Call for action: urgent plan needed to transition to post-quantum cryptography together

On 7 February 2025, Europol hosted a Quantum Safe Financial Forum (QSFF) event, during which the QSFF has issued a call to action for financial institutions and policymakers, urging them to prioritise the transition to quantum-safe cryptography. With the rapid advancement of quantum computing, the financial sector faces an imminent threat to its cryptographic security. This transition presents both a challenge and an opportunity to enhance cryptographic management practices across the industry. During the event, representatives from leading organisations discussed the need to urgently address the transition and the challenges industry peers, vendors, policymakers, and society are facing.

A coordinated approach to the transition

A sufficiently advanced quantum computer has the potential to break widely used public-key cryptographic algorithms, endangering the confidentiality of financial transactions, authentication processes, and digital contracts. While estimates suggest that quantum computers capable of such threats could emerge within the next 10 to 15 years, the time required to transition away from vulnerable cryptographic methods is significant. A successful transition to post-quantum cryptography requires collaboration among financial institutions, technology providers, policymakers, and regulators.

The forum recommends the following key actions:

1. Financial institutions and policymakers should prioritise the transition to quantum-safe cryptography and actively support its implementation.
2. Coordination among different stakeholders will be key, ensuring alignment on their planning, roadmaps and the concrete implementation of the transition to PQC, establishing common goals and a shared view of the requirements to achieve them.
3. There is no need for additional legislation to be made, a voluntary framework established between regulators and the private sector would be sufficient, setting guidelines for quantum-safe cryptography and promoting standardisation across institutions.
4. This transition presents an opportunity to enhance cryptography management practices. A forward-looking framework to cryptography management is needed.
5. Promote collaboration, knowledge sharing and fostering a cohesive approach across jurisdictions at global scale. This means encouraging the industry, including private and public sector actors, to partner up in the context of quantum-safe experiments, projects, Points of Contact and other initiatives.

The threat of ‘Store now, decrypt later’ and the regulatory response to it

The QSFF warns of the increasing risk posed by ‘Store now, decrypt later’ (SNDL) attacks, where malicious actors collect encrypted data today with the intention of decrypting it in the future using quantum computing. Sensitive financial information, including long-term investment strategies and confidential agreements, could be compromised if urgent security measures are not taken.

These challenges have been identified by Europol and presented in the First Report on Encryption, published by the EU Innovation Hub, and The Second Quantum Revolution report, published by Europol’s Innovation Lab. Although these reports focus on the law enforcement perspective, there are synergies that can also be applied to the financial industry.

Governments and regulatory bodies worldwide have begun addressing the quantum threat, with the introduction of major regulatory acts in Europe, the United Kingdom, the United States and Singapore. Despite these efforts, a 2023 survey of 200 financial sector leaders found that 86% of organisations feel unprepared for post-quantum cybersecurity. Additionally, 84% anticipate the need to adopt quantum-safe solutions within the next two to five years.

The QSFF urges financial institutions, vendors, and policymakers to take immediate steps towards a quantum-safe financial ecosystem. The QSFF emphasises that action should be taken promptly to protect the industry from significant risks, financial losses, and reputational damage.