Do not underestimate the risks posed by quantum computers

Quantum computing is advancing quickly, posing a real challenge to our current cryptographic systems. A cryptographically relevant quantum computer (CRQC) will soon be able to break some of today's encryption. Transitioning to post-quantum cryptography (PQC) is therefore essential. PwC experts Renato Kuiper, Arjan Visser and Angeli Hoekstra observe that many organisations continue to postpone this step, when now is precisely the time to set a clear direction. Catching up later will take more time, cost more money, and entail greater risks.

Our Digital Trust Insights Survey 2026 shows that the Netherlands is lagging behind its global and Western European peers when it comes to testing, implementing, and experimenting with quantum-resistant security measures. Organisations are exploring the technology, but few are taking concrete steps. It is precisely at this stage that early action makes a difference; otherwise, risks will only increase and the time left for implementation will become shorter.

Understanding the impact of quantum computing is crucial

Understanding the impact of quantum computing is crucial for businesses to act decisively. Here are the key drivers:

• Regulatory pressure
  New and existing regulations, such as the CRA, NIS2, DORA, and GDPR, alongside standards like NIST, ETSI, and ISO/IEC, are pushing for advanced cryptography. Compliance will soon be non-negotiable.
• Business risk
  Quantum computers have the potential to break widely used cryptographic algorithms like RSA and ECC, putting sensitive data and critical business processes at risk.
• Reputational and financial impact
  A breach due to outdated cryptography could lead to regulatory fines, loss of customer trust, and major operational disruptions.

Don't underestimate the risks of quantum computers

While current quantum computers may not yet be fully stable or powerful, the risks are immediate and should not be underestimated. You can already see this in four clear scenarios:

• Harvest now, decrypt later
  Attackers are already gathering encrypted data, with plans to decrypt it using future quantum computers.
• Secure channel decryption
  Quantum computing will enable adversaries to intercept and decrypt secure communications. By tapping into transport channels like the internet, internal networks, or stored devices, encrypted data can be collected and decrypted once quantum computers become available.
• Trust now, forge later
  Digital certificates and signatures can be forged, paving the way for sophisticated phishing and fraud. A notary-signed document could be forged later, undermining trust in transactions and potentially leading to legal disputes.
• New zero-day vulnerabilities
  Quantum algorithms will introduce new attack vectors and vulnerabilities, necessitating a complete overhaul of cryptographic systems. Quantum computers will enable the creation of new exploits, such as zero-days, for which software vendors may not yet have patches, leading to new vulnerabilities.
• New vulnerabilities
  Quantum algorithms will create new vulnerabilities. Software vendors do not yet have solutions for these, resulting in new risks emerging without immediate mitigation.

Steps for a risk-based improvement programme

Fortunately, there are newly developed encryption algorithms ready for the post-quantum era, such as those defined by NIST. Cryptography is integral to all businesses and their supply chains, making it a complex task to mitigate cryptographic risks quickly. For some, this transition could span years and require well-managed programs. We recommend considering the following steps when initiating a risk-based improvement program:

• Establish a comprehensive programme and governance structure
  Manage and monitor the entire improvement plan.
• Assess and inventory
  Identify all systems and processes using cryptography. Determine which assets are most vulnerable to quantum threats.
• Risk assessment
  Evaluate your organisation’s readiness and pinpoint high-risk areas. Prioritise these areas.
• Awareness and training
  Educate executives and staff on quantum risks and post quantum cryptography. Engage stakeholders across business and IT.
• Policy and governance
  Develop a new cryptographic policy aligned with post quantum cryptography standards. Assign clear ownership for cryptographic risk and transition planning.
• Pilot projects and testing
  Invest in pilot implementations and ‘no-regret’ moves of post quantum cryptography solutions (e.g., upgrade to TLS 1.3 in test environments). Engage IT vendors to understand their post quantum cryptography roadmaps.
• Procurement and vendor management
  Update procurement requirements to include post quantum cryptography readiness. Budget for vendor assessments and necessary upgrades.
• Ongoing monitoring and compliance
  Allocate resources for tracking regulatory changes and maintaining compliance. Plan for periodic reviews and updates as standards evolve.
• Contingency and future-proofing
  Recognise that full migration may take five to ten years; budget for phased upgrades. Start with ‘no-regret’ moves that provide immediate benefits and lower the risks.

Conclusion: Prioritise post quantum cryptography and begin your transition now

Quantum risk is not a distant problem; it is a present and growing threat. The transition to post-quantum cryptography will be complex, costly, and time-consuming. Early investment in assessment, policy, pilot projects, and ongoing compliance will reduce risk, avoid rushed transitions, and position your organisation as a leader in digital trust.

Prioritise post quantum cryptography and assign dedicated funding and resources to begin your transition now. Waiting will only increase risk and cost.