
Is It Time to Strengthen Post-Quantum Guidelines?


Despite Government Regulations, Few Enterprises Have Moved Past Migration Planning

As governments in the United Kingdom, United States, and Europe embark on strategies to facilitate the transition to post-quantum cryptography, many organizations find themselves lagging behind in actual implementation. This discrepancy has raised significant concerns, particularly given the urgent nature of impending technological advancements.

Governments have taken proactive steps by publishing migration roadmaps and outlining clearer expectations for cryptographic governance and inventory management. Such efforts signal a commitment to preparing for the era of quantum computing, yet organizations remain entrenched in the preliminary phases of planning. Many are grappling with how to transition effectively without losing sight of their ongoing operational needs.

Industry leaders are closely monitoring advancements such as IBM’s projection of delivering a large-scale, fault-tolerant quantum computer by 2029. This event, often referred to as “Q-Day,” is the point at which quantum computers might feasibly undermine widely used public-key cryptography. Policymakers, therefore, are questioning the adequacy of existing guidance. They are beginning to consider whether stricter regulatory measures may be necessary to ensure organizations are prepared for this impending threat.

In this complex landscape, IT executives face fierce competition for their attention. Artificial intelligence (AI) has become a dominant topic in executive meetings, overshadowing discussions about quantum cryptography. Francis Gorman, head of the security center of excellence at Bank of Ireland, pointed out that the allure of AI projects can distract organizations from the fundamental risks posed by quantum computing. "AI has sucked the oxygen out of the room," Gorman explained, highlighting the potential danger of ignoring critical security challenges lurking in the background.

The problem, however, extends beyond the distraction caused by AI initiatives. A more profound issue lies in the governance structures within organizations. Many executives mistakenly believe that the responsibility for post-quantum migration rests solely with security teams. Gorman emphasized that without clear executive ownership and accountability, organizations are likely to continue viewing this transition as a distant concern, relegating it further down their priority list.

This governance gap also sheds light on why, despite the existence of government roadmaps and preparedness guidelines, enterprises have yet to take decisive action. While organizations may be aware of the long-term risks associated with quantum computing, many have difficulty justifying the necessary investments in mitigation without clear ownership and business drivers. Louise Davey, president of LDIQ, a Canadian advisory firm, noted that quantum risk is often narrowly framed as a technical issue. Yet it also encompasses legal, operational, privacy, and resilience considerations, making it even more complex to navigate.

Adding to the challenges, organizations may defer action on quantum migration until faced with regulatory pressures or market drivers. Davey noted that the migration process is often viewed as abstract and disconnected from immediate business needs. Many enterprises, in acknowledging the risks, hesitate to act until external mandates force them into compliance.

The notion of mandating specific regulations is gaining traction among some experts. While regulators have encouraged organizations to evaluate their cryptographic assets and formulate migration strategies, few jurisdictions have implemented obligatory requirements for the private sector. As Davey highlighted, while aggressive migration timelines could foster compliance fatigue and hurried implementations, firm regulations could help clarify expectations and justify investments in security measures.

“It is essential to build foundational governance and inventory frameworks,” she continued. Most organizations lack the necessary resources—such as inventory insights, decision-making authority, vendor visibility, funding, and operational capacity—to migrate effectively on short notice.

Unfortunately, the timeline to establish these capabilities can span several years, indicating that proactive planning is not merely advantageous but essential. Organizations that fully understand their cryptographic landscape, along with who is responsible for decision-making processes, are better positioned to act decisively.

While a few mature enterprises have begun migrating to post-quantum solutions, such organizations remain a minority. Many others will likely delay significant investments until compelled by regulators, auditors, or partners—a pattern previously seen with privacy and cybersecurity regulations.

However, not every expert believes that regulation is the answer. Some argue that enough information exists for organizations to start preparation now, and waiting for mandates might engender a false sense of security. Darren Bender, co-founder of ProteQC, cautioned that the absence of regulation does not absolve boards and C-suite executives from ownership of foreseeable risks. While mandates could accelerate action, they should not be the sole motivator.

"I liken this situation to catching ‘The Wizard of Oz’ halfway through," Bender said, asserting the importance of seeing the entire narrative from the beginning. Organizations should not wait for complete clarity before acting; as guidance becomes more defined, the focus is shifting from whether quantum readiness is necessary to how swiftly organizations should prepare.

If governments recognize the material threat posed by quantum risks, Bender argued, they ought to establish clear expectations for readiness. Nations that act decisively may find themselves at a competitive advantage in a landscape increasingly defined by quantum computing.
