The German Federal Office for Information Security (BSI) has been publishing post-quantum cryptography guidance since 2020. Its Technical Guideline TR-02102 series, together with the Migration Guide for Post-Quantum Cryptography, provides one of the most detailed public guidance sets available. It is worth reading carefully — particularly for organisations operating in Germany or subject to NIS2 obligations.
The algorithm recommendations
The BSI’s TR-02102 series has tracked the NIST standardisation process closely. Following the August 2024 final standards publication, the guidance endorses ML-KEM (FIPS 203) as the primary KEM algorithm and ML-DSA (FIPS 204) alongside SLH-DSA (FIPS 205) for signature schemes. Signature-profile choices should therefore be mapped to the current BSI and NIST publications in force for the system’s assurance level.
For symmetric cryptography, AES-256 retains its recommendation status. The BSI notes that while Grover’s algorithm provides a quadratic speedup against symmetric ciphers — effectively halving the key length security — AES-256 retains sufficient post-quantum security at 128 bits. SHA-3 and SHA-256 are both recommended; SHA-1 and MD5 are explicitly deprecated.
Migration timeline guidance
For systems handling classified or highly sensitive data, the BSI guidance is urgency- and risk-based rather than a blanket completion mandate tied to a single public date. It recommends starting migration planning now, documenting cryptographic inventories, and using hybrid operation during the transition. For Critical Infrastructure (KRITIS) operators, NIS2 and the German implementation process add regulatory pressure to make those plans concrete and auditable.
The migration guide is explicit that hybrid operation — running classical and post-quantum algorithms simultaneously — is the recommended approach for the transition period. BSI guidance describes a specific hybrid construction expectation: the combined key derivation should provide security equivalent to the stronger of the two components. Simply XORing the two shared secrets is not aligned with that guidance; a proper KDF must be applied.
What the guide leaves to your risk assessment
The BSI guidance does not mandate specific vendor products or implementation libraries — that is appropriately left to procurement. Implementations should be tested against the NIST test vectors, and KRITIS operators may need to evaluate whether BSI recognition, CSPN certification, or another formal assessment is required for their exact scope.
Cryptographic agility — the ability to switch algorithms without architectural changes — is strongly recommended but not mandated as a hard requirement. The guide acknowledges that achieving true crypto-agility across legacy infrastructure is a multi-year programme and that phased migration is acceptable, provided the migration plan is documented and risk-accepted at the appropriate level of authority.
Key differences from NIST and NSA guidance
The BSI is notably explicit about hybrid operation during the transition. Where CNSA 2.0 sets a hard 2033 removal date for classical algorithms in national security systems, the BSI material emphasises immediate migration planning, documented risk assessment, and hybrid combinations for high-security applications.
For commercial operators who must map to both BSI and NSA-aligned requirements (common in defence-adjacent supply chains), the practical answer is to plan around the shared algorithm families: ML-KEM-1024, ML-DSA-87, and SLH-DSA-SHA2-256s map cleanly to common high-assurance profiles.