Quantum computing and cybersecurity: what you need to know before it is too late 

Author Hadi COULIBALY

You have probably heard the term “quantum computing” more and more over the past few years. Tech giants are racing to build them, governments are funding them, and security experts are warning about them. But what exactly is a quantum computer, and why should your organization care right now? 

A different kind of computer 

To understand quantum computing, start with what you already know. A classical computer (the one on your desk or in your pocket) processes information as bits: tiny switches that are either off (0) or on (1). Every calculation happens step by step, following strict logical rules. 

A quantum computer works on an entirely different principle. Instead of bits, it uses “qubits”, which can represent 0 and 1 simultaneously, a property called superposition. On top of that, qubits can be entangled, meaning the state of one instantly influences another, regardless of distance. The result? A quantum computer can explore an enormous number of possibilities at once, solving certain categories of problems exponentially faster than any classical machine ever could.

To be clear: quantum computers are not just “faster computers.” They are a fundamentally different tool, one that happens to be extraordinarily good at a specific set of tasks, including breaking the encryption that protects the internet.

Why this is a cybersecurity problem 

Most of the encryption securing your emails, financial transactions, and digital identities today relies on mathematical problems that are practically impossible to solve with classical computers. Algorithms like RSA and ