ENISA updates crypto mechanisms: public review open until July
ENISA has opened a public consultation on ACM v3 that runs until the end of July 2026. Companies can comment on the suites and key sizes that will guide EUCC and the European security “state of the art.”
On 2 June 2026, ENISA opened the public consultation for version 3 of the Agreed Cryptographic Mechanisms (ACM), the list of “preferred” mechanisms used as an operational reference for products seeking EUCC certification. The consultation runs until the end of July 2026; v2 remains applicable until v3 is finalized.
What’s new
The draft ACM v3 is published with a comprehensive changelog versus v2 (mid‑2025). It covers TLS suites, key sizes, modes of operation, KDFs, PRNGs, signatures, and key exchanges that are recommended within EUCC evaluations.
Legal and compliance context
- Cybersecurity Act and EUCC: ENISA coordinates schemes and guidelines to harmonize assessments. The ACM is the “preferred” crypto reference for EUCC.
- GDPR (Art. 32): adopting recognized mechanisms helps demonstrate appropriate measures and the security “state of the art.”
- NIS 2 (Art. 21): ACM‑aligned choices support evidence of proportional and mature controls.
- DORA: for financial institutions, referencing ACM/EUCC strengthens justification of technical control robustness.
What this means for Luxembourg companies
- IT/Product: commenting on v3 lets you shape concrete choices (suites, sizes, modes, signatures) that will drive roadmaps, migrations, and interoperability.
- Secure solution providers: early alignment with ACM v3 reduces gaps in future EUCC certification and regulatory audits; avoiding soon‑to‑be‑deprecated mechanisms limits costly re‑implementations.
- CISO/CTO: anticipate deprecation and plan crypto migration paths (including, over time, post‑quantum when referenced). At‑rest/in‑transit encryption, software artifact signing, HSM/enclave use, and key lifecycle governance are directly impacted. Consider cyber leadership with an externalized CISO to accelerate technical and regulatory alignment.
Immediate next steps
- Map your crypto usage and compare with ACM v3 (TLS, key sizes, signatures/exchanges, PRNGs, AEAD, encrypted storage, code signing). Flag high‑risk gaps.
- Submit comments to ENISA before end of July: feasibility, partner/client interoperability, and performance impacts (including constrained and embedded systems).
- Adjust compliance roadmaps: align crypto policies and procurement, plan migrations (libraries, HSM, certificates), update security documentation (Art. 32 evidence), and integrate changes into NIS 2/DORA programs and testing plans.
Sources
- Participate to the public review of the new draft of “Agreed Cryptographic Mechanisms”
- EUCC Guidelines on Cryptography
Article generated by Luxgap regulatory watch.