IV

Regulatory Landscape

Section IV

The current regulatory landscape.

Finalized NIST standards, federal mandates through 2035, the SEC cybersecurity rule, and international and sectoral pressure.


A. The NIST Post-Quantum Standards

On August 13, 2024, the U.S. National Institute of Standards and Technology (NIST) published its first three finalized post-quantum cryptographic standards. The technical designations are ML-KEM (Federal Information Processing Standard 203) for key exchange, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205), a hash-based signature scheme that sits alongside ML-DSA as an alternative relying on different mathematical assumptions. A fourth algorithm, HQC, was selected in March 2025 as an additional key-exchange alternative, and a further digital-signature standard is expected to follow.

The practical effect is that “we are waiting for a standard” stopped being a defensible answer in August 2024. The standards exist, and the major browsers, operating systems, and cloud providers have begun shipping support. A director who is told that the organization is still “evaluating” is entitled to ask what, exactly, is being evaluated, and for how much longer.

B. Federal Mandates and the 2035 Migration Horizon

Three directives drive the current federal posture. National Security Memorandum 10 (NSM-10), issued in May 2022, directed federal agencies to prioritize transitioning their cryptographic systems to quantum-resistant cryptography “with the goal of mitigating as much of the quantum risk as is feasible by 2035.” The Quantum Computing Cybersecurity Preparedness Act, passed in December 2022, required NIST to adopt the standards described above, and for the Office of Management and Budget (“OMB”) to prioritize updating government systems accordingly. OMB memorandum M-23-02, issued in November 2022, requires federal agencies to inventory all cryptographic systems and plan for migrations every year. Together, these directives commit the federal government to a cryptographic migration timeline through 2035, with the highest-priority systems migrating earlier.

We are already starting to see the impacts in the private sector from the current federal posture:

Contractors inherit the obligations. Federal contractors, grant recipients, and their subcontractors are already seeing post-quantum requirements flow into solicitations and renewals. A company that is currently bidding on federal work without a PQC story is bidding with an impediment that will only grow.

Financial regulators are aligning. The OCC and the Federal Reserve are moving in parallel. The Fed's July 2025 Cybersecurity and Financial System Resilience Report to Congress described quantum as a “significant emerging risk area.” Formal examination expectations will not lag for long.

Other sector-specific pressure to migrate. CISA published a Post-Quantum Cryptography Initiative, critical-infrastructure guidance, and, in January 2026, federal buying guidance directing procurement of PQC-capable products. HHS has requested comment on quantum computing as part of its proposed HIPAA Security Rule update.

C. The SEC Cybersecurity Disclosure Rule, in Operation

For public companies, the disclosure regime that now governs cybersecurity risk — and by direct extension, quantum-technology risk — is the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule, issued in July 2023. The rule imposes two distinct periodic obligations that have already taken effect, under which quantum-migration risk logically sits:

Annual disclosure — Item 106 of Regulation S-K. Registrants must describe, in their 10-K, the processes they use to assess, identify, and manage material cybersecurity risks; whether those risks (including from prior incidents) have materially affected or are reasonably likely to materially affect the business or its financial condition; the board's oversight of those risks; and management's role, including the management positions responsible, their expertise, and how they report to the board.

Incident disclosure — Form 8-K Item 1.05. Upon determining that a cybersecurity incident is material, a registrant has four business days to file a Form 8-K describing the nature, scope, and timing of the incident and its material impact (or reasonably likely material impact) on the company. Materiality must be determined “without undue delay.” If information is not available at the initial filing, the registrant must amend within four business days of learning it.

Two features of this rule matter especially for any public company. First, the governance disclosures in Item 106 are not abstractions — they require companies to identify, by position and by committee, who is actually monitoring material cybersecurity risks and how these risks are managed. Boards that have no documented oversight of post-quantum readiness will, under this rule, be disclosing this fact for the world to see, and raising questions with informed shareholders. Second, while recent enforcement actions involving Item 106 have waned under the current Administration, the SEC has a track record of enforcement against companies concerning misleading cybersecurity disclosures.

Cautionary Precedent

SEC & Private-Plaintiff Cybersecurity Enforcement Examples

Pearson plc (2021). An example of cautionary precedent in this area is the SEC's enforcement action against Pearson plc in August 2021. Pearson agreed to pay a $1 million civil penalty to settle SEC charges that it had described the risk of a cyber intrusion as hypothetical in a 2019 semi-annual report, and then understated the scope of the breach and overstated its security controls in a subsequent public statement.

SolarWinds (2023). In July 2023, SolarWinds' $26 million settlement of a securities fraud class action was approved by a U.S. District Court sitting in Texas. Plaintiffs alleged they had purchased SolarWinds stock in reliance on misrepresentations in its periodic disclosures and public statements that overstated the nature of its cybersecurity measures prior to a December 2020 cyber-attack. A parallel SEC enforcement action was dismissed in November 2025.

Unisys, Avaya, Check Point, Mimecast (2024). The SEC also brought enforcement actions against several companies whose information was compromised as part of the SolarWinds hack — for making materially misleading public disclosures by minimizing the scope and nature of the compromise and/or risks to their systems. All four agreed to cease-and-desist orders and civil penalties.

The lessons apply directly to quantum. Public statements or a 10-K that describes quantum-transition risk as merely theoretical or falsely touts the company's quantum readiness — while the facts show otherwise — is exactly the posture these cases have examined. Specificity protects disclosure. Generality or, worse, minimization invites challenge.

In sum, a 10-K that describes quantum-migration risk in hypothetical terms or minimizes the threat is the disclosure posture most likely to attract enforcement attention from regulators and plaintiffs' counsel alike. The safer posture is concrete: which systems are in scope, which standards are being adopted, what the migration timeline looks like, and how the board is overseeing it. Registrants in financial services, healthcare, defense, critical infrastructure, and technology should be especially diligent and deliberate.

D. International and Sectoral Developments

Europe. Germany's Federal Office for Information Security (BSI), France's Cybersecurity Agency (ANSSI), and the European Commission have each issued guidance urging quantum readiness and migration. The EU Cyber Resilience Act and the NIS2 directive strengthen cybersecurity mandates for critical sectors and impose severe penalties for noncompliance.

Financial services. The Bank for International Settlements, the Monetary Authority of Singapore, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have each moved forward with guidance addressing quantum readiness. SWIFT has announced that SwiftNet 8.0, targeted for 2027, will be post-quantum enabled. In December 2025, the BIS Innovation Hub Eurosystem Centre, in collaboration with the Bank of Italy, the Bank of France, the Deutsche Bundesbank, and SWIFT, completed Project Leap Phase 2 — an operational test that replaced traditional digital signatures with post-quantum algorithms to protect liquidity transfers in an active European payment system.

Regulatory Horizon · By Jurisdiction

United States. NSM-10, OMB M-23-02, Quantum Computing Cybersecurity Preparedness Act; NIST FIPS 203/204/205, HQC selected March 2025; SEC Item 106 and Form 8-K Item 1.05 in effect; CISA federal buying guidance, January 2026.

European Union. EU Cyber Resilience Act, NIS2 directive, EuroQCI quantum-communications backbone; BSI & ANSSI sector guidance.

Financial system. SwiftNet 8.0 (PQ-enabled, 2027); BIS Project Leap Phase 2 (December 2025); FS-ISAC quantum-readiness guidance; OCC and Federal Reserve aligning examination expectations.

Health & critical infrastructure. HHS HIPAA Security Rule update (under comment); CISA critical-infrastructure guidance; sector-specific activity expected in energy, telecommunications, water, and transportation.