Why Organisations Must Prepare Now for Post‑Quantum Cryptography

Large-scale quantum computers are on the horizon, and the development of this technology is accelerating at pace.

In practice, this requires organisations to develop plans for migrating to quantum‑safe security, in anticipation of quantum computers that could eventually break all current encryption protocols, such as Rivest–Shamir–Adleman (RSA), which underpin banking, government and critical infrastructure systems, as well as then the internet.

The cornerstone of the quantum-safe migration will be post-quantum cryptography (PQC). 

The UK’s National Cybersecurity Centre (NCSC) has set a deadline of 2035 for organisations to completely migrate their systems, services and products to PQC.

In addition, the G7 Cyber Expert Group (CEG) called for financial businesses and public entities to complete the PQC transition by 2034 at the latest.

Meanwhile, the US National Institute of Standards & Technology (NIST) formalised the world’s first post-quantum cryptographic standards in August 2024. These standards are designed to provide organisations with a framework for the transition.

Despite the government timelines and resources now avalaible, many firms have no defined strategy to defend against quantum-enabled threats and have not taken steps to prepare for quantum computing. There also remains a lack of understanding of the NIST’s post-quantum cryptographic standards, which were formalised in August 2024.

The post‑quantum threat is the risk that future quantum computers will break today’s cryptography, exposing encrypted data, undermining digital trust and forcing a global transition to quantum‑safe security.

One of the biggest risks around the emergence of quantum computing is cybercriminal’s deploying ‘harvest now, decrypt later’ (HNDL) strategies.

At its core, HNDL describes an adversarial approach in which attackers collect and store encrypted data today, with the expectation that future quantum computers will be able to break the encryption protecting it.

Attackers do not need to quantum computers today to conduct HNDL attacks. The objective is not immediate access, but long‑term intelligence value.

For organisations handling sensitive data with long lifespans, such as government records, intellectual property, healthcare data or critical infrastructure information, the risk of HNDL incidents is high. 

Post‑quantum cryptography (PQC) protects against the post‑quantum threat by replacing today’s vulnerable cryptographic algorithms with ones built on mathematical problems that quantum computers cannot efficiently break.

Speaking to Infosecurity, Shahram Mossayebi, co-founder of Crypto Quantique, noted, “When it comes to PQC, we don't have to wait for quantum computers to come. I think we have enough evidence that the risk is considerable, that someone behind the door might have something, or soon might have something, that we need to do something about it today.”

PQC can be deployed through software upgrades, making it a relatively easy path forward. However, it does require testing and hardening.

In 2024, Infosecurity spoke to Philip Intallura, Global Head of Quantum Technologies at HSBC, who explained: “The key strength of PQC is it’s scalable. For a bank like HSBC that operates across many markets, PQC is likely to be the main solution for most of our applications.”

In early 2026, The US Cybersecurity and Infrastructure Security Agency (CISA) published an initial list of hardware and software product categories that support or are expected to support PQC standards.

The list aims to help guide organisations in planning PQC adoption and shaping technology investment strategies amid the rise of quantum computing.

For CISOs, the transition to post‑quantum cryptography (PQC) should be treated as a strategic security programme rather than a future technical upgrade.

Intallura said, “The single most important step is to make sure your board are having conversations about quantum computing and the emerging threats that they pose.”

PQC risk should be communicated in business terms to leadership, ensuring long‑term investment and governance before quantum threats become operational.

Meanwhile, resources like NIST’s post-quantum cryptography standards provide a framework to secure systems and data against future quantum threats.

Thing to consider when migrating to quantum-secure cryptography:  

• Examine the risk factor to your organisation, for example many financial institutions have already begun their quantum transition because of the nature of their cryptography standards and the data they hold. However, quantum computing will impact cybersecurity differently across different industries.
• Gathering evidence, identify gaps across the network and understand how regulatory requirements vary across the regions in which the organisation operates.
• Create a clear inventory of applications and the cryptographic protocols they use today, alongside an assessment of the data they handle, including its sensitivity and how long it needs to remain secure.
• Asses your supply chain for cryptographic vulnerabilities and where they are on the journey to being post-quantum ready.
• Consider utilising post-quantum specialists who can identify vulnerabilities and create a strategy for migration to quantum-secure cryptography.
• Consider what applications you are going to prioritise for transition.
• Build crypto‑agility into security architectures which enable algorithms to be replaced without large‑scale redesign.

Quantum computing is moving from theory to reality, and the security implications are no longer hypothetical. Post‑quantum cryptography provides a viable and scalable response, but it cannot be treated as a last‑minute technical fix.

For CISOs, the priority now is to treat PQC as a strategic issue. Security leaders must work with business stakeholders to understand where quantum‑vulnerable cryptography exists, factor quantum risk into long‑term security planning and begin laying the foundations for a controlled transition.

Acting early will give organisations the time and flexibility needed to adapt securely as the post‑quantum era approaches.

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?