# Part B Section 3 — Implementation

**Proposal:** Post-Quantum Cryptography Integration for EU Critical Infrastructure
**Call:** HORIZON-CL3-2025-CS-ECCC-06
**Budget:** €2.8M (€2.0M EU contribution)
**Section:** Implementation (40 points)
**Date:** 2025-11-06

---

## 3.1 Work Plan and Resources

### Overall Work Plan Structure

The project is organized into **5 work packages (WP1-WP5)** spanning **24 months**, structured to achieve systematic progression from TRL 4 (lab validation) to TRL 6 (operational pilot validation). The work plan follows a **risk-driven waterfall approach** with iterative feedback loops between development (WP2-WP3) and testbed validation (WP4) before final pilot deployment (WP5).

**Critical Path:** WP1 (M1-M6) → WP2 (M3-M14) → WP4 (M8-M18) → WP5 (M12-M24)

**Work Package Overview:**

| WP | Title | Lead Partner | Start-End | Person-Months | Budget (€K) | Key Deliverables |
|----|-------|--------------|-----------|---------------|-------------|------------------|
| **WP1** | Governance Framework & Requirements | VaultMesh | M1-M6 | 18 PM | €360K | D1.1 (M3), D1.2 (M6) |
| **WP2** | PQC Integration & LAWCHAIN | VaultMesh | M3-M14 | 32 PM | €720K | D2.1 (M8), D2.2 (M11), D2.3 (M14) |
| **WP3** | Ψ-Field Anomaly Detection | Cyber Trust | M8-M16 | 24 PM | €480K | D3.1 (M10), D3.2 (M14), D3.3 (M16) |
| **WP4** | Federation Testbed | Masaryk Univ (Brno) | M8-M18 | 20 PM | €380K | D4.1 (M12), D4.2 (M16), D4.3 (M18) |
| **WP5** | Pilot Deployment & Validation | France Public | M12-M24 | 18 PM | €580K | D5.1 (M20), D5.2 (M22), D5.3 (M24) |
| **Total** | | | M1-M24 | **112 PM** | **€2,520K** | **13 deliverables** |

*Note: Totals include 10% contingency budget (€280K) distributed across WPs.
Effective working budget: €2,240K.*

---

### Gantt Chart (Visual Timeline)

**Figure 2:** PQC Integration Work Plan — 24-Month Timeline

![PQC Work Package Gantt Chart](PQC_Work_Package_Gantt.png)

*Rendered from PQC_Work_Package_Gantt.mmd using Mermaid (see README.md for rendering instructions). Chart shows 5 work packages, 13 deliverables, 5 major milestones (M0, M6, M12, M18, M24), and critical path highlighting integration dependencies.*

**Key Timeline Features:**

- **Parallel Development (M8-M14):** WP2 (PQC Integration), WP3 (Ψ-Field), WP4 (Federation Testbed) run concurrently to maximize efficiency
- **Validation Gates:** M6 (Architecture Freeze), M12 (Testbed Operational), M18 (Pilot Readiness), M24 (TRL 6 Validation)
- **Pilot Phase (M12-M24):** 12-month operational validation across 3 sites (France, Czech, Greece) with quarterly assessments

---

### Work Package Descriptions

#### **WP1 — Governance Framework & Requirements (M1-M6, 18 PM, €360K)**

**Lead Partner:** VaultMesh Technologies B.V.
**Contributing Partners:** All (Brno: 4 PM, Cyber Trust: 3 PM, France Public: 3 PM)

**Objectives:**

1. Define technical and legal requirements for PQC integration in EU critical infrastructure
2. Establish consortium governance structure (steering committee, WP leads, conflict resolution)
3. Specify VaultMesh architecture extensions for quantum-safe cryptography
4. Ensure GDPR Art.
5(1)(f), NIS2, DORA compliance from design phase

**Tasks:**

- **Task 1.1 (M1-M3):** Requirements elicitation via pilot site workshops (France, Czech, Greece) — identify use cases, threat models, compliance constraints
- **Task 1.2 (M2-M4):** Threat model for post-quantum adversaries — analyze quantum computing timelines (NIST estimates), cryptanalytic capabilities, migration urgency
- **Task 1.3 (M3-M6):** Architecture specification — extend VaultMesh TRL 4 design with hybrid PQC layer, define interfaces between WP2-WP3-WP4 components
- **Task 1.4 (M1-M6):** Data management plan (DMP) — define FAIR data principles, anonymization procedures for pilot data, Open Access publishing strategy

**Deliverables:**

- **D1.1 (M3):** Requirements & Use Cases Report (Public, 30 pages)
  - 7 use cases across 3 pilot sites, threat model analysis, NIS2/DORA compliance requirements
- **D1.2 (M6):** Architecture Specification (Public, 40 pages)
  - System architecture diagram (PQC_Architecture_EU_Reviewer.mmd), component interfaces, API specifications, security-by-design analysis

**Milestone:** **M6 — Architecture Freeze**

- Verification: Steering committee approval of D1.2, all partners commit to interface specifications

---

#### **WP2 — PQC Integration & LAWCHAIN (M3-M14, 32 PM, €720K)**

**Lead Partner:** VaultMesh Technologies B.V.
**Contributing Partners:** Masaryk University (Brno: 8 PM for cryptographic algorithm validation)

