Quantum innovation is moving from theory to strategic reality, with the NCSC now strongly promoting its timeline for crypto readiness. Seen until comparatively recently as a dystopian, futuristic breakthrough, quantum computing and related quantum technologies are now becoming serious boardroom topics. Governments, technology companies and research institutions are investing heavily – in the hope that quantum systems could help solve problems that are too complex for classical computers.

The potential is significant. Quantum computers may transform drug discovery, materials science, logistics, financial modelling, artificial intelligence and climate research. Quantum sensors could improve navigation, medical imaging, environmental monitoring and critical infrastructure resilience. But alongside this opportunity comes one of the most important cyber security challenges of the next decade: the threat quantum computers pose to today’s encryption and online trust.
For IT and cyber professionals, the question is how to prepare for the benefits and risks at the same time.
The Promise of Quantum Innovation
Quantum computers work differently from traditional computers. Instead of using ordinary bits, which represent either 0 or 1, quantum computers use quantum bits, or qubits, which can represent more complex states. This gives them the potential to process certain types of problems in ways classical machines cannot.
One of the most promising areas is scientific discovery; because nature operates according to quantum mechanics at the smallest scale, quantum computers may eventually be better suited to modelling molecules, chemical reactions and materials. This could support breakthroughs in pharmaceuticals, battery technology, carbon capture, fertilisers and advanced manufacturing.
For example:
In healthcare, quantum computing could help researchers model complex biological systems, accelerate drug discovery and improve understanding of protein interactions.
- In energy, it could support better battery chemistry, grid optimisation and new materials for clean technology.
- In logistics, quantum algorithms may help optimise routes, supply chains and resource allocation. In finance, they could improve risk modelling, fraud detection and portfolio optimisation.
Quantum innovation is not limited to computing. Quantum sensing could enable highly precise measurement, with applications in defence, healthcare, transport and environmental monitoring. Quantum communications may also change how we think about secure data transfer in the future.
The upside is clear: quantum technologies could create step change by helping society solve problems that are currently too expensive, too slow or too complex to tackle.
The Cyber Security Risk
However, an equally significant near-term concern is the impact of PQC on cyber security.
Much of today’s digital world depends on public-key cryptography. It protects online banking, secure messaging, websites, cloud services, software updates, digital signatures, identity systems and connected devices. A powerful enough quantum computer could break widely used public-key encryption methods, including RSA and elliptic-curve cryptography. These algorithms are secure against classical computers because the mathematical problems behind them are extremely difficult to solve. Quantum computers could change that.
This creates a major risk for digital trust. If current encryption becomes vulnerable, organisations could face exposure across sensitive data, customer information, payment systems, intellectual property, software integrity and critical infrastructure.
This is not only a future problem. Attackers may already be collecting encrypted data today with the intention of decrypting it later when quantum capabilities mature, in harvest now, decrypt later attacks. This is especially concerning for information that doesn’t degrade in quality over time yet must remain highly confidential for many years, such as government records, healthcare data, legal documents, defence information, financial records and trade secrets.
The Case for Post-Quantum Cryptography
The main defence against this risk is post-quantum cryptography. These are new cryptographic algorithms designed to resist attacks from both classical and quantum computers. However, moving to post-quantum cryptography is not a simple software update. Cryptography is embedded throughout modern organisations; it exists in applications, APIs, cloud services, identity platforms, certificates, VPNs, hardware security modules, operational technology, IoT devices, firmware, payment systems and supplier products.
That means quantum-safe security requires planning, visibility and coordination. You need to know where cryptography is used, which systems are most exposed and which data needs long-term protection.
This is why cryptographic agility is becoming a critical cyber security principle. Crypto-agile organisations can change cryptographic algorithms, keys and protocols without rebuilding entire systems. In a quantum era, that flexibility will be essential.
The upside is clear: quantum technologies could create step change by helping society solve problems that are currently too expensive, too slow or too complex to tackle.
The Downsides of Quantum Innovation
Quantum innovation also brings practical challenges beyond cyber security. Firstly, the technology is still developing. Today’s quantum computers are powerful research tools, but many commercial use cases remain experimental. You should be careful not to confuse long-term potential with immediate operational value.
Second, quantum readiness may widen the tech sophistication gap between organisations. Large enterprises and governments may have the resources to prepare early, while smaller businesses may rely heavily on vendors and cloud providers. This makes quantum risk a supply chain issue as much as an internal IT issue.
Finally, there is a risk of hype. Quantum computing is not a universal replacement for classical computing. It will be valuable for specific categories of problems, not every business challenge. Leaders should take it seriously without overpromising what it can deliver today.
What You Should Do Now
The best security response to quantum innovation is preparation, and that starts as early as possible. You should start by building a cryptographic inventory. This means identifying where encryption, key exchange, certificates and digital signatures are used across the business. Then, classify data based on sensitivity and how long it must remain secure.
Next, assess which of your systems depend on vulnerable public-key cryptography and prioritise high-risk areas. This includes customer-facing platforms, identity systems, secure communications, software signing, cloud environments and critical third-party services.
