimum standard expected by March 2027.
Component 02
Quantum readiness scoring
A documented methodology translating the inventory into a risk-weighted assessment — scored on algorithm vulnerability, data sensitivity, data longevity, and exposure — enabling longitudinal comparability across assessment cycles.
Component 03
Contractual rights & migration expectations
Provisions requiring vendors to disclose their cryptographic inventory, provide a migration roadmap within a defined timeframe, and submit to periodic reassessment.
Component 04
Concentration risk documentation
Mapping shared cryptographic dependencies across your vendor portfolio, with a specific notation for quantum concentration in your DORA concentration risk register.
Key EU PQC Timeline Every TPRM Team Should Track
Aug 2024
NIST PQC standards finalized
Information security standard now established.
Jan 17, 2025
DORA fully applicable
Third-party risk programmes must be operational.
Apr 2025
First RoI submissions to NCAs
Register of Information active; PQC posture field relevant.
Nov 2025
19 CTPPs designated
Heightened PQC due diligence for institutions using these providers.
Jan 20, 2026
COM(2026) 13 final published
Explicit PQC requirement entering EU legislative process.
Jun 2026
EU start-transition milestone
Member States expected to begin PQC transitions.
TodayYou are here
Preparation window
The transition milestone has just opened — build your programme ahead of the next EBA guidance update.
Mar 2027
CISA CBOM minimum elements (US)
CBOM standard aligns with EU documentation expectations.
2026–2028
EBA ICT risk guidance updates expected
PQC requirements likely incorporated explicitly.
Dec 31, 2030
High-risk systems — quantum-safe
EU critical infrastructure milestone.
Dec 31, 2035
Full critical infrastructure migration
Final EU horizon.
Practical First Steps for TPRM Teams This Quarter
- 01
Add quantum cryptography questions to your standard vendor assessment questionnaire — algorithms used, whether a cryptographic inventory exists, and their PQC migration roadmap.
- 02
Prioritize critical and important providers for automated assessment. For payment processors, core banking vendors, and identity providers, an automated scan producing a CBOM is the appropriate standard of evidence — manual questionnaires alone won't satisfy supervisors here.
- 03
Document your methodology before your next review cycle. A written quantum risk assessment methodology, even preliminary, demonstrates institutional awareness that qualifies as compliance evidence.
- 04
Check your Article 30 contractual provisions. Verify the right to conduct cryptographic assessments for all critical and important providers — add this clause at next renewal, and don't wait for renewal on critical providers.
A Note on Cross-Border Exposure for US Banks
Many US banks with EU correspondent banking relationships, EU customer segments, or EU-based technology vendors have DORA-adjacent obligations they haven’t recognised. Non-EU ICT providers aren’t directly regulated by DORA — but EU financial entities must ensure contracts with those providers comply with Article 28, extending the regulation’s commercial reach well beyond EU borders.
More directly: a US bank whose payment processing vendor is DORA-regulated should expect that vendor to request quantum readiness information from the US bank’s end of the integration chain. The underlying quantum cryptographic risk does not respect regulatory boundaries.
Conclusion
DORA Article 28 is actively enforced. The 2026 supervisory posture is interventionist. Pillar 4 — third-party ICT risk management — carries the highest rate of compliance gaps in current supervisory assessments. And quantum cryptographic risk is an information security standard gap that sits squarely within Article 28’s due diligence, contractual, and monitoring obligations.
The TPRM teams that build quantum vendor assessment programmes this year will have documentation ahead of regulatory expectations. The teams that wait will be building under supervision.
Map your vendor portfolio to Article 28 today
PQCClear helps banks, credit unions, and payment processors assess the quantum readiness of their fintech vendor portfolio — generating a Cryptographic Bill of Materials and a proprietary Quantum Readiness Score for each vendor, mapped to DORA Article 28, FFIEC, and NCUA requirements.
Request accessThis post represents the editorial analysis of PQCClear as of June 30, 2026 and should not be construed as legal advice. Financial institutions should consult legal counsel and compliance advisors regarding their specific DORA obligations.
Key sources: DORA Regulation (EU) 2022/2554; EBA DORA supervisory expectations; European Commission COM(2026) 13 final (January 20, 2026); EU coordinated PQC roadmap (June 2025); NIST FIPS 203/204/205 (August 2024); Moody’s quantum sector report (May 2026); DORA Article 28 enforcement data from ESA Q1 2026 RoI submission cycle.