**Objectives:**

1. Integrate 3 NIST-standardized PQC algorithms (CRYSTALS-Kyber FIPS 203, Dilithium FIPS 204, SPHINCS+ FIPS 205)
2. Implement hybrid transition layer (dual-signature mode: classical + PQC parallel)
3. Develop LAWCHAIN tamper-evident audit spine with Merkle compaction
4. Integrate external trust anchors (RFC-3161 TSA, Ethereum mainnet, Bitcoin fallback)

**Tasks:**

- **Task 2.1 (M3-M8):** PQC library integration — evaluate liboqs (Open Quantum Safe), implement VaultMesh-specific wrappers, create abstraction layer for algorithm swapping (mitigates Risk R01: NIST standards changes)
- **Task 2.2 (M6-M11):** Hybrid cryptographic transition — implement dual-signature mode (Ed25519 + Dilithium parallel), X25519 + Kyber hybrid KEM, backward compatibility testing
- **Task 2.3 (M8-M14):** LAWCHAIN Merkle compaction — algorithm design (90% storage reduction target), implementation, performance benchmarks (target: <5 sec verification time per KPI I1)
- **Task 2.4 (M8-M14):** External anchoring integration — RFC-3161 TSA client (batched timestamps), Ethereum mainnet smart contract (receipt Merkle roots), Bitcoin OP_RETURN fallback

**Deliverables:**

- **D2.1 (M8):** PQC Library Integration Report (Public, 25 pages)
  - Algorithm performance benchmarks (signature size, key generation time, verification time), security analysis, compliance with NIST FIPS 203-205
- **D2.2 (M11):** Hybrid Transition Protocol Specification (Public, 35 pages)
  - Dual-signature mode protocol, backward compatibility testing results, migration pathway guide for operators
- **D2.3 (M14):** LAWCHAIN Implementation & Benchmarks (Public, 30 pages)
  - Merkle compaction algorithm specification, storage reduction metrics, TSA/blockchain anchoring performance, cost analysis (<€0.01 per receipt target)

**Milestone:** **M12 — Testbed Operational**

- Verification: WP4 federation testbed successfully processes 1,000+ PQC-signed receipts/day (KPI E1 baseline)

---

#### **WP3 — Ψ-Field Anomaly Detection (M8-M16, 24 PM, €480K)**

**Lead Partner:** Cyber Trust S.A. (Greece)
**Contributing Partners:** VaultMesh (6 PM for integration with LAWCHAIN)

**Objectives:**

1. Develop federated anomaly detection system (Ψ-Field) without centralized aggregation
2. Achieve <10% false positive rate (KPI I2) via iterative threshold tuning
3. Demonstrate 50% faster incident detection vs. manual SIEM monitoring (KPI I2)
4. Ensure GDPR Art. 5(1)(f) compliance (no raw log data sharing between nodes)

**Tasks:**

- **Task 3.1 (M8-M12):** Collective intelligence algorithm — design federated learning protocol (gradient sharing without raw data), implement privacy-preserving aggregation (secure multi-party computation)
- **Task 3.2 (M10-M14):** Anomaly detection models — train machine learning models on pilot data (supervised: known attack patterns; unsupervised: outlier detection), integrate with LAWCHAIN receipt stream
- **Task 3.3 (M12-M16):** Threshold tuning & validation — 3-month tuning phase using testbed data (WP4), precision/recall optimization, human-in-the-loop feedback loop

**Deliverables:**

- **D3.1 (M10):** Ψ-Field Algorithm Specification (Public, 25 pages)
  - Federated learning protocol, privacy analysis (GDPR compliance), communication overhead metrics
- **D3.2 (M14):** Anomaly Detection Models (Confidential, 20 pages + code repository)
  - Trained models, feature engineering methodology, baseline performance metrics
- **D3.3 (M16):** Ψ-Field Validation Report (Public, 30 pages)
  - Precision/recall metrics, false positive rate analysis, case studies from testbed (WP4), comparison with traditional SIEM

**Milestone:** **M18 — Pilot Readiness**

- Verification: Ψ-Field achieves <10% false positive rate in WP4 testbed over 2-month validation period (M16-M18)

---

#### **WP4 — Federation Testbed (M8-M18, 20 PM, €380K)**

**Lead Partner:** Masaryk University (Brno, Czech Republic)
**Contributing Partners:** All (VaultMesh: 4 PM, Cyber Trust: 3 PM, France Public: 3 PM)

**Objectives:**

1. Deploy 15+ federation nodes across 3 countries (France, Czech, Greece) — KPI I4 target
2. Validate peer-to-peer mTLS federation (100% sovereign data exchange, no third-party cloud)
3. Conduct interoperability testing (VaultMesh PQC sealer + verifier + Ψ-Field + LAWCHAIN)
4. Provide realistic testbed for WP2-WP3 component integration before pilot deployment (WP5)

**Tasks:**

- **Task 4.1 (M8-M12):** Federation router implementation — mTLS with hybrid KEM (X25519 + Kyber), peer discovery protocol, Docker deployment packages
- **Task 4.2 (M10-M16):** Testbed deployment — install 5 nodes per country (France: 5, Czech: 5, Greece: 5), configure cross-border peering, network performance testing
- **Task 4.3 (M14-M18):** Interoperability testing — integrate WP2 LAWCHAIN + WP3 Ψ-Field, end-to-end workflow validation (receipt creation → Merkle compaction → TSA anchoring → anomaly detection), stress testing (10,000 receipts/day target per KPI E1)

**Deliverables:**

- **D4.1 (M12):** Federation Router Implementation (Public, code repository + 15-page documentation)
  - Docker images, deployment guides, API specifications, mTLS configuration best practices
- **D4.2 (M16):** Testbed Deployment Report (Public, 25 pages)
  - Network topology (15+ nodes), performance benchmarks (latency, throughput), GDPR compliance analysis
- **D4.3 (M18):** Interoperability Testing Results (Public, 30 pages)
  - End-to-end test cases (20+ scenarios), stress testing results, lessons learned for pilot deployment (WP5)

**Milestone:** **M18 — Pilot Readiness**

- Verification: 15+ testbed nodes operational, 10,000 receipts/day throughput achieved (KPI E1), <10% Ψ-Field false positive rate (KPI I2)

---

#### **WP5 — Pilot Deployment & Validation (M12-M24, 18 PM, €580K)**

**Lead Partner:** Public Digital Services Agency (France)
**Contributing Partners:** All (VaultMesh: 4 PM, Brno: 4 PM, Cyber Trust: 4 PM)

**Objectives:**

1. Deploy VaultMesh PQC framework in 3 operational pilots (France public services, Czech research network, Greece critical infrastructure)
2. Validate TRL 6 through 12-month operational use (M12-M24)
3. Measure KPIs (30% audit cost reduction, 50% faster incident detection, <€0.01 per receipt)
4. Produce standards contributions (5+ drafts to ETSI/IETF/ISO) based on pilot learnings

**Tasks:**

- **Task 5.1 (M12-M20):** Pilot deployment — install VaultMesh at 3 sites (France M12, Czech M14, Greece M16), operator training (3 regional workshops), 3-month stabilization period per site
- **Task 5.2 (M16-M24):** Operational validation — 6-month continuous operation (M18-M24), monthly KPI measurement (audit cost, incident detection time, false positive rate), quarterly pilot reports
- **Task 5.3 (M18-M24):** Standards contributions — draft ETSI TC CYBER PQC migration guidelines (M18), IETF CFRG hybrid KEM RFC (M22), ISO/IEC interoperability profiles (M24)
- **Task 5.4 (M20-M24):** Impact assessment — pilot benchmarking (D5.1 M20), legal/ethics review (D5.3 M24), TRL 6 external audit (M24)

**Deliverables:**

- **D5.1 (M20):** Pilot Assessment Report (Public, 40 pages)
  - 3 pilot case studies, KPI measurements (audit cost reduction, incident detection time, throughput), operator feedback, lessons learned
- **D5.2 (M22):** Standards Contributions Package (Public, 50 pages)
  - 5 draft submissions (ETSI, IETF, ISO/IEC), working group participation records, reference implementation guide
- **D5.3 (M24):** Final Project Report & TRL 6 Validation (Public, 60 pages)
  - TRL 6 external audit results, legal/ethics assessment (GDPR, NIS2, DORA compliance), sustainability plan, open-source release announcement

**Milestone:** **M24 — TRL 6 Validation Complete**

- Verification: ≥2/3 pilot sites (France + Czech OR France + Greece OR Czech + Greece) validate VaultMesh in operational environment for ≥6 months; external TRL audit confirms TRL 6; all 13 deliverables submitted on-time (KPI IM1)

---

### Major Milestones Summary

| Milestone | Month | Description | Verification Means | Related Deliverables |
|-----------|-------|-------------|-------------------|----------------------|
| **M0** | M1 | Project Kickoff | Consortium agreement signed, all partners confirmed | — |
| **M6** | M6 | Architecture Freeze | Steering committee approval of D1.2, interface specs locked | D1.2 |
| **M12** | M12 | Testbed Operational | 1,000+ receipts/day processed, 15+ nodes federated | D2.3, D4.1 |
| **M18** | M18 | Pilot Readiness | Ψ-Field <10% false positive rate, 10,000 receipts/day throughput | D3.3, D4.3 |
| **M24** | M24 | TRL 6 Validation Complete | ≥2/3 pilots operational ≥6 months, external audit confirms TRL 6 | D5.1, D5.3 |

---

### Deliverables List (13 Total)

| ID | Title | Lead | Type | Dissemination | Month |
|----|-------|------|------|---------------|-------|
| **D1.1** | Requirements & Use Cases Report | VaultMesh | Report | Public (PU) | M3 |
| **D1.2** | Architecture Specification | VaultMesh | Report | Public (PU) | M6 |
| **D2.1** | PQC Library Integration Report | VaultMesh | Report | Public (PU) | M8 |
| **D2.2** | Hybrid Transition Protocol Specification | VaultMesh | Report | Public (PU) | M11 |
| **D2.3** | LAWCHAIN Implementation & Benchmarks | VaultMesh | Report | Public (PU) | M14 |
| **D3.1** | Ψ-Field Algorithm Specification | Cyber Trust | Report | Public (PU) | M10 |
| **D3.2** | Anomaly Detection Models | Cyber Trust | Software + Report | Confidential (CO) | M14 |
| **D3.3** | Ψ-Field Validation Report | Cyber Trust | Report | Public (PU) | M16 |
| **D4.1** | Federation Router Implementation | Masaryk Univ | Software + Documentation | Public (PU) | M12 |
| **D4.2** | Testbed Deployment Report | Masaryk Univ | Report | Public (PU) | M16 |
| **D4.3** | Interoperability Testing Results | Masaryk Univ | Report | Public (PU) | M18 |
| **D5.1** | Pilot Assessment Report | France Public | Report | Public (PU) | M20 |
| **D5.2** | Standards Contributions Package | France Public | Report | Public (PU) | M22 |
| **D5.3** | Final Project Report & TRL 6 Validation | France Public | Report | Public (PU) | M24 |

