Post-Quantum Cryptography in Europe: Risks, Strategy and Portugal as a National Case Study in the NIS2 Transition

Abstract

With Shor’s and Grover’s algorithms compromising the mathematical core of legacy RSA and ECC, the active threat of ‘Harvest Now, Decrypt Later’ (HNDL) campaigns is already accelerating the rollout of Post-Quantum Cryptography (PQC). This paper examines the gap between EU compliance mandates, specifically NIS2 Directive and the Cyber Resilience Act, and the actual engineering of quantum-safe systems. We push 'hybrid cryptography’ as the immediate standard, layering NIST primitives like ML-KEM and ML-DSA over classical protocols to enforce redundancy in constrained environments. We use the NIST IR 8547 framework to organise migration into discovery, prioritisation, and modernisation. Using Portugal as a national case study, this paper examines how EU-level PQC governance is translated into national implementation through the CNCS, QNRC, and PTQCI frameworks. Ultimately, success depends on building PQC expertise in Portugal while rebuilding cryptographic foundations for the quantum era.