Finland’s National Cryptography Working Group issues guidelines for post-quantum cryptography adoption, effective January 2026, to ensure quantum-safe key exchange and digital signatures.
Current classical public-key cryptographic methods are vulnerable to powerful quantum computers, and multiple international projects are therefore underway to standardize quantum-secure algorithms (PQC, post-quantum cryptography).
Finland’s national cryptography working group has adopted the following guidelines for national cryptographic product evaluations starting 1 January 2026:
- From 1 January 2026 onwards, the use of quantum-secure key encapsulation methods (PQC KEM) will be required in products submitted for evaluation. In addition, the use of hybrid methods in key establishment is strongly recommended. This means combining a PQC KEM algorithm with a classical key exchange method, which can be implemented according to widely used standards. The relevant standards are at the time of writing still in draft stage, and thus guidance on hybrid methods – especially on how to combine keys from different methods – will be refined later.
- From 1 January 2026 onwards, products submitted for evaluation must use quantum-secure signature algorithms – or provide documentation explaining how quantum security risks are addressed in the product. The use of hybrid methods is recommended. For signatures, hybridization can be implemented simply by concatenating the signatures produced by the different algorithms and accepting the hybrid signature only if all component signatures validate. As with key establishment, standardization of hybrid signature methods is still in progress, and more detailed guidance will be offered later.
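The concatenate-and-require-all rule for hybrid signatures described above, as an added example that is not part of the working group's guidance. The 2-byte length prefix, the function names and the sample keys are assumptions, and the two component schemes are keyed-MAC stand-ins for a classical and a PQC signature algorithm so that the block runs with the Python standard library alone.

```python
import hashlib
import hmac
import struct

# Stand-in component schemes (assumption): keyed MACs take the place of a
# classical and a PQC signature algorithm. A real product plugs in the
# sign/verify functions of its actual algorithms here.
def _mac_scheme(digest):
    def sign(key, msg):
        return hmac.new(key, msg, digest).digest()
    def verify(key, msg, sig):
        return hmac.compare_digest(sign(key, msg), sig)
    return sign, verify

SCHEMES = [_mac_scheme(hashlib.sha256), _mac_scheme(hashlib.sha3_256)]

def hybrid_sign(keys, msg):
    """Concatenate component signatures, each behind a 2-byte length prefix."""
    out = b""
    for (sign, _), key in zip(SCHEMES, keys):
        sig = sign(key, msg)
        out += struct.pack(">H", len(sig)) + sig
    return out

def split_components(blob):
    """Parse the length-prefixed concatenation; None if it is malformed."""
    parts, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            return None  # dangling bytes that cannot hold a length field
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if pos + n > len(blob):
            return None  # component claims more bytes than remain
        parts.append(blob[pos:pos + n])
        pos += n
    return parts

def hybrid_verify(keys, msg, blob):
    """Accept only if every expected component is present and validates."""
    parts = split_components(blob)
    if parts is None or len(parts) != len(SCHEMES):
        return False  # stripped, extra or truncated component
    results = [verify(key, msg, sig)
               for (_, verify), key, sig in zip(SCHEMES, keys, parts)]
    return all(results)  # AND composition, after running every verifier

# Constructed sample keys and message.
KEYS = [b"classical-demo-key", b"pqc-demo-key"]
MSG = b"firmware-image-v1"
```

Checking the component count before verifying is what rejects a hybrid signature from which one component has been stripped; without it, the scheme would be only as strong as whichever algorithm remains.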
Furthermore, the national cryptography working group recommends that the national PQC transition is carried out in accordance with the timelines proposed by the European Union:
- In high-risk systems (i.e. those under a “harvest-now-decrypt-later” threat), symmetric key generation methods and software / system update authentication methods should be made quantum-secure by 2030.
- All public-key methods should be quantum-secure by 2035.
Read more about this topic (in Finnish) at:
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/suomen-kansallisen-kryptotyoryhman-linjaukset-kansallisiin-pqc
