Post-Quantum eIDAS Signatures: 7 Questions for Your TSP
NIST finalised post-quantum signature standards in 2024. The EU requires national PQC strategies by end of 2026. Most eIDAS signatures still use RSA. Seven questions for your TSP.
Post-quantum cryptography for eIDAS signatures is now standardised. NIST finalised three PQC standards on 13 August 2024; the European Commission's Coordinated Implementation Roadmap (June 2025) requires every Member State to have a national PQC strategy by end of 2026. Most eIDAS signatures still use RSA or ECDSA. Below are seven questions every regulated organisation should ask its trust service provider in 2026.
For organisations that rely on eIDAS-grade electronic signatures (banks, law firms, logistics platforms, public administrations, regulated industries), this is a governance question more than a cryptography one. The algorithms exist. The standards exist. What is still patchy is the commercial readiness of the trust service providers who sit between regulated users and the cryptography.
This is not a vendor pitch. This is a checklist of the questions you should be sending to every trust service provider, eIDAS Qualified TSP, signing platform, and timestamp authority you rely on, now, while there is still time to course-correct.
Signatures Are Different From Encryption (Mostly)
Before the questions, a point of clarification. Much of the post-quantum conversation is dominated by "harvest now, decrypt later": adversaries collecting encrypted traffic today to break it when a cryptographically relevant quantum computer arrives. For encryption, that threat is live and silent. For signatures used for authentication (a login, a single transaction), the threat is different: the signature only needs to be unbreakable at the moment it is verified. If the algorithm is classical (RSA, ECDSA) today and quantum-safe by the time the verification is replayed in 2035, you are fine, because that historical signature was valid when relied upon.
There is one major exception where "harvest now" does apply to signatures: long-term signatures. ETSI defines four levels of AdES signatures: B-B (baseline), B-T (timestamp), B-LT (long-term), and B-LTA (long-term archival). B-LTA signatures are designed to remain verifiable for decades. (Under NIS2 Article 21(2)(h), cryptography policy is now a measurable audit item for essential entities.) A B-LTA signature created today with ECDSA and timestamped with a classical RSA TSA certificate must remain cryptographically credible when challenged in 2040. If a quantum computer arrives before then and the archival chain has not been re-timestamped with PQ algorithms, the signature's legal weight is questionable.
This is why the post-quantum question is not a 2035 problem for signature infrastructure. It is a today problem.
Where the Standards Landed
NIST finalised three post-quantum standards on 13 August 2024 (NIST CSRC announcement):
- FIPS 203: ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-Kyber). For key establishment, not signatures.
- FIPS 204: ML-DSA (Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium). The primary post-quantum signature standard.
- FIPS 205: SLH-DSA (Stateless Hash-Based Digital Signature, derived from SPHINCS+). A conservative alternative relying only on hash-function security.
In addition, NIST SP 800-208 defines stateful hash-based signatures (LMS and XMSS). These are particularly relevant for long-lived signatures because their security assumptions are the strongest available.
The European national authorities have already weighed in with their preferences:
- ANSSI (France) recommends ML-DSA, FN-DSA (Falcon) at Level 3/5, SLH-DSA, and LMS/XMSS. Critically, ANSSI requires hybrid signatures (classical + PQ) except for hash-based schemes, which may be used standalone (PQCC International Requirements).
- BSI (Germany) recommends SLH-DSA or ML-DSA Levels 3 and 5 and LMS/XMSS in multi-tree variants for long-term signatures. BSI also requires hybrid signatures, with the same exception for hash-based schemes.
- NCSC (United Kingdom) recommends ML-DSA-65, SLH-DSA, and LMS/XMSS, but prefers pure post-quantum signatures over hybrid approaches.
That last divergence, hybrid vs pure, is the single most important signal that your trust service provider cannot lock themselves into any one algorithm today. France and Germany will likely mandate hybrids for regulated eIDAS signatures. The UK prefers pure. The EU member states are still discussing. Any TSP that commits prematurely will have to re-engineer.
The Regulatory Timeline
| Jurisdiction / body | 2026 milestone | 2030 milestone | 2035 milestone |
|---|---|---|---|
| EU Coordinated Implementation Roadmap (June 2025, Member States via NIS CG PQC workstream) | National PQC strategy in place; pilots launched for high- and medium-risk use cases | Critical infrastructure transitioned to PQC | Full transition completed "for as many systems as practically feasible" |
| ENISA Roadmap | Initial national transition roadmaps; identification and awareness | High-risk use cases transitioned | Full transition |
| CNSA 2.0 (NSA, United States) | Vendors should support and prefer CNSA 2.0 algorithms for new software, firmware and public-facing systems by end of 2025; new NSS acquisitions must be CNSA 2.0-compliant from January 2027 | All deployed NSS software and firmware transitioned to CNSA 2.0-compliant signatures | Fully quantum-resistant NSS |
| UK NCSC three-phase migration | Phase 1 (to 2028): identify cryptographic services, build migration plan | Phase 2 (2028-2031): execute high-priority upgrades | Phase 3 (2031-2035): complete PQ migration |
Three points that follow directly from the table:
- The 2026 milestone is 8 months away for the EU. If your TSP has no published PQC strategy by end of 2026, they will be behind the regulation that governs them.
- The 2030 milestone is 4 years away. CNSA 2.0 and EU critical-infrastructure migration both target this date. Signature infrastructure that supports only classical algorithms at 2030 is an operational liability.
- 2035 is the full-transition horizon. This is the date by which AdES-LTA signatures currently being created need to have a credible re-signing path.
What "Crypto-Agile" Actually Means
Providers will say they are "crypto-agile" or "PQC-ready." What these phrases are supposed to mean, in practice:
- The signature production stack is abstracted from the specific algorithm: adding ML-DSA or swapping it out for FN-DSA does not require re-architecting the platform.
- Certificate issuance supports multi-algorithm certificates or is engineered to do so.
- Timestamp authority infrastructure is separable from the signing stack and can be upgraded independently.
- Long-term validation material (AdES-LTA) can be re-timestamped with PQ algorithms when the time comes, with cryptographically provable continuity of the original signature.
- The provider can show a roadmap with milestones, not just marketing language.
What "crypto-agile" should not mean:
- Vague commitment to "follow the standards when they are ready" (they are ready).
- A single algorithm choice baked into the signing stack.
- No written timeline for AdES-LTA re-signing of existing archived signatures.
- No answer to hybrid-vs-pure strategy for EU member-state regulated use cases.
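The re-timestamping continuity described above can be modelled as a chain check (an added example, not code from IdentiGate or any TSP): each layer seals everything before it, and a layer stays credible only if the next one was added before its algorithm's sunset. The `SUNSET` dates, the `Layer` type and the function names are assumptions of this model, which hashes metadata only and verifies no real signatures.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Assumption for this model: classical algorithms stop being credible at the
# 2035 planning horizon; date.max means no sunset is assumed.
SUNSET = {"RSA": date(2035, 1, 1), "ECDSA": date(2035, 1, 1),
          "ML-DSA": date.max, "SLH-DSA": date.max}

@dataclass(frozen=True)
class Layer:
    alg: str       # algorithm protecting this layer
    issued: date   # when the layer was created
    covers: bytes  # digest of the document hash plus all earlier layers

def digest(doc_hash, earlier):
    """Hash the document digest and every earlier layer, in order."""
    h = hashlib.sha256(doc_hash)
    for layer in earlier:
        h.update(f"{layer.alg}|{layer.issued.isoformat()}|".encode() + layer.covers)
    return h.digest()

def add_layer(doc_hash, chain, alg, issued):
    """Layer 0 models the signature; later layers model archive timestamps."""
    return chain + [Layer(alg, issued, digest(doc_hash, chain))]

def assess(doc_hash, chain, today):
    """Return findings; an empty list means the chain is credible at `today`."""
    findings = []
    for i, layer in enumerate(chain):
        if layer.covers != digest(doc_hash, chain[:i]):
            findings.append(f"layer {i}: digest does not cover prior material")
        sunset = SUNSET.get(layer.alg)
        if sunset is None:
            findings.append(f"layer {i}: unknown algorithm {layer.alg}")
            continue
        # Credible if still inside its sunset, or sealed by the next layer
        # before the sunset passed.
        renewed = i + 1 < len(chain) and chain[i + 1].issued < sunset
        if today >= sunset and not renewed:
            findings.append(f"layer {i}: {layer.alg} not renewed before {sunset}")
    return findings

# Constructed sample: ECDSA signature with an RSA timestamp, checked in 2040.
DOC = hashlib.sha256(b"constructed sample contract").digest()
classical = add_layer(DOC, add_layer(DOC, [], "ECDSA", date(2026, 3, 1)),
                      "RSA", date(2026, 3, 1))
renewed = add_layer(DOC, classical, "ML-DSA", date(2031, 6, 1))
late = add_layer(DOC, classical, "ML-DSA", date(2036, 6, 1))

if __name__ == "__main__":
    for name, chain in [("classical", classical), ("renewed", renewed), ("late", late)]:
        print(name, assess(DOC, chain, date(2040, 1, 1)))
```

The `late` chain fails even though it ends in a post-quantum layer, because the renewal arrived after the assumed sunset of the RSA timestamp it was meant to protect.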
The Seven Questions to Send Your TSP
- Which NIST-approved post-quantum signature algorithms does your signature stack already support today (ML-DSA, SLH-DSA, LMS/XMSS, FN-DSA)? Which are in production, which are in pilot? A TSP that cannot name the algorithms has not started.
- What is your written PQC migration roadmap, including the dates at which each of your trust services (signing, timestamp, long-term validation, certificate issuance) will support post-quantum primitives in production? The EU Coordinated Roadmap asks you to have yours by end of 2026. Your TSP needs one too.
- How will you handle AdES-LTA documents that have already been archived under classical signatures? What is your re-timestamping procedure, on what timeline, and who bears the cost? The answer "we will advise customers when the time comes" is not a plan.
- Do you offer hybrid signatures (classical + PQ) today for customers in France and Germany, where ANSSI and BSI guidance requires them? If not, when? This is the single hardest commercial question because hybrid signatures carry real engineering complexity.
- Is your timestamp authority infrastructure separable from your signing stack, and will your TSA certificates be migrated to PQ algorithms on the same schedule as your signing CA certificates? AdES-LTA depends on TSA trust continuity as much as on the signing certificate.
- What is your crypto-agility contract commitment? Specifically, will you migrate a given customer's signature workflow to a newly mandated PQ algorithm within a defined SLA after it is standardised, and at what cost? This is where marketing claims meet contract terms.
- Can you produce a verification chain for a signature you issue today that will remain verifier-independent (not dependent on your proprietary platform) in 2035? Verifier-independence is the real test of signature infrastructure. A signature that only your TSP can verify is not a signature; it is a login.
Frequently Asked Questions
When will quantum computers actually break RSA and ECDSA? Most expert timelines place a cryptographically relevant quantum computer 15-25 years out, though the range is wide and accelerating. The NSA and NIST have chosen 2035 as a planning horizon. For signatures, the more practical question is not when RSA breaks but whether your archival signatures have a credible re-signing path.
Is my current AdES signature immediately at risk? No. A signature that is valid today and verified today remains valid. The exception is AdES-LTA archived signatures that must remain legally defensible over decades; those have a re-timestamping problem that needs to be solved before the quantum-resistant TSA infrastructure is ready at scale.
What's the difference between ML-DSA and SLH-DSA? ML-DSA (Module-Lattice-Based) is more efficient and produces smaller signatures, suitable for high-volume use. SLH-DSA (Stateless Hash-Based) is larger and slower but relies only on hash-function security, making it the most conservative choice for very long-term archival. Most providers will support both.
Should we require hybrid signatures from our TSP today? If you operate in France, Germany, or other jurisdictions where national cybersecurity authorities mandate hybrid signatures, yes. For other EU jurisdictions, the final regulatory position is still forming, but choosing a TSP that supports hybrid signatures gives you options.
Our TSP says they will "migrate when the standards are finalised". Is that acceptable? Not in 2026. NIST FIPS 203, 204, and 205 were finalised on 13 August 2024. ANSSI and BSI guidance is published. The EU Coordinated Roadmap is adopted. The regulatory standards are finalised. A TSP that is waiting is signalling that they are not ready.
The Bottom Line
Post-quantum signatures are not a speculative future problem. The algorithms are standardised. The regulatory timelines are set. The 2026 milestone (a national strategy in every EU Member State, first pilots launched) is eight months away at the time of writing. The 2030 milestone, by which critical infrastructure including regulated signature services should be transitioned, is four years away. A trust service provider that cannot answer the seven questions above is a procurement risk.
The regulated organisations most exposed are those using long-term archival signatures (AdES-LTA) for anything with a 10+ year legal exposure: contracts, healthcare records, public-sector filings, financial instruments, customs declarations. That list also includes EU defence-tender submissions under EDIP and EDF, which carry long retention obligations and will outlive the current signature-algorithm generation. The mitigation is architectural: crypto-agility in the signature stack, separable and upgradeable TSA infrastructure, and a written, dated re-signing plan for existing archives.
IdentiGate's signature infrastructure is built for crypto-agility. We treat algorithm selection as a parameter, not a product decision, and our roadmap aligns with the NIST-standardised PQC suite and the EU Coordinated Implementation Roadmap milestones. If you are evaluating providers on the seven questions above, we are happy to answer each of them in writing. Contact us at identigate.com.
Sources
Standards
- NIST: Post-Quantum Cryptography FIPS Approved (13 August 2024)
- NIST: FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA)
- NIST: FIPS 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA)
- Federal Register: Issuance of FIPS 203, 204, 205 (14 August 2024)
- NIST SP 800-208: Stateful Hash-Based Signature Schemes (LMS, XMSS)
EU regulatory timeline
- European Commission: Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography (recommendation)
- European Commission: EU reinforces its cybersecurity with post-quantum cryptography
- ENISA: Post-Quantum Cryptography: Current state and quantum mitigation
- ENISA: Roadmap for the Transition to Post-Quantum Cryptography
National guidance
- Post-Quantum Cryptography Coalition: International PQC requirements (ANSSI, BSI, NCSC)
- UK NCSC: Timelines for migration to post-quantum cryptography
US / defence
Signature-specific context
- ETSI: AdES long-term signature formats and validation
- Cryptomathic: PAdES and Long-Term Archival (LTA) compliance
About the author
Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.