Why regulators now demand evidence of cryptographic control, not just attestation.
When the auditor asks for your cryptographic inventory, will you show a system of record or a spreadsheet you built last night? That question now separates organisations meeting regulatory requirements from those scrambling to catch up. Three major frameworks have moved beyond attestation—and the deadlines have already arrived.
PCI DSS 4.0’s cryptographic inventory requirements became mandatory ten months ago. DORA has been enforceable across 22,000 EU financial entities for over a year. CNSA 2.0’s first hard deadline arrives in January 2027. For CISOs and GRC leaders, this represents a fundamental shift: regulators no longer ask “do you have encryption?” They ask “can you prove it?” As we explored in Where Does Your Cryptography Live?, most organisations cannot answer that question with confidence.
The Visibility Gap Makes Compliance Impossible
The gap between deploying encryption and documenting encryption remains staggering. According to the 2024 Entrust/Ponemon Global PKI and IoT Trends Study, 43% of organisations cite an inability to inventory their cryptographic assets as a top barrier to post-quantum readiness. Only 35% maintain a centralised inventory of keys, algorithms, and certificates.
Keyfactor research documents an average of nine machine identity-related incidents over 24 months per organisation—including three certificate outages, three failed audits, and three security breaches. The economic impact averages $11.1 million per organisation. If you cannot answer basic questions about where your cryptographic assets live, compliance becomes a scramble rather than a process.
Deadlines Arrived. Compliance Didn’t.
PCI DSS 4.0: The 51 future-dated requirements became mandatory on March 31, 2025. Ten months later, no public enforcement cases have emerged—but that reflects the structural opacity of PCI’s contractual enforcement mechanism, not leniency. Verizon’s Payment Security Report found only 14.3% of organisations maintained full compliance at interim validation. Requirements 4.2.1.1 and 12.3.3 now mandate complete cryptographic inventories and annual cipher suite reviews. QSAs report these generate more questions than any other requirement in the standard.
DORA: One year into enforcement, regulators have prioritised infrastructure over penalties. The ESAs designated 19 Critical Third-Party Providers in November 2025, including AWS, Google Cloud, and Microsoft Azure. Only 8% achieved full compliance with resilience testing and third-party risk management. Article 7.4’s cryptographic certificate register requirements remain an underestimated risk area.
CNSA 2.0: The first hard milestone arrives January 2027: all new NSS acquisitions must be quantum-resistant. Yet only 7% of federal agencies have formal PQC transition plans. GAO Report GAO-25-108590 identified significant gaps in coordination. As we discussed in Why ML-KEM Only Is Not a Strategy, building hybrid cryptographic approaches provides both compliance flexibility and operational resilience.
The pressure is expanding. The CA/Browser Forum voted unanimously in April 2025 to reduce TLS certificate validity to 47 days by March 2029, a roughly twelvefold increase in renewal frequency. The EU published its PQC roadmap in June 2025, requiring cryptographic inventories by end of 2026. Each framework reinforces the same demand: prove what you have and prove you can change it.
What Auditors Actually Ask For Now
The shift from checkbox compliance to evidence-based compliance is now visible across every major framework. PCI DSS 4.0 emphasises continuous compliance over point-in-time assessments. DORA requires ongoing operational resilience testing. Auditors now request complete cryptographic inventories, third-party risk documentation, business continuity plans tested with third-party involvement, and post-quantum readiness roadmaps.
The Cryptographic Bill of Materials (CBOM) has emerged as a critical tool for meeting these requirements. OWASP’s CycloneDX version 1.6 provides native CBOM support: a machine-readable inventory of all cryptographic assets including algorithms, keys, certificates, and their relationships. The EU’s June 2025 PQC roadmap explicitly recommends standardised CBOM formats for inventory creation.
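To make the "machine-readable inventory" concrete, the following is an added example (not code from the article or from any vendor or project it names). It builds a small CycloneDX 1.6-style CBOM from constructed sample data and queries it for the three things an auditor tends to ask first: which public-key algorithms are not quantum-resistant, which certificates expire soon, and which algorithms a given TLS endpoint actually depends on once bom-ref links are followed. The component and `cryptoProperties` field names follow the CycloneDX 1.6 schema as the author understands it (`assetType`, `algorithmProperties`, `certificateProperties`, `protocolProperties`, `cryptoRefArray`); the endpoint name, validity dates and bom-ref values are invented for the example, and the document should be checked against the published JSON schema before being used as a template.

```python
"""Query a CycloneDX 1.6-style CBOM for audit evidence (added example, constructed data)."""
import json
from datetime import datetime, timedelta, timezone

# CONSTRUCTED sample CBOM: one TLS endpoint, its certificate, and the
# algorithms behind them, linked by bom-ref. Not a real inventory.
CBOM_JSON = r'''
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "cryptographic-asset", "bom-ref": "alg:rsa-2048", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
       "primitive": "signature", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:aes-256-gcm", "name": "AES-256-GCM",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
       "primitive": "ae", "parameterSetIdentifier": "256", "nistQuantumSecurityLevel": 5}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:ml-kem-768", "name": "ML-KEM-768",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
       "primitive": "kem", "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}},
    {"type": "cryptographic-asset", "bom-ref": "cert:api-example", "name": "api.example.test",
     "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
       "subjectName": "CN=api.example.test", "notValidBefore": "2025-12-01T00:00:00Z",
       "notValidAfter": "2026-02-15T00:00:00Z", "signatureAlgorithmRef": "alg:rsa-2048"}}},
    {"type": "cryptographic-asset", "bom-ref": "proto:tls-api", "name": "TLS 1.3 (api endpoint)",
     "cryptoProperties": {"assetType": "protocol", "protocolProperties": {
       "type": "tls", "version": "1.3",
       "cipherSuites": [{"name": "TLS_AES_256_GCM_SHA384", "algorithms": ["alg:aes-256-gcm"]}],
       "cryptoRefArray": ["cert:api-example", "alg:ml-kem-768"]}}}
  ]
}
'''

# Primitives that rely on public-key hardness assumptions; these are the ones
# a CNSA 2.0 style transition must replace or hybridise.
PUBLIC_KEY_PRIMITIVES = {"signature", "pke", "key-agree", "kem"}


def load_cbom(text):
    return json.loads(text)


def crypto_assets(bom, asset_type):
    """Yield cryptographic-asset components of one assetType."""
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties", {})
        if comp.get("type") == "cryptographic-asset" and props.get("assetType") == asset_type:
            yield comp


def quantum_vulnerable_algorithms(bom):
    """Public-key algorithms with no NIST quantum security level (0 or unset)."""
    names = []
    for comp in crypto_assets(bom, "algorithm"):
        ap = comp["cryptoProperties"].get("algorithmProperties", {})
        if ap.get("primitive") in PUBLIC_KEY_PRIMITIVES and ap.get("nistQuantumSecurityLevel", 0) == 0:
            names.append(comp["name"])
    return sorted(names)


def certificates_expiring_within(bom, now, days):
    """(name, expiry date) for certificates whose notValidAfter falls within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    found = []
    for comp in crypto_assets(bom, "certificate"):
        not_after = comp["cryptoProperties"]["certificateProperties"]["notValidAfter"]
        expiry = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
        if expiry <= cutoff:
            found.append((comp["name"], expiry.date().isoformat()))
    return found


def _refs_of(comp):
    """Outgoing bom-ref links from a certificate or protocol component."""
    props = comp.get("cryptoProperties", {})
    refs = []
    cert = props.get("certificateProperties", {})
    refs += [cert[k] for k in ("signatureAlgorithmRef", "subjectPublicKeyRef") if k in cert]
    proto = props.get("protocolProperties", {})
    for suite in proto.get("cipherSuites", []):
        refs += suite.get("algorithms", [])
    refs += proto.get("cryptoRefArray", [])
    return refs


def reachable_algorithms(bom, start_ref):
    """All algorithm names reachable from a component by following bom-ref links."""
    index = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    seen, stack, names = set(), [start_ref], set()
    while stack:
        ref = stack.pop()
        if ref in seen or ref not in index:
            continue
        seen.add(ref)
        comp = index[ref]
        if comp.get("cryptoProperties", {}).get("assetType") == "algorithm":
            names.add(comp["name"])
        stack.extend(_refs_of(comp))
    return sorted(names)


BOM = load_cbom(CBOM_JSON)

if __name__ == "__main__":
    now = datetime(2026, 1, 20, tzinfo=timezone.utc)  # constructed reference date
    print("quantum-vulnerable public-key algorithms:", quantum_vulnerable_algorithms(BOM))
    print("certificates expiring within 30 days:", certificates_expiring_within(BOM, now, 30))
    print("algorithms behind proto:tls-api:", reachable_algorithms(BOM, "proto:tls-api"))
```

The point of the last query is the "relationships" part of the CBOM: the TLS endpoint looks quantum-safe on its cipher suite alone, but following the certificate link shows it still rests on an RSA-2048 signature, which is exactly the dependency an auditor or a PQC transition plan needs to see. Run against a real CBOM exported from a scanner, the same three functions give a repeatable answer to the diagnostic question below instead of a one-off spreadsheet.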
Diagnostic Question: If an auditor asked for your cryptographic inventory right now, could you produce a current, complete system of record within the hour?
This question typically surfaces at the board level through three triggers: a compliance gap exposed during examination, a peer organisation facing enforcement action, or a cyber insurance renewal requiring cryptographic documentation. Boards are asking whether programmes are on track. For most organisations, significant work remains.
Building Quantum-Resistant Security with ExeQuantum
The Compliance pillar of ExeQuantum’s STAC Doctrine (Sovereign, Transparent, Agile, Compliant) addresses this evidence requirement directly. Compliance in the post-quantum era means verifiable evidence on demand—the ability to demonstrate cryptographic control to any stakeholder, at any time.
ExeQuantum’s PQCaaS platform helps organisations move from periodic scrambles to continuous assurance. Discover creates the cryptographic inventory that PCI DSS 4.0, DORA, and the EU PQC roadmap require. Remediate enables the algorithm transitions that CNSA 2.0 mandates on a structured timeline. Govern maintains continuous documentation so your cryptographic posture is queryable at any moment.
The goal is not just passing the next audit. It is building the infrastructure for cryptographic proof that regulators, insurers, and boards already demand. Organisations that build evidence systems now will navigate the expanding compliance landscape from a position of strength.