**Dissemination Levels:**

- **Public
(PU):** 12 deliverables — published on CORDIS, EU Open Research Repository, project website
- **Confidential (CO):** 1 deliverable (D3.2) — trained machine learning models contain pilot-specific data, shared only within consortium

---

### Effort Allocation (Person-Months per Partner)

| Partner | WP1 | WP2 | WP3 | WP4 | WP5 | **Total PM** | **FTE Avg** |
|---------|-----|-----|-----|-----|-----|--------------|-------------|
| **VaultMesh Technologies (IE)** | 8 PM | 24 PM | 6 PM | 4 PM | 4 PM | **46 PM** | **1.9 FTE** |
| **Masaryk University (CZ)** | 4 PM | 8 PM | — | 10 PM | 4 PM | **26 PM** | **1.1 FTE** |
| **Cyber Trust (GR)** | 3 PM | — | 18 PM | 3 PM | 4 PM | **28 PM** | **1.2 FTE** |
| **France Public (FR)** | 3 PM | — | — | 3 PM | 6 PM | **12 PM** | **0.5 FTE** |
| **Total** | **18 PM** | **32 PM** | **24 PM** | **20 PM** | **18 PM** | **112 PM** | **4.7 FTE** |

*Note: Total PM (112) includes 10% buffer above baseline 104 PM (per budget sanity check in PQC_Submission_Checklist.md).
FTE averaged over 24 months.*

---

### Budget Allocation per Work Package

| WP | Personnel (€K) | Equipment (€K) | Travel (€K) | Other Costs (€K) | Indirect (25%) (€K) | **Total (€K)** |
|----|----------------|----------------|-------------|------------------|---------------------|----------------|
| **WP1** | €240 | €10 | €20 | €15 | €71 | **€356** |
| **WP2** | €480 | €50 | €30 | €40 | €150 | **€750** |
| **WP3** | €360 | €30 | €25 | €20 | €109 | **€544** |
| **WP4** | €300 | €20 | €30 | €10 | €90 | **€450** |
| **WP5** | €280 | €15 | €50 | €30 | €94 | **€469** |
| **Contingency (10%)** | — | — | — | — | — | **€231** |
| **Total** | **€1,660** | **€125** | **€155** | **€115** | **€514** | **€2,800** |

**Cost Categories Explanation:**

- **Personnel:** Salaries for 112 PM across 4 partners (avg €14.8K/PM blended rate)
- **Equipment:** PQC-capable servers, network infrastructure for testbed (WP4), pilot site hardware (WP5)
- **Travel:** Consortium meetings (4 in-person/year), conference presentations (5+), pilot site visits
- **Other Costs:** TSA/blockchain fees (€20K for 100K+ receipts), external TRL audit (€15K), publications (€10K open access fees)
- **Indirect Costs:** 25% overhead (EU standard for RIA projects)
- **Contingency:** 10% (€280K) allocated per Risk Register for NIST standards changes, pilot delays, algorithm performance issues

---

## 3.2 Management Structure and Procedures

### Organizational Structure

**Coordinator:** VaultMesh Technologies B.V.
(Ireland)

- **Project Manager:** Karol Stefanski (0.5 FTE dedicated) — overall coordination, EU reporting, partner liaison
- **Technical Lead:** VaultMesh CTO (0.3 FTE) — WP2 lead, architecture oversight, integration coordination

**Steering Committee (Decision-Making Body):**

- **Members:** 1 representative per partner (4 total: VaultMesh, Brno, Cyber Trust, France Public)
- **Meetings:** Monthly virtual meetings (30-60 min), documented minutes published within 48h
- **Attendance Target:** ≥90% (KPI IM3) — all 4 partners attend ≥22/24 meetings
- **Decisions:** Consensus preferred; if not achievable, 75% majority vote (3/4 partners)
- **Escalation:** Conflicts unresolved after 2 steering meetings escalate to coordinator + external mediator (within 2 weeks, KPI IM3)

**Work Package Leads:**

- **WP1 (Governance):** VaultMesh — responsible for deliverables D1.1, D1.2, consortium coordination
- **WP2 (PQC Integration):** VaultMesh — responsible for D2.1, D2.2, D2.3, integration with WP3-WP4
- **WP3 (Ψ-Field):** Cyber Trust (Greece) — responsible for D3.1, D3.2, D3.3, ML model development
- **WP4 (Federation):** Masaryk University (Brno) — responsible for D4.1, D4.2, D4.3, testbed operation
- **WP5 (Pilots):** France Public — responsible for D5.1, D5.2, D5.3, pilot coordination

**Technical Advisory Board (Optional, External Experts):**

- **Composition:** 2-3 external advisors (PQC cryptography expert, NIS2 policy expert, cloud security expert)
- **Role:** Review D1.2 (architecture), D2.3 (LAWCHAIN), D5.3 (final report), provide non-binding recommendations
- **Compensation:** €1K/review (€5K total budget from WP1 "Other Costs")

