Post-quantum for financial services: DORA, the record, and the quantum clock
Financial records outlive the cryptography that signs them, so under DORA the audit ledger has to be post-quantum from the moment it is written.
Regulated finance must make its audit record post-quantum now, not at Q-Day, because DORA-governed data retained for years is already exposed to harvest-now-decrypt-later attacks.
The question matters in 2026 because DORA has been in force since January 2025, NIST has finalised its first post-quantum signature standards, and adversaries are already capturing encrypted traffic to decrypt once quantum hardware matures. A record written today under a classical signature carries a retention obligation measured in years, well inside the window where that signature may no longer hold.
Why do the retention clock and the quantum clock collide?
Financial records live for years while a future quantum computer could break today's signatures, so data captured now stays exposed long after Q-Day arrives.
Two clocks run at once. The retention clock starts the moment a record is written and can run for years under financial recordkeeping rules. The quantum clock counts down to the day a cryptographically relevant quantum computer can forge or unpick today's signatures. Attackers do not wait: harvest-now-decrypt-later means encrypted material captured in 2026 can be stored and broken later. Any record whose retention outlasts the quantum clock is therefore exposed from the day it is signed, not from Q-Day. Cryptographic migration is not instant either, because re-signing a large archive and rotating keys across an estate takes planning, testing and time. A firm that starts only when Q-Day is announced has already lost the years its earliest records needed.
“In regulated finance the audit record must be post-quantum from the moment it is written, because retention outlives the cryptography that once protected it.”
What does DORA require of financial firms since January 2025?
DORA, in force since January 2025, requires financial entities to prove operational resilience, test ICT systems and govern third parties, all evidenced in the record.
DORA, the Digital Operational Resilience Act, has applied to EU financial entities and their critical ICT providers since January 2025. It sets out ICT risk management, incident reporting, resilience testing and third-party risk oversight, with information sharing on threats. It does not prescribe a specific algorithm, and it does not name post-quantum cryptography, yet its demand for durable integrity and evidence means the artefacts it governs must stay verifiable for their whole life. The regime also expects a maintained register of ICT arrangements and the ability to reconstruct events accurately after an incident, and any reconstruction is only trustworthy when the logs behind it cannot be quietly rewritten. NIS2 adds parallel duties for essential and important entities. Where a signature could later be forged, the resilience evidence it protects is only as durable as the cryptography beneath it.
Which regulatory drivers force post-quantum now?
Four drivers force the record to be post-quantum now: multi-year retention, DORA resilience testing, third-party and CLOUD Act exposure, and long-lived auditability obligations.
| Driver | What it requires | Post-quantum implication |
|---|---|---|
| Multi-year record retention | Records kept and provable for years after creation | Signatures must resist quantum attack for the whole retention period |
| DORA operational resilience and testing | Evidence of resilience, incident response and regular testing | Test artefacts and logs need post-quantum signing to stay trustworthy |
| Third-party and CLOUD Act exposure | Control over ICT providers and where data can be compelled | Sovereign, offline signing keeps the record beyond foreign compulsion |
| Auditability | A tamper-evident trail an auditor can verify independently | A post-quantum signed ledger keeps proofs valid past Q-Day |
Which post-quantum signatures protect the audit record?
FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) sign the audit ledger; FIPS 203 (ML-KEM) only encapsulates keys and never signs a record.
Not every post-quantum standard signs. NIST finalised three: FIPS 203 (ML-KEM) for key encapsulation, and FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures. Only the signature standards protect a record's integrity and provenance over time. FIPS 203 secures a key exchange in transit and never signs a ledger entry. A durable audit record therefore needs FIPS 204 or FIPS 205 signing at the point of write, so each entry carries a proof that survives the arrival of quantum hardware.
How do third-party rules and the CLOUD Act change the answer?
The US CLOUD Act can compel a US-based provider regardless of where servers sit, so the most sensitive records need sovereign, offline signing.
Public cloud AI services are an excellent choice for many workloads: ChatGPT, Copilot and Gemini are fast to adopt, broadly capable and well supported for general productivity. For the most sensitive regulated records the calculus changes, because the US CLOUD Act can compel a US-based provider to produce data regardless of where its servers physically sit. DORA third-party oversight and data residency expectations then push the most sensitive signing and retention onto infrastructure the operator controls. The answer is not to abandon those services, it is to keep the crown-jewel record on a sovereign, offline substrate with a zero-egress inbound perimeter.
How does Mickai make the record post-quantum and verifiable?
Mickai, a Sovereign Intelligence Operating System, signs a post-quantum audit ledger offline on operator-owned hardware, binding every action to hardware-attested identity and cross-model consensus.
Mickai is a Sovereign Intelligence Operating System, a SIOS, built and live and running offline on operator-owned hardware with every action cryptographically sealed. The audit ledger is signed with post-quantum signatures, each entry bound to a hardware-attested identity so provenance is verifiable without trusting an outside party. Each entry is append-only and chained to the one before it, so tampering shows on inspection, and the inbound-only perimeter keeps the substrate off the public internet. Work is checked by cross-model consensus across 50 brains, 25 domain and 25 operational, and the whole record verifies offline. The underlying research sits behind 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD (Companies House 17166618), filed and patent pending.
Frequently asked questions
When do we actually need post-quantum signatures on our records?
Now, for any record whose retention runs into the years. Because harvest-now-decrypt-later lets adversaries store encrypted material today and break it later, waiting for Q-Day leaves everything signed in the meantime exposed. The safe default is to sign durable records with post-quantum signatures at the point of write.
Does DORA require post-quantum cryptography by name?
No. DORA, in force since January 2025, does not name specific algorithms or post-quantum cryptography. It does require ICT risk management, resilience testing and provable integrity of data and evidence over time. Those durability obligations are what make post-quantum signing on long-lived records the prudent reading.
Can we keep using ChatGPT or Copilot for sensitive audit workflows?
For general productivity they are strong, well supported choices. For the most sensitive regulated records the US CLOUD Act means a US-based provider can be compelled to disclose data wherever servers sit. The pragmatic split is to keep everyday work on those services and move crown-jewel signing and retention onto sovereign, offline infrastructure.
What is harvest-now-decrypt-later, and does it affect regulated firms?
It is the practice of capturing encrypted data now to decrypt once quantum hardware is capable. It affects any firm whose records stay sensitive for years, which describes most of regulated finance. That is precisely why the record must be post-quantum from the day it is written.
Is a post-quantum signed ledger verifiable without trusting the vendor?
Yes. A post-quantum signed audit ledger with hardware-attested identity can be verified offline against the signatures themselves. Independent auditors check the proofs directly rather than trusting a provider's dashboard. This offline verifiability is what keeps the record credible past Q-Day.




