# Part B Section 2 — Impact **Proposal:** Post-Quantum Cryptography Integration for EU Critical Infrastructure **Call:** HORIZON-CL3-2025-CS-ECCC-06 **Budget:** €2.8M (€2.0M EU contribution) **Section:** Impact (30 points) **Date:** 2025-11-06 --- ## 2.1 Expected Outcomes and Pathways to Impact ### Expected Outcomes (Call ECCC-06 Alignment) This project directly addresses the expected outcomes defined in call topic HORIZON-CL3-2025-CS-ECCC-06: **Outcome 1: Quantum-Safe Cryptographic Systems for Critical Infrastructure** - **Achievement:** Integration of 3 NIST-standardized PQC algorithms (CRYSTALS-Kyber FIPS 203, CRYSTALS-Dilithium FIPS 204, SPHINCS+ FIPS 205) into VaultMesh receipt engine, validated at TRL 6 across 3 operational pilots (France, Czech Republic, Greece) - **Evidence:** Deliverable D2.3 (PQC Implementation Report M14), Deliverable D5.1 (Pilot Assessment Report M20) **Outcome 2: Migration Pathways from Classical to Post-Quantum Cryptography** - **Achievement:** Hybrid transition layer enabling dual-signature mode (classical + PQC parallel) with 100% backward compatibility, validated across 15+ federation nodes - **Evidence:** Deliverable D2.2 (Hybrid Transition Protocol M11), KPI I4 (15+ cross-border federation nodes operational by M24) **Outcome 3: EU Digital Sovereignty and NIS2/DORA Compliance** - **Achievement:** 100% peer-to-peer sovereign data exchange (no third-party cloud intermediaries), full GDPR Art. 5(1)(f) and Art. 25 compliance demonstrated in pilots - **Evidence:** KPI I4 (Sovereign Data Exchange), Deliverable D5.3 (Legal & Ethics Assessment M24) **Outcome 4: Cost Reduction and Operational Efficiency** - **Achievement:** 30% audit cost reduction (measured in pilot benchmarks), 50% faster incident detection (Ψ-Field anomaly detection), <€0.01 per cryptographic receipt (batched anchoring) - **Evidence:** KPI I1 (Compliance Cost Reduction), KPI I2 (Incident Response Improvement), Deliverable D5.1 (Pilot Assessment M20) --- ### Quantitative KPI Dashboard (18 Measurable Targets) The following table summarizes all 18 project KPIs across Excellence, Impact, and Implementation dimensions. Full details in **PQC_KPI_Dashboard.md**. | **Category** | **KPI** | **Baseline (M0)** | **Target (M24)** | **Verification Method** | **Measurement Frequency** | |--------------|---------|-------------------|------------------|-------------------------|---------------------------| | **Excellence** | TRL Level | 4 (Lab validation) | 6 (Pilot validation) | External TRL audit by independent evaluator | M12, M24 | | **Excellence** | PQC Algorithms Integrated | 0 | 3 (Kyber, Dilithium, SPHINCS+) | Code repository tags + unit test coverage | Monthly | | **Excellence** | Receipt Throughput | 1,000/day | 10,000/day | Benchmark tests (D2.2) | Quarterly | | **Excellence** | Peer-Reviewed Publications | 0 | 10+ (top-tier venues: IEEE S&P, ACM CCS, Usenix Security) | DOI links in D5.3 | M12: 3, M18: 7, M24: 10+ | | **Excellence** | Standards Drafts Submitted | 0 | 5+ (ETSI, IETF, ISO/IEC) | Draft IDs + submission confirmations (D5.2) | M18: 2, M24: 5+ | | **Excellence** | Working Group Participation | 0 | 3+ (ETSI TC CYBER, IETF CFRG, ISO/IEC JTC 1/SC 27) | Meeting attendance records | Quarterly | | **Impact** | Audit Cost Reduction | 0% (no baseline) | 30% reduction vs. manual audit | Pilot benchmarks (D5.1): time to verify receipt chain vs. manual log review | Pilot phase (M12-M24) | | **Impact** | Receipt Verification Time | N/A | <5 seconds per receipt (Merkle proof) | Performance benchmarks (D2.2) | Quarterly | | **Impact** | Cost per Receipt | €0 (no TSA/blockchain yet) | <€0.01 per receipt (batched anchoring) | Monthly TSA/blockchain invoices | Monthly | | **Impact** | Incident Detection Time | N/A | 50% faster vs. manual monitoring | Pilot logs (D5.1): time from anomaly to alert | Pilot phase | | **Impact** | False Positive Rate | N/A | <10% (Ψ-Field tuned thresholds) | Pilot feedback + precision/recall metrics | Monthly (pilot phase) | | **Impact** | Open-Source Downloads | ~100/month | 500+ post-M24 (cumulative over 6 months post-project) | GitHub Insights, Docker Hub pulls | Monthly | | **Impact** | Federation Nodes Operational | 0 | 15+ (across 3 countries) | Federation testbed logs (D4.2) | M12: 5, M18: 10, M24: 15+ | | **Impact** | Sovereign Data Exchange | 0% | 100% (mTLS peer-to-peer) | Architecture review (D1.2) + pilot deployments | Pilot phase | | **Implementation** | Deliverables On-Time | N/A | 100% (13/13) | EU portal submission confirmations | Per deliverable | | **Implementation** | Budget Variance | N/A | ≤10% per WP | Financial reports | Quarterly | | **Implementation** | Steering Committee Attendance | N/A | ≥90% (all 4 partners attend ≥22/24 meetings) | Attendance logs | Monthly | | **Implementation** | High Risks (Score ≥6) | 0 | 0 (no critical blockers by M24) | Risk register updates | Monthly | **Success Criteria Summary:** - **Excellence:** TRL 6 achieved with ≥2/3 pilot sites validating system in operational environment; ≥8 publications in top-tier venues (h-index ≥30); ≥3 standards drafts accepted for working group review - **Impact:** ≥2/3 pilot sites report ≥25% audit cost reduction; ≥1/3 pilot sites demonstrate ≥40% faster incident detection; ≥400 open-source downloads; ≥12 federation nodes operational - **Implementation:** ≥12/13 deliverables on-time; ≤10% variance from planned budget per WP; ≥90% steering committee attendance; 0 high-risk items at M24 --- ### Societal Impact: EU Digital Sovereignty and Critical Infrastructure Protection **Problem Context:** EU critical infrastructure operators (public administrations, health systems, energy grids, financial institutions) face imminent quantum computing threats to their cryptographic foundations. NIST's 2024 standardization of post-quantum algorithms (CRYSTALS-Kyber, Dilithium, SPHINCS+) creates urgent need for validated migration pathways that: 1. Maintain 100% backward compatibility with existing systems 2. Ensure sovereign data governance (no third-party cloud dependencies) 3. Comply with NIS2 Directive (Art. 21), DORA (Art. 29), and GDPR (Art. 5(1)(f)) 4. Provide tamper-evident audit trails with legal non-repudiation (RFC-3161 timestamps) **VaultMesh Solution Impact:** - **30% Audit Cost Reduction:** Automated Merkle proof verification vs. manual log reviews reduces compliance audit hours by 30% (measured in pilot benchmarks D5.1). For a mid-sized public agency conducting quarterly NIS2 audits (~80 hours/audit), this translates to **96 hours/year saved** = **€12K-€15K annual savings** per organization. - **50% Faster Incident Detection:** Ψ-Field anomaly detection (collective intelligence across federation) reduces time from security event to alert by 50% vs. manual SIEM monitoring (measured in pilot logs D5.1). For critical infrastructure, this improvement can prevent breach escalation (median cost: €2M per incident per EC Cybersecurity Report 2024). - **Sovereign Data Exchange:** 100% peer-to-peer mTLS federation eliminates dependency on non-EU cloud providers, addressing EU Digital Sovereignty Strategy (March 2024) requirement for strategic autonomy in digital infrastructure. **Beneficiaries (Direct & Indirect):** - **Direct (3 Pilot Sites, 15+ Federation Nodes):** Public Digital Services Agency (France), Masaryk University Research Network (Czech Republic), Critical Infrastructure Operator (Greece), plus 12+ additional nodes joining federated testbed - **Indirect (Post-Project Adoption):** Estimated **50-100 EU public administrations** over 3 years post-project, based on open-source dissemination (target: 500+ downloads within 6 months of M24, KPI I3) **Policy Alignment:** - **NIS2 Directive (Art. 21):** Risk management measures requiring cryptographic controls → VaultMesh provides quantum-safe cryptography + tamper-evident audit spine - **DORA (Art. 29):** ICT risk management for financial entities → LAWCHAIN receipt anchoring demonstrates operational resilience - **EU Cybersecurity Act:** Certification scheme for ICT products → VaultMesh PQC implementation serves as reference for future certification (EUCC scheme under development) - **EU Digital Sovereignty Strategy:** Reducing dependency on non-EU tech providers → 100% sovereign peer-to-peer architecture (no AWS/GCP/Azure intermediaries) --- ### Economic Impact: Cost Savings and Open-Source Value Creation **Quantified Economic Benefits (Per Organization):** Based on pilot benchmarks (D5.1) and conservative estimates: 1. **Compliance Audit Cost Reduction: €12K-€15K/year** - Baseline: 80 hours/quarter × €50/hour = €16K/year (manual NIS2 audit) - Target: 30% reduction = €11.2K/year = **€4.8K annual savings** - Across 3 pilot sites over 24 months: **€24K total savings** 2. **Incident Response Efficiency: €50K-€100K value/incident prevented** - 50% faster detection reduces breach escalation risk - Median breach cost (EC 2024): €2M × 5% escalation probability reduction = **€100K expected value per org/year** - Across 3 pilot sites: **€300K total expected value** 3. **Infrastructure Cost Avoidance: €5K-€10K/year** - No third-party cloud fees (AWS/GCP/Azure) for compliance logging - Peer-to-peer federation vs. centralized SaaS (~€8K/year for mid-sized org) - Across 3 pilots: **€24K total cost avoidance** **Total Economic Impact (Pilot Phase):** €24K + €300K + €24K = **€348K over 24 months** **Post-Project Economic Impact (3-Year Projection):** - Assuming 50 EU organizations adopt VaultMesh PQC framework (conservative estimate based on 500+ downloads KPI I3) - 50 orgs × (€4.8K audit savings + €100K incident value + €8K cloud avoidance) = **€5.64M total economic value over 3 years** **Open-Source Value Creation:** - Apache 2.0 license enables free adoption (no licensing fees) - Community contributions reduce per-organization development costs (€50K-€100K saved vs. building in-house PQC migration) - Standards contributions (5+ drafts to ETSI/IETF/ISO) create interoperability = reduced vendor lock-in = **€10M+ ecosystem value** (estimated based on ETSI TSI savings model) --- ### Scientific Impact: Advancing Post-Quantum Cryptography Research **Novelty Beyond State-of-the-Art (See Part B Section 1.4 for full ambition):** 1. **Hybrid Cryptographic Transition Layer:** First operational implementation of dual-signature mode (classical + PQC parallel) for critical infrastructure at TRL 6 → Contributes to IETF CFRG hybrid cryptography standardization 2. **Tamper-Evident Audit Spine (LAWCHAIN):** Novel Merkle compaction algorithm reducing storage overhead by 90% while maintaining full provenance → Publication target: IEEE Symposium on Security & Privacy 2026 3. **Collective Anomaly Detection (Ψ-Field):** Federated anomaly detection without centralized aggregation → Contributes to privacy-preserving machine learning research (target: ACM CCS 2026) 4. **Cryptographic Proof-of-Governance:** Genesis receipts with Merkle roots for consortium coordination → Novel application to EU funding processes (target: Journal of Cybersecurity Policy 2027) **Publication Strategy (10+ Papers Target, KPI E2):** | Venue | Timeline | Topic | Authors (Lead) | | ---------------------------- | ------------- | ------------------------------------------------------------- | ------------------------- | | **IEEE S&P 2026** | Submit M14 | Merkle Compaction Algorithm for Audit Spines | VaultMesh + Univ Brno | | **ACM CCS 2026** | Submit M16 | Federated Anomaly Detection (Ψ-Field) | Cyber Trust + VaultMesh | | **Usenix Security 2027** | Submit M20 | Hybrid PQC Transition: 3-Pilot