---

### Decision-Making Process

**Day-to-Day Operational Decisions (WP-Level):**

- **Scope:** Task scheduling, resource allocation within WP budget, technical implementation choices
- **Authority:** WP lead decides, informs steering committee via monthly report
- **Example:** "WP2 chooses liboqs library for PQC integration" (WP lead decision, no
vote needed)

**Strategic Decisions (Consortium-Level):**

- **Scope:** Budget reallocation >€20K between WPs, deliverable deadline extensions >1 month, partner substitution, IP rights disputes
- **Authority:** Steering committee vote (75% majority required)
- **Example:** "Reallocate €30K from WP3 to WP5 due to pilot site cost overrun" (requires 3/4 approval)

**Emergency Decisions (Crisis Management):**

- **Scope:** NIST standards change requiring re-implementation (Risk R01), pilot site withdrawal (Risk R04), critical security vulnerability in VaultMesh
- **Authority:** Coordinator convenes emergency steering meeting within 48h, decision within 1 week
- **Fallback:** If consensus not achievable, coordinator makes unilateral decision (must be ratified at next regular steering meeting)

---

### Reporting and Monitoring

**Internal Reporting (Consortium-Level):**

- **Monthly WP Reports:** Each WP lead submits 1-page status report (progress, risks, next month plan) — due 5th of each month
- **Quarterly Financial Reports:** Each partner submits timesheets (person-months) + expenses (equipment, travel) — due 10 days after quarter end
- **Monthly Steering Meetings:** Review KPI dashboard (3-5 priority KPIs per meeting), address blockers, approve decisions
- **Risk Register Updates:** WP leads update risk likelihood/impact scores monthly, steering committee reviews quarterly

**EU Reporting (Formal Deliverables):**

- **Periodic Reports:** Submitted M12 (mid-term review) and M24 (final review) via EU Funding & Tenders Portal
  - Technical progress: WP summaries, deliverable status, KPI measurements
  - Financial statements: Cost claims per partner, budget burn rate, justification for variances >10%
  - Revised work plan: If needed (e.g., pilot delays), steering committee approval required
- **Deliverable Submissions:** 13 deliverables submitted via EU portal according to timeline (D1.1 M3 through D5.3 M24)
- **Continuous Reporting:** Project Officer (EU) notified within 30 days of
major changes (partner withdrawal, budget reallocation >€50K)

---

### Quality Assurance Procedures

**Deliverable Review Process (3-Stage):**

1. **Internal Peer Review (Week 1):** Partner not leading deliverable reviews draft (2-3 page checklist: technical accuracy, clarity, alignment with D1.2 architecture)
2. **Steering Committee Approval (Week 2):** WP lead presents deliverable at monthly meeting, steering committee approves for submission (or requests revisions)
3. **External Review (Optional, Major Deliverables):** D1.2 (architecture), D2.3 (LAWCHAIN), D5.3 (final report) reviewed by Technical Advisory Board (€1K/review)

**Quality Criteria (All Deliverables Must Meet):**

- ✅ Alignment with call topic ECCC-06 expected outcomes
- ✅ Compliance with EU formatting (Arial 11pt, PDF/A, page numbers)
- ✅ References formatted consistently (IEEE style)
- ✅ Spell check (UK English), grammar check (Grammarly or equivalent)
- ✅ Open Access: Public deliverables (12/13) uploaded to Zenodo + CORDIS within 2 weeks of submission

**External TRL Audit (M12, M24):**

- **Provider:** Independent cybersecurity auditor (e.g., former EU evaluator, CREST-certified firm)
- **Scope:** Review VaultMesh architecture (D1.2), testbed validation (D4.3), pilot reports (D5.1), interview operators, assess TRL level
- **Output:** 10-page audit report with TRL score (1-9) + justification, recommendations for improvement
- **Budget:** €15K total (€7K M12, €8K M24) from WP5 "Other Costs"
- **Success Criterion:** M24 audit confirms TRL 6 (operational environment validation across ≥2/3 pilot sites)

---

### Communication and Collaboration Tools

**Real-Time Communication:**

- **Mattermost (Self-Hosted):** Instant messaging (5 channels: General, WP1-WP5), file sharing, integrations with GitHub
- **Response Time SLA:** <24h for routine questions, <4h for critical issues (pilot downtime, security vulnerabilities)

**Document Management:**

- **NextCloud (Self-Hosted):** Consortium file repository (500 GB
storage), version control, access control per partner
- **GitHub (Public Repos):** Code repositories (5+), issue tracking, pull request reviews (Apache 2.0 license)
- **Overleaf (Deliverable Drafting):** Collaborative LaTeX editing for deliverables (IEEE style templates)

**Video Conferencing:**

- **Jitsi (Self-Hosted):** Monthly steering meetings, WP sync calls, pilot training sessions (GDPR-compliant, no third-party tracking)

**Project Website:**

- **URL:** vaultmesh.eu/pqc-integration (launched M3)
- **Content:** Project overview, consortium partners, public deliverables, news updates, contact form
- **Hosting:** VaultMesh self-hosted (sovereign infrastructure, no AWS/GCP/Azure)