Supplier engagement is also essential. Businesses should ask vendors about their post-quantum cryptography roadmap, including when products will support quantum-safe algorithms and how migration will be managed.
Finally, you should make cryptographic agility part of your wider cyber resilience strategy. The goal is not only to prepare for quantum computers, but to improve security architecture today.
Our CTO’s View
Quantum innovation represents both promise and pressure. It could help solve some of the world’s hardest problems, from medicine and energy to logistics and climate science. But it could also disrupt the encryption systems that protect the digital economy. Those that succeed in the quantum era will not simply be those that adopt the technology first. They will be those that prepare intelligently.
That means exploring quantum use cases with discipline, avoiding hype and treating post-quantum cryptography as a strategic cyber security priority.
Quantum innovation represents both promise and pressure. It could help solve some of the world’s hardest problems, from medicine and energy to logistics and climate science. But it could also disrupt the encryption systems that protect the digital economy.
FAQ: Quantum Innovation and Cyber Security
Which cryptographic systems are most exposed to quantum risk?
The highest-risk systems are those that depend on public-key cryptography, especially RSA, elliptic-curve cryptography, ECDH and ECDSA. These algorithms underpin many common security functions, including TLS, VPNs, digital certificates, code signing, identity platforms, secure email, software updates and machine-to-machine authentication. A future cryptographically relevant quantum computer could undermine these public-key systems, which is why post-quantum migration is now a security architecture issue rather than a theoretical research topic. The NCSC describes the threat to asymmetric public-key cryptography from future large-scale, fault-tolerant quantum computers as well understood.
What should be included in a post-quantum cryptography inventory?
A useful PQC inventory should go beyond listing encryption products. It should identify where cryptography is used across applications, infrastructure, APIs, certificates, identity systems, HSMs, key management platforms, VPNs, TLS endpoints, cloud services, operational technology, IoT devices, firmware signing, software supply chains and third-party services. The inventory should capture the algorithm, protocol, key length, certificate lifecycle, data protected, system owner, vendor dependency and whether the system supports algorithm replacement. This becomes the foundation for crypto-agility.
Which NIST post-quantum algorithms matter most for enterprise security teams?
NIST has finalised three Federal Information Processing Standards for post-quantum cryptography: FIPS 203, the Module-Lattice-Based Key-Encapsulation Mechanism Standard; FIPS 204, the Module-Lattice-Based Digital Signature Standard; and FIPS 205, the Stateless Hash-Based Digital Signature Standard. In practical terms, ML-KEM is relevant to key establishment, while ML-DSA and SLH-DSA are relevant to digital signatures.
How should you prioritise PQC migration?
Prioritisation should be based on three factors: cryptographic exposure, data sensitivity and data shelf life. Systems protecting long-lived sensitive data should move up the priority list because of harvest now, decrypt later risk, where adversaries collect encrypted data today and attempt to decrypt it once quantum capability matures. Security teams should prioritise identity, certificate management, customer-facing services, secure communications, software signing, critical infrastructure and regulated data environments.
What is crypto-agility in a post-quantum context?
Crypto-agility means being able to change cryptographic algorithms, libraries, certificates and protocols without redesigning the whole system. This matters because PQC migration will not be a single cutover. Standards, vendor support, protocol implementations and assurance requirements will continue to evolve. Crypto-agile systems reduce future migration cost and lower the risk of being locked into vulnerable or deprecated algorithms.
Is quantum key distribution a replacement for post-quantum cryptography?
For most organisations, no. QKD is a specialist technology for generating and sharing keys, but it does not remove the need for authentication and introduces hardware, infrastructure and operational complexity. The NCSC recommends PQC as the primary mitigation for the quantum threat to cryptography and says QKD should not be solely relied on for generating and distributing cryptographic keys.
What should security teams ask vendors about quantum readiness?
Vendor due diligence should include specific questions: Which products use RSA, ECC, ECDH or ECDSA? What is the roadmap for ML-KEM, ML-DSA and SLH-DSA support? Will products support hybrid classical/PQC modes during transition? How will certificates, firmware signing, APIs and integrations be upgraded? Are there dependencies on third-party cryptographic libraries? What evidence will the vendor provide for testing, validation and interoperability?
How does quantum risk affect AI, cloud and identity systems?
Quantum risk is not isolated from other technology trends. AI platforms, cloud workloads and identity systems all depend on cryptographic trust. Model pipelines, API authentication, workload identity, secrets management, confidential data stores and software supply chains all need secure encryption and signing. As organisations adopt more AI-enabled and cloud-native architectures, cryptographic visibility becomes harder but more important.
What is the practical next step for a cyber team?
The first step is not buying a quantum product. It is building visibility. Create the cryptographic inventory, identify quantum-vulnerable dependencies, classify long-lived sensitive data, assess supplier readiness and design a migration roadmap. The NCSC’s indicative milestones are discovery and initial planning by 2028, highest-priority migration activity by 2031, and full migration by 2035.