Post-Quantum Cryptography: The Migration Decision CISOs Can No Longer Defer

NIST's post-quantum cryptography standards are final, NSA compliance deadlines for national security systems begin in January 2027, and adversaries are already collecting encrypted data for future decryption. This briefing provides CISOs with the governance framework for starting migration now.

The post-quantum cryptography transition is unusual among cyber risks because the threat is not yet fully realised — cryptographically relevant quantum computers capable of breaking RSA and elliptic curve cryptography do not yet exist — but the preparations required are multi-year in scope. The window between “start now” and “too late” is closing, and in 2026 it is finally generating the board-level attention it has deserved for several years.

NIST finalised its first three post-quantum cryptographic standards in August 2024. NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) mandates quantum-safe algorithms for all new national security systems from January 2027. Financial services regulators and the EU are following closely. For CISOs who have not yet initiated a PQC programme, the question is no longer whether to start, but how to prioritise the work given limited resources.

Why the Urgency Is Real Now

The most immediate threat is “harvest now, decrypt later” (HNDL). Intelligence agencies from the US, UK, Canada, and Australia have all issued public assessments confirming that nation-state adversaries are actively collecting encrypted network traffic and stored data with the explicit intent to decrypt it once quantum computing capability becomes sufficient.

This changes the risk calculus materially. A data breach that exposes RSA-encrypted communications today represents a future risk, not a present one — but the data is already exfiltrated and beyond your control. Sensitive information with a long shelf life — medical records, financial transactions, intellectual property, classified communications — is at risk from data collected over the next several years.

The HNDL threat is most acute for organisations whose data retains value over a 10-15 year horizon. Financial transaction records, pharmaceutical research data, defence-related intellectual property, and long-term communications between executives and counsel all fit this profile. If your threat model includes nation-state actors — and for any organisation of significant size, it should — HNDL is a present risk that warrants present action.

The Standards Landscape

NIST’s three finalised PQC standards replace the cryptographic algorithms that quantum computers could break:

ML-KEM (FIPS 203, based on CRYSTALS-Kyber) replaces RSA and ECDH for key encapsulation and key exchange. This is the algorithm that will protect TLS sessions, VPN tunnels, and secure messaging once it is deployed end-to-end.

ML-DSA (FIPS 204, based on CRYSTALS-Dilithium) replaces RSA and ECDSA for digital signatures. Code signing, email signing (S/MIME), document signatures, and certificate infrastructure depend on this class of algorithm.

SLH-DSA (FIPS 205, based on SPHINCS+) provides an alternative signature scheme with different performance characteristics — relevant for applications where ML-DSA’s performance or key size is a constraint.

A fourth standard, FN-DSA (based on FALCON), is expected to be finalised in 2026 and offers smaller signature sizes for bandwidth-constrained environments.

Where to Focus First

Not all cryptographic uses carry equal risk. A migration roadmap should prioritise by the combination of data sensitivity and data longevity:

Highest priority — long-lived sensitive data and infrastructure:

  • PKI and certificate authority infrastructure: root CAs and issuing CAs that sign certificates valid for years
  • VPN and remote access infrastructure: site-to-site VPNs protecting sensitive data in transit
  • Secure file transfer and long-term storage encryption: financial archives, medical records, regulated data
  • Code signing infrastructure: a compromised code signing key allows malicious software to be distributed as trusted

Medium priority — enterprise communications:

  • TLS configuration for web services (dependent on browser and client support timelines)
  • Email encryption and signing (S/MIME replacement or hybrid schemes)
  • Encrypted messaging platforms

Lower priority — short-lived data:

  • Session tokens, short-lived JWTs, real-time streaming data where the time-to-value of decryption is minutes to hours

The NSA’s guidance for national security systems requires ML-KEM implementation for key exchange and ML-DSA for digital signatures. For commercial organisations, the same prioritisation logic applies even without a regulatory mandate.

The Board Governance Questions

Post-quantum migration is a long-duration capital allocation decision, not a security project. Boards should be asking three governance questions:

“What data do we hold that would still be valuable to an adversary in 10 years, and is it at risk from harvest-now-decrypt-later?” This question drives prioritisation. A retail business whose transaction data loses relevance after 18 months has a materially different risk profile from a pharmaceutical company protecting drug discovery research.

“Do we know where all our cryptographic dependencies are?” Most organisations don’t. Cryptographic inventory — identifying every system and protocol that uses RSA, ECDH, or ECDSA — is a precondition for migration planning and typically takes 6-18 months to complete accurately for a large enterprise. This is the work that justifies starting now even before the quantum threat is imminent.

“Are we building cryptographic agility into new systems?” Every new system deployed in 2026 should be designed to swap cryptographic algorithms without architectural changes. Cryptographic agility — abstracting algorithm selection from implementation — is the lesson from every previous cryptographic transition and should be a requirement in procurement and development standards today.

Practical Starting Points

For most enterprise CISOs, the concrete near-term actions are:

  1. Commission a cryptographic inventory of your highest-value systems. Third-party tools exist for this (network scanning for TLS cipher suites, code analysis for cryptographic library usage), but manual review of critical infrastructure is also required.

  2. Assess your PKI vendor’s PQC roadmap. If your PKI is hosted by a third party or relies on a hardware security module (HSM), verify that the vendor has a PQC migration path. HSM firmware upgrades for PQC support are not yet universally available and may require hardware replacement.

  3. Include PQC requirements in new procurement. Any new VPN, TLS termination, or PKI infrastructure procured from 2026 should include a contractual commitment to PQC support or a clear migration path.

  4. Establish a hybrid encryption posture for highest-risk systems. Hybrid schemes — classical algorithm plus post-quantum algorithm simultaneously — provide defence-in-depth during the transition period. TLS 1.3 supports hybrid key exchange today; deploying it for the highest-sensitivity traffic is achievable now without waiting for full migration.
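The code-analysis half of the cryptographic inventory in step 1 can be sketched as follows. This is an added example, not part of the original briefing or any vendor tool: it flags RSA, ECDH and ECDSA call sites in source text and tags each with the replacement standard named earlier. The file paths, sample contents and pattern list are constructed assumptions and cover only a few common libraries.

```python
import re
from collections import Counter

# Replacement per algorithm family, as named in the standards section above.
REPLACEMENT = {
    "RSA": "ML-KEM (key transport) or ML-DSA (signatures)",
    "ECDH": "ML-KEM",
    "ECDSA": "ML-DSA",
}

# Call-site patterns for a few common libraries (Python cryptography, Java JCA,
# OpenSSL, Go crypto). Illustrative and far from exhaustive.
PATTERNS = {
    "RSA": re.compile(r'\brsa\.(generate_private_key|GenerateKey)\b'
                      r'|getInstance\(\s*"RSA|\bEVP_PKEY_RSA\b'),
    "ECDH": re.compile(r'\bec\.ECDH\(|getInstance\(\s*"ECDH"|\becdh\.P\d+\('),
    "ECDSA": re.compile(r'\bec\.ECDSA\(|getInstance\(\s*"SHA\d+withECDSA"'
                        r'|\becdsa\.(Sign|GenerateKey)\b'),
}

def scan_source(path, text):
    """Return one finding per (line, family) with a quantum-vulnerable call."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):  # skip whole-line comments
            continue
        for family, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "family": family,
                                 "replace_with": REPLACEMENT[family]})
    return findings

def build_inventory(tree):
    """tree maps file path -> source text; findings are ordered by path, line."""
    return [f for path in sorted(tree) for f in scan_source(path, tree[path])]

def summarise(findings):
    """Count findings per algorithm family for a one-line programme summary."""
    return Counter(f["family"] for f in findings)

# Constructed sample sources (hypothetical paths and contents).
SAMPLE_TREE = {
    "vpn/handshake.py": "from cryptography.hazmat.primitives.asymmetric import ec\n"
                        "shared = priv.exchange(ec.ECDH(), peer_pub)\n",
    "release/Signer.java": '// legacy: Signature.getInstance("SHA256withECDSA")\n'
                           'Signature s = Signature.getInstance("SHA256withECDSA");\n'
                           'KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");\n',
    "web/session.go": "token := hmac.New(sha256.New, key)\n",
}

if __name__ == "__main__":
    for f in build_inventory(SAMPLE_TREE):
        print(f'{f["file"]}:{f["line"]}  {f["family"]} -> {f["replace_with"]}')
```

Pattern matching of this kind misses algorithms selected through configuration or negotiated at runtime, which is why the manual review of critical infrastructure in step 1 remains necessary.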

The estimated cost of a full enterprise PQC migration runs to the billions of dollars industry-wide and 2-5 years of sustained effort per organisation. The implication is not that migration should wait until budgets align — it is that the work needs to start now so it can complete before the quantum threat materialises. Boards that defer this decision until a concrete quantum timeline is announced will find themselves making emergency resource allocations under time pressure, which is the most expensive and error-prone way to do cryptographic infrastructure work.