The threat The audit Process Request an audit

For banks, energy and European critical infrastructure

We help you make your cryptography quantum-ready.

Our audits run on your own systems, map every weakness to a real business risk, and deliver a signed evidence pack your board, supervisors and insurers can verify.

Audits aligned to DORA NIS2 ENISA NIST FIPS 203 / 204 / 205

The threat · already underway

Harvest now.
Decrypt later.

The data you encrypt today is already being copied and stored — quietly, at scale, by adversaries who cannot read it yet. They don't need to. The day a cryptographically relevant quantum computer arrives, every RSA and elliptic-curve key breaks at once, and everything harvested is decrypted in retrospect. The secrets you keep this year are the breaches of the next decade.

See how we find the exposure

The audit

Three deliverables. One signed pack.

Every Quantum Readiness Audit produces the same three things — the evidence DORA and NIS2 ask for, in open formats you can verify without us.

Deliverable 01

A living CBOM

A Cryptographic Bill of Materials covering every algorithm, key and certificate in scope. Each entry is tied to the business service that depends on it and the regulation that governs it — a register you keep current, not a snapshot that ages.

Deliverable 02

A risk-ranked roadmap

Every asset scored on algorithm strength, data sensitivity, exposure and regulatory urgency, then phased into immediate, planned and opportunistic waves. Your board sees the order of work — and the reasoning behind it.

Deliverable 03

A signed evidence pack

The whole set delivered as a cryptographically signed archive — every file hashed and signed, so any later change is detectable. An auditor can verify it offline, without ever contacting Kvantis.

How it works

From scoping call to board read-out.

Four steps, a fixed scope and fee, and no production access at any point. Typical elapsed time is two to four weeks — a few hours of your team's time, not weeks.

01

Scope

A 30-minute call to agree which systems, services and data stores are covered, and who owns each. Scope and fee are fixed in writing before work starts.

30 minutes · no production access
02

Inventory

Built from your own configuration exports, certificate lists and code references, on your own infrastructure. Nothing is uploaded to Kvantis.

~2 hours of your team
03

Analysis

Each asset is risk-scored and mapped to its DORA and NIS2 obligations and its post-quantum target. No effort required from your side.

No effort from your team
04

Read-out

A board-level presentation with a 90-day plan for the assets that cannot wait — a deck for directors, a technical report for engineers.

One meeting · 2–4 weeks end to end

Aligned to the mandates that govern European resilience.

01

DORA

Digital Operational Resilience Act — Article 9(4)(d) and the ICT-risk RTS on encryption and cryptographic controls.

02

NIS2

Article 21 security and documentation duties — including policies on the use of cryptography — with personal liability for management.

03

ENISA

European Union Agency for Cybersecurity guidance and reference practice.

04

NIST PQC

Standardised post-quantum algorithms: ML-KEM, ML-DSA and SLH-DSA.

Book a scoping call

Tell us what you protect.

No production access, nothing uploaded, and a fixed scope and fee agreed in writing before any work begins. Every message is read by the team, not a sales queue, and answered within one business day.

Read by the team, not a sales queue, and answered within one business day.

Thanks — your enquiry has been sent. Prefer to talk first? Call +47 47 63 99 64. Either way, you'll hear back within one business day.

Something went wrong. Please email us directly at info@kvantis.no or call +47 47 63 99 64.