up:: The Mandates MOC

BSI

BSI is the Bundesamt für Sicherheit in der Informationstechnik, Germany’s Federal Office for Information Security, and its TR-02102 technical-guideline series (“Cryptographic Mechanisms: Recommendations and Key Lengths”) is the most specific, most frequently updated cryptographic algorithm guidance published by any European government body. Its current post-quantum position recommends ML-KEM and ML-DSA as the go-to post-quantum algorithms, keeps the conservative unstructured-lattice and code-based options (FrodoKEM and Classic McEliece) on the recommended list, and asks that quantum-safe key agreement be deployed in hybrid mode with a classical scheme for anything needing long-term protection.

BSI is a national government agency, not an EU advisory body, so it carries real regulatory teeth inside Germany while functioning as an authoritative reference across the rest of Europe. For any migration touching German federal systems or German critical infrastructure, TR-02102 is the document the plan gets measured against.

The short version:

  1. BSI is Germany’s national cybersecurity authority, seated in Bonn under the Federal Ministry of the Interior, established by the BSI Act (BSI-Gesetz), and its cryptographic guidance is the German counterpart to U.S. NIST/NSA key-size guidance and France’s ANSSI rulebook.
  2. The core document is TR-02102-1, updated roughly every January, which names recommended algorithms, key lengths, and periods of use as decision tables. Companion parts cover TLS, IPsec/IKEv2, and SSH.
  3. The current edition recommends ML-KEM-768 and ML-KEM-1024 for key agreement and ML-DSA-65 and ML-DSA-87 for signatures, alongside the more conservative FrodoKEM, Classic McEliece, and hash-based SLH-DSA, XMSS, and LMS options.
  4. BSI recommends hybrid, combining a post-quantum scheme with a classical one, for long-term confidentiality, and it is far more conservative than U.S. guidance on classical key sizes: it recommends 3000-bit RSA, not 2048-bit.
  5. It binds German federal government systems and KRITIS critical-infrastructure operators directly, it is the reference for compliant cryptography under Germany’s NIS2 law, and it reaches vendors through BSI’s product certification.

Think of TR-02102 as a national building code for cryptography. It doesn’t just say “use strong crypto.” It publishes an exact table for every job, this algorithm at this key length is good through this year, this one is being retired, use this replacement, so an architect can read a row and know precisely what to install and when the permit expires.

What is BSI?

BSI is Germany’s federal cybersecurity authority, responsible for the security of the federal government’s information technology and for setting the national baseline for cryptographic practice. Its full name is the Bundesamt für Sicherheit in der Informationstechnik, which translates to Federal Office for Information Security.

  1. Legal basis and standing. BSI is a federal authority within the portfolio of the Federal Ministry of the Interior (Bundesministerium des Innern), established and empowered by the BSI Act (BSI-Gesetz, the BSIG). It is headquartered in Bonn.
  2. What it does. It sets binding IT-security standards for federal government systems, publishes the TR (Technical Guideline) series that industry references, certifies products under the German Common Criteria scheme, runs the national computer emergency response team (CERT-Bund), advises the government and the Bundestag, and holds regulatory authority over critical-infrastructure operators.
  3. How it differs from ENISA. ENISA is an EU agency that produces higher-level, coordinating guidance for the whole Union. BSI is a single member state’s national authority with both advisory and regulatory functions, and its output is far more granular: exact algorithms, exact key lengths, exact dates.

BSI has a track record of moving ahead of its peers on deprecation. It raised its baseline security level and integrated the quantum threat into mechanism selection early, and it has historically retired weakening primitives sooner than counterpart bodies, which is part of why architects across Europe treat TR-02102 as an early read on where the consensus is heading.

Source: BSI, “The Federal Office for Information Security,” about BSI.

Source: BSI, TR-02102 overview, “Cryptographic Mechanisms: Recommendations and Key Lengths,” technical-guideline landing page.

What is BSI TR-02102?

