Quantum-Safe Transition: Why Financial Institutions Must Act Now

The Quantum Safe Financial Forum (QSFF) of Europol has issued a Call to Action, urging financial institutions and policymakers to prioritize the transition to post-quantum cryptography (PQC).

https://www.europol.europa.eu/media-press/newsroom/news/call-for-action-urgent-plan-needed-to-transition-to-post-quantum-cryptography-together

The report highlights a critical issue: financial institutions risk delaying their transition due to competing cybersecurity priorities and regulatory pressures. While ransomware, AI-driven threats, and compliance with DORA and NIS2 demand immediate attention, the long-term risk of quantum computing cannot be ignored. Failure to act now could lead to severe security and operational risks once quantum computers break today’s cryptographic protections.

Two sections of the report stood out:

🔹 "The Challenge: Making the Transition a Global Priority"

🔹 "QSFF Recommendations: A Roadmap to a Quantum-Safe Financial Sector"

Key Challenges in Quantum-Safe Migration

🔹 Competing Priorities The financial sector is overwhelmed with immediate cyber threats and compliance requirements, leading to a perception that PQC migration can wait.

🔹 Interdependency No financial institution can transition in isolation—banks, payment networks, and service providers are highly interconnected, making a fragmented approach risky.

🔹 Underestimation of Complexity Institutions often underestimate the complexity of cryptographic migration. Lack of coordination could lead to a rushed and costly transition, increasing operational risks.

🔹 Extended Risk Exposure Due to the need for backward compatibility with legacy systems, obsolete cryptographic methods remain in use longer than they should.

🔹 Lack of a Common Approach Without industry-wide coordination, financial institutions face increased complexity and costs in their migration efforts.

What This Means for the Industry

The QSFF report makes it clear: financial institutions must act now to avoid a disorderly and expensive transition. A wait-and-see approach will only increase risk and costs in the long run.

• Quantum risk is an operational resilience issue, not a distant problem. Just as ransomware and AI-driven threats demand immediate action, so does quantum readiness—especially given the time required for migration.

• A voluntary framework between regulators and the private sector is key. Instead of new legislation, clear guidelines, common practices, and standardization efforts would drive an effective transition.

• Hybrid cryptography is a critical step. Combining classical and post-quantum algorithms allows institutions to migrate gradually while maintaining security.

• Collaboration is essential to prevent fragmentation. Financial institutions, vendors, and regulators must work together to ensure consistent cryptography management practices across the industry.

🚀 How can financial institutions balance immediate cyber threats with long-term quantum risks?

Let’s discuss!