We live in an era in which massive data theft and technological advancement go hand in hand: the same cloud infrastructure that facilitates work and information exchange also offers attackers virtually unlimited capacity to store what they exfiltrate. This has led to a strategy that, although disturbing, is entirely logical from an adversary's perspective: accumulate large volumes of encrypted information today and wait for the computing power needed to decrypt it in the future. This approach, known in the industry as Harvest Now, Decrypt Later, makes any data that must remain confidential for decades a high-value target.
This is not science fiction: it is a race against the clock. Quantum computers promise to break the mathematical foundations on which current cryptography rests. Existing prototypes are still far from being able to run the complex algorithms needed to break TLS, RSA or ECC at scale, but public roadmaps and massive investment in the technology indicate that a cryptographically relevant quantum computer could arrive in the next decade. If this prediction holds, information encrypted today could be exposed within a few years; experts therefore recommend starting the adaptation now rather than when the risk is evident. For an up-to-date technical and predictive overview, see the analysis of quantum development roadmaps in The Quantum Insider: Quantum Computing Roadmaps.

The technical response to this threat is post-quantum cryptography (PQC), a set of algorithms designed to resist attacks from both classical and future quantum computers. Institutions such as NIST have led standardization and evaluation processes that are already setting the course, but operational adoption is much more than choosing an algorithm: it involves rethinking the key life cycle, third-party dependencies, and hardware and software architecture.
Moving to a "quantum-safe" environment is not a one-off task but an organizational and technical project that must be planned calmly and rigorously. Experience and reference documentation recommend structuring the change in phases that clarify responsibility, scope and urgency. The first step is to establish leadership and governance: appoint owners and make the risk visible to management, connecting that assessment with the classification of data according to its useful life. The next step is to map the cryptographic assets: certificates, APIs, embedded devices, and suppliers that manage keys. This initial X-ray is essential for prioritizing what to migrate first.
With the information on the table, a realistic migration plan is designed: timetable, priority criteria, budget and success metrics. Here, one should not rush into radical change without measuring its impact. The prevailing practical recommendation from bodies such as the NCSC and ETSI is to favor hybrid approaches and cryptographic agility: introduce post-quantum primitives alongside current ones to gain operational experience without sacrificing interoperability or availability.
Technical execution requires attention to details that often surprise those outside cryptographic circles. Not all devices can yet support the computational load or key sizes of PQC solutions: IoT devices, smart cards and certain cryptographic modules may require updated hardware or optimized libraries. The PKI ecosystem is interdependent: changing algorithms pushes suppliers, certification authorities and partners to coordinate. In regulated sectors, the absence of certified components still complicates procurement and deployment, so many managers choose to migrate software services (e.g. TLS and SSH) as a trial while working on the renewal of critical infrastructure.
In addition to technical challenges, there are clear organizational barriers: the feeling that the threat is distant makes it difficult to allocate budget, and the lack of PQC-trained personnel slows adoption. These difficulties have practical solutions: quantifying exposure through risk frameworks (for example, applying ideas such as the formulation that links the time something must remain secure with the arrival of quantum capabilities), investing in training, and relying on consultants or cross-sector forums to accelerate knowledge transfer. Public agencies have published useful guides to help organizations prioritize and prepare roadmaps: the NIST migration guide and CISA resources are recommended starting points (NIST PQC, CISA Quantum-Readiness).
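One way to turn the asset inventory and the risk formulation mentioned above into a ranked migration list, as an added example that is not part of the original article. It assumes the formulation is the commonly cited inequality X + Y > Z (often called Mosca's inequality: data shelf life plus migration time versus years until a cryptographically relevant quantum computer); the asset names, the figures and Z = 10 are constructed.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a cryptographically
# relevant quantum computer (CRQC). Symmetric ciphers and hashes are not listed.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str     # inventory label such as "RSA-2048" or "AES-256"
    shelf_life: float  # X: years the data (or signature) must stay trustworthy
    migration: float   # Y: years needed to move this asset to PQC or hybrid


def is_quantum_vulnerable(algorithm: str) -> bool:
    """True when the family (text before the first '-') is Shor-breakable."""
    return algorithm.split("-", 1)[0].upper() in SHOR_BROKEN


def exposure_years(asset: Asset, years_to_crqc: float) -> float:
    """X + Y - Z: years the asset is still sensitive once a CRQC exists."""
    return asset.shelf_life + asset.migration - years_to_crqc


def prioritize(assets, years_to_crqc):
    """Return (name, exposure) for vulnerable assets with X + Y > Z, worst first."""
    at_risk = [
        (a.name, exposure_years(a, years_to_crqc))
        for a in assets
        if is_quantum_vulnerable(a.algorithm)
        and exposure_years(a, years_to_crqc) > 0
    ]
    return sorted(at_risk, key=lambda item: item[1], reverse=True)


# Constructed sample inventory; names and figures are illustrative only.
INVENTORY = [
    Asset("vpn-gateway", "ECDH-P256", shelf_life=7, migration=2),
    Asset("patient-archive", "RSA-2048", shelf_life=25, migration=3),
    Asset("backup-vault", "AES-256", shelf_life=30, migration=1),
    Asset("firmware-signing", "ECDSA-P256", shelf_life=15, migration=5),
]

if __name__ == "__main__":
    # Z = 10 years is an assumption for the example, not a forecast.
    for name, years in prioritize(INVENTORY, years_to_crqc=10):
        print(f"{name}: exposed for {years:g} years")
```

Re-running the ranking with a smaller Z shows how sensitive the priority list is to the forecast: assets that look safe at Z = 10 can cross the threshold when the estimate shortens.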
Given the uncertainty about which algorithm will be "the winner" in the long term, the most pragmatic strategy is controlled experimentation: deploy PQC solutions in non-critical environments, measure performance and security, and evolve towards hybrid integrations with the ability to swap algorithms through centralized configuration. Cryptographic agility, that is, designing systems that allow primitives to be changed with as little effort as possible, should become a design requirement for any new development.
Collaboration is no less important. The transition to post-quantum cryptography cannot be an isolated project within a company: it requires coordination with suppliers, certification authorities, regulators and industry peers. Participating in industry groups and following the work of bodies such as BSI, ENISA or ETSI itself helps to stay aligned with best practices and to influence emerging standards.

The practical conclusion is clear: the window to act is already open. It is not necessary to wait for the arrival of a perfectly operational quantum computer to start mitigating the risk; the smart strategy combines governance, asset inventory, pilot testing in controlled environments and the adoption of hybrid mechanisms and cryptographic agility. For those who want a comprehensive picture and operational data on current threats and future predictions, the Security Navigator 2026 report brings together incident analysis, extortion trends and sections dedicated to quantum risk preparedness: Security Navigator 2026.
If your organization has not yet started mapping its cryptographic exposure, that is the first urgent step. Making an inventory, determining the useful life of critical information and establishing a team responsible for migration does not guarantee invulnerability, but it does make it possible to move from reactive concern to a planned and manageable response. In technology, as in public health, prevention (in this case, migration to post-quantum practices and technologies) will always be cheaper and less painful than remedying a breach years later.
For further reading and practical guides, review the technical documentation and recommendations of NIST, CISA, NCSC and ETSI, as well as studies on specific challenges in embedded and certification environments. These resources provide both the strategic context and the details needed to turn the theoretical debate into concrete and prioritized actions.