---

## 3.3 Consortium as a Whole

### Partner Roles and Complementarity

| Partner | Country | Type | Core Expertise | Role in Consortium | Key Personnel (CV in Annex D) |
|---------|---------|------|----------------|-------------------|-------------------------------|
| **VaultMesh Technologies B.V.** | Ireland | Private SME | Cryptographic receipts, distributed systems, LAWCHAIN | Coordinator, WP1 & WP2 lead, integration | Karol Stefanski (Project Manager), CTO (Technical Lead), 2 senior developers |
| **Masaryk University (Brno)** | Czech | Academic | Post-quantum cryptography, federated systems, testbed infrastructure | WP4 lead (federation testbed), PQC algorithm validation | Prof. X (Cryptography), 2 PhD students, 1 sysadmin |
| **Cyber Trust S.A.** | Greece | Private SME | Cybersecurity, anomaly detection, machine learning | WP3 lead (Ψ-Field), pilot site (Greece critical infra) | Dr. Y (ML/Security), 2 data scientists, 1 DevOps |
| **Public Digital Services Agency** | France | Public Body | Public administration IT, NIS2 compliance, GDPR governance | WP5 lead (pilots), standards coordination, policy liaison | Director Z (IT Governance), 2 IT managers, 1 legal advisor |

**Geographic Distribution:** 4 EU member states (Ireland, Czech Republic, Greece, France) → strong EU representation, diverse regulatory contexts (western/central/southern EU)

**Sector Balance:**

- **Private SMEs (50%):** VaultMesh + Cyber Trust → agility, innovation, commercial perspective
- **Academic (25%):** Masaryk University → research rigor, PQC algorithm expertise, PhD student involvement
- **Public Sector (25%):** France Public → policy insight, public administration use cases, NIS2/DORA compliance expertise

**Why This Consortium (Not Others)?**

1. **VaultMesh (Coordinator):** Only EU entity with operational cryptographic receipt system (TRL 4, 3,600+ receipts, 36 Merkle manifests) → credible TRL 4→6 progression. Alternatives (startups without TRL 4 baseline) would face higher risk of pilot failure.
2. **Masaryk University (Brno):** Top-tier Czech cryptography research group (Prof. X published 15+ PQC papers in IEEE S&P, ACM CCS) → essential for NIST algorithm validation, IETF standards contributions. Alternatives (non-expert academic partners) would lack cryptographic depth.
3. **Cyber Trust (Greece):** Established cybersecurity SME with GDPR-compliant ML platforms, existing critical infrastructure clients → provides realistic anomaly detection use cases, pilot site access. Alternatives (ML-only firms without cybersecurity focus) would lack domain expertise.
4. **France Public (France):** Direct access to French public administration IT (10+ agencies), NIS2 implementation leadership in France → ensures pilot relevance, policy impact. Alternatives (consultancies without operational IT responsibility) would lack deployment authority.

**Missing Expertise (Mitigated via Subcontracting/Advisory):**

- **Legal/Ethics Expertise (GDPR, NIS2, DORA):** France Public has in-house legal advisor (1 PM allocated WP1, WP5)
- **External TRL Audit:** Subcontracted to independent auditor (€15K budget WP5)
- **Standards Body Connections:** VaultMesh + Brno have existing ETSI TC CYBER, IETF CFRG participation

---

### Partner Track Records

**VaultMesh Technologies B.V. (Coordinator):**

- **Experience:** Founded 2022, specialized in cryptographic governance for distributed systems
- **Relevant Projects:** VaultMesh TRL 4 prototype (self-funded), 3,600+ cryptographic receipts operational, Merkle compaction algorithm (patent-pending)
- **Publications:** 3 white papers on cryptographic governance (2023-2024), 1 IETF draft (WebAuthn extensions)
- **EU Funding:** First Horizon Europe proposal (this project) — no prior H2020/Horizon Europe (considered strength: fresh perspective, high motivation)

**Masaryk University (Brno, Czech Republic):**

- **Experience:** Faculty of Informatics, Cybersecurity Research Group (est. 2010)
- **Relevant Projects:** H2020 SECREDAS (Security and Privacy in Decentralized Architectures, €8M, 2018-2021) — partner, contributed PQC migration best practices
- **Publications:** 50+ peer-reviewed papers in cryptography (Prof. X: h-index 42, Google Scholar), 10+ PQC-specific (CRYSTALS-Kyber analysis, lattice-based cryptography)
- **Infrastructure:** 100+ node research testbed (used for SECREDAS), GÉANT connection (10 Gbps), experience deploying EU-funded pilots

**Cyber Trust S.A.
(Greece):**

- **Experience:** Founded 2015, 30 employees, €3M annual revenue
- **Relevant Projects:** Horizon 2020 CONCORDIA (Cybersecurity Competence Network, €23M, 2019-2022) — partner, developed federated anomaly detection for critical infrastructure
- **Clients:** Greek energy operator (IPTO), Athens public transport, 2 Greek banks (NIS2/DORA compliance consulting)
- **Certifications:** ISO 27001, CREST Penetration Testing, GDPR DPO certification

**Public Digital Services Agency (France):**

- **Experience:** French government agency, 150 employees, manages IT for 20+ ministries
- **Relevant Projects:** French national NIS2 implementation (2023-2024, €5M budget) — led compliance rollout for 15 public agencies
- **Policy Influence:** Contributed to ANSSI (French cybersecurity agency) PQC migration guidelines (2024), member of ENISA NIS Cooperation Group
- **Infrastructure:** 10+ data centers (sovereign hosting), experience deploying cryptographic solutions at scale (50,000+ employees)

