Abstract
Data that must stay confidential well into the 2030s is already at risk today: an attacker can record RSA- or ECC-protected traffic now and decrypt it once a cryptographically relevant quantum computer exists ("harvest now, decrypt later"). This playbook turns the current BSI guidance into three phases, adds the NIS2 compliance triggers that make the migration enforceable, and shows where federal funding can offset project costs.
Key Points at a Glance
- BSI target 2030: sensitive and high-risk workloads should run hybrid or PQ-only by 2030, everything else by 2035. This is a recommendation; NIS2's "state of the art" clause is what turns it into an obligation.
- Algorithms now recommended in BSI TR-02102-1: ML-KEM-768/1024 for key agreement, ML-DSA-65/87 for signatures.
- NIS2 fines: up to €10 m or 2 % of global turnover for essential entities (€7 m or 1.4 % for important entities) if security measures, cryptography explicitly included (Art. 21(2)(h)), are not state of the art.
- Easy pilot path: AWS KMS supports ML-DSA key pairs and hybrid post-quantum TLS to its endpoints in eu-central-1.
- Funding: the ERP Digitalisation and Innovation Credit offers low-interest loans with a grant component of up to 5 % for IT and digitalisation projects, capped at €200,000.
Phase 1 · Immediate Actions (2025-2026)
- Inventory every RSA/ECC use (TLS, VPN, firmware and code signing, S/MIME) and flag data that must stay secret until 2035 or later; encrypted traffic carrying that data is exposed to harvest-now, decrypt-later attacks today.
- Check each key against the BSI TR-02102-1 key-length tables: RSA and DH modulus ≥ 3000 bit, ECC ≥ 250 bit. Anything below that is weak regardless of quantum computers and is replaced first.
- Vendor RfI: "When will you ship hybrid ML-KEM key exchange, and which combiner (e.g. CatKDF per ETSI TS 103 744) do you use?"
- Procurement clause: PQ-ready libraries and HSMs are mandatory from FY 2026 onward.
- Training: half-day workshop for Dev and Ops teams on the PQC APIs they will actually call: OpenSSL 3.5 (native ML-KEM/ML-DSA) or liboqs with oqs-provider on older OpenSSL releases.
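The Phase 1 steps above (inventory, classify against the BSI table, flag long-lived data) are one procedure, so here is a worked triage script for them. It is an added example, not part of the playbook; the inventory rows are constructed sample data, the thresholds are the BSI values quoted above, and the use-category sets and verdict labels are my own assumptions. It goes beyond the bullet list in one respect: it separates confidentiality uses (where harvest-now, decrypt-later applies) from signature uses (which only need to be migrated before a quantum computer exists), so the two get different priorities.

```python
"""Crypto-inventory triage against the BSI TR-02102-1 key-length table.

Added example, not from the playbook. Inventory rows are constructed
sample data. Thresholds: RSA/DH modulus >= 3000 bit, ECC >= 250 bit.
Data that must stay secret in or after HNDL_HORIZON is flagged as
harvest-now-decrypt-later exposed if it crosses a classical-only
key agreement.
"""
from dataclasses import dataclass

# Minimum sizes from the BSI tables as quoted in the playbook.
BSI_MIN_BITS = {"RSA": 3000, "DH": 3000, "DSA": 3000,
                "ECC": 250, "ECDH": 250, "ECDSA": 250}
PQC_ALGS = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87"}
HNDL_HORIZON = 2035

# Assumed categorisation: which uses protect confidentiality (HNDL applies)
# and which only authenticate (must migrate before a CRQC exists).
CONFIDENTIALITY_USES = {"TLS", "VPN", "S/MIME", "storage"}
SIGNATURE_USES = {"firmware", "code-signing"}


@dataclass(frozen=True)
class Asset:
    name: str
    use: str            # TLS, VPN, firmware, S/MIME, ...
    alg: str            # RSA, ECC, ECDSA, DH, ML-KEM-768, ...
    bits: int           # modulus or curve size; 0 for PQC parameter sets
    secret_until: int   # year until which protected data must stay secret
    hybrid: bool = False  # already combined with an ML-KEM/ML-DSA component


def classify(a: Asset) -> tuple[str, int]:
    """Return (verdict, priority); priority 1 is most urgent."""
    if a.alg in PQC_ALGS:
        return ("pq-ok", 4)
    min_bits = BSI_MIN_BITS.get(a.alg)
    if min_bits is None:
        return ("unknown-alg", 1)        # cannot be assessed: treat as urgent
    if a.bits < min_bits:
        return ("below-bsi-table", 1)    # weak today, independent of quantum
    if a.hybrid:
        return ("hybrid-ok", 4)
    if a.use in CONFIDENTIALITY_USES and a.secret_until >= HNDL_HORIZON:
        return ("hndl-exposed", 2)       # recorded now, decrypted later
    if a.use in SIGNATURE_USES:
        return ("sig-migrate-by-2030", 3)
    return ("classical-ok-until-2030", 3)


def triage(assets: list[Asset]) -> list[tuple[Asset, str, int]]:
    """Classify every asset and order the work list: priority, then name."""
    rows = [(a, *classify(a)) for a in assets]
    return sorted(rows, key=lambda r: (r[2], r[0].name))


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("customer-portal-tls", "TLS", "ECC", 256, 2033),
    Asset("site-to-site-vpn", "VPN", "RSA", 2048, 2040),
    Asset("mail-gateway-smime", "S/MIME", "RSA", 4096, 2040),
    Asset("device-firmware-signing", "firmware", "ECDSA", 256, 2045),
    Asset("pqc-pilot-tls", "TLS", "ECC", 256, 2040, hybrid=True),
    Asset("legacy-ftp-dh", "VPN", "DH", 1024, 2028),
]

if __name__ == "__main__":
    for asset, verdict, prio in triage(SAMPLE_INVENTORY):
        print(f"P{prio}  {asset.name:<26} {asset.alg}-{asset.bits:<5} {verdict}")
```

The ordering is the point: a 2048-bit RSA key fails the BSI table today and outranks the 4096-bit S/MIME gateway, which is fine classically but leaks long-lived mail to a harvest-now attacker; the firmware signing key is safe until a quantum computer exists and therefore sits behind both.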
Phase 2 · Short-Term Planning (2026-2028)
- Align the migration with the regular hardware refresh cycle to avoid forklift replacements.
- Pilot hybrid TLS (X25519MLKEM768, i.e. X25519 combined with ML-KEM-768) on a public test sub-domain; measure handshake latency and the size of the first flight, since the ML-KEM key share adds roughly a kilobyte in each direction.
- Select HSMs that can switch from ECDSA-only to hybrid ECDSA + ML-DSA through a configuration change rather than a firmware replacement.
- Apply for go-digital or Digital Jetzt funding to co-finance external PQC consultancy; confirm the programme is still accepting applications before you plan around it.
- Draft the NIS2 evidence pack: crypto inventory, migration plan, budget and the board minutes approving them.
Phase 3 · Execution (2028-2032)
- Prioritise customer PII, payment flows and IP repositories.
- Enable hybrid key exchange in TLS (X25519MLKEM768) and IPsec/IKEv2 (multiple key exchanges, RFC 9370). WireGuard has no hybrid mode of its own; use its optional pre-shared key or a PQ pre-key exchanger such as Rosenpass. Legacy clients keep working through normal group negotiation, which falls back to a classical group; do not re-enable weak cipher suites for them.
- Code signing: move CI pipelines to dual signatures, ML-DSA-65 alongside ECDSA, and set the verification policy to require both signatures to verify.
- Audit trail: record which combiner (e.g. CatKDF per ETSI TS 103 744), parameter sets and transcript hashes protected each class of connection, so an assessor can confirm the BSI 120-bit security level without access to the session keys.
- Retire legacy RSA/ECC: complete the BSI-recommended migration of high-risk systems by end 2030 and treat 2032 as an operational buffer only, not a second deadline; mainstream browsers already negotiate hybrid groups by default.
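The vendor question in Phase 1 ("which combiner do you use?") and the audit-trail item above both turn on the same mechanism: how the classical and post-quantum shared secrets of a hybrid exchange are bound into one session key, and what you keep as evidence afterwards. The following is an added example, not code from the playbook, BSI or any vendor. It implements a concatenation combiner over HKDF-SHA256 in the spirit of CatKDF from ETSI TS 103 744; the exact field layout (transcript hash as salt, label as info) is my own assumption and not the spec's wire format. The X25519 and ML-KEM-768 values are constructed placeholders of the correct lengths, because a real deployment takes them from the TLS or IPsec stack, not from application code.

```python
"""Concatenation-style hybrid key combiner plus the audit record to keep.

Added example, not from the playbook. Layout is an assumption in the
spirit of ETSI TS 103 744 CatKDF, not the spec's exact encoding.
Secrets and public values below are constructed placeholders.
"""
import hashlib
import hmac
import json


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_known_answer_ok() -> bool:
    """Self-check against RFC 5869 test case 1 before trusting the KDF."""
    okm = hkdf_expand(hkdf_extract(bytes(range(13)), b"\x0b" * 22),
                      bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                         "5db02d56ecc4c5bf34007208d5b887185865")


def cat_kdf(secrets: list[bytes], transcript: bytes,
            label: bytes = b"hybrid-tls-pilot", length: int = 32) -> bytes:
    """Combine component shared secrets (classical first, then PQ).

    The concatenation means the output is unpredictable as long as at
    least one component secret is unknown to the attacker, and hashing
    the full transcript into the salt binds the key to the public values
    actually exchanged (assumed layout, see module docstring)."""
    ikm = b"".join(secrets)
    salt = hashlib.sha256(transcript).digest()
    return hkdf_expand(hkdf_extract(salt, ikm), label, length)


def audit_record(transcript: bytes, components: list[str]) -> dict:
    """What Phase 3 asks you to retain: no secrets, only the transcript
    hash and the mechanism, enough to show later what protected a session."""
    return {"transcript_sha256": hashlib.sha256(transcript).hexdigest(),
            "components": components,
            "combiner": "concatenation + HKDF-SHA256 (assumed layout)"}


# Constructed placeholders with the real sizes of X25519 and ML-KEM-768
# values (32-byte secrets, 32-byte X25519 public keys, 1184-byte
# encapsulation key, 1088-byte ciphertext). Not real protocol output.
X25519_SS = hashlib.sha256(b"constructed x25519 shared secret").digest()
MLKEM768_SS = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()
TRANSCRIPT = (hashlib.sha256(b"client x25519 pk").digest()
              + hashlib.sha256(b"server x25519 pk").digest()
              + hashlib.shake_256(b"ML-KEM-768 ek").digest(1184)
              + hashlib.shake_256(b"ML-KEM-768 ct").digest(1088))


def derive_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    return cat_kdf([classical_ss, pq_ss], transcript)


def classical_break_is_not_enough(transcript: bytes = TRANSCRIPT) -> bool:
    """Model an attacker who has broken X25519 (knows X25519_SS) but not
    ML-KEM: every guess at the PQ secret gives a different session key."""
    real = derive_session_key(X25519_SS, MLKEM768_SS, transcript)
    guess = derive_session_key(X25519_SS, bytes(32), transcript)
    return real != guess


if __name__ == "__main__":
    assert hkdf_known_answer_ok()
    key = derive_session_key(X25519_SS, MLKEM768_SS, TRANSCRIPT)
    print("session key:", key.hex())
    print(json.dumps(audit_record(TRANSCRIPT, ["X25519", "ML-KEM-768"]), indent=2))
```

The record deliberately contains nothing secret: the transcript hash plus the component list is what an assessor needs to confirm that a session was protected by an ML-KEM-768 component (and so meets the 120-bit level even if X25519 is later broken), and it can be retained for years without becoming a key-disclosure liability.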
German Funding & Regulation Quick Guide
ERP Digitalisation and Innovation Credit: low-interest loan with a grant component of up to 5 % for high-impact IT-security and digitalisation projects, capped at €200,000.
NIS2-UmsuCG (draft): applies to any entity in an Annex I/II sector that meets the EU medium-size test (at least 50 employees, or more than €10 m turnover and more than €10 m balance-sheet total); registration with the BSI must be completed within three months of becoming subject to the act, whose entry into force is expected in 2025.
IHK awareness: your local chamber hosts free PQC awareness seminars; reserve a seat early.
Quick-Win Checklist
- 🔍 Crypto inventory matched to the BSI key-length tables? Yes / No
- 📅 Board-approved migration plan and budget? Yes / No
- 🛠 Pilot hybrid TLS endpoint live? Handshake negotiates X25519MLKEM768?
- 🔑 ML-DSA key created in AWS KMS? Yes / No
- 💶 Funding application submitted? Status?