DORA evidence and crypto-agility: what financial teams should collect in 2026

DORA has been applicable since 17 January 2025, so 2026 is not the year to discover whether evidence exists. For financial entities and ICT providers in the orbit of the regulation, the pressure is moving from policy documents to proof: risk management, third-party arrangements, testing, incident handling, and resilience practices need to be demonstrable.

Post-quantum cryptography is not the only DORA topic. But crypto-agility fits naturally into the same evidence culture because cryptography sits inside identity, confidentiality, integrity, outsourcing, incident response, and recovery.

The evidence gap

Many teams can say they use strong encryption. Fewer can show where it is used, who owns each control, which vendors influence it, how exceptions are approved, and how quickly an algorithm could be changed under pressure. That difference matters when a regulator, auditor, or customer asks for operational resilience rather than a security slogan.

Evidence worth collecting now

  • Cryptographic policy approved by management and mapped to system classes.
  • Inventory of public-key cryptography in customer channels, internal platforms, identity systems, and third-party services.
  • Vendor records showing algorithm support, roadmap statements, and notification commitments.
  • Change records from rotation, certificate renewal, TLS profile changes, or signing-key updates.
  • Test evidence for rollback, fallback, and monitoring when cryptographic settings change.
  • Risk acceptance records for legacy systems that cannot move quickly.

Connect the work to resilience

Crypto-agility should not sit in a separate technical notebook. It belongs in operational resilience because weak or immovable cryptography can become a business continuity issue. If a vendor, protocol, or algorithm needs urgent replacement, the institution should know which services are affected and how the change will be governed.

NIST’s crypto-agility work is useful here because it treats agility as a systems and governance problem, not just a library upgrade. Mature organizations monitor and report crypto-agility as part of risk management.

A good 2026 outcome

By the end of 2026, financial-sector teams should be able to show a living crypto inventory, a vendor dependency view, a tested change process, and board-readable metrics for migration risk. That is the kind of evidence that survives contact with audit questions because it comes from operations, not from a slide deck.

Further reading: European Banking Authority DORA overview, EBA DORA register preparations, NIST CSWP 39 on crypto agility.