
The future of post-quantum cryptography and compliance


Quantum computing is progressing more rapidly than many security leaders anticipated. While large-scale, cryptographically relevant quantum systems remain in development, the threat they pose to classical encryption is already reshaping cybersecurity priorities. The public-key algorithms currently protecting most digital infrastructure will not hold up against a sufficiently powerful quantum adversary. That risk is no longer hypothetical, and post-quantum cryptography (PQC) has become a critical concern.

CISOs must understand the direction of standards and enforcement now so they can begin aligning their quantum-resistant encryption strategy and risk programs with what is coming. Learn where PQC stands today, how it is expected to evolve, and what compliance regulations are emerging to address the quantum threat.

Understanding post-quantum cryptography now

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to withstand attacks from both classical and quantum computers. These algorithms aim to replace vulnerable legacy standards, such as RSA and elliptic-curve cryptography (ECC), which rely on mathematical problems (factoring large integers and computing discrete logarithms) that quantum systems will eventually solve with ease.

Quantum computers capable of executing Shor’s algorithm at scale could render much of today’s public key infrastructure (PKI) obsolete. The risk is not limited to future data, either. Any sensitive information encrypted today and stored long term, such as medical records, classified government data, or intellectual property, could be harvested now and decrypted later (HNDL), accelerating the need for future-proof encryption and cryptographic agility.

In response, NIST launched an effort in 2016 to evaluate and standardize quantum-resistant algorithms, and has since selected a core set of finalist algorithms for standardization. Meanwhile, major technology providers have already begun piloting and deploying these algorithms in test environments and production systems. These early initiatives have helped to identify implementation challenges and performance trade-offs that will shape future standards and deployment strategies. Vendors are also using this phase to refine tooling and interoperability support for PQC within existing security ecosystems. The imperative is clear from these early efforts: security teams can no longer treat PQC as an experimental domain. Quantum-resistant encryption will become standard best practice sooner than it appears, especially for data with long retention periods or strategic value.

Future expectations and systemic impacts of quantum

PQC is not a drop-in replacement for existing PKI. Adopting quantum-resistant algorithms requires deep changes across the cryptographic stack, from protocols and key management to hardware and firmware dependencies. Organizations must evaluate how and where cryptography is implemented across systems, especially those relying on embedded libraries, custom integrations, or legacy protocols.

Cryptographic agility (or crypto agility), the ability to rapidly adapt to new cryptographic algorithms without disrupting operations, has become a critical design principle of future PKI. Without it, migrating to post-quantum algorithms will involve extensive, time-consuming reengineering efforts that expose systems to unnecessary risk. A poorly planned quantum transition could cause significant operational disruption if cryptographic dependencies are not well understood and managed in advance.

Your team must also update its software development lifecycle practices to incorporate cryptographic review and upgrade planning. This includes integrating quantum considerations into code reviews and testing pipelines so that new code does not obstruct future migrations.

It’s time to move towards systems that are quantum safe by design. That means building infrastructure that can support hybrid cryptographic approaches, isolating critical functions that rely on vulnerable algorithms, and avoiding hardcoded cryptographic primitives. Retrofitting will not scale in large, complex environments, so designing for agility and resilience now will reduce risk and cost in the quantum-powered future.
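The following is an added example, not code from the original post, of what "avoiding hardcoded cryptographic primitives" looks like at the code level: the algorithm identifier travels with each signed artifact, implementations live in a registry, and a separate policy says which algorithm new artifacts are created with and which older ones are still accepted during the transition. Python's standard library ships no post-quantum signature scheme, so HMAC variants stand in for the classical and post-quantum algorithms, and the identifiers, policies and key are all constructed placeholders; the point is the dispatch and migration policy, not the primitives.

```python
"""Crypto-agile signing envelope: the algorithm is data, not a hardcoded call.

Added example (not from the original post). HMAC-SHA256 and HMAC-SHA3-256
are stand-ins for a classical and a post-quantum signature algorithm; the
identifiers and policies below are constructed, not standard names.
"""
import base64
import hashlib
import hmac
import json

# Registry: identifier -> implementation. A new algorithm is one registry
# entry plus a policy change; call sites never name an algorithm directly.
ALGORITHMS = {
    "legacy-classical": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "pq-candidate": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

# Migration policy, tightened in stages:
#   1. LEGACY_POLICY  - before migration: sign and verify with the old algorithm
#   2. POLICY         - transition: sign with new, still accept old artifacts
#   3. RETIRED_POLICY - after reissue: old algorithm is rejected outright
LEGACY_POLICY = {"sign_with": "legacy-classical",
                 "verify_allowed": {"legacy-classical"}}
POLICY = {"sign_with": "pq-candidate",
          "verify_allowed": {"legacy-classical", "pq-candidate"}}
RETIRED_POLICY = {"sign_with": "pq-candidate",
                  "verify_allowed": {"pq-candidate"}}


def sign(key: bytes, payload: bytes, policy=POLICY) -> str:
    """Produce a JSON envelope carrying the algorithm id, payload and tag."""
    alg = policy["sign_with"]
    tag = ALGORITHMS[alg](key, payload)
    return json.dumps({
        "v": 1,
        "alg": alg,
        "payload": base64.b64encode(payload).decode(),
        "tag": base64.b64encode(tag).decode(),
    })


def verify(key: bytes, envelope_json: str, policy=POLICY) -> bool:
    """Accept only algorithms the current policy still allows for verification."""
    env = json.loads(envelope_json)
    alg = env.get("alg")
    # Reject unknown or retired algorithms before touching any cryptography,
    # so a downgraded envelope cannot reach a weak implementation.
    if alg not in ALGORITHMS or alg not in policy["verify_allowed"]:
        return False
    payload = base64.b64decode(env["payload"])
    expected = ALGORITHMS[alg](key, payload)
    return hmac.compare_digest(expected, base64.b64decode(env["tag"]))


def needs_reissue(envelope_json: str, policy=POLICY) -> bool:
    """True if the artifact was signed with something other than the current target."""
    return json.loads(envelope_json).get("alg") != policy["sign_with"]


def reissue(key: bytes, envelope_json: str, policy=POLICY) -> str:
    """Migration step: verify under the transition policy, re-sign with the target."""
    if not verify(key, envelope_json, policy):
        raise ValueError("refusing to reissue an envelope that does not verify")
    payload = base64.b64decode(json.loads(envelope_json)["payload"])
    return sign(key, payload, policy)


def with_payload(envelope_json: str, new_payload: bytes) -> str:
    """Helper used only to demonstrate tamper detection: swap the payload, keep the tag."""
    env = json.loads(envelope_json)
    env["payload"] = base64.b64encode(new_payload).decode()
    return json.dumps(env)
```

Moving from the transition policy to the retired one is the migration at this layer: run `needs_reissue` over stored artifacts, `reissue` each one, then switch to `RETIRED_POLICY` so the old algorithm can no longer be presented to the verifier.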

Emerging compliance standards and the push for readiness

Regulators are shifting focus from quantum research and development to preparedness and enforcement. In the United States, federal agencies are establishing mandates requiring agencies and contractors to inventory cryptographic systems and plan migrations to quantum-resistant algorithms. This shift is a key indicator of the formal beginning of post-quantum compliance.

NIST’s guidance on crypto agility outlines the foundational steps organizations should take to prepare:

    • Inventory all cryptographic assets. Identify where cryptography is used across applications, devices, and systems. This includes certificates, key stores, hardcoded algorithms, and protocols. A complete inventory provides the baseline for assessing exposure and planning upgrades.
    • Classify cryptographic assets by risk and exposure. Once inventoried, assets should be assessed based on factors such as data sensitivity, external exposure, and importance to infrastructure. Systems that protect long-lived or high-value data, especially if publicly accessible, should receive the highest priority.
    • Identify dependencies on vulnerable algorithms. Determine which systems rely on cryptographic schemes such as RSA and ECC that quantum computers will eventually compromise. Mapping these dependencies helps define the scope and urgency of your migration efforts.
    • Establish visibility as a foundation for planning. Without visibility into where and how cryptography is used, your organization cannot create an effective migration strategy. This initial phase of discovery is essential for sequencing upgrades, allocating resources, and minimizing operational risk during the transition.
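As an added example, not part of the original post or of NIST's guidance, the script below carries the four steps above through on a small cryptographic inventory: it parses inventory records, sorts each algorithm into Shor-broken (RSA, ECC, DH), Grover-weakened (AES-128) or quantum-safe, flags harvest-now-decrypt-later exposure where ciphertext must stay secret for longer than the assumed threat horizon, and ranks the results by priority. The inventory lines, service names, scoring weights, and the migration-time and threat-horizon figures are all constructed for illustration; an unrecognised algorithm is deliberately ranked for review rather than assumed safe.

```python
"""Cryptographic inventory triage: classify assets by quantum exposure.

Added example, not from the original post or NIST's guidance. The inventory
format, service names, weights and planning figures are constructed.
"""
import re

# Public-key families whose hardness assumption Shor's algorithm breaks.
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}
# Grover's algorithm roughly halves effective symmetric security: 128-bit keys
# are weakened but not broken, 256-bit keys remain adequate.
GROVER_WEAKENED = {"AES-128"}
QUANTUM_SAFE = {"AES-256", "ML-KEM-768", "ML-DSA-65", "HMAC-SHA256"}
# Purposes where an adversary can record ciphertext today and decrypt later.
CONFIDENTIALITY_PURPOSES = {"tls", "key-exchange", "data-at-rest"}

# Planning assumptions (constructed; replace with your own estimates): how
# long the migration is expected to take, and the horizon within which a
# cryptographically relevant quantum computer is assumed possible.
MIGRATION_YEARS = 3
THREAT_HORIZON_YEARS = 10

# Constructed inventory export, one asset per line.
INVENTORY = """\
service=payments-api alg=RSA-2048 purpose=tls exposure=public retention_years=10
service=hr-archive alg=AES-256 purpose=data-at-rest exposure=internal retention_years=25
service=firmware-signer alg=ECDSA-P256 purpose=signing exposure=internal retention_years=15
service=vpn-gateway alg=ECDH-P256 purpose=key-exchange exposure=public retention_years=1
service=log-shipper alg=AES-128 purpose=data-at-rest exposure=internal retention_years=2
service=legacy-edi alg=CUSTOM purpose=tls exposure=public retention_years=7
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_inventory(text: str) -> list:
    """Step 1 (inventory): turn key=value export lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV.findall(line))
        fields["retention_years"] = int(fields["retention_years"])
        records.append(fields)
    return records


def family(alg: str) -> str:
    """'RSA-2048' -> 'RSA', 'ECDSA-P256' -> 'ECDSA'; AES keeps its key size,
    because the key size is what decides its Grover exposure."""
    return alg if alg.startswith("AES") else alg.split("-")[0]


def classify(rec: dict) -> dict:
    """Steps 2 and 3 (classify, map vulnerable dependencies) for one record."""
    if family(rec["alg"]) in SHOR_BROKEN:
        status = "vulnerable"
    elif rec["alg"] in GROVER_WEAKENED:
        status = "weakened"
    elif rec["alg"] in QUANTUM_SAFE:
        status = "safe"
    else:
        status = "unknown"  # needs manual review; never assume safe
    # Harvest-now-decrypt-later: ciphertext that must stay secret past the
    # point a quantum adversary could exist is already at risk today.
    hndl = (status == "vulnerable"
            and rec["purpose"] in CONFIDENTIALITY_PURPOSES
            and rec["retention_years"] + MIGRATION_YEARS > THREAT_HORIZON_YEARS)
    score = {"vulnerable": 3, "weakened": 1, "safe": 0, "unknown": 2}[status]
    score += 2 if rec["exposure"] == "public" else 0
    score += 3 if hndl else 0
    return {**rec, "status": status, "hndl_risk": hndl, "priority": score}


def triage(text: str = INVENTORY) -> list:
    """Step 4 (visibility for planning): the ranked migration worklist."""
    return sorted((classify(r) for r in parse_inventory(text)),
                  key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in triage():
        print(f'{row["priority"]:2} {row["status"]:10} hndl={row["hndl_risk"]!s:5} '
              f'{row["service"]} ({row["alg"]}, {row["purpose"]}, {row["exposure"]})')
```

In the constructed data the public-facing RSA TLS endpoint with ten-year retention ranks first, the short-lived ECDH key exchange still outranks the internal ECDSA code signer (signatures are not subject to harvest-now-decrypt-later, but the signer still needs a migration plan), and the unrecognised `CUSTOM` algorithm sits above every safe entry so that someone has to look at it.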

The compliance roadmap extends beyond visibility. Regulators and standards bodies expect organizations to establish clear, documented migration strategies, adopt quantum safe algorithms where feasible, and integrate agility into cryptographic systems. This includes deploying hybrid cryptographic approaches and modular architecture able to support future changes without disrupting production environments. Critical infrastructure sectors such as finance, healthcare, defense, and energy will likely face the earliest and most stringent requirements.

Compliance is no longer a downstream activity. It is a proactive discipline requiring quantum risk considerations to be embedded in governance, procurement, vendor contracts, and operational security. Organizations that treat quantum readiness as part of enterprise risk management, rather than a technical side project, will position themselves to meet regulatory expectations without last-minute scrambles.

Act early to protect trust

PQC compliance is not a distant concern, but a current operational and regulatory priority requiring action today. The threat posed by quantum computing is looming, and preparation is the key to facing the future successfully.

It’s time to assess your organization’s agility, align with NIST’s guidance, and test your new cryptographic solutions. Planning for compliance should also start now, with a clear roadmap for inventory, classification, and migration. Seek guidance from vendors and partners who are PQC-aware and actively testing quantum-resistant solutions to accelerate your path to quantum maturity.

Organizations that act sooner than later gain the benefit of shaping how PQC is implemented within their environments and across their industries. Early adopters will have more influence over vendor roadmaps, interoperability standards, and regulatory guidance.

The quantum era will challenge existing security models, but it will also reward those who begin early. Trust will not go to the biggest, or the fastest—but the best prepared. Start now to face the quantum future securely.
