ENISA (the EU Agency for Cybersecurity) has published the first draft of Version 3 of the Agreed Cryptographic Mechanisms (ACM) document
The draft, authored by the ECCG (European Cybersecurity Certification Group), follows on from version 2.0 (May 2025) and marks a significant realignment – defining which cryptographic functions are accepted by all national cybersecurity certification authorities (NCCAs) for products undergoing European Cybersecurity Certifications.
The ACM document is a key resource for developers and evaluators, as well as users of cryptography, to assess and select state-of-the-art cryptographic mechanisms that best suit their specific security objectives.
In this article, we unpack the changes and explain what this means for the post-quantum era.
‘Admissible’ replaces ‘Legacy’
With quantum threats advancing, it’s likely that algorithm lifespans need rethinking. With that in mind, ENISA defines the proactive ‘Admissible’ tag to replace ‘Legacy’ when referring to vulnerable mechanisms.
Admissible mechanisms that are expected to become vulnerable in the short term are given a notation such as A[2033] – in this case indicating that the algorithm expires on December 31, 2033. The new notation A[2033+] signifies that the mechanism is safe for now and will remain acceptable at least until 2033, with the potential for extensions.
ENISA clarifies that ‘greenfield’ systems must use recommended mechanisms rather than admissible, and that the use of admissible mechanisms now requires formal justification (for example, backward compatibility).
What has ENISA added to the Agreed list?
- EdDSA – formally included as a new agreed mechanism for digital signatures
- Extendable-Output functions (XOFs)
- Argon2-ID – the new mechanism for secure password hashing
- Hybridization and TLS – explicit additions for hybrid (PQ/T) focusing on bridging the gap between traditional and post-quantum
What has been removed?
Version 3 removes the following mechanisms, which were deprecated in 2025.
| Mechanism type | What is removed/prohibited? |
|---|---|
| Assymetric/Public Key | RSA Modulus < 3000 bits, FF-DLOG Modulus < 3000 bits |
| Hashing | SHA-224, SHA-512/224 |
| Diffie-Hellman Groups | 2048-bit MODP Group, 2048-bit FFDHE Group |
| Protocols and modes | MAC-then-Encrypt, Encrypt-and-MAC, obsolete TLS v1.2 Cipher Suites |
It’s worth noting that FF-DSA was deprecated by NIST in the US, but remains usable under strict conditions in Europe with updated justifications.
AES key length
It has been suggested previously that the quantum threat requires an immediate doubling of symmetric key lengths (for example, AES-256 rather than AES-128).
However ENISA points out that key doubling is not strictly necessary for PQC use. The suggestion here is a key length of k ≥ 192.
Future updates to the ACM
Appendix C of ENISA’s draft details how the document will adapt in the future, including the pipeline for new algorithms.
To be included in future versions of the ACM, candidate algorithms should be:
- Standardized
- Stable for a minimum of two years
- Versatile (having a generic purpose with multiple use cases)
- Highly secure (125-bit security to enter at the ‘Recommended’ tier)
- Peer-reviewed (including academia, side-channel analysis, fault-attack testing and with public documentation)
Conclusion
Version 3 of ENISA’s Agreed Cryptographic Mechanism document is not a minor update. It’s a structural realignment for the post-quantum era, and it’s likely to define the EUCC certification of cryptographic products of the future.
The public review is open until the end of July 2026. It’s certainly worth noting the formal removal of mechanisms that were deprecated in 2025, and the definition of “Admissible mechanisms” with validity possibly extending beyond 2033, allowing for a more gradual migration of complex large-scale deployments meeting an acceptable level of security for the foreseeable future.
This concept represents a deviation from the approach recommended by NIST and CNSA 2.0, where “Deprecated” and “Disallowed” mechanisms are all mandated to be phased out by no later than 2033 with no extensions proposed.
For PQShield, it’s another fascinating moment in the story of crypto modernization, showing the central importance of updating cyber security in the face of future threats.
You can find out more about the Agreed Cryptographic Mechanisms document here.
You can also find out how PQShield is solving the problem of post-quantum migration across hardware and software, with our range of PQC-compliant solutions here.