TR-02102 is BSI’s cryptographic-mechanisms guideline, a set of four coordinated documents that tell German systems which cryptographic mechanisms to use, at which parameters, and for how long. The series is updated on an annual cadence, and there is no single statutory sunset date attached to the guideline itself: each new edition adjusts the recommendations and the periods of use, so the current edition is always the authority. The version in force as this note was verified is 2026-01.

The four parts, per the BSI overview page:

PartSubject
TR-02102-1Cryptographic Mechanisms, Recommendations and Key Lengths (the master algorithm and key-length guidance)
TR-02102-2Cryptographic Mechanisms for Transport Layer Security (TLS)
TR-02102-3Cryptographic Mechanisms for IPsec and IKEv2
TR-02102-4Cryptographic Mechanisms for Secure Shell (SSH)

Source: BSI, TR-02102 overview, technical-guideline landing page.

Two points about how it works change how you use it:

  1. It is written as decision tables rather than prose. For each function category, TR-02102-1 lists mechanisms with their recommended parameters and a “use up to” year where one applies. That format is what makes it directly usable by an architect configuring real systems, and more actionable than higher-level EU guidance.
  2. It targets a stated security level. TR-02102-1 sets a baseline security level of at least 120 bits (raised to 120 bits in the 2023-01 edition), and every recommended parameter set is chosen to meet or exceed it.

Source: BSI, “BSI TR-02102-1, Cryptographic Mechanisms, Recommendations and Key Lengths,” Version 2026-01, TR-02102-1 PDF, §1.1 and version history.

Who does BSI guidance bind?

BSI guidance governs German public-sector and critical-infrastructure systems directly, and it reaches the wider market through product certification and through Germany’s cybersecurity law. The audiences fall into five tiers:

  1. German federal government systems. The primary in-scope audience. BSI sets binding IT-security standards for federal systems, and TR-02102 is the cryptographic baseline those standards rest on.
  2. KRITIS critical-infrastructure operators. Operators of critical infrastructure in Germany (energy, water, transport, health, finance, and digital infrastructure) are regulated under the BSI Act, and BSI can issue mandatory security requirements for them. Cryptographic practice is a covered area, and TR-02102 is the reference BSI assessors use.
  3. NIS2 essential and important entities. Germany transposed the EU NIS2 Directive through the NIS2 Implementation Act (NIS2UmsuCG), which amended the BSI Act and entered into force on December 6, 2025, pulling roughly 29,500 organizations into scope, well beyond the prior KRITIS population. TR-02102 is the reference for what counts as compliant cryptographic practice under that regime.
  4. Vendors seeking BSI certification. Products certified under the German Common Criteria scheme are assessed against BSI’s mechanism rules, so TR-02102 reaches product makers through the certification channel.
  5. The EU private sector generally. An advisory reference outside Germany, though many European enterprises and national bodies treat TR-02102 as a de facto standard even where no legal obligation attaches. A U.S.-only entity is not bound by BSI unless it sells into the German public-sector or critical-infrastructure market.

Source: BSI, TR-02102 overview, technical-guideline landing page.

Source: Reed Smith, “Germany implements NIS2, immediate effect, broad scope, near-term registration,” 2025, analysis, for the December 6, 2025 entry into force of the NIS2UmsuCG and the expanded scope. [OPERATOR VERIFY the exact in-scope entity count and any registration deadline against the primary BSI NIS2 page before quoting them in a client deliverable; the ~29,500 figure and the March 6, 2026 registration deadline come from legal-analysis reporting, not read directly from the statute.]

Which post-quantum algorithms does BSI recommend?

BSI recommends the same core standardized post-quantum algorithms NIST selected, then keeps a set of more conservative alternatives on the list that other bodies do not emphasize, and it asks for hybrid deployment during the transition. TR-02102-1 (2026-01) is explicit about the parameter sets.

