In December 2021, the Hungarian Parliament amended the Act on Electronic Information Security of State and Local Government Bodies in order to define the basic requirements for post-quantum encryption, designate the authority responsible for the topic and define the scope of the post-quantum encryption obligation. The amendments will take effect on July 1, 2022.
Why is this necessary?
Advances in quantum computing promise that calculations which may take a very long time (up to thousands of years) on conventional computers could be carried out in minutes or even seconds. Of course, these new possibilities also bring new (data protection) risks, especially in the field of data security and encryption. Although the development of practical quantum computers is likely to take a longer period of time, preparing for the post-quantum era is particularly important for organisations where the security of the processed data and information is critical to their operation, especially if the data must be retained for a long time: in that case the retention period may extend into the post-quantum era, and data encrypted according to old standards could be cracked. (Please see my previous post about the ENISA publication that may help organisations prepare for the post-quantum era.)
What is post-quantum encryption?
The new rules introduce the concept of post-quantum encryption. Post-quantum encryption means encryption provided by a post-quantum application or solution that resists a mathematically plausible quantum computer-based attack, in which the communication between the two endpoints is used to establish a shared key through the data transfer between the two end users, without the key being disclosed to an unauthorised third party.
Which organizations should use post-quantum encryption?
The organisations required to apply post-quantum encryption will be defined in a decree of the Chairman of the Authority for Regulated Activities. The following organisations may be subject to the post-quantum encryption obligation:
- organisations obliged to use government networks (on the basis of Government Decree 346/2010 (XII. 28.)),
- banks under the Act on Credit Institutions and Financial Undertakings, and
- public utility service providers subject to the laws specified in Annex 1 to the Act on Electronic Information Security of State and Local Government Bodies (including the Natural Gas Supply Act, the Act on the Security Storage of Natural Gas, the Electricity Act, the Distant Heating Act, the Water Utilities Act, and the Waste Act).
What rules must organisations subject to the post-quantum encryption obligation follow?
The applicable rules can be divided into three parts:
- the protection of the organisations obliged to apply post-quantum encryption,
- the conditions for the organisations providing post-quantum encryption services, and
- the provisions applicable to certification bodies.
Following the entry into force of the provisions on post-quantum encryption on 1 July 2022, the President of the Authority for Regulated Activities shall specify the following in a decree:
- the organisations obliged to apply post-quantum encryption,
- detailed rules for the registration of organisations providing a post-quantum encryption application, and
- detailed rules for certifying the integrity of the IT components of organisations providing a post-quantum encryption application.
After the expiry of the 60-day period following the entry into force of the decree of the President of the Authority for Regulated Activities, organisations obliged to apply post-quantum encryption shall apply the new post-quantum encryption rules.