Certifications & Compliance

Certification status, stated precisely

This page separates what BCrypto has attained from what we are working toward. Nothing here implies a certification we do not hold. Formal validations are sequenced against funding and pilot milestones, and every dated claim on this page is reviewed quarterly.

Attained today

NIST FIPS 203 (ML-KEM-1024) implemented in hardware

ML-KEM-1024 runs in hardware, and every build is gated in CI by known-answer tests (KAT): the same byte-identical test vectors must pass on Android, iOS and Desktop before anything ships.

Three patent applications filed with UIBM

Three patent applications covering the hardware-enforced voice security architecture were filed with UIBM, the Italian Patent Office, in 2026. Filed means filed — examination and grant are separate, later steps.

TRL 6 — firmware feature-complete

The firmware is feature-complete and demonstrated in a relevant environment, corresponding to TRL 6. TRL measures engineering maturity; it is not a certification, and we cite it as exactly that.

EU-designed supply chain

Design authority for hardware and firmware sits in the EU, with a supply chain documented for provenance and auditability — a baseline requirement in European government and defence procurement.

RFC 9116 security.txt and coordinated disclosure

A security.txt file per RFC 9116 and a coordinated vulnerability disclosure policy are published and operational today, with defined acknowledgement and disclosure windows.

In progress and targeted

None of the items in this section is held today. Formal validations are long, costly processes: each one starts when the funding or pilot milestone that justifies it is reached. We state that dependency openly rather than imply progress that has not happened.

CAVP algorithm validation

Independent validation of the ML-KEM-1024 implementation under NIST's Cryptographic Algorithm Validation Program — third-party confirmation of the vectors our CI already enforces, and the prerequisite for FIPS 140-3.

FIPS 140-3 module validation

Formal validation of the complete cryptographic module — roles, interfaces, key management, physical security — by an accredited laboratory. It goes far beyond algorithm conformance and begins after CAVP.

Common Criteria evaluation

Evaluation of the product under Common Criteria. Scope and assurance level will be fixed together with the first institutional customers, so that the evaluated configuration matches real deployments.

ISO 27001 certification

Certification of BCrypto's information security management system under ISO 27001. Preparation runs alongside product work; the audit itself is scheduled against company growth milestones.

NATO STANAG interoperability qualification

Qualification against the applicable STANAG interoperability requirements. This step follows customer-led pilots: procuring nations determine which standards and test regimes apply, so pilots necessarily come first.

EU CRA readiness

Alignment of product and processes with the EU Cyber Resilience Act (CRA) ahead of its application dates — conformity assessment, vulnerability handling and update obligations.

NIS2 alignment mapping

A documented mapping of how Q-Audion deployments support customers' NIS2 obligations. BCrypto is not the regulated entity here; the mapping exists to shorten our customers' compliance work.

Algorithm conformance is not module validation

FIPS 203 algorithm conformance is not FIPS 140-3 module validation. The first means our ML-KEM-1024 implementation produces the standardised results — verified on every build by KAT-gated CI. The second is a separate, formal evaluation of the entire cryptographic module by an accredited laboratory. BCrypto has the first today; the second is on the roadmap, not in hand.

Every dated claim on this page is reviewed quarterly. Certification work is sequenced against funding and pilot milestones; when a milestone moves, the entry is updated rather than left to imply progress that has not happened.

Ready to Secure Your Digital Sovereignty?

Join Europe's post-quantum security revolution. Contact our team for institutional partnerships and strategic collaborations.