FunctionBSI-recommended optionsNotes
Key agreement (KEM)ML-KEM-768, ML-KEM-1024NIST Security Strength Categories 3 and 5, for long-term confidentiality
Key agreement, conservativeFrodoKEM-976, FrodoKEM-1344Unstructured-lattice, the conservative choice against a structured-lattice break
Key agreement, conservativeClassic McEliece (selected parameter sets)code-based, very short ciphertexts, being standardized by ISO
Digital signaturesML-DSA-65, ML-DSA-87 (hedged variant)NIST Categories 3 and 5
Digital signatures, hash-basedSLH-DSA (192s/f, 256s/f, SHA2 and SHAKE, hedged)Stateless, the conservative high-assurance option
Digital signatures, statefulXMSS / XMSSMT and LMS / HSSStateful hash-based; careful key-state management required
Symmetric encryptionAES-128, AES-192, AES-256Retained; sized for the target security level
Hash functionsSHA-256, SHA-384, SHA-512, SHA-512/256, SHA3-256/384/512Both the SHA-2 and SHA-3 families are approved

Source: BSI, TR-02102-1 Version 2026-01, PDF, §2.4 (FrodoKEM, Classic McEliece, ML-KEM), §5.3.4 (ML-DSA, SLH-DSA, stateful hash-based signatures), §2.4.3 and §5.3.4 tables 2.7 and 5.7.

Three details are distinctive:

  1. The conservative KEMs stay on the list. Where U.S. guidance leans on the structured-lattice ML-KEM alone, BSI keeps FrodoKEM (unstructured lattice) and Classic McEliece (code-based) as recommended options for entities that want a larger margin against a future break of structured-lattice cryptanalysis. NIST declined to standardize FrodoKEM because ML-KEM is more efficient, but BSI still considers it cryptographically suitable and more conservative.
  2. HQC is acknowledged. TR-02102-1 notes that NIST additionally selected the code-based KEM HQC for standardization, and BSI signals it will track that as the standard matures.
  3. The hedged variants are the recommendation. For ML-DSA and SLH-DSA, BSI recommends the randomized “hedged” variant rather than the deterministic one, a defense against fault and side-channel attacks on the signing process.

What does BSI recommend for the post-quantum transition?

BSI recommends deploying quantum-safe key agreement in hybrid mode with a classical mechanism for anything requiring long-term protection, and it names the harvest-now-decrypt-later problem directly as the reason. TR-02102-1 frames it as a “Store Now, Decrypt Later” scenario: data encrypted today with a classical scheme can be stored by an adversary and decrypted later once a quantum computer exists, so long-lived confidential data needs a post-quantum layer now.

  1. Hybrid for long-term confidentiality. BSI recommends combining a post-quantum KEM with a classical key-agreement scheme so that breaking the combination requires breaking both. The guideline provides recommended hybridization mechanisms and key-derivation constructions for doing this correctly.
  2. Timely migration of signatures. For applications with long migration times, BSI recommends a timely move to quantum-safe signature schemes, and it provides a hybrid construction that concatenates a quantum-safe signature with a classical one.
  3. A conservative classical baseline underneath. BSI’s classical key-size recommendations are already stricter than the U.S. baseline, which shortens the runway on the classical primitives that hybrid still depends on (see the timeline below).

Source: BSI, TR-02102-1 Version 2026-01, PDF, §1 (Store Now, Decrypt Later), §2.2 (Key Derivation and Hybridisation), §5.3.4.

The symmetric and hash layer is treated as a sizing question, not a replace-the-primitive question. Grover’s algorithm gives at most a square-root speedup against symmetric keys and hashes, so AES and the SHA-2 and SHA-3 families remain approved at appropriate sizes. The asymmetric layer is where the transition concentrates.

What is the BSI cryptographic timeline?

BSI’s timeline lives inside the annual TR-02102 tables as recommended parameters and “use up to” years rather than as one headline deadline. The dates below are the load-bearing ones in the current editions.

ProvisionBSI positionSource
Baseline security levelAt least 120 bits (raised in the 2023-01 edition)TR-02102-1 §1.1
RSA recommended key length3000-bit modulus (2800-bit is the minimum for the 120-bit level)TR-02102-1 Tables 1.1 and 1.2
RSA legacy allowance2000-bit RSA conformance was extended only through the end of 2023TR-02102-1 version history
DSA signaturesRecommended only until 2029, due to low prevalence and discontinuation elsewhereTR-02102-1 §1.1
TLS 1.2Recommended only until the end of 2031 (no quantum-safe path defined for it)TR-02102-2 §3.1
Classical (EC)DHE groups in TLS 1.3Sole use recommended only until the end of 2031TR-02102-2 Table 10
RSA signatures with PKCS#1 v1.5 paddingDiscontinued in the TR-02102-2 2026-01 editionTR-02102-2 version history
Hybrid PQC key agreement for TLSIntended, once the IETF draft becomes an RFC (see below)TR-02102-2 Table 10 note

Source: BSI, TR-02102-1 Version 2026-01, PDF; BSI, TR-02102-2 Version 2026-01, PDF.

For TLS specifically, BSI has stated its intended post-quantum path but has not yet made it a live recommendation. The TR-02102-2 note reads that BSI “intends to recommend the quantum-safe hybrid key agreement mechanisms SecP256r1MLKEM768 and SecP384r1MLKEM1024” from the IETF Internet-Draft draft-ietf-tls-ecdhe-mlkem as soon as the corresponding RFC is adopted. So the concrete BSI hybrid TLS groups are elliptic-curve P-256 and P-384 paired with ML-KEM-768 and ML-KEM-1024, not the X25519 pairing, and they carry an intended-pending-RFC status rather than a present mandate.

Source: BSI, TR-02102-2 Version 2026-01, PDF, Table 10 note; IETF, “Post-quantum hybrid ECDHE-MLKEM key agreement for TLSv1.3,” draft-ietf-tls-ecdhe-mlkem.

How does BSI compare to CNSA 2.0 and ANSSI?

BSI sits between the two on strategy. It endorses the same standardized algorithms as everyone, it shares France’s hybrid instinct for the transition, and it is the most conservative of the three on classical key sizes, while the U.S. CNSA 2.0 moves to single post-quantum algorithms on a fixed schedule.

DimensionBSI (Germany)ANSSI (France)CNSA 2.0 (U.S. NSS)
Transition patternHybrid recommended for long-term confidentialityHybrid-first, a standing requirementSingle post-quantum algorithm per function
Conservative KEM optionsFrodoKEM and Classic McEliece kept on the listFrodoKEM offered as a conservative optionML-KEM only
Classical RSA baseline3000-bit RSA recommendedAligns with EU conservative sizing3072-bit RSA in the classical set
Primary forcing leverAnnual TR-02102 tables plus KRITIS and NIS2 obligations2027 certification cutoff for long-term-security productsDated adoption schedule toward the 2030s
Update cadenceAnnual (roughly each January)Position paper plus periodic guide revisionsFixed milestone schedule

Source: BSI, TR-02102-1 Version 2026-01, PDF; NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022, CNSA 2.0 advisory.

Germany and France co-led the EU’s coordinated work on the post-quantum transition, and their national positions largely agree on hybridization, which is why a plan built for a French client under ANSSI usually maps cleanly onto BSI’s expectations, while a plan built for a U.S. federal client under CNSA 2.0 may not carry the hybrid layer BSI wants.

How does BSI relate to the other mandates and standards?

BSI is Germany’s node in a wider European and transatlantic stack, endorsing the NIST algorithms and connecting to the EU regulatory pressure.

  1. ANSSI (France). The closest peer on strategy, sharing the hybrid instinct through the transition.
  2. NIST FIPS suite. BSI recommends the same standardized primitives, ML-KEM, ML-DSA, and SLH-DSA, and tracks FN-DSA and HQC as they mature.
  3. CNSA 2.0 and NIST IR 8547 (U.S.). The contrast case: single-algorithm and schedule-driven rather than hybrid-recommended.
  4. The EU Cyber Resilience Act and NIS2. The regulatory pressure that makes TR-02102 the practical reference for compliant cryptography inside Germany.
  5. Crypto-agility. BSI publishes its own guidance on cryptographic agility for PQC transitions, reflecting the same annual-revision philosophy the TR-02102 series is built on.

Common misconceptions

  1. “BSI lets you keep RSA-2048 until 2030.” It does not. TR-02102-1 recommends a 3000-bit RSA modulus, sets 2800 bits as the minimum for its 120-bit security level, and extended conformance for 2000-bit RSA only through the end of 2023. BSI is stricter on classical key sizes than U.S. guidance, so a “2048 is fine for now” assumption that holds for some frameworks fails against BSI.
  2. “BSI’s hybrid TLS group is X25519 plus ML-KEM-768.” The groups BSI has stated it intends to recommend are SecP256r1MLKEM768 and SecP384r1MLKEM1024, built on the P-256 and P-384 curves, and they are pending the relevant IETF RFC rather than being a live recommendation yet.
  3. “BSI only recommends ML-KEM.” BSI keeps FrodoKEM and Classic McEliece on its recommended list as conservative alternatives, which is a more cautious posture than picking the single most efficient structured-lattice scheme.
  4. “TR-02102 is just advisory.” For German federal systems, KRITIS operators, and NIS2-obligated entities, conformance is effectively required through BSI’s standards, its regulatory authority, and its certification process. Advisory-across-the-EU and binding-inside-Germany are both true at once.
  5. “BSI and ENISA are the same kind of body.” ENISA is an EU coordinating agency producing higher-level guidance; BSI is a national authority with regulatory power and far more granular technical output.
  6. “There’s a single BSI deadline to plan around.” TR-02102 is revised annually, and its obligations live as per-mechanism “use up to” years and periods of use, so the current edition, not one fixed date, is always the thing to check.

Questions people ask

Is BSI guidance law or recommendation? Both, depending on the audience. TR-02102 is a technical guideline rather than a statute, but it is the binding cryptographic baseline for German federal systems and the reference BSI uses when assessing KRITIS operators and NIS2-obligated entities. For the general EU private sector it is strongly authoritative guidance rather than a direct legal obligation.

Does BSI apply to a U.S. company? Only if that company operates German systems, is a German critical-infrastructure or NIS2 entity, or needs BSI certification to sell products into the German public sector or critical infrastructure. A purely domestic U.S. entity is governed by CNSA 2.0 and NIST IR 8547, not BSI. A company operating in both jurisdictions plans for both.

Which post-quantum algorithms does BSI say to use? ML-KEM-768 and ML-KEM-1024 for key agreement, and ML-DSA-65 and ML-DSA-87 (hedged) for signatures, with FrodoKEM, Classic McEliece, SLH-DSA, XMSS, and LMS as conservative or specialized alternatives. For long-term confidentiality, BSI recommends deploying the KEM in hybrid mode with a classical scheme.

What key size does BSI want for RSA? A 3000-bit modulus is the recommended length, and 2800 bits is the minimum to reach the guideline’s 120-bit security level. The old 2000-bit allowance expired at the end of 2023, so BSI is meaningfully more conservative on RSA than the 2048-bit figure common in older U.S. guidance.

How often is TR-02102 updated? Annually, typically each January, which is one reason architects treat it as an early read on where cryptographic consensus is heading. The current in-force edition is 2026-01. There is no single statutory deadline attached to the series; each new edition supersedes the last.

Does BSI recommend hybrid cryptography? Yes, for long-term confidentiality. BSI recommends running a post-quantum KEM in hybrid mode with a classical key-agreement mechanism, and it provides the hybridization and key-derivation constructions for doing it. It cites the Store Now, Decrypt Later threat as the reason.

What is BSI’s plan for post-quantum TLS? BSI has stated it intends to recommend the hybrid groups SecP256r1MLKEM768 and SecP384r1MLKEM1024 from the IETF ECDHE-MLKEM Internet-Draft once that draft is published as an RFC. Until then, TR-02102-2 recommends the classical (EC)DHE groups for TLS 1.3 only through the end of 2031.

How does BSI compare to ANSSI? They are closely aligned. Both share the hybrid instinct for the transition and both keep FrodoKEM on their conservative-option list. The main difference is that ANSSI runs a hard 2027 certification cutoff for long-term-security products, while BSI’s forcing pressure comes through its annual tables and its KRITIS and NIS2 authority.


Everything here is the map, given freely. When your team needs BSI’s TR-02102 tables and hybrid recommendation translated into a migration plan sequenced against your own German and EU systems and their deadlines, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.