Post-Quantum Cryptography (PQC) FAQ: Protecting Your Business in the Dawn of Quantum Computing
- Ben de la Salle

Quantum-safe cryptography (often referred to as “Post-Quantum Cryptography” or PQC) helps organisations protect data and digital services today against the future risk posed by powerful quantum computers, while also meeting emerging regulatory expectations and resilience requirements.
This FAQ explains what PQC is, why it matters now, and how your business can prepare, while also addressing key regulatory expectations and steps for building future-proof resilience.
What is quantum-safe or Post-Quantum Cryptography?
Quantum-safe or post-quantum cryptography refers to new families of encryption and digital signature algorithms designed to remain secure even when attackers have access to large-scale quantum computers. Security bodies such as NIST and national agencies in the US, UK and EU are now standardising these algorithms so that governments and industry can adopt them with confidence.
What is meant by the term Q-Day?
Q-day is the term used to describe the future point in time when quantum computers become powerful enough to break widely used public-key cryptographic algorithms, such as RSA and ECC. On Q-day, encrypted data protected by these traditional methods could be decrypted by adversaries with access to a sufficiently advanced quantum computer. This creates significant risks for any sensitive data that is currently being stored or transmitted using vulnerable encryption. Preparing for Q-day is a key driver behind the adoption of quantum-safe/Post-Quantum Cryptography, ensuring long-term protection of critical information.
What do "HNDL" and "TNFL" mean in this context?
Harvest Now, Decrypt Later (HNDL) refers to a strategy where attackers steal and store encrypted data today, with the intention of decrypting it in the future once quantum computers are powerful enough to break current encryption methods.
Trust Now, Forge Later (TNFL) refers to a risk scenario where digital signatures or authentication mechanisms that are trusted today could be forged in the future by attackers with access to quantum computers.
Why does Post-Quantum Cryptography matter to my business now?
Sensitive data stolen today can be stored and decrypted later once quantum capabilities mature, which means long‑lived data (financial records, health information, IP, citizen data) is already at risk from “HNDL” attacks. Regulators and standards bodies are signalling that organisations are expected to start planning and migrating well before quantum computers are widely available, so waiting may translate into compliance gaps and higher remediation costs.
How does Post-Quantum Cryptography help with resilience and business continuity?
PQC ensures that critical services, customer channels, and digital supply chains remain secure as cryptographic standards evolve. A robust PQC programme includes cryptographic inventories, risk-based prioritisation, and crypto-agility (the ability to switch algorithms quickly), all of which strengthen operational resilience and business continuity.
What are regulators and standards bodies expecting?
Across jurisdictions, guidance now links quantum readiness to good cybersecurity risk management and “state of the art” encryption. Examples include NIS2 and its implementing regulations in Europe, sector rules such as DORA for financial services, and international roadmaps encouraging organisations to phase out vulnerable cryptography by the early‑to‑mid 2030s.
What should boards and executives be asking?
Boards and executives are expected to treat quantum risk as a strategic issue, not a purely technical one. Typical questions include:
- Where in our organisation is cryptography currently used to protect sensitive data, systems, and transactions?
- How long does our sensitive data need to remain confidential, and does it have a long “shelf life”?
- What is our current level of awareness and preparedness for quantum threats across the business?
- What is our roadmap for migrating to quantum-safe cryptography, and who is responsible for overseeing it?
- How are our critical suppliers and partners preparing for quantum risk, and are they aligned with our own plans?
- Are our existing budgets, resources, and controls sufficient to address PQC migration and ongoing compliance requirements?
- How are we keeping up to date with regulatory expectations (e.g., NIS2, DORA) and industry standards for quantum readiness?
- What would be the business impact if encrypted data or digital signatures were compromised after Q-day?
What practical steps can organisations take in the next 12–24 months?
Organisations should start with education and awareness, assessing the impacts associated with PQC risks, and building a strategic response. This will include compiling a cryptographic inventory, a quantum risk assessment and a high‑level PQC roadmap aligned to existing cyber and resilience programmes. Engaging key vendors, updating encryption policies for crypto‑agility and piloting PQC in low‑risk environments are pragmatic early moves that demonstrate progress to regulators, customers and internal stakeholders.
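A first pass at the cryptographic inventory and risk-based prioritisation described above, mapping each entry to the HNDL or TNFL scenario. This is an added example, not ICA Consultancy's tooling; the inventory rows, the column names and the 2035 planning year are constructed assumptions, and algorithm matching is by name prefix only.

```python
import csv
import io

# Constructed sample inventory (not real systems). "protect_until" is the last
# year the data must stay confidential or the signature must stay trusted.
INVENTORY_CSV = """system,algorithm,purpose,protect_until
customer-portal-tls,ECDHE-P256,key-exchange,2027
health-records-archive,RSA-2048,encryption,2050
firmware-signing,ECDSA-P256,signature,2040
partner-vpn,ML-KEM-768,key-exchange,2045
session-tokens,RSA-2048,signature,2026
backup-encryption,AES-256,symmetric,2045
badge-readers,VENDOR-PROPRIETARY,encryption,2032
"""

# Public-key families a large quantum computer breaks (Shor's algorithm).
VULNERABLE = ("RSA", "ECDH", "ECDSA", "DH", "DSA")
# NIST selections (Kyber, Dilithium) plus their standardised names.
PQC = ("ML-KEM", "ML-DSA", "KYBER", "DILITHIUM", "CRYSTALS")
SYMMETRIC = ("AES", "CHACHA20")  # not public-key, outside this check

def family(algorithm):
    name = algorithm.upper()
    for label, prefixes in (("pqc", PQC), ("symmetric", SYMMETRIC),
                            ("vulnerable", VULNERABLE)):
        if name.startswith(prefixes):
            return label
    return "unknown"

def assess(csv_text, q_day_year):
    """Return (findings sorted by exposure, systems needing manual review)."""
    findings, review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = family(row["algorithm"])
        if kind == "unknown":
            review.append(row["system"])  # never assume an unknown is safe
        exposure = int(row["protect_until"]) - q_day_year
        if kind != "vulnerable" or exposure < 0:
            continue  # not flagged, or the need ends before assumed Q-day
        # Confidentiality uses map to HNDL, signatures to TNFL.
        risk = "TNFL" if row["purpose"] == "signature" else "HNDL"
        findings.append((row["system"], risk, exposure))
    return sorted(findings, key=lambda f: f[2], reverse=True), review

if __name__ == "__main__":
    ranked, review = assess(INVENTORY_CSV, q_day_year=2035)
    for system, risk, years in ranked:
        print(f"{system:24} {risk}  needed {years} years past assumed Q-day")
    print("manual review:", ", ".join(review))
```

Re-running `assess` with an earlier planning year shows how quickly short-lived uses such as TLS key exchange move onto the list.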
What are the leading quantum-safe algorithms?
NIST has selected several PQC algorithms, such as CRYSTALS-Kyber (for encryption) and CRYSTALS-Dilithium (for digital signatures). These are being standardised and will replace or supplement current algorithms like RSA and ECC. However, this is expected to change at pace, so crypto-agility is key in any strategy.
Who should lead Post-Quantum Cryptography efforts in my organisation?
Responsibility typically sits with the CISO, CTO, or a dedicated cryptography lead, but PQC migration requires collaboration across leadership, IT, compliance, risk, and procurement teams.
Is Post-Quantum Cryptography only relevant for large enterprises?
No, any organisation handling sensitive or regulated data should be planning for PQC. SMEs are also at risk from quantum threats and may face regulatory requirements in the future.
How can I get started with post-quantum cryptography (PQC)?
Getting started with PQC is straightforward when you have the right expertise and support. ICA Consultancy offers a structured approach to help you on your journey:
- Executive Awareness: Begin with C-suite and board-level guidance to understand quantum threats, regulatory drivers, and the strategic opportunities of quantum-safe cryptography. Our consultants deliver actionable insights to inform your leadership’s decision-making and investment planning.
- PQC GRC: Establish robust governance, risk, and compliance frameworks tailored for the quantum era. We help define your organisation’s policies, compliance requirements, and risk management protocols in line with emerging PQC standards and regulatory expectations.
- PQC Readiness Assessment: Assess your current cryptographic landscape, identify capability gaps, and receive a clear, practical roadmap to enhance your quantum resilience. Our structured maturity models ensure you can prioritise actions and demonstrate progress.