EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Learn how to prepare for quantum threats with a clear roadmap to post-quantum cryptography readiness.
In brief
- Quantum computers will break today’s encryption, organizations must act now to stay secure.
- The EU sets 2026 and 2030 deadlines for quantum-safe cryptography migration.
- Start your quantum-secure journey: assess risks, plan ahead, and protect long-term data today.
Quantum computers will eventually break widely used public-key cryptographic algorithms like RSA and ECC. This poses a risk to secure communications and digital signatures. Even though cryptographically relevant quantum computers that are able to break today’s cryptography are not yet available, there is a threat. One of the reasons for this is the “harvest now, decrypt later” principle. Adversaries are already collecting and storing encrypted data today to be able to decrypt that information in the future. Hence, if data has to remain confidential for 10 years, organizations need to start using quantum-secure mechanisms today to guarantee future confidentiality.
Alternatives capable of withstanding quantum attacks are already available and are known as post-quantum cryptography. Global standards bodies like NIST have defined new standards with several algorithms that are ready for implementation.
Governments and regulators are actively defining deadlines for the implementation of post-quantum cryptography. The European Union’s roadmap sets clear milestones:
- 2026: National strategies and awareness campaigns, planning of high-risk use cases should be available
- 2030: Completion of migration for high-risk use cases, proof-of-concepts ongoing for medium-risk use cases.
- 2035: Broad adoption across all sectors
Organizations must align their strategies with these timelines to ensure resilience and compliance.
Organizing the migration to post-quantum cryptography can be structured into three overlapping phases: Awareness and Assessment, Planning and Strategy, and Implementation and Beyond.
The quantum-secure journey begins with building a foundational understanding of quantum computing across IT, security, leadership, and audit teams. This can be achieved through workshops, webinars, and internal knowledge sharing.
Next, organizations must assess their data to understand its sensitivity, retention requirements, current protection mechanisms, and the ease with which it can be migrated. Priority should be given to long-lived, sensitive data that is currently protected by public-key cryptography. A risk matrix helps classify assets into low, medium, or high quantum risk based on confidentiality needs, migration complexity, and asset lifespan. Legacy systems that cannot be upgraded must be flagged early for phase-out planning.
With awareness and inventory in place, organizations should develop a migration roadmap. This includes setting priorities, allocating resources, and coordinating with vendors. The roadmap should align with EU milestones and focus on high-risk systems first. Based on the roadmap, the actual implementation can start. Continuous monitoring will be necessary as the field is still evolving.
This effort will help organizations to mitigate the risk that quantum computers pose and ensure that they are ready for the future. The quantum threat is real and the time to act is now.
EY Belgium newsletter
Subscribe to our monthly newsletter and stay updated on our latest insights.
Related articles
Quantum computing: Why your organization should prepare now
Quantum computing is coming: Discover the potential, the risks and why your organization should act today to stay ahead.
How can telcos navigate a world of evolving risks?
As the risks facing communications operators continue to evolve and expand, here’s our ranking of the 10 top telecommunications risks for 2026. Learn more.
Summary
To prepare your organization for the transition to quantum-secure cryptography, it's essential to start planning today. Begin by assessing your current environment, this will help you identify and prioritize the areas that need attention. With the EU requiring a migration plan by 2026 and high-risk use cases to be mitigated by 2030, early action is not just recommended, it's necessary.