Yesterday the German Federal Office for Information Security (BSI) did something it has never done before: it put an end date on classical asymmetric cryptography.
In the 2026 update to TR-02102—the technical guideline that serves as the de facto cryptographic standard for German government systems and a reference for the state of the art internationally—the BSI now recommends that classical asymmetric encryption (RSA, ECC, Diffie-Hellman) should no longer be used alone after the end of 2031. For the most sensitive applications, that deadline moves to end of 2030. Classical signature schemes get until end of 2035.
The word “recommends” is doing a lot of work there. TR-02102 is technically advisory. But conformity is mandatory for anyone processing classified information, and the guideline underpins the BSI’s TLS Minimum Standard and TR-03116 (cryptographic requirements for federal projects). When BSI sets an expiration date, procurement follows.
What changed
Previous editions of TR-02102 recommended post-quantum algorithms and urged migration planning, but stopped short of declaring when classical-only deployment would become unacceptable. The 2026 edition crosses that line.
The new timelines:
- End of 2030: Classical asymmetric encryption no longer recommended for highest-sensitivity applications (standalone use)
- End of 2031: Classical asymmetric encryption no longer recommended for general use (standalone use)
- End of 2035: Classical digital signatures no longer recommended (standalone use)
The key phrase is “standalone use.” BSI isn’t banning RSA or ECC—it’s requiring hybrid deployment, where classical and post-quantum algorithms run together. If either one breaks, the other still protects you. This is the same hybrid-first approach BSI has advocated since 2020 with FrodoKEM and Classic McEliece, now extended to mandate timelines.
BSI President Claudia Plattner framed it plainly: the transition to post-quantum cryptography is “alternativlos”—without alternative.
How this compares to CNSA 2.0
The NSA’s CNSA 2.0 timeline requires post-quantum algorithms for software and firmware signing by 2025, web browsers and servers by 2025, and all remaining systems by 2033. The BSI timeline is both later in some areas (2031 vs. 2025 for web/TLS) and earlier in others (2030 for high-sensitivity vs. CNSA 2.0’s general 2033 deadline).
But the more important difference is approach. CNSA 2.0 mandates a full replacement—quantum-only algorithms for national security systems, no hybrid. BSI mandates hybrid—classical plus PQC together, keeping both until confidence in the new algorithms matures. These aren’t contradictory positions; they reflect different threat models and institutional risk tolerances. The convergence on the same 2030–2033 window is the signal that matters.
Add Australia’s ASD, Japan’s CRYPTREC, South Korea’s KISA, the EU joint statement from 18 European agencies, and CISA’s January 2026 product categorization, and the pattern is clear: every major allied cybersecurity authority is now converging on the same migration window. The debate over whether PQC migration is necessary is over. The remaining question is execution.
What this means for your migration
If you’re operating in or selling into German-regulated markets—financial services, critical infrastructure, government supply chains—the BSI timeline is now your timeline. Five years sounds comfortable until you inventory what needs to change.
The BSI’s own migration guidance starts with the same first step everyone else recommends: cryptographic inventory. You can’t plan a migration you can’t measure. And you can’t report progress to a board or regulator without a baseline.
That’s the problem pqprobe was built to solve. Not a one-time audit, but continuous measurement. Are you getting better or worse at PQC migration? Which endpoints have moved to hybrid? Which are still negotiating classical-only cipher suites? And critically—is the trend improving or degrading?
The BSI has now given you a deadline. The question is whether your infrastructure is moving toward it or away from it.
Further reading: