up:: The Mandates MOC

ETSI

ETSI is the European Telecommunications Standards Institute, a recognized European standards organization whose Quantum-Safe Cryptography work, run inside Technical Committee CYBER, writes the protocol-level and telecom-sector guidance that sits one layer beneath the NIST algorithm standards. Where NIST published the algorithms themselves in FIPS 203, FIPS 204, and FIPS 205, ETSI writes the specifications for how those algorithms slot into real protocols and real networks, and its flagship post-quantum deliverable, TS 103 744, specifies how to combine a classical key exchange with a post-quantum KEM in a hybrid construction.

For a European telecom operator, a network-equipment vendor, or an organization that relies on EU-legal electronic signatures, ETSI is the body whose documents decide what “compliant” cryptography actually means at the wire and protocol level.

ETSI works as a standards body rather than a regulator, and it carries no migration deadline of its own. Its output is technical specifications that get pulled into EU regulation by reference, so ETSI’s TS documents become the cryptographic baseline that eIDAS electronic signatures, the NIS2 telecom obligations, and the European certification schemes measure conformance against.

The short version:

  1. ETSI is a European standards organization headquartered in Sophia-Antipolis, France, officially recognized by the EU alongside CEN and CENELEC, with roughly 900 member organizations across telecom operators, equipment vendors, regulators, and research bodies.
  2. Its post-quantum work lives in Technical Committee CYBER’s Quantum-Safe Cryptography group, which has spent about a decade producing threat analyses, security models, and hybrid-scheme specifications rather than new algorithms.
  3. The load-bearing deliverable is TS 103 744, “Quantum-safe Hybrid Key Exchanges,” which specifies combiner constructions, parameter sets, and test vectors for running a classical key exchange and a post-quantum KEM together.
  4. ETSI’s algorithm positions align with NIST, BSI, and ENISA on ML-KEM and ML-DSA, so ETSI is a useful third voice when a client wants transatlantic and European consensus on the migration targets.
  5. ETSI TS documents get referenced into EU regulation, so TS 119 312 gates whether post-quantum signatures can be used for legally-binding EU electronic signatures, and ETSI standards feed the NIS2 telecom obligations and the European certification schemes.

Think of NIST as the body that certified the new lock, and ETSI as the body that writes the installation manual for putting that lock into a specific door frame. NIST tells you the algorithm is sound. ETSI tells a telecom operator exactly how to wire it into a 5G core, a network-management interface, or an EU-legal signature, at which parameters, with test vectors so two vendors’ implementations actually interoperate.

What is ETSI?

ETSI is the European Telecommunications Standards Institute, a non-profit standards development organization that produces technical standards for telecommunications, broadcasting, and the wider digital infrastructure that carries them. Its standards are used well beyond Europe, because a specification that governs mobile networks or electronic signatures tends to become a reference for everyone building compatible equipment.

  1. Legal status and standing. ETSI is a non-profit standardization organization officially recognized by the EU as a European Standards Organization, alongside CEN and CENELEC. That recognition is what lets ETSI specifications be adopted as European Norms with regulatory weight.
  2. Seat and membership. It is headquartered in Sophia-Antipolis in the south of France, and its membership runs to roughly 900 organizations from around 65 countries, spanning telecom operators, network-equipment vendors, national regulators, governments, and research institutions.
  3. What it produces. ETSI issues several document classes. A Technical Specification (TS) is a normative standard meant to be implemented, a Technical Report (TR) is informative background, a Group Report (GR) is background technical analysis, and a European Norm (EN) is a specification adopted with regulatory standing across the EU.
  4. Where the mobile-network standards come from. ETSI is one of the organizational partners that hosts 3GPP, the body that writes the security standards for 4G, 5G, and 6G, so a large share of the world’s mobile-network cryptography traces back through the ETSI orbit.

Source: ETSI, “Quantum-Safe Cryptography,” technology overview, etsi.org/technologies/quantum-safe-cryptography.

What is ETSI’s Quantum-Safe Cryptography work?

ETSI’s post-quantum work is run by the Quantum-Safe Cryptography group inside Technical Committee CYBER, which began as a separate Industry Specification Group and has spent roughly a decade producing technical recommendations and specifications for deploying post-quantum cryptography. Its remit is deliberately different from NIST’s. It does not select or standardize algorithms. It writes the guidance for integrating the algorithms other bodies standardized into protocols, network architectures, and industry sectors, with telecommunications, IoT, and smart grids as its home territory.

The deliverables that carry the weight:

DocumentSubject
ETSI GR QSC 001Quantum-Safe Cryptography: the foundational threat analysis and recommendations for action, one of the first formal European assessments of the quantum threat to deployed cryptography
ETSI GR QSC 006A formal security model for quantum-safe schemes, the definitional framework for evaluating post-quantum security claims
ETSI TS 103 744Quantum-safe Hybrid Key Exchanges: the normative specification for combining a classical key exchange with a post-quantum KEM
ETSI TS 119 312Cryptographic Suites for Electronic Signatures and Seals: the eIDAS-facing standard that governs which algorithms are allowed for legally-binding EU signatures

Source: ETSI, “Quantum-Safe Cryptography,” etsi.org/technologies/quantum-safe-cryptography; ETSI, “TS 103 744, Quantum-safe Hybrid Key Exchanges,” CYBER project repository, forge.etsi.org/rep/cyber/103744_QHKEX.

The pattern across all of it is protocol-level and sector-level specificity. NIST answers “which algorithm,” and ETSI answers “how does that algorithm go into a real telecom network, at which parameters, so that two vendors interoperate and a European regulator accepts it.”

What is ETSI TS 103 744?

TS 103 744 is ETSI’s specification for quantum-safe hybrid key establishment, the document that tells implementers how to run a classical key exchange and a post-quantum KEM together and combine their outputs into a single session key that stays secure as long as either half holds. It is the European counterpart to the IETF’s hybrid work, and it goes further than a bare protocol draft by shipping combiner constructions, fixed parameter sets, test vectors, and an informative reference implementation so that independent products actually interoperate.

  1. What it specifies. The specification defines combiner constructions that mix a classical shared secret, typically from elliptic-curve Diffie-Hellman, with a post-quantum shared secret from a KEM such as ML-KEM, enumerates the parameter sets, and provides test vectors so an implementation can be checked against a known-good reference.
  2. Why hybrid. The construction is a defense-in-depth move for the transition. A future quantum computer that breaks the classical half still faces the post-quantum half, and if the younger post-quantum scheme turns out to have a flaw, the proven classical scheme is still standing. This is the same hybrid logic that ANSSI and BSI build their national positions on.
  3. The current edition. The first published edition was V1.1.1 in December 2020, and ETSI has since issued an updated edition, V1.2.1, that codifies two combiner constructions, enumerates fixed parameter sets, and ships with test vectors and reference code to speed adoption.

Source: ETSI, “ETSI TS 103 744 V1.1.1 (2020-12), CYBER; Quantum-safe Hybrid Key Exchanges,” ts_103744v010101p.pdf; ETSI CYBER, “TS 103 744 Quantum-safe Hybrid Key Exchanges,” project repository and releases, forge.etsi.org/rep/cyber/103744_QHKEX. [OPERATOR VERIFY the exact V1.2.1 publication date against the ETSI deliver server before quoting it in a client deliverable; the V1.2.1 edition is confirmed to exist and to add the second combiner, but the precise release date was read from secondary reporting rather than from the primary PDF header.]

Who does ETSI guidance reach?

ETSI produces standards rather than statutes, so its reach runs through the EU regulations and certification schemes that reference its documents rather than through direct legal obligation. The audiences fall into four tiers:

  1. Telecom operators and network-equipment vendors. The primary audience. Mobile-network security standards flow through 3GPP, which ETSI hosts, and the vendors that build core-network, backhaul, and management equipment (the Ericssons and Nokias of the market) track ETSI and 3GPP output as the specification they build to.
  2. EU electronic-signature service providers. The EU’s eIDAS regulation requires qualified electronic signatures to use cryptographic suites specified in ETSI TS 119 312. Until that standard is updated to include post-quantum algorithms, post-quantum signatures cannot be used for legally-binding EU electronic signatures, which makes ETSI the gating body for that migration.
  3. Entities under EU certification and NIS2. The European certification schemes reference ETSI standards for their cryptographic requirements, so an ETSI TS becomes the technical baseline for what “meets the standard” means, and the NIS2 telecom-sector obligations lean on ETSI specifications as the sector-specific implementation guidance.
  4. The wider market, as a credibility reference. Even where no EU obligation attaches, ETSI publications are authoritative technical references, and the fact that ETSI, BSI, and ENISA all endorse the same ML-KEM and ML-DSA targets is useful evidence that the migration destination is a genuine consensus rather than one country’s preference.

Source: ETSI, “Quantum-Safe Cryptography,” etsi.org/technologies/quantum-safe-cryptography.

Which post-quantum algorithms does ETSI endorse?

ETSI’s Quantum-Safe Cryptography group endorses the NIST-standardized algorithms as the primary post-quantum recommendations, consistent with ENISA and BSI, and it adds value on top of that endorsement rather than picking a different algorithm set. The value it adds is the integration layer.

