Why Post-Quantum Cryptography Is Now a Business Risk
Quantum computing has long hovered at the edge of banking’s strategic radar. For years, it was treated as a research curiosity — intriguing, yes, but with little bearing on today’s balance sheets. That comfort is fading fast. What began as a theoretical challenge for cryptographers has become a strategic concern for risk managers, regulators, and the boardroom.
What was once an abstract mathematical problem has become a continuity-of-trust issue — and that places it firmly in the realm of strategic risk.
The acceleration of post-quantum cryptography (PQC) timelines, combined with tightening European regulation, means that financial institutions can no longer treat this as a laboratory discussion. The question is no longer if quantum computing will impact banking security — but when, and how well-prepared institutions will be when it does.
From technical challenge to strategic risk
For over a decade, PQC lived in the domain of mathematicians and protocol engineers. Today, the risk has shifted dramatically. Two forces are driving the change: quantum capability is advancing faster than anticipated, and regulatory expectations are moving just as swiftly to meet it.
Recent demonstrations show the quantum era is no longer distant. China’s Jinan-1 satellite established a 12,900-kilometre entangled photon link across hemispheres — a record for quantum communication [1]. In Europe, Deutsche Telekom’s metropolitan quantum network in Berlin maintained entanglement fidelity of up to 99% across 100-kilometre fibre links for several days [2]. These are not speculative prototypes; they are operational proofs of concept that underline the rapid pace of quantum infrastructure development.
Regulators have taken notice. The European Commission’s Coordinated Implementation Roadmap for PQC (2025) calls for hybrid migration to begin no later than 2026, prioritising “high-assurance” sectors — financial services among them [3]. The reasoning is simple: if core encryption systems are eventually compromised by quantum-enabled attackers, the consequences for trust, market stability, and data integrity would be catastrophic.
The “store now, decrypt later” problem
The most significant near-term threat is not a live quantum attack, but the passive collection of encrypted data today — to be decrypted later when quantum resources become available.
ENISA’s Threat Landscape 2025 highlights this as a growing pattern among state-aligned actors, noting evidence of “long-term cryptographic harvesting” of high-value datasets [4]. Financial institutions are an obvious target: they hold vast archives of confidential data that must remain protected for decades under regulatory and fiduciary requirements.
The uncomfortable truth is that even if the encryption remains secure for another ten years, adversaries may already possess the ciphertext. Once quantum decryption becomes viable, those archives — and the trust underpinning them — could be irrevocably compromised. PQC isn’t just about securing the future; it’s about protecting the past.
Timelines and migration complexity
Replacing classical encryption schemes such as RSA and elliptic-curve cryptography (ECC) with NIST’s approved PQC algorithms — CRYSTALS-Kyber, Dilithium, FALCON, and SPHINCS+ — is far from a simple patch.
Industry estimates suggest that large European banks may need between €20 and €30 million to complete a full PQC migration, encompassing software updates, hardware replacement, certification cycles, and retraining. More importantly, the complexity extends beyond individual institutions.
Payment networks, card processors, and ATM ecosystems all rely on shared cryptographic primitives. A PQC upgrade that is not synchronised across the chain risks fragmentation and operational failure. Vendor readiness is uneven, and many critical suppliers are still evaluating PQC support within their product roadmaps. This creates a quantum-era supply-chain risk: even if a bank is ready, its ecosystem may not be.
The European Commission expects hybrid PQC implementations — combining classical and quantum-resistant algorithms — to dominate from 2026 to 2030, with full migrations to follow. That window is alarmingly narrow when measured against typical banking technology refresh cycles.
Signals from early movers
The market has already started to respond.
- The European Central Bank (ECB) and the European Banking Authority (EBA) have initiated consultations on post-quantum readiness under the Digital Operational Resilience Act (DORA) framework [5].
- IBM is collaborating with several European central banks, including the Bundesbank, to test hybrid key exchange mechanisms using Kyber within secure messaging channels.
- Visa and Mastercard have begun pilot implementations of quantum-safe tokenisation systems for card networks.
- BNP Paribas and Santander have established internal PQC taskforces to audit their cryptographic inventories and model migration scenarios.
These early initiatives demonstrate that PQC is moving beyond research and into procurement and governance planning. The shift from theoretical security to operational policy has begun.
What banks — and their suppliers — should do now
Preparation must start with visibility. Most institutions do not have a full inventory of where and how cryptography is used across their systems. Without this, migration cannot be planned rationally.
- Map the cryptographic estate – Identify every instance of RSA and ECC in software, devices, and communications protocols.
- Launch hybrid trials – Begin testing combinations of classical and quantum-resistant algorithms (for example, Kyber alongside RSA).
- Engage the vendor ecosystem – Ensure suppliers of hardware security modules, cloud services, and core banking systems are aligned with PQC standards.
- Plan for compliance – Integrate PQC readiness into DORA, NIS2, and ENISA guideline frameworks.
- Elevate to board level – Treat PQC migration as a business-continuity and reputational issue, not an IT upgrade.
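The first two steps above (inventory the estate, then decide which assets need hybrid trials first) and the “store now, decrypt later” exposure discussed earlier can be combined into one triage pass over scan output. The script below is an added example, not code from the article or from any of the institutions it names: it classifies constructed inventory records by whether their key exchange and signature algorithms are quantum-vulnerable, whether a hybrid pairing is already in place, and whether the data’s required confidentiality period outlives an assumed quantum-threat year (2035 here is a planning assumption, not a figure from the article). It deliberately treats classical signatures differently from classical key exchange: a recorded session or wrapped archive can be decrypted retroactively, but a signature has to be forged at the time of use, so only confidentiality carries the harvest risk.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Planning assumption for this example only: the year by which a
# cryptographically relevant quantum computer is treated as plausible.
ASSUMED_QUANTUM_THREAT_YEAR = 2035

# Public-key families broken by Shor's algorithm (factoring / discrete log).
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# NIST PQC selections named in the article, plus their FIPS names.
QUANTUM_RESISTANT = {"KYBER", "ML-KEM", "DILITHIUM", "ML-DSA",
                     "FALCON", "FN-DSA", "SPHINCS+", "SLH-DSA"}


@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerable: Tuple[str, ...]   # classical algorithms present
    resistant: Tuple[str, ...]    # PQC algorithms present
    hybrid_kex: bool              # key exchange pairs classical with PQC
    harvest_risk: bool            # ciphertext outlives the assumed threat year
    severity: str                 # "high" | "medium" | "low"


def _norm(name: str) -> str:
    """Canonicalise algorithm labels ('CRYSTALS-Kyber' -> 'KYBER')."""
    return name.strip().upper().replace("CRYSTALS-", "")


def classify(record: Dict, today: date = date(2025, 1, 1)) -> Finding:
    kex = {_norm(a) for a in record.get("key_exchange", [])}
    sig = {_norm(a) for a in record.get("signature", [])}
    algs = kex | sig
    vulnerable = tuple(sorted(algs & QUANTUM_VULNERABLE))
    resistant = tuple(sorted(algs & QUANTUM_RESISTANT))

    classical_only_kex = bool(kex) and not (kex & QUANTUM_RESISTANT)
    classical_only_sig = bool(sig) and not (sig & QUANTUM_RESISTANT)
    hybrid_kex = bool(kex & QUANTUM_VULNERABLE) and bool(kex & QUANTUM_RESISTANT)

    # "Store now, decrypt later" is a confidentiality problem: recorded
    # traffic or archives protected by a purely classical key exchange can
    # be opened retroactively.  Signatures have to be forged at use time,
    # so a classical signature is a migration item but not a harvest risk.
    protect_until = today.year + int(record.get("confidentiality_years", 0))
    harvest_risk = classical_only_kex and protect_until > ASSUMED_QUANTUM_THREAT_YEAR

    if harvest_risk:
        severity = "high"
    elif classical_only_kex or classical_only_sig:
        severity = "medium"
    else:
        severity = "low"
    return Finding(record["asset"], vulnerable, resistant,
                   hybrid_kex, harvest_risk, severity)


def triage(records: Iterable[Dict]) -> List[Finding]:
    """Classify every asset and order the result by urgency."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((classify(r) for r in records),
                  key=lambda f: (rank[f.severity], f.asset))


def summary(findings: Iterable[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory (not real bank data): the kind of records a
# scan of TLS endpoints, HSM key wrapping and code signing might produce.
SAMPLE_INVENTORY = [
    {"asset": "core-banking-tls", "key_exchange": ["ECDH"],
     "signature": ["RSA"], "confidentiality_years": 15},
    {"asset": "messaging-hybrid-pilot", "key_exchange": ["X25519", "CRYSTALS-Kyber"],
     "signature": ["RSA"], "confidentiality_years": 15},
    {"asset": "atm-firmware-signing", "key_exchange": [],
     "signature": ["ECDSA"], "confidentiality_years": 0},
    {"asset": "archive-backup-wrapping", "key_exchange": ["RSA"],
     "signature": [], "confidentiality_years": 30},
    {"asset": "pqc-only-testbed", "key_exchange": ["ML-KEM"],
     "signature": ["ML-DSA"], "confidentiality_years": 20},
    {"asset": "internal-dashboard", "key_exchange": ["ECDH"],
     "signature": ["ECDSA"], "confidentiality_years": 2},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.severity:6} {f.asset:24} hybrid={f.hybrid_kex} "
              f"harvest={f.harvest_risk} vulnerable={','.join(f.vulnerable)}")
    print(summary(triage(SAMPLE_INVENTORY)))
```

On the constructed inventory the two assets whose ciphertext must stay confidential beyond the assumed threat year under a classical-only key exchange come out as high, the hybrid messaging pilot drops to medium (its RSA signature is still a migration item), and the short-lived internal dashboard is also medium rather than high. In a real estate the records would come from certificate and configuration scans, and the threat year and retention periods would be set by the institution’s own risk policy.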
The message from both policymakers and technologists is consistent: organisations that delay will face higher costs, tighter deadlines, and diminished control over their own cryptographic destiny.
From crypto-library to corporate credibility
As 2026 approaches, the language of quantum resilience will enter the vocabulary of regulators and rating agencies. Auditors and supervisory bodies will begin asking not only whether a bank is PQC-ready, but how that readiness is being managed, tested, and reported.
The transition to quantum-safe systems represents more than a technical milestone. It is a marker of institutional credibility — the ability to safeguard digital trust in a world where computation itself is changing.
Banks that act now will not just comply with future mandates; they will differentiate themselves as stewards of digital integrity in the post-quantum era. Those that wait risk discovering, too late, that the quantum revolution has already rewritten the rules of trust.
TQS commentary
The financial sector’s quantum countdown has already started — not with headlines, but with procurement plans, audits, and board-level briefings. The defining question is no longer whether quantum computing will break classical encryption, but whether banks will have rebuilt their trust architecture in time. Europe’s PQC roadmap makes clear that the next 18 months are the “quiet before compliance.” Those who use this time to prepare will enter the post-quantum era on their own terms. Those who don’t will have it dictated to them.
Sources
- [1] Chinese Academy of Sciences, Jinan-1 Quantum Satellite Experiments (2025)
- [2] Deutsche Telekom, Berlin Quantum Network Pilot Results (2025)
- [3] European Commission, Coordinated Implementation Roadmap for PQC (2025)
- [4] ENISA, Threat Landscape 2025
- [5] Digital Operational Resilience Act (DORA), EU 2025