In 2023, we posed the question: Is this the year we cross the Quantum Rubicon? That conversation sparked widespread recognition of the impact quantum computing could have both positively and negatively on the cyber security landscape. The threat it poses to Public Key Cryptography (PKC) is significant. As the UK’s National Cyber Security Centre (NCSC) warns, "Most PKC algorithms in use today will be vulnerable to a Cryptanalytically Relevant Quantum Computer (CRQC)."

Now, the call to action is louder. For organisations dependent on PKC Post-Quantum Cryptography (PQC) is not just a future consideration, it is a present-day business transformation challenge.

 

The business impact today

Asymmetric cryptography underpins core business functions, key exchange, digital signatures, tokenisation. From Public Key Infrastructure (PKI) services and secure communications to identity management, blockchain and cryptocurrencies, these are all at risk.

This threat emerges just as society becomes increasingly reliant on these capabilities. Digital identities, blockchain records, encryption-by-default Internet protocols, Internet-of-Things (IoT)-based trust, Zero Trust Architectures, and cloud-native continuous integration/continuous delivery (CI/CD) workflows all depend on resilient cryptographic foundations.

Quantum computing introduces a material risk to:

  • Ecommerce
  • IoT and operational technology
  • Network security
  • Cloud DevOps
  • Privacy enforcement

 

Why organisations must act now

Several intersecting forces make immediate action essential:

Threat horizon

Significant quantum developments are accelerating, with major investments from Nvidia, IBM, Google, Microsoft, and China.

Harvest now, decrypt later

Malicious actors are storing encrypted data now, to exploit it when CRQC becomes available.

 

Transformation timeframes

Migrating to PQC is complex. Ecosystem-wide dependencies, especially in IoT and legacy integrations, demand coordinated, phased upgrades.

 

Standardisation

With NIST’s publication of FIPS 203 (key exchange) and 204 (digital signing), there is now a viable industry standard. And NIST are following that up with NIST SP 1800-38 a currently draft practice guide.

 

Regulatory pressure

In 2022 the White House Office of Management and Budget released an executive order on PQC including the need for federal agencies to move to post-quantum cryptography by 2035. This month this executive order has been revised by the Trump administration removing the hard timeline but reiterating the threat and emphasising risk management. Here in the UK NCSC has issued a roadmap to quantum-safe, targeted at all organisations, which commends plans be in place by 2028 for full transformation by 2035. 

In short, transformation is now both technically feasible and regulatory expected.

 

Reframing as a strategic transformation

Quantum-proofing your business isn’t a cryptographic upgrade, it is a transformation journey across IT, operations, and business leadership.

Key strategic questions include:

  • Where do you use cryptography, particularly PKC?
  • What’s the business criticality of those use cases?
  • What would be the impact of compromise?
  • How hard will migration be and what operational risk does that introduce?
  • What constraints or dependencies complicate the journey?

These answers should inform your PQC roadmap. From risk prioritisation to delivery resourcing, transformation requires cross-functional coordination:

  • Strategy and roadmap development
  • Resource planning and partner selection
  • Impact analysis and migration plans
  • Testing and assurance
  • Stakeholder engagement and communications

 

Conclusion: Crossing the rubicon

The quantum threat to PKC is real and approaching. But the path forward is clear. Standards are in place. Regulations are tightening. And proven delivery partners are ready.

Post-Quantum cryptography is more than a security update; it’s a business imperative.

Download our viewpoint on Crossing the Rubicon with Post-Quantum Cryptography

Contact CGI today to begin your PQC transition journey.

Let us help you protect your business, uninterrupted, secure, and future-ready.