  1. The algorithms. ETSI points at ML-KEM for key establishment and ML-DSA and SLH-DSA for signatures, the same core set NIST standardized and Germany’s BSI and France’s ANSSI recommend.
  2. Protocol-level specificity. ETSI writes how those algorithms integrate into TLS, SSH, and IPsec at the implementation level, which is guidance NIST’s algorithm standards do not provide.
  3. Sector-specific guidance. It writes deployment guidance for telecom, IoT, and smart-grid contexts, where artifact size and constrained hardware change the calculus.
  4. Hybrid construction definitions. Through TS 103 744, ETSI formalizes hybrid combiner constructions so that independent implementations interoperate, which is a coordination job that pure algorithm standards leave open.

Source: ETSI, “Quantum-Safe Cryptography,” etsi.org/technologies/quantum-safe-cryptography.

How does ETSI relate to the other mandates and standards?

ETSI is the European protocol-and-telecom node in a wider standards stack, endorsing the NIST algorithms and complementing the national and EU bodies with implementation-level detail.

  1. NIST FIPS suite. ETSI adopts the algorithms NIST standardized and builds the integration guidance on top of them, so the relationship is complementary rather than competitive.
  2. ENISA. The EU cybersecurity agency produces broader coordinating guidance, and ETSI TS publications become the technical baseline that ENISA’s certification schemes reference for cryptographic requirements.
  3. BSI and ANSSI. The German and French national bodies set binding national positions, and ETSI shares their algorithm endorsements and their hybrid instinct, with TS 103 744 giving the hybrid construction a formal European specification.
  4. IETF PQUIP. The IETF writes the internet-protocol PQC guidance, and ETSI’s TS 103 744 is the European counterpart to the IETF hybrid key-exchange work, aligned on the same combine-classical-with-post-quantum idea.
  5. The EU Cyber Resilience Act and NIS2. The EU regulations that give ETSI specifications their teeth, by referencing them as the technical baseline for compliant product security and sector obligations.

Common misconceptions

  1. “ETSI standardizes post-quantum algorithms.” It does not. NIST standardized the algorithms. ETSI writes the specifications for integrating them into protocols and networks, and it formalizes hybrid constructions through TS 103 744.
  2. “ETSI is a regulator with a deadline.” ETSI is a standards body, not a regulator, and it carries no migration deadline of its own. Its documents acquire regulatory weight only when EU regulation references them, as eIDAS references TS 119 312.
  3. “ETSI and ENISA are the same body.” ENISA is the EU cybersecurity agency producing broad coordinating guidance. ETSI is a standards development organization producing granular technical specifications. ENISA’s certification schemes reference ETSI’s standards.
  4. “You can use post-quantum signatures for EU-legal documents now.” Not yet for qualified electronic signatures. That path requires TS 119 312 to be updated to include post-quantum algorithms, so a qualified-signature estate cannot migrate to post-quantum until that standard lands.
  5. “ETSI’s hybrid spec and the IETF’s are competing standards.” They are aligned counterparts, both specifying a classical key exchange combined with a post-quantum KEM. ETSI TS 103 744 is the European specification with parameter sets and test vectors; the IETF work is the internet-protocol path.

Questions people ask

Is ETSI a mandate or a standards body? A standards body. ETSI produces technical specifications rather than laws, and those specifications carry regulatory weight only where EU regulation references them, as eIDAS references TS 119 312 for qualified electronic signatures.

What is ETSI TS 103 744? ETSI’s specification for quantum-safe hybrid key establishment, which defines how to combine a classical key exchange with a post-quantum KEM into one session key, with combiner constructions, parameter sets, and test vectors so independent implementations interoperate. It is the European counterpart to the IETF hybrid key-exchange work.

Which post-quantum algorithms does ETSI endorse? The NIST-standardized set, ML-KEM for key establishment and ML-DSA and SLH-DSA for signatures, aligned with ENISA and BSI. ETSI’s contribution is the protocol-level and telecom-sector integration guidance layered on top.

Why does ETSI matter for a telecom client? Because mobile-network security standards flow through 3GPP, which ETSI hosts, and because equipment vendors build to ETSI and 3GPP specifications. A telecom operator’s migration question is what its vendors’ timelines are for post-quantum-capable network software, and ETSI is where the sector-level answer is written.

What does ETSI have to do with EU electronic signatures? The eIDAS regulation requires qualified electronic signatures to use cryptographic suites specified in ETSI TS 119 312. Post-quantum signatures cannot be used for legally-binding EU signatures until that standard is updated, so ETSI is the gating body for that specific migration.

How does ETSI compare to NIST? They are complementary. NIST standardized the algorithms; ETSI writes how to put them into real protocols and networks. When ETSI, BSI, and ENISA all endorse the same ML-KEM and ML-DSA targets, that is strong evidence the migration destination is a genuine transatlantic and European consensus.


Everything here is the map, given freely. When your team needs ETSI’s telecom and hybrid-key-exchange guidance translated into a migration plan sequenced against your own network, your vendors, and the EU deadlines that reach you, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.