Post-Quantum Cryptography: Why you need to do something about it now

Let’s face it: mention “quantum” and most people either think of science fiction or switch off entirely; However, quantum computing is moving from theory to reality. While addressing “Post-Quantum Cryptography” may sound intimidating, the risks and opportunities are practical and immediate for anyone responsible for data, privacy, and resilience.

What is PQC?

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to withstand attacks from quantum computers. Today’s encryption, used in everything from banking to email, could (let's face it, will) be broken by quantum computers in the future.

Myths About Post-Quantum Cryptography

PQC is surrounded by misconceptions that often delay action or cloud decision-making:

• “Quantum computers are decades away—there’s no rush”

  Many believe PQC is a distant concern. In reality, attackers can steal encrypted data now and decrypt it later when quantum technology matures. This “harvest now, decrypt later” approach is already a reality. The migration to PQC is a multi-year journey. Waiting until quantum computers are mainstream is too late.

  
  

• “PQC is only relevant for highly sensitive data”

  It’s easy to assume only governments or large banks need to worry. But any personal data, trade secrets, or intellectual property can be targeted. Regulations like GDPR and DORA require organisations of all sizes to protect data against foreseeable threats, including quantum risks.

  
  

• “Switching to PQC is just a software update”

  PQC isn’t a simple patch. It requires a full cryptographic inventory, system upgrades, and careful integration with existing workflows. Many legacy systems use hardcoded or undocumented encryption, making migration complex and time-consuming.

  
  

• “Current encryption will keep us safe until we’re ready”

  Standard encryption algorithms like RSA and ECC will be vulnerable to quantum attacks. Organisations relying on these will face significant risks if they don’t plan for transition. The NCSC emphasises that cryptographic agility, being able to swap algorithms easily, is now essential.

  
  

• “PQC is unproven and risky”

  While PQC algorithms are newer, they are being rigorously tested by international bodies such as NIST and the NCSC. Delaying adoption because of perceived risk can leave organisations exposed to far greater threats when quantum attacks become practical.

Understanding, and debunking, these myths is the first step to building a realistic, proactive approach to PQC. Much like other cyber risks, It’s not about fear, it’s about readiness.

Regulatory Pressures: DORA, GDPR, and Beyond

• DORA (Digital Operational Resilience Act) expects financial organisations to maintain strong operational resilience. This now includes the ability to adapt cryptographic controls as new threats emerge. Preparing for PQC is no longer optional, it’s part of demonstrating resilience.

  
  

• GDPR requires personal data to be protected “by design and by default.” If encryption methods become vulnerable, organisations risk breaching these requirements. Future-proofing encryption is now a privacy obligation, not just a technical one.

  
  

• AI Security relies on robust cryptography. As AI systems process large volumes of sensitive information, it’s critical to ensure that data remains secure, even if quantum computing becomes a reality.

Regulators are clear, organisations must manage risks that could impact the security and resilience of the data and services they are responsible for. Taking action now is key to staying compliant and resilient.

Challenges

• Inventory: Most organisations don’t have a clear view of where and how cryptography is used in their environment.

  
  

• Complexity: Cryptographic migrations can take years, due to lack of visibility, interdependencies and legacy systems.

  
  

• Interoperability: New PQC algorithms must work with existing systems and partners.

  
  

What should you do?

Don’t wait for quantum computers to arrive, now is the time to prepare. Regulators expect organisations to plan for PQC as part of resilience and privacy frameworks.

1. Educate your board and senior leaders on what Post-Quantum Cryptography means for your business, and why you need to prepare to manage the risk within your risk appetite.

   
   

2. Compile a cryptographic inventory. Identify where encryption is used: data at rest, in transit, and in use.

   
   

3. Perform an Impact Assessment. Consider which data, if exposed in the future, would cause the most harm.

   
   

4. Develop a roadmap to migrate to quantum-resistant cryptography. Consider the NCSC's guidance, they have published a roadmap for PQC migration (NCSC PQC Migration Timelines).

   
   

5. Engage vendors. Ask suppliers about their PQC readiness and timelines.

   
   

6. Build agility. Design systems so cryptographic components can be replaced without major disruption.

   
   

Conclusion

As the NCSC puts it: “Organisations should begin preparing for post-quantum cryptography now, rather than waiting for quantum computers to become widely available.”

Preparing early is not just about compliance. It’s about protecting your organisation’s future, and your customers’ trust.

If you need help understanding the implications of PQC, get in touch.