Quantum Threat in Finance: The BIS Roadmap and Why the Time to Act Is Now

The BIS 2025 roadmap warns financial institutions of urgent quantum risks. Explore key recommendations for quantum-safe migration and BIS readiness steps.

Gireesh Kumar N

7/9/2025

The Bank for International Settlements (BIS) has released a landmark report: Quantum-readiness for the financial system: a roadmap (BIS Papers No. 158, July 2025).

For those working in cybersecurity, cryptography, or financial infrastructure, this is more than just another technical publication. It’s a strategic, coordinated call to action for central banks, regulators, and financial institutions to begin transitioning to quantum-safe cryptography — now.

The Core Message Is Simple: Waiting Is Risky

The BIS warns that the emergence of cryptographically relevant quantum computers (CRQCs) — capable of breaking RSA, ECC, and other widely used public-key encryption algorithms — may still be years away, but the “harvest now, decrypt later” (HNDL) threat is already active.

Data encrypted today can be stolen now and decrypted in the future — exposing institutions to legal, reputational, and systemic risk.

In the financial sector, where trust, confidentiality, authentication, and data integrity are paramount, the potential disruption is profound.

What Makes This BIS Paper Stand Out?

Unlike many high-level alerts, this paper is both strategically comprehensive and technically detailed. It:

  • Explains how quantum computing breaks today’s cryptography.

  • Reviews all quantum-safe solution options — from post-quantum cryptography (PQC) to quantum key distribution (QKD), hybrid models, and pre-shared keys.

  • Highlights protocol impacts (e.g. TLS 1.2 vs 1.3, PKI, software signing, authentication).

  • Acknowledges that PQC is the most practical near-term solution, while QKD remains experimental.

  • Advocates for a layered defence-in-depth strategy that includes cryptographic agility and hybridization.

But the paper also acknowledges a hard truth: This transition is not a simple “algorithm swap.”

Cryptographic migration is a multi-year journey involving protocols, systems, vendors, key management, hardware, governance, and training.

Spotlight: The Roadmap to Quantum-Readiness

The BIS outlines a three-phase roadmap to guide this transition. It includes targeted recommendations for:

  • The Financial Ecosystem (central banks, regulators, FMIs, and vendors), and

  • Individual Financial Institutions

Recommendations for the Financial Ecosystem

Central banks, regulators, and financial market infrastructures must lead systemic coordination. Here’s how the BIS envisions system-level readiness:

1. Obtain Engagement

  • Build Stakeholder Engagement: Educate institutions and the public about quantum risk. Foster cooperation across domestic and cross-border financial systems.

  • Conduct Systemic Risk Assessments: Map cryptographic dependencies. Analyze the sensitivity and required longevity of protected data.

2. Plan

  • Set Common Technical Priorities and Timelines: Agree on cryptographic algorithms, key sizes, and hybrid models. Align on timelines for phasing out vulnerable protocols.

  • Create a Shared Migration Plan: Define national/international cut-off dates for insecure cryptography. Ensure backward compatibility where needed.

3. Monitor

  • Execute Transition Plans: Timely implementation across both public and private sectors.

  • Perform System-Level Testing: Conduct performance, stress, and penetration tests to validate readiness.

  • Integrate Quantum Risk into Cyber Risk Management Frameworks: Update regulations and risk assessment methodologies to account for quantum threats.

Recommendations for Individual Financial Institutions

“Quantum-readiness is not a simple technical upgrade. It requires organization-wide alignment.” — BIS

The roadmap for individual institutions focuses on three critical actions:

Awareness

  • Appoint an executive to lead the quantum-readiness initiative.

  • Form a cross-functional team (IT, security, legal, compliance, ops).

  • Define what quantum-readiness means for the organization.

  • Launch training and workshops across departments.

  • Establish governance structures and allocate an initial budget.

  • Key considerations across hybrid cryptography, crypto agility, and defence-in-depth.

Planning

  • Define vision, timeline, and objectives of the migration.

  • Conduct a cryptographic inventory (manual + automated).

  • Identify systems and data needing long-term protection.

  • Perform risk assessment and classify systems by sensitivity and urgency.

  • Coordinate timelines with external parties including vendors and other third parties.

  • Update security policies, procurement processes, and compliance practices.

  • Plan phased migration aligned with business continuity and risk frameworks.

  • Pilot quantum-safe implementations in non-critical systems.

  • Budget planning and long-term funding strategy.

Execution

  • Prioritize implementation for high-impact systems and implement quantum-safe solutions.

  • Test quantum-safe algorithms in live and test environments.

  • Monitor performance, interoperability, and resilience.

  • Ensure agility: prepare for future algorithm changes or emerging standards.

  • Engage in continuous risk assessment, review, and roadmap refinement.

  • Ensure implementations work as expected without introducing new vulnerabilities.

The BIS emphasizes that migration is not a one-time event. It is a dynamic, multi-year journey with feedback loops, testing cycles, and collaboration at every stage.

The Industry Message Is Getting Louder

The BIS roadmap aligns with a wave of global regulatory action. Institutions around the world are recognizing the need to act — and fast.

These global signals include (the list is not exhaustive):

  • NIST/CISA/NSA: PQC standards finalized (FIPS 203–205); federal migration underway.

  • DORA: Cryptographic integrity mandated.

  • EU: Reinforces its cybersecurity with post-quantum cryptography.

  • G7 CEG: Urges hybrid cryptography and cross-sector testing.

  • MAS: Crypto inventory and PQC pilot advisory to all financial institutions.

  • Bank of France & MAS: Joint cross-border PQC communication trial.

  • BIS Leap: PQC testing for central banks.

  • Israel: Mandates board-level strategy and crypto inventory within 12 months.

  • FS-ISAC: Calls for cryptographic agility and migration planning.

  • PCI DSS v4.0.1: Requires up-to-date cryptographic inventories.

The global financial system is aligning around one message: Quantum-safe migration is urgent, complex, and inevitable.

Why This Paper Matters

What makes this BIS paper stand out is its depth and practicality. It doesn’t just talk about the threat — it lays out detailed pathways for action across policy, governance, and technical domains.

But that’s also where the challenge lies: For many organizations, this level of complexity — cryptographic inventory, risk assessment, hybrid deployments, migrations, cross-border coordination — can feel overwhelming.

Understanding the full scope and acquiring the right skills and tools are key to moving forward confidently.

How AvinyaSQ Starter Packs Help You Get Started

At AvinyaSQ, we’ve designed our Quantum Safe Migration Ignite Starter Packs to help institutions take their first meaningful steps without being overwhelmed. They include:

  • Workshops & Executive Training

  • Readiness Assessment & Prioritization

  • Crypto Inventory & Discovery

  • Quantum Risk Assessment

  • Supply Chain/Vendor Quantum Risk Management

  • Pilot PQC Deployment

Whether you're a bank, regulator, or critical infrastructure provider, we help you bridge the gap between BIS-level strategy and operational execution.

Is your organization prepared to start this transition? Let’s connect to explore how AvinyaSQ Ignite Starter Packs can help you move forward with clarity and confidence.