Is the financial sector ready for the transition towards post-quantum cryptography?

Explore how advancing quantum computing poses risks to the Dutch financial sector's cryptography and the urgent need for post-quantum solutions.

In brief:

• Quantum computing threatens to dismantle asymmetric cryptography, crucial for secure financial communications and transactions.

• The Dutch financial sector has a critical five-year window to transition to post-quantum cryptography to safeguard sensitive data.

• Implementing new cryptographic standards is complex, requiring comprehensive inventories and proactive measures to mitigate vulnerabilities.

The Dutch financial sector has earned a reputation for innovation, with its commitment to technology and cybersecurity often seen as a benchmark for others. However, advances in quantum computing present a material risk to modern financial systems. Once theoretical, quantum capabilities are steadily maturing, bringing the potential to compromise the asymmetric cryptography that secures communications, payments, identities, and market infrastructure. This development raises a crucial question: are Dutch financial institutions ready to confront the impending cryptographic challenges posed by quantum technology?

Quantum computing is closer than you think

Quantum computing is no longer a distant dream. Recent advancements in quantum computer processor technology from Google, IBM, and Microsoft, signal that the quantum era is not just far away on the horizon (Google, 2024) (IBM, 2025) (Microsoft, 2025). These machines, once fully developed, will possess the ability to dismantle asymmetric cryptographic protocols that are essential not only for financial institutions but also for various sectors reliant on digital infrastructure.

Estimates suggest that the decade from 2030 to 2040 may witness quantum computers capable of breaking asymmetric encryption. For Dutch financial institutions, continued reliance on classical encryption methods poses significant risks, as these methods will become inadequate in the face of quantum computing advancements. The Dutch Central Bank (DNB) emphasizes the need for institutions to monitor developments closely and take proactive measures to secure their systems, including transitioning to post-quantum encryption standards (DNB, 2024).

Vulnerabilities in current cryptography

The core issue resides in the computational assumptions that underpin modern asymmetric cryptography. These schemes rely on the difficulty of solving mathematical problems that would take classical computers an impractically long time to compute. These methods underpin secure communication, digital signatures, identity verification, and key exchange across the financial sector. Quantum computing is changing the game when it comes to solving complex mathematical problems.

A sufficiently capable quantum computer can utilize specially designed quantum algorithms to perform specific tasks much faster than traditional computers. For instance, many online security algorithms, such as RSA, depend on the difficulty of factoring large numbers. Currently, this task is challenging for classical computers, which is why these systems are considered secure. However, a quantum computer could accomplish this quickly, rendering these security systems vulnerable.

Waiting for fully operational quantum systems is a risky bet due to the ‘harvest now, decrypt later’ threat

The primary concern is the 'harvest now, decrypt later' (HNDL) attack model: capable adversaries intercept and store encrypted data today, whether in transit or at rest, with the intention of decrypting it once cryptographically relevant quantum computers become available. This approach can be used by attackers to accumulate valuable information over time, or to ensure they have access to data that may be useful in the future, particularly in the context of evolving threats and technological advancements.

Data considered secure today may be at risk in the future, particularly for information with long-term confidentiality requirements, such as financial records, health data, or classified communications. While regularly updating sensitive information can mitigate exposure, immutable identifiers like ID numbers and passport information remain vulnerable. The permanence of such data increases the potential for fraud and identity misuse, underscoring the need for proactive measures by financial institutions.

The challenge of transitioning to post-quantum cryptography

Implementing post-quantum cryptography effectively across complex systems and organizations is a significant challenge. The transition to more secure cryptographic methods is not only resource-intensive but also requires a deep understanding of the cryptographic landscape within an organization. The first step involves developing a comprehensive cryptographic inventory that maps all cryptographic components across the organization and its supply chain, including algorithms, protocols, keys, certificates, data flows, and system dependencies. Without this visibility, organizations risk overlooking critical vulnerabilities and hidden interdependencies, leading to delays in remediation and increased exposure to quantum-related threats.

For example, many organizations faced considerable challenges when migrating from the vulnerable SHA-1 hashing algorithm to its secure successor, SHA-256. In practice, this migration took more than five years for many organizations, even after the necessary specifications and implementations were available (AIVD,2024). This lengthy timeline highlights the operational friction that can accompany the adoption of new cryptographic standards, algorithms, and supporting technologies. Similar complexity and potential delay should be anticipated for the transition to post-quantum cryptography, as timelines for cryptographically relevant quantum capabilities continue to tighten.