Most discussions about quantum computers still revolve around futurology. We talk about machines that will, in the near future, change the face of science and medicine. Meanwhile, for security directors in banks, hospitals or government institutions, the quantum age is not a distant vision but a pressing problem that started yesterday. In the shadow of media reports about the next quantum processors, a quiet data security drama is playing out, known in the industry as the ‘Harvest Now, Decrypt Later’ strategy. The premise is simple but brutal: cyber criminals and hostile state actors are already stealing and archiving encrypted data en masse. For them, it is currently a useless string of characters, but their long-term goal is to store it until quantum computers achieve enough computing power to crack today’s algorithms in seconds.
For industries handling sensitive data with a long lifecycle, this is a nightmare scenario. The financial sector, which relies on trust and bank secrecy, and the healthcare system, which often protects patient data for decades, are on the front line. If we assume that a stable quantum computer will be developed in ten years’ time and that medical or financial data must remain confidential for fifteen or twenty years, the maths is inexorable. The safeguards in place today are already insufficient, because the period for which the data must stay protected extends beyond the time horizon in which current cryptography can be safely used. Research published by the French agency ANSSI shows that half of the organisations surveyed are already at risk of future quantum attacks, especially in the context of such common tools as VPNs or long-term certificates.
The answer to this invisible threat, however, is not to build our own quantum computers to defend ourselves, but mathematics, specifically post-quantum cryptography (PQC). The term covers a new set of encryption algorithms specifically designed to resist the computing power of future machines. Crucially, these technologies are compatible with our current hardware. You can, and should, deploy them on today’s servers, cloud and network infrastructure without waiting for a hardware revolution. This deployment rests on two foundations that appear more and more often in security strategies: hybridisation and crypto-agility.
The hybrid approach is a kind of security bridge. It involves the simultaneous use of conventional, time-tested algorithms and new post-quantum solutions. It works like a double lock on a door – even if one is forced, the other still protects the assets. This strategy allows companies to test new technology and build resilience without the risk of abandoning current standards overnight. Crypto-agility, on the other hand, is the system’s ability to quickly replace an encryption algorithm when a vulnerability is discovered in it. In a dynamically changing world of threats, IT systems cannot be monolithic; they must allow their cryptographic foundations to be seamlessly updated without rebuilding the entire architecture or paralysing the operational performance of the enterprise.
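The two ideas above can be shown together in a short sketch. This is an added example, not code from the article or from any product: it derives a session key from both a classical and a post-quantum shared secret with a concatenate-then-HKDF combiner, and keeps algorithm choice in a registry so a suite can be withdrawn by policy. The suite identifiers, function names and stand-in secrets are assumptions made for illustration; a real deployment would obtain the secrets from actual ECDH and ML-KEM exchanges.

```python
import hashlib
import hmac

# Suite registry; the identifiers are made up for this example.
# "components" names the key exchanges whose shared secrets feed the KDF.
SUITES = {
    "classical-v1": {"components": ("ecdh",), "hash": "sha256", "allowed": True},
    "hybrid-v1": {"components": ("ecdh", "ml-kem"), "hash": "sha256", "allowed": True},
    "hybrid-v2": {"components": ("ecdh", "ml-kem"), "hash": "sha384", "allowed": True},
}

def negotiate(local_pref, peer_offer):
    """Return the first locally preferred suite the peer offers and policy allows."""
    for suite_id in local_pref:
        if suite_id in peer_offer and SUITES.get(suite_id, {}).get("allowed"):
            return suite_id
    raise ValueError("no mutually acceptable suite")

def retire(suite_id):
    """Crypto-agility: withdrawing an algorithm is a policy change, not a rebuild."""
    SUITES[suite_id]["allowed"] = False

def derive_session_key(suite_id, shared, length=32):
    """Concatenate-then-HKDF (RFC 5869): the key depends on every component secret."""
    suite = SUITES[suite_id]
    if not suite["allowed"]:
        raise ValueError(f"suite {suite_id} is retired")
    if set(shared) != set(suite["components"]):
        raise ValueError("need exactly one shared secret per component")
    h = suite["hash"]
    # Length-prefix each secret so the concatenation is unambiguous.
    ikm = b"".join(len(shared[c]).to_bytes(2, "big") + shared[c]
                   for c in suite["components"])
    prk = hmac.new(bytes(hashlib.new(h).digest_size), ikm, h).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand, with the suite id as context info
        block = hmac.new(prk, block + suite_id.encode() + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]

if __name__ == "__main__":
    # Constructed stand-ins for the secrets an ECDH and an ML-KEM exchange would output.
    shared = {"ecdh": bytes.fromhex("11" * 32), "ml-kem": bytes.fromhex("22" * 32)}
    suite = negotiate(["hybrid-v2", "hybrid-v1"], {"hybrid-v1", "hybrid-v2"})
    print(suite, derive_session_key(suite, shared).hex())
    retire("hybrid-v2")  # e.g. after a weakness is found in one suite
    print(negotiate(["hybrid-v2", "hybrid-v1"], {"hybrid-v1", "hybrid-v2"}))
```

Because both secrets enter the key derivation, recovering the classical secret alone does not yield the session key, which is the "double lock" property the paragraph describes.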
While technological solutions are already on the table, the impetus for change is increasingly coming not from IT departments, but from the offices of regulators. Europe is clearly accelerating in the race for digital sovereignty, and bodies such as the aforementioned ANSSI and EU institutions are no longer treating quantum resilience as an option, but as a necessity. Standardisation work, led globally by the US NIST, is being closely followed and adapted to European requirements. On the Old Continent, legislation, including the Cyber Resilience Act, is beginning to play a key role. The new legislation will gradually force software and hardware providers to comply with state-of-the-art cryptographic criteria. This means that soon even non-critical infrastructure companies will have to review their supply chains, making sure that their technology partners offer solutions that are ready for the post-quantum era.
There is currently an intriguing divergence in the market. On the one hand, technology providers have mobilised strongly, actively following recommendations and integrating new standards into their products to stay ahead of regulation. On the other hand, many end users, including large enterprises, are adopting a wait-and-see attitude. Some industries are holding off on decisions until rigid legal guidelines emerge. However, experts warn that this is a risky strategy. Cryptographic migration is an extremely complex, costly and time-consuming process. Organisations that only start it when hard regulations come into force may find themselves in a no-win situation, forced to make chaotic and costly upgrades under time pressure.
For sectors such as banking or healthcare, anticipating the quantum threat has therefore become a strategic necessity, going far beyond the technical aspects of IT operations. It requires coordination at management level, an inventory of resources and multi-year budget planning. The first step for any organisation aware of the risk should be to map out exactly where cryptography is used and assess how long the protected data must remain confidential. Time to prepare is running out, and in the world of cyber security, where customer trust and the stability of the financial system are at stake, the principle of ‘prevention is better than cure’ has never been more relevant. The move to post-quantum cryptography is not just a software update – it is a fundamental shift in thinking about information persistence and security in the 21st century.
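The inventory step described above, combined with the earlier ten-year versus fifteen-to-twenty-year arithmetic, can be turned into a simple triage. This is an added example, not part of the original article: the inventory, system names and figures are constructed, and the calculation also adds migration time to the confidentiality period (Mosca's inequality), which the article does not name.

```python
import csv
import io

# Key-establishment algorithms that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH"}

# Constructed sample inventory; system names and figures are illustrative.
INVENTORY_CSV = """system,algorithms,confidentiality_years,migration_years
patient-records-vpn,ECDH,20,3
payments-api-tls,RSA,15,2
marketing-site-tls,ECDH,1,1
archive-backup,AES-256,20,0
partner-gateway,ECDH+ML-KEM,15,0
"""

def is_exposed(algorithms):
    """A '+'-joined hybrid is exposed only if every component is vulnerable."""
    parts = [a.strip().upper() for a in algorithms.split("+")]
    return all(p in QUANTUM_VULNERABLE for p in parts)

def triage(inventory_csv, years_to_quantum):
    """Return (system, margin) pairs for at-risk systems, worst first.

    margin = confidentiality_years + migration_years - years_to_quantum;
    a positive margin means data is still sensitive once decryption is feasible.
    """
    at_risk = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_exposed(row["algorithms"]):
            continue
        margin = (int(row["confidentiality_years"])
                  + int(row["migration_years"]) - years_to_quantum)
        if margin > 0:
            at_risk.append((row["system"], margin))
    return sorted(at_risk, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # The article's assumption: a stable quantum computer in ten years.
    for system, margin in triage(INVENTORY_CSV, years_to_quantum=10):
        print(f"{system}: safe window exceeded by {margin} years")
```

Systems with the largest positive margin are the ones whose traffic is most worth protecting with a hybrid key exchange first.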
