Quantum Resilience: How can the cyber profession get ahead?


By Daryl Flack, Partner, Avella Security

The world of cryptography has changed little for years, and that stability has created a false sense of security. The transition to quantum-safe algorithms represents a once-in-a-generation shift, one that few organisations are prepared for. According to new research from ISACA, 67% of European IT professionals are worried that quantum computing could increase or shift cybersecurity risks, but just four percent say their organisation has a defined strategy. Only five percent have a strong understanding of the new NIST post-quantum cryptography standards.

 

Cryptography is woven deep into every layer of modern systems: applications, operating systems, network protocols, Internet of Things (IoT) devices, and operational technology (OT) environments. Many organisations have limited visibility into where and how cryptographic mechanisms are used across their estate. Some rely on outdated or undocumented implementations, which makes discovery and transition particularly complex.

The National Cyber Security Centre (NCSC) has provided a clear roadmap for action. By 2028, organisations should have completed discovery and planning, understanding where cryptography is used and setting migration goals. By 2031, priority systems should begin migrating to post-quantum solutions. By 2035, full migration must be complete.

Those dates may seem far away, but the challenge of identifying cryptographic dependencies across complex systems, often including legacy platforms and wider supply chain dependencies, is vast. Planning and implementing the replacement of deprecated algorithms with quantum-resistant ones could therefore take many years.

Balancing innovation and risk

Quantum computing, particularly when combined with AI, will transform industries ranging from finance and logistics to healthcare and climate science. It will solve optimisation problems that have long been beyond the reach of classical systems, driving smarter cities, sustainable energy grids, and breakthroughs in drug discovery.

But like all transformative technologies, quantum computing is a double-edged sword. The same capabilities that will revolutionise data processing will also enable attackers to break the cryptographic systems that have secured the digital economy for decades. Quantum decryption of today’s data crown jewels would undermine everything from privacy and intellectual property protection to the integrity of state communications and secrets.

Adversaries know this. Many are already pursuing “harvest now, decrypt later” strategies, stealing encrypted information today with the expectation that it can be decrypted once quantum capabilities mature. When that happens, decades of confidential material could suddenly be exposed.

For this reason, protecting critical systems and long-lived, confidential data must be a business resilience priority, safeguarding the confidentiality, integrity, and trustworthiness of the information that societies rely on for stability.

Taking ownership of PQC readiness

Responsibility for cryptographic resilience cannot be fully outsourced. Vendors will supply updated algorithms, but every organisation must ensure its own systems remain secure. Encryption touches all points of trust: communications, identity verification, digital signatures, and operational processes. Waiting passively for existing vendors to bring new solutions to market creates dependency and delays at the moment when resilience is most critical.

What cyber professionals should be asking in 2026

To prepare effectively, cyber leaders should consider:

  • What’s our inventory of cryptographic assets, and where are the blind spots?
  • What are our critical assets that should be prioritised for post-quantum cryptography protection?
  • Are our vendors, partners, and regulators aligned to our plan for post-quantum cryptography (PQC) timelines?
  • Do our digital transformation and AI programmes include crypto-agility requirements?
  • Who owns PQC readiness at the executive level, and are they resourced to deliver it?

Practical action steps for cyber professionals

Cyber leaders should treat PQC as a business resilience priority and prepare by acting decisively, using a phased approach:

  • Map cryptography across the estate, identify blind spots, and locate critical systems and sensitive or long-lived data.
  • Prioritise migration to quantum-resistant algorithms and implement crypto-agility so algorithms can be swapped without major re-engineering.
  • Use the supply chain as an enabler by building post-quantum cryptography (PQC) requirements into procurement strategies and supplier contracts.
  • Align upgrades with natural refresh and replacement cycles where possible to reduce disruption and spread cost.
  • Embed the programme in governance, investment planning, and enterprise risk management, with clear executive sponsorship and accountability.
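As an added illustration of the first two steps (example code, not from the article or from NCSC/NIST), the sketch below triages a constructed cryptographic inventory: it flags undiscovered algorithms as blind spots and puts first any quantum-vulnerable key exchange or encryption that protects data which must stay confidential past a planning horizon. The asset names, field names and the use of 2035 as the horizon are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Public-key families broken by Shor's algorithm on a large quantum computer.
VULNERABLE = ("RSA", "DH", "DSA", "ECDH", "ECDSA", "ED25519", "X25519")
# NIST post-quantum standards (FIPS 203, 204, 205).
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Uses exposed to "harvest now, decrypt later": traffic can be recorded today.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}
ORDER = ["MIGRATE_FIRST", "BLIND_SPOT", "MIGRATE_PLANNED", "REVIEW", "QUANTUM_SAFE"]

@dataclass
class Asset:
    system: str
    algorithm: Optional[str]      # None = discovery has not identified it yet
    use: str                      # "key-exchange", "encryption" or "signature"
    data_lifetime_years: int      # how long the protected data must stay secret

def classify(asset, current_year=2026, horizon_year=2035):
    """Return a triage label; horizon_year is an assumed planning horizon."""
    if not asset.algorithm:
        return "BLIND_SPOT"
    alg = asset.algorithm.upper()
    if alg.startswith(PQC):
        return "QUANTUM_SAFE"
    if not alg.startswith(VULNERABLE):
        return "REVIEW"           # symmetric/hash/unknown family: check key sizes
    exposed = (asset.use in CONFIDENTIALITY_USES
               and current_year + asset.data_lifetime_years > horizon_year)
    return "MIGRATE_FIRST" if exposed else "MIGRATE_PLANNED"

def triage(inventory, **kwargs):
    """Sort (label, system) pairs so the most urgent work comes first."""
    rows = [(classify(a, **kwargs), a.system) for a in inventory]
    return sorted(rows, key=lambda r: (ORDER.index(r[0]), r[1]))

# Constructed sample inventory (hypothetical systems, not real data).
SAMPLE = [
    Asset("vpn-gateway", "ECDH-P256", "key-exchange", 15),
    Asset("code-signing", "RSA-3072", "signature", 5),
    Asset("web-frontend", "ECDH-P256", "key-exchange", 1),
    Asset("ot-plc-link", None, "key-exchange", 20),
    Asset("archive-store", "AES-256-GCM", "encryption", 25),
    Asset("pilot-api", "ML-KEM-768", "key-exchange", 10),
]

if __name__ == "__main__":
    for label, system in triage(SAMPLE):
        print(f"{label:16} {system}")
```

Signatures are ranked below long-lived confidential traffic because a recorded signature cannot be forged retroactively, whereas recorded ciphertext can be decrypted later.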

Delay will increase both cost and complexity. Retrofitting legacy systems under time pressure, renegotiating contracts reactively, and untangling unmanaged dependencies will be significantly more expensive and disruptive.

Building quantum resilience

The transition to post-quantum cryptography (PQC) is not just about meeting NCSC or NIST timelines; it is about safeguarding trust in the digital economy.

Organisations that begin mapping cryptographic assets, prioritising sensitive, long-lived data, and adopting crypto-agile practices will be far better positioned for the post-quantum era. Those that delay risk exposing the very data that they rely on to deliver their services and to maintain trust and competitive advantage. Acting now lays the foundation for enduring trust, integrity, and organisational resilience well into the decades ahead.
