ITS blog: News in the field of post-quantum cryptography – February 2026

The beginning of 2026 brought fundamental shifts in the field of post-quantum cryptography – from updated NIST standards to new legislative proposals from the European Commission.

Tech giants such as Google and Cloudflare are integrating PQC across their platforms, while researchers are warning of new AI-assisted attacks targeting early software implementations. This overview summarizes key events and their practical implications for IT infrastructure and corporate strategic planning.

Standardization: Diversification and agility as a fundamental pillar

In January 2026, NIST published an updated roadmap marking the 10th anniversary of the launch of the PQC project. This year, the draft standard for the HQC (Hamming Quasi-Cyclic) algorithm, which serves as a code-based backup for the lattice-based ML-KEM algorithm, is to be finalized. At the same time, specifications for so-called "on-ramp" signatures are being prepared.

In February 2026, an expert review of NISTIR 8547 (Transition to PQC) took place, which redefines the requirements for cryptographic agility. The document emphasizes in particular that hardware deployed in 2026 must be capable of upgrading to PQC standards without physical replacement.

Key impacts and recommendations (Executive Briefing)

• Adding the HQC algorithm as a backup means that European companies cannot rely solely on lattice-based cryptography.
• If a weakness were to appear in algorithms such as ML-KEM, systems built purely on them would be vulnerable.
• Strategic planning requires the implementation of schemes that enable switching to alternative mathematical families without completely rewriting the system.
• NISTIR 8547 is becoming a key document for auditors and purchasers. In the Czech Republic, auditors will refer to it when checking compliance with cyber security legislation.
• Purchasing hardware that is not "crypto-agile" (firewalls, HSM modules, routers) creates technological debt. Every new tender must require software definability of encryption algorithms.

Industrial implementations: PQC as the new standard for operation

The integration of post-quantum security is becoming a priority for major technology players. On February 6, 2026, Google officially announced its commitment to the widespread integration of PQC across its entire ecosystem. PQC is now a key element of AI system security, enabling the protection of models and training data against future quantum attacks.

Cloudflare also announced the widespread deployment of the ML-KEM hybrid key for Cloudflare One (SASE) services. Implementation took place as part of beta testing of WAN-as-a-Service and IPsec during January 2026.

Pragmatic impact for CZ/EU networks

• AI models are becoming a key corporate asset, and protecting them with PQC is essential for the long-term security of intellectual property.
• Local developers using Google APIs must take into account communication via PQC tunnels, which can put a strain on older integration servers.
• Longer PQC keys can cause packet size issues or higher handshake latency with Cloudflare.
• The CISO must initiate an audit of MTU parameters and permeability in the corporate network before activating PQC modes.

Research and attacks: AI as a tool for breaking implementations

In January 2026, F5 Labs published a research report highlighting the rise of AI-assisted side-channel analysis targeting early PQC implementations. While the algorithms themselves are mathematically robust, their software implementations may contain vulnerabilities.

In January 2026, ISACA also published a "12-Month Playbook" highlighting the risks of "Harvest Now, Decrypt Later" (HNDL) attacks, which are significantly accelerating the adoption of PQC, particularly in the banking sector.

Protective measures and audits

• Attackers use AI to analyze microscopic changes in time or processor power consumption during encryption.
• The source code audit must verify that the PQC implementation does not exhibit side-channel leaks.
• Companies must use only certified cryptographic libraries (e.g., Bouncy Castle, WolfSSL) and avoid their own unverified implementations.
• If an organization archives sensitive data with a requirement for long-term confidentiality (e.g., 20+ years), it must be able to demonstrate protection against HNDL attacks. Without a plan for data encryption, the organization will soon fail its audit.

Legislation: From recommendations to enforcement

The pressure to adopt PQC is shifting to the regulatory level. On January 23, 2026, the US CISA published a list of product categories (cloud, network hardware, endpoint security) that must support PQC.

On January 20, 2026, the European Commission presented a proposal for a directive (COM(2026) 13) supplementing NIS2. The document emphasizes a harmonized approach to migration to PQC and strengthening the resilience of supply chains.

Impacts on infrastructure and compliance management

• The CISA regulation will also affect Europe – global suppliers will not produce hardware versions without PQC support specifically for the European market.
• Czech companies will begin receiving PQC technology automatically as part of updates, so it is necessary to manage its activation to prevent network overload.
• New EU directive introduces mandatory inventory of cryptographic assets.
• Critical infrastructure entities must map the encryption mechanisms used and prepare a detailed migration schedule. Without knowledge of the occurrence of RSA in the network, it will not be possible to demonstrate compliance with the directive.

Conclusion

Post-quantum cryptography is rapidly becoming the new operational standard across all layers of IT—from the need to ensure cryptographic agility in hardware to controlling MTU parameters in network infrastructure. Organizations must immediately begin inventorying their cryptographic assets and move from isolated tests to a comprehensive migration plan.

If you are interested in consulting on auditing your network throughput and cryptographic infrastructure in terms of PQC readiness, I will be happy to help you with the analysis.

text: František Kovařík, ITS