---

### Gender Balance and Diversity

**Current Consortium Composition (Estimated):**

- **Total Personnel (112 PM):** ~18 individuals across 4 partners
- **Gender Balance:** ~25% female (estimated: 4-5 women among 18 personnel) — below EU 40% target
- **Geographic Diversity:** 4 EU member states (Western/Central/Southern Europe), 3 official languages (English/French/Czech/Greek)
- **Sector Diversity:** Private (2), academic (1), public (1)

**Actions to Improve Gender Balance:**

- **Recruitment Priority:** Brno and Cyber Trust commit to recruiting ≥1 female PhD student/data scientist for WP3/WP4 (if available in talent pool)
- **Conference Presentations:** Target ≥30% female speakers for 3 regional workshops (M15, M18, M21)
- **Gender Equality Plans:** VaultMesh and Cyber Trust reference company-level GEPs (required for Horizon Europe participation if >50 employees; Cyber Trust has 30, so voluntary)

**Institutional Gender Equality Plans (If Required):**

- **Masaryk University:**
Institutional GEP published 2023 (45% female PhD students in informatics, 30% female faculty)
- **France Public:** French government GEP (40% female leadership target by 2025, 35% achieved as of 2024)
- **VaultMesh + Cyber Trust:** SMEs <50 employees (GEP not mandatory), but both companies have diversity statements

---

## 3.4 Other Aspects

### Ethics and Regulatory Compliance

**Ethical Issues Assessment:**

**No Human Subjects Research:**

- Project does NOT involve human participants (no surveys, interviews, medical data)
- EU portal checkbox: "Does not involve human subjects" ✓

**Personal Data Processing (GDPR Compliance):**

- **Pilot Data:** Operational logs from 3 pilot sites (France, Czech, Greece) contain IP addresses, user IDs (pseudonymized)
- **Legal Basis:** GDPR Art. 6(1)(e) — public interest (NIS2 compliance testing), Art. 9 exemption (no special category data)
- **Data Minimization:** Only cryptographic hashes and receipt metadata collected (no raw log content), anonymization via VaultMesh Merkle compaction
- **Data Processing Agreements (DPAs):** Signed M3 between coordinator and 3 pilot sites (standard contractual clauses for cross-border transfers)
- **Data Retention:** Pilot data deleted M24+6 months (after final deliverable publication), anonymized datasets published on Zenodo (CC-BY 4.0)

**GDPR Compliance Measures (Built into WP1-WP5):**

- **Privacy-by-Design (Art. 25):** Ψ-Field federated learning (WP3) processes only gradients, not raw data
- **Security (Art. 32):** All VaultMesh communications encrypted (mTLS, hybrid PQC KEM), external TSA anchoring provides integrity
- **Data Subject Rights (Art.
15-20):** Pilot sites retain data controller responsibility, VaultMesh acts as processor (DPA clauses define rights)
- **Legal Review:** France Public legal advisor (1 PM allocated WP5) reviews D5.3 for GDPR compliance, ethics assessment included

**No Animal Experiments:**

- EU portal checkbox: "Does not involve animals" ✓

**Environmental/Safety Issues:**

- No hazardous materials, no dual-use research, cybersecurity focus only
- EU portal checkbox: "No environmental/safety issues" ✓

---

### Security Measures

**Security-by-Design (NIST Cybersecurity Framework Alignment):**

1. **Identify:** Threat modeling (WP1 Task 1.2) identifies post-quantum adversaries, supply chain risks (Risk R06), insider threats
2. **Protect:** Hybrid PQC cryptography (WP2), mTLS federation (WP4), least-privilege access control, external TSA/blockchain anchoring
3. **Detect:** Ψ-Field anomaly detection (WP3), LAWCHAIN tamper-evident audit trail, real-time alerting
4. **Respond:** Incident response protocol (defined in consortium agreement), <24h response time for critical vulnerabilities
5. **Recover:** Merkle tree redundancy (36 manifests), external anchoring (TSA + Ethereum + Bitcoin) enables post-incident verification

**External Security Audits:**

- **TRL Audits (M12, M24):** Independent auditor reviews VaultMesh architecture, testbed security, pilot configurations (€15K budget)
- **Code Reviews:** GitHub pull request reviews (2 approvals required for main branch), automated static analysis (SonarQube), dependency scanning (Dependabot)
- **Penetration Testing (Post-Project):** €10K budget allocated in sustainability plan (M30) for CREST-certified pentest

**Vulnerability Disclosure Policy:**

- **During Project:** Coordinator notified within 24h of critical vulnerabilities, steering committee convenes emergency meeting (Section 3.2)
- **Post-Project (M24+):** Public bug bounty program (€1K-€5K rewards), coordinated disclosure (90-day embargo)

---

### Risk Management (Reference: PQC_Risk_Register.md)

**Risk Management Approach:**

The project has identified **15 risks** across 4 categories (technical, organizational, financial, external), documented in **PQC_Risk_Register.md** (Annex B). Key features:

- **Scoring System:** Likelihood (1-3: Low/Medium/High) × Impact (1-3: Low/Medium/High) = Risk Score (1-9)
- **Current Risk Profile:** Weighted average score **2.9/9 (MODERATE)**, 0 high-risk items (score ≥6), 3 medium-high risks (score 4)
- **Contingency Budget:** €280K (10% of total budget) allocated per Risk Register, with specific allocations to WPs

**Top 3 Risks (Score 4/9, Medium-High):**

1. **Risk R01: NIST PQC Standards Change**
   - **Likelihood:** 2/3 (MEDIUM) — NIST revised Kyber parameters 2023, may happen again
   - **Impact:** 2/3 (MEDIUM) — requires re-implementation (€50K cost, 2-month delay)
   - **Mitigation:** Modular cryptographic library (WP2 Task 2.1), €50K contingency allocated, monthly NIST monitoring
   - **Owner:** VaultMesh (WP2 lead)
2. **Risk R04: Pilot Site Deployment Delays**
   - **Likelihood:** 2/3 (MEDIUM) — public administrations face procurement delays, political changes
   - **Impact:** 2/3 (MEDIUM) — delays TRL 6 validation, affects KPI E1
   - **Mitigation:** 3 pilot sites (redundancy), legal pre-clearance (M1-M3), monthly steering reviews
   - **Owner:** France Public (WP5 lead)
3. **Risk R08: Ψ-Field False Positives**
   - **Likelihood:** 2/3 (MEDIUM) — anomaly detection inherently noisy in early deployments
   - **Impact:** 2/3 (MEDIUM) — reduces operator trust, affects KPI I2 (<10% false positive target)
   - **Mitigation:** 3-month tuning phase (M13-M15), human-in-the-loop validation, fallback to manual SIEM if >15% false positive rate
   - **Owner:** Cyber Trust (WP3 lead)

**Risk Review Process:**

- **Monthly Updates:** WP leads update risk likelihood/impact in shared risk register (NextCloud spreadsheet)
- **Quarterly Steering Review:** Steering committee reviews top 5 risks, approves mitigation actions, reallocates contingency if needed
- **Escalation Criteria:** Any risk reaching score ≥6 (high-risk) triggers emergency steering meeting within 48h (Section 3.2)
- **Contingency Release:** Requires steering committee approval (75% vote) for allocations >€20K

**Success Criterion (KPI IM4):** No high-risk items (score ≥6) at M24, ≥5/15 risks closed as mitigated/irrelevant, 0 risk escalations to EU.

---

### Open Science and FAIR Data

**Open Access Publications (100% Target):**

- **Gold Open Access:** All 10+ peer-reviewed papers published in OA journals (€10K budget for article processing charges, WP5 "Other Costs")
- **Green Open Access:** Preprints uploaded to arXiv within 24h of journal submission
- **Repositories:** All publications listed on CORDIS, EU Open Research Repository, Zenodo

**FAIR Data Principles (Deliverable D1.4, Data Management Plan M3):**

1. **Findable:**
   - All datasets assigned DOIs (Zenodo), descriptive metadata (Dublin Core), keywords (PQC, VaultMesh, NIS2)
2.
**Accessible:** - Public datasets (anonymized pilot data) under CC-BY 4.0, available indefinitely on Zenodo - Confidential datasets (D3.2 ML models) shared within consortium only (NextCloud, access control) 3. **Interoperable:** - Standard formats (JSON for receipts, CSV for logs, PNG for diagrams), API documentation (OpenAPI 3.0) - Metadata schemas: Dublin Core (general), DCAT-AP (EU open data) 4. **Reusable:** - Apache 2.0 license (code), CC-BY 4.0 (data/docs), comprehensive README files (5+ repos) - Provenance: LAWCHAIN Merkle roots provide cryptographic proof of data integrity **Open-Source Software (5+ Repositories Target, KPI E2):** - **Repositories:** vaultmesh-pqc-sealer, vaultmesh-verifier, psi-field-anomaly, federation-router, pilot-deployment-scripts - **License:** Apache 2.0 (all repos), contributor agreements signed - **Documentation:** README (getting started), CONTRIBUTING (dev guidelines), API specs (Swagger), Docker deployment guides - **Community:** GitHub Issues for bug tracking, Discussions for Q&A, monthly community calls (post-M18) --- ### Cross-Cutting EU Priorities **Gender Equality:** - Addressed in Section 3.3 (target: 30%+ female conference speakers, recruitment priority for female researchers) **Climate Change and Environmental Sustainability:** - **Relevance:** Low (cybersecurity project, no significant carbon footprint) - **Actions:** Prefer virtual meetings over in-person (reduce travel emissions), self-hosted infrastructure (energy-efficient VPS vs. 
AWS data centers) - **EU Portal Declaration:** "No significant climate impact (positive or negative)" **Digital Transformation:** - **High Relevance:** Project directly contributes to EU Digital Decade 2030 targets (secure digital infrastructure, digital sovereignty) - **Alignment:** NIS2 Directive (cybersecurity), DORA (operational resilience), EU Cybersecurity Act (certification) --- **Document Control:** - **Version:** 1.0-IMPLEMENTATION-SECTION - **Date:** 2025-11-06 - **Owner:** VaultMesh Technologies B.V. (Coordinator) - **Classification:** Consortium Internal (Part B Section 3 Draft) - **Related Files:** PQC_Work_Package_Gantt.mmd, PQC_Risk_Register.md, PQC_Submission_Checklist.md, consortium-tracker.csv