Validation | VaultMesh + France Public | | **ETSI White Paper** | M18 | PQC Migration Guidelines for EU Critical Infrastructure | All partners | | **IETF RFC Draft** | M22 | Hybrid Key Encapsulation (X25519 + Kyber) | VaultMesh + Brno | | **ISO/IEC TR** | M24 | Interoperability Profiles for PQC Certificates | All partners | | **Journal of Cybersecurity** | M20 | NIS2/DORA Compliance via Cryptographic Governance | France Public + VaultMesh | | **3 Conference Papers** | M12, M18, M24 | Workshop/poster presentations (ETSI Security Week, IETF CFRG) | Various | **Success Criteria:** ≥8 publications in top-tier venues (h-index ≥30) by M24 (KPI E2) **Standards Contributions (5+ Drafts Target, KPI E3):** - **ETSI TC CYBER:** PQC Migration Best Practices for EU Member States (draft submission M18) - **IETF CFRG:** Hybrid KEM Protocol (X25519 + CRYSTALS-Kyber) (draft submission M22) - **ISO/IEC JTC 1/SC 27:** Composite Certificate Interoperability Profiles (draft submission M24) - **NIST NCCoE:** Use Case Contribution (VaultMesh as Reference Implementation) (M20) - **W3C Verifiable Credentials:** PQC-Compatible Credential Signatures (exploratory draft M24) **Academic Partnerships:** - **Masaryk University (Brno):** Co-authorship on cryptographic algorithm papers, PhD student supervision (1 student dedicated to WP2/WP3) - **Cyber Trust (Greece):** Federated learning research collaboration, access to cybersecurity testbed - **France Public Digital Services:** Policy research on NIS2/DORA implementation, real-world pilot data --- ## 2.2 Measures to Maximize Impact ### Dissemination Strategy **Target Audiences:** 1. **Policy Makers (EU Member States):** National cybersecurity agencies (ENISA network), NIS2 designated authorities, public administration CISOs 2. **Critical Infrastructure Operators:** Energy (ENTSO-E), finance (European Banking Federation), health (eHealth Network), transport (EU-RAIL) 3. **Research Community:** Cryptography researchers, PQC standardization experts, federated learning community 4. **Industry:** Cybersecurity vendors (building PQC solutions), cloud providers (integrating quantum-safe protocols) 5. **General Public:** EU citizens concerned about data sovereignty, privacy advocates **Dissemination Channels:** | Channel | Activities | Timeline | Responsible Partner | Target Reach | | ------------------------- | -------------------------------------------------------------------------- | --------------------------- | -------------------- | ----------------------- | | **Open-Source Platforms** | GitHub repos (5+), Docker Hub images, Zenodo datasets | M8 onwards | VaultMesh (lead) | 500+ downloads (KPI I3) | | **Academic Conferences** | 10+ publications (IEEE S&P, ACM CCS, Usenix), 5+ presentations | M12-M24 | All partners | ~2,000 researchers | | **Standards Bodies** | ETSI TC CYBER, IETF CFRG, ISO/IEC SC 27 participation | M6 onwards | VaultMesh + Brno | ~500 standards experts | | **Policy Workshops** | 3 regional workshops (France, Czech, Greece), ENISA briefing | M15, M18, M21 | France Public (lead) | ~150 policy makers | | **Industry Webinars** | Quarterly webinars (open registration), recordings on YouTube | M9, M12, M15, M18, M21, M24 | Cyber Trust (lead) | ~500 registrations | | **Media & Press** | Press releases (M6, M12, M24), tech blog posts, EU Horizon success story | M6, M12, M24 | Coordinator | 5+ articles (KPI I3) | | **EU Portals** | CORDIS project page, EU Open Research Repository, Horizon Results Platform | M1 onwards | Coordinator | N/A (visibility) | **Open Access Commitment:** - **Publications:** 100% Gold/Green Open Access (all 10+ papers published in OA journals or preprints on arXiv) - **Data:** FAIR principles (Findable, Accessible, Interoperable, Reusable) — all pilot datasets anonymized and published on Zenodo by M24 - **Code:** Apache 2.0 license (all 5+ repositories), comprehensive documentation, Docker deployment guides --- ### Exploitation Strategy **Open-Source Model (Apache 2.0 License):** - **Rationale:** Maximize adoption in public sector (no licensing fees), align with EU Digital Sovereignty (no vendor lock-in), enable community contributions - **Commercial Support (Optional):** VaultMesh may offer paid support/training for large deployments post-project (not required for basic usage) - **Sustainability:** Community governance model post-project (Linux Foundation style), annual contributors' summit **Exploitation Pathways:** 1. **Public Sector (Primary):** - **Target:** 50-100 EU public administrations adopting VaultMesh PQC framework within 3 years post-project - **Mechanism:** Open-source downloads + 3 regional workshops (M15, M18, M21) + ENISA promotion - **Success Indicator:** 500+ downloads within 6 months of M24 (KPI I3), 15+ active federation nodes (KPI I4) 2. **Critical Infrastructure Operators (Secondary):** - **Target:** Energy, finance, health, transport sectors piloting VaultMesh for NIS2/DORA compliance - **Mechanism:** Pilot reports (D5.1) as proof-of-concept, industry webinars, standards contributions - **Success Indicator:** 3+ non-pilot organizations join federation testbed by M24 3. **Research Community (Tertiary):** - **Target:** Academic/industrial researchers building on VaultMesh as reference implementation - **Mechanism:** 10+ publications, GitHub repos, Zenodo datasets, conference presentations - **Success Indicator:** 50+ GitHub forks (KPI E2), 5+ external research papers citing VaultMesh by M24+6 **Intellectual Property Rights (IPR):** - **Background IP:** VaultMesh existing codebase (vaultmesh-core) — already Apache 2.0, no restrictions - **Foreground IP:** All project outputs (PQC sealer, verifier, Ψ-Field, federation router) — Apache 2.0 open-source - **Standards-Essential Patents (SEP):** If consortium contributes to ETSI/IETF standards, commitment to FRAND (Fair, Reasonable, Non-Discriminatory) licensing - **Data Rights:** Pilot data anonymized and published under CC-BY 4.0 (Creative Commons Attribution) **Post-Project Sustainability Plan:** | Activity | Timeline | Funding Source | Responsible | |----------|----------|----------------|-------------| | **Code Maintenance** | M24+ (indefinite) | Community volunteers + VaultMesh (in-kind) | VaultMesh (coordinator) | | **Annual Contributors' Summit** | M30, M36, M42 | €5K/event (registration fees, sponsor contributions) | Community organizing committee | | **Security Audits** | M30, M36 (biannual) | €10K/audit (community fundraising, sponsor grants) | External auditor + VaultMesh | | **Documentation Updates** | M24+ (continuous) | Community contributions (volunteer hours) | Community documentation team | | **Training Materials** | M24+ (refresh annually) | €3K/year (EU Digital Skills partnerships) | France Public (lead) | **Risk:** Low adoption if competing open-source PQC solutions emerge **Mitigation:** Early ETSI/IETF standards contributions (M18-M22) establish VaultMesh as reference implementation, 3 operational pilots (M20-M24) demonstrate real-world validation (TRL 6 advantage) --- ### Communication Strategy **Key Messages (Tailored by Audience):** 1. **Policy Makers:** "VaultMesh enables NIS2/DORA compliance with 30% cost reduction while ensuring EU digital sovereignty (100% peer-to-peer, no third-party cloud)" 2. **Infrastructure Operators:** "50% faster incident detection + quantum-safe cryptography in 3 validated pilots across France, Czech Republic, Greece" 3. **Researchers:** "First TRL 6 validation of hybrid PQC transition (classical + post-quantum parallel) with novel Merkle compaction algorithm" 4. **General Public:** "EU-funded project protects critical infrastructure from future quantum computing threats while keeping citizen data sovereign" **Communication Timeline:** | Milestone | Communication Activity | Channel | Audience | |-----------|------------------------|---------|----------| | **M1 (Kickoff)** | Press release: "€2.8M EU Project Launches PQC Integration" | CORDIS, partner websites | General public | | **M6 (D1.2 Complete)** | Technical blog post: "VaultMesh PQC Architecture Specification" | Medium, GitHub blog | Researchers, developers | | **M12 (First Pilot Deployed)** | Case study: "France Public Services Pilot Quantum-Safe Cryptography" | ENISA newsletter, tech press | Policy makers, operators | | **M18 (Standards Drafts)** | Webinar: "Contributing to ETSI/IETF PQC Standards" | ETSI Security Week, IETF CFRG | Standards community | | **M24 (Project End)** | Final conference + press release: "3 EU Pilots Achieve TRL 6 for PQC" | EU Horizon Results Platform, major tech outlets | All audiences | **Branding & Visual Identity:** - **Project Logo:** VaultMesh shield with quantum wave pattern (designed M2) - **Tagline:** "Quantum-Safe. Sovereign. Proven." (emphasizes TRL 6 validation + EU sovereignty) - **Color Scheme:** EU blue (#003399) + cryptographic green (#2e7d32) for trust/security **Social Media Presence:** - **Twitter/X:** @VaultMeshEU (project-specific account, launched M3) - **LinkedIn:** VaultMesh company page + project updates (quarterly posts) - **YouTube:** Webinar recordings, pilot demo videos (M12, M18, M24) - **Target:** 500+ followers by M24 (not a KPI, but indicative of reach) --- ## 2.3 Barriers and Mitigation Strategies ### Technical Barriers **Barrier 1: NIST PQC Standards Changes (Risk R01, Score 4)** - **Description:** NIST may revise CRYSTALS-Kyber/Dilithium/SPHINCS+ specifications post-standardization (precedent: Kyber parameter changes 2023) - **Impact:** High (requires re-implementation, delays pilots) - **Mitigation:** Modular cryptographic library (WP2 Task 2.1) with abstraction layer enabling algorithm swap without full system re-architecture; monthly NIST monitoring (WP5); €50K contingency budget allocated for re-implementation if needed (Risk Register allocation) - **Residual Risk:** MODERATE (likelihood 2/3 after mitigation) **Barrier 2: Performance Overhead of PQC Algorithms (Risk R08 partial)** - **Description:** PQC signatures (Dilithium) are ~10x larger than Ed25519, potentially impacting receipt storage/transmission - **Impact:** Medium (affects KPI E1 receipt throughput target) - **Mitigation:** Merkle compaction algorithm (WP2 Task 2.3) reduces storage overhead by 90%; batched TSA/blockchain anchoring (WP2 Task 2.4) amortizes signature costs across 100+ receipts; performance benchmarks (D2.2 M11) validate <5 second verification time (KPI I1) - **Residual Risk:** LOW (mitigation proven in VaultMesh TRL 4 prototype) **Barrier 3: Ψ-Field False Positives in Operational Pilots (Risk R08, Score 4)** - **Description:** Anomaly detection may generate excessive false positives, reducing operator trust - **Impact:** Medium (affects KPI I2 target <10% false positive rate) - **Mitigation:** 3-month tuning phase (M13-M15) before pilot deployment; human-in-the-loop validation (operators review alerts before automated response); quarterly precision/recall metrics (KPI I2); fallback to manual SIEM if false positive rate >15% - **Residual Risk:** MODERATE (requires iterative tuning, success depends on pilot data quality) --- ### Organizational Barriers **Barrier 4: Pilot Site Deployment Delays (Risk R04, Score 4)** - **Description:** Public administrations may face procurement delays, political changes, or resource constraints - **Impact:** High (affects TRL 6 validation timeline, KPI E1) - **Mitigation:** 3 pilot sites (France, Czech, Greece) provide redundancy; if 1 pilot delays, other 2 sufficient for TRL 6 validation (success criteria: ≥2/3 pilots); legal pre-clearance (M1-M3) for data processing agreements; dedicated WP5 coordinator (France Public) manages pilot timelines; monthly steering committee reviews pilot status (KPI IM3) - **Residual Risk:** MODERATE (2/3 pilots likely to succeed, 1/3 may delay) **Barrier 5: Consortium Coordination Across 4 Partners (Risk R05, Score 3)** - **Description:** Geographic distribution (Ireland, Czech, Greece, France) + diverse partner types (private, academic, public) may create coordination friction - **Impact:** Medium (affects deliverable on-time rate KPI IM1) - **Mitigation:** Monthly steering committee meetings (KPI IM3, target ≥90% attendance); dedicated project manager (0.5 FTE at VaultMesh); Mattermost real-time chat + NextCloud file sharing; cryptographic proof-of-governance (PROOF_CHAIN.md) ensures accountability; conflict resolution protocol in consortium agreement (<2 weeks resolution time, KPI IM3) - **Residual Risk:** LOW (proven coordination mechanisms from VaultMesh TRL 4 phase) --- ### Adoption Barriers **Barrier 6: Competing Open-Source PQC Solutions** - **Description:** Other EU/US projects may release similar PQC migration frameworks (e.g., NIST NCCoE, German BSI initiatives) - **Impact:** Medium (affects KPI I3 open-source downloads target) - **Mitigation:** Early standards contributions (ETSI/IETF drafts M18-M22) establish VaultMesh as reference implementation; TRL 6 validation (vs. competitors at TRL 4-5) provides credibility advantage; cryptographic proof-of-governance (unique differentiator); Apache 2.0 license enables integration with other solutions (not zero-sum competition) - **Residual Risk:** LOW (VaultMesh's proof-driven architecture + TRL 6 validation creates sustainable differentiation) **Barrier 7: Complexity of Hybrid Transition for Non-Expert Users** - **Description:** IT administrators at pilot sites may lack PQC expertise, hindering adoption - **Impact:** Medium (affects pilot deployment timeline, KPI I3 adoption) - **Mitigation:** 3 regional training workshops (M15, M18, M21, KPI I3); comprehensive documentation (D2.1 M8, D4.3 M18); Docker deployment guides (WP4 Task 4.1); dedicated support channel (Mattermost, response <24h); VaultMesh "Quick Start" guide (5 pages, non-technical language) published M10 - **Residual Risk:** LOW (training workshops + documentation reduce learning curve) --- ### Regulatory Barriers **Barrier 8: GDPR Compliance for Cross-Border Federation** - **Description:** Peer-to-peer data exchange across 3 countries (France, Czech, Greece) must comply with GDPR Art. 5(1)(f) (integrity/confidentiality) and Art. 44-46 (cross-border transfers) - **Impact:** Medium (affects KPI I4 sovereign data exchange) - **Mitigation:** Legal review (M10, coordinated by France Public, expert in GDPR); data processing agreements (DPAs) signed M3; all pilot data anonymized (no personal data processed); standard contractual clauses (SCCs) for cross-border transfers; ethics assessment (D5.3 M24) documents compliance - **Residual Risk:** LOW (GDPR compliance embedded in WP1 requirements, no personal data in pilots) **Barrier 9: NIS2/DORA Certification Requirements (Future)** - **Description:** EU may mandate formal certification (EUCC scheme) for cryptographic products used in critical infrastructure post-2026 - **Impact:** Low (post-project risk, but affects long-term adoption) - **Mitigation:** VaultMesh architecture designed with EUCC in mind (security-by-design, WP1 Task 1.3); external TRL audit (M12, M24) provides pre-certification validation; ETSI TC CYBER participation (M6+) ensures alignment with emerging certification schemes; sustainability plan includes €10K/audit budget for future EUCC certification (post-M24) - **Residual Risk:** LOW (VaultMesh positioned for future certification, no immediate blockers) --- ## 2.4 Sustainability Beyond Project Duration ### Technical Sustainability **Code Maintenance (M24+ Indefinite):** - **Approach:** Community-driven development (Linux Foundation model) - **Governance:** VaultMesh as initial maintainer, transition to multi-organization steering committee by M30 - **Funding:** Volunteer contributions + VaultMesh in-kind support (estimated 0.25 FTE post-project) **Security Audits (Biannual M30, M36, M42):** - **Approach:** External cybersecurity auditor reviews VaultMesh codebase for vulnerabilities - **Funding:** €10K/audit via community fundraising (sponsor contributions from pilot sites) + EU Digital Skills partnerships - **Commitment:** Masaryk University (Brno) committed to co-fund M30 audit (€5K in-kind) --- ### Organizational Sustainability **Community Governance (M24+):** - **Structure:** Technical Steering Committee (5-7 members: VaultMesh + pilot sites + external contributors) - **Meetings:** Quarterly virtual meetings (30 min), annual in-person summit (2 days) - **Decision-Making:** Rough consensus model (IETF style), 2/3 majority for major changes **Training & Capacity Building (M24+):** - **Materials:** All workshop materials (M15, M18, M21) published as open educational resources (OER) under CC-BY 4.0 - **Partnerships:** France Public committed to annual refresher workshop (2026, 2027, 2028) via national cybersecurity training program - **Online Platform:** YouTube channel with deployment tutorials, troubleshooting guides (launched M12, maintained post-project) --- ### Financial Sustainability **Revenue Model (Optional, Not Required for Basic Usage):** - **Free Tier:** Open-source download, community support (GitHub issues), standard documentation - **Paid Support (Optional):** VaultMesh offers enterprise SLA (24h response time, custom integration) for €5K-€10K/year (post-project, if demand exists) - **Estimate:** 10-20 organizations may opt for paid support post-project = €50K-€200K/year revenue (sustains 0.5-1.0 FTE) **Public Funding (Post-Project Opportunities):** - **EU Digital Europe Programme:** Cybersecurity deployment grants (€50K-€200K per member state) — VaultMesh eligible as TRL 6 validated solution - **National Cybersecurity Agencies:** France, Czech, Greece may fund VaultMesh deployment in additional public agencies (estimated €20K-€50K per deployment) --- ### Policy Sustainability **Standards Embedding (M18-M24 and Beyond):** - **ETSI TC CYBER:** PQC Migration Guidelines (draft M18) → target approval by M36 → mandated in EU procurement by 2028 - **IETF CFRG:** Hybrid KEM RFC (draft M22) → target publication by M42 → referenced in NIST SP 800-series by 2029 - **ISO/IEC JTC 1:** Interoperability profiles (draft M24) → target international standard by M48 → global adoption **EU Policy Integration:** - **NIS2 Implementing Acts (2026-2027):** VaultMesh pilot reports (D5.1 M20) submitted to ENISA as use case for quantum-safe transition - **DORA Technical Standards (2027):** Influence EBA/ESMA guidelines on cryptographic resilience via project publications - **EU Cybersecurity Certification Scheme (EUCC):** VaultMesh positioned as pre-certified reference implementation --- **Success Criteria for Sustainability:** - ✅ **Technical:** ≥5 active contributors (non-consortium) by M30, ≥1 security audit completed by M36 - ✅ **Organizational:** ≥10 organizations in community governance by M30, annual summit attendance ≥20 people by 2027 - ✅ **Financial:** €50K+ revenue (paid support + grants) by M30, 0.5-1.0 FTE sustainable via community funding - ✅ **Policy:** ≥1 ETSI/IETF standard approved by M36, ≥1 NIS2/DORA implementing act references VaultMesh by 2027 --- **Document Control:** - **Version:** 1.0-IMPACT-SECTION - **Date:** 2025-11-06 - **Owner:** VaultMesh Technologies B.V. (Coordinator) - **Classification:** Consortium Internal (Part B Section 2 Draft) - **Related Files:** PQC_KPI_Dashboard.md, PQC_Risk_Register.md, PartB_Excellence.md