‘Harvest now, decipher later’: The quantum threat few are preparing for


Quantum technology may feel far off but certain risks are already with us in the form of “harvest now, decrypt later” — an attack vector in which malicious actors steal data now for a future in which they have access to quantum computational tools capable of breaking encryption deployed by most companies today to protect their data.

Despite increasing discussion surrounding this issue, not all organizations are aware of the risk. According to a 2025 ISACA survey, only 5% of cyber professionals considered the threat a high priority, despite two-thirds being concerned about quantum’s future ability to break encryption. That 5% was the same percentage of organizations that had defined a strategy to prepare for the quantum threat, according to the survey’s findings.

Contrary to the rhetoric of a “Q-Day” — a pivotal date on which classical cryptography will be broken by quantum computers — organizations such as the European think tank CEPS warn that this possibility will not arrive suddenly, but gradually.

“We’ve been waiting for some time for something like a quantum computer, which will likely allow us to break traditional encryption systems in a seemingly simple way,” explains Félix Barrio, director general of Spanish national cybersecurity institute INCIBE, via video call. “Although this has been demonstrated theoretically and we haven’t yet seen computers with that capability, there are different estimates,” ranging from a few months to a decade.

Barrio notes, however, that such computational power will probably only be available to a few entities, generally government agencies, given its high cost.

The first three post-quantum cryptography (PQC) standards were published by the US National Institute of Standards and Technology (NIST) in 2024.

“These are algorithms that could supposedly withstand a quantum attack using a quantum computer,” Barrio says. Currently, these algorithms are being tested and adapted to various technologies.

Quantum key distribution (QKD), which could be applied to data transmission over cable, adapted fiber optic cable, or satellite, establishes an alternative key exchange system that uses properties of quantum physics to act as an early warning mechanism when breaches or intrusions are detected, so that compromised keys can be discarded.

The EU has already designed a roadmap for the transition to post-quantum cryptography, which sets the end of 2026 as the first phase for deploying these tools, with 2030 as the deadline for high-risk use cases and 2035 for the rest.

Barrio explains that INCIBE has allocated part of the resources from its innovative public procurement program to advanced cryptography resistant to quantum attacks, funding five initiatives located in different cities in Spain.

“In Spain, we have taken the lead in investing in this transition phase with the most promising projects we have identified in these public calls for proposals, and over these three years we have been working to ensure that test systems using Spanish technology can be offered and that these systems can also be commercialized,” he notes. “In Europe, in general, when you talk to other cybersecurity agencies, they are genuinely concerned.”

Where the sector stands on quantum resilience

“Today we take for granted that communications with our bank or healthcare systems are private, and that digital signatures — for example, those that support financial transactions or cryptocurrencies — are unforgeable. The impact of these guarantees becoming invalid is enormous, both economically and socially,” Alberto de Mercado, manager of systems engineering for service providers at Fortinet, tells Computerworld Spain via email.

From a cybersecurity vendor’s perspective, De Mercado speaks of the need to “implement a phased transition strategy,” taking into account elements such as the type of information exchanged and its need for long-term confidentiality, available resources, compatibility with the existing architecture, and prioritization over other more immediate cybersecurity risks.

“In this context, the concept of cryptoagility is key: deploying solutions that allow for the agile change or combination of cryptographic algorithms when necessary, guaranteeing service continuity without needing to completely redesign the architecture or change providers,” he says.

De Mercado calls for “acting now” when dealing with sensitive information that must remain confidential long-term.

“In these cases, waiting for absolute certainty means taking a risk that may be unacceptable,” he says, adding the regulatory factor: Although there is no explicit European regulation on the subject, it can be linked to regulations such as GDPR, NIS2, or DORA, which establish protection obligations, “without explicitly limiting the time frame.”

“From this perspective, organizations that handle sensitive information long-term must begin to consider this risk as part of their security assessments,” he says, a trend that also applies to cybersecurity providers, “who are progressively incorporating quantum-safe algorithms and mechanisms into their products,” as is the case with Fortinet.

Regarding current demand, De Mercado observes an initial trend toward PQC, “as it requires less investment and is easier to integrate into existing environments. QKD is reserved for very specific scenarios, such as highly sensitive interconnections between large headquarters or data centers.”

Overall, he perceives an “uneven” level of concern, with the most regulated sectors or those with the highest confidentiality requirements at a more advanced stage of testing, transition planning, or even initial deployments of secure communications.

“Generally, the more mature an organization is in cybersecurity, the better it is at mitigating immediate risks and the greater its capacity to anticipate emerging threats such as quantum computing,” he says.

How to protect yourself

From the banking sector, CaixaBank addresses the quantum threat “understanding that it is a real risk and, as such, must be managed proactively,” a company representative said via email.

“The risk is already relevant, and it is necessary to have mitigation measures in place now,” the representative continued. “At the same time, the approach is not simply to replace one encryption algorithm with another, but to equip the bank with the necessary crypto agility to be able to rotate keys, change cryptographic models, or adopt new standards quickly and in a controlled manner when necessary. In this way, not only is this specific threat mitigated, but the bank’s resilience and preparedness for future technological changes are structurally strengthened.”

The firm itself is already developing a comprehensive plan, currently under way, with 2029 as the target date for a robust crypto-agility model. This plan has two complementary dimensions. On the one hand, it includes the new PQC schemes, which the bank is currently analyzing to determine how they can be incorporated in an orderly fashion.

“The goal is to ensure that the bank is technically prepared to protect both data in transit and data at rest, as these new standards reach the necessary maturity,” the bank’s representative said. But “the approach goes far beyond a one-off technological transition, taking the opportunity to build a structurally more robust, automated, and repeatable model that will allow for much greater agility in implementing any cryptographic changes in the future.”

CaixaBank is also participating in European projects to validate practical post-quantum security solutions applicable to the financial sector, as well as in industry forums such as the Quantum Safe Financial Forum (QSFF), where they “share experiences, define best practices, and contribute to a transition that is realistic, interoperable, and aligned with the sector’s regulatory requirements,” according to the bank’s representative.

With the quantum threat becoming increasingly prevalent, reviewing the cybersecurity model will soon be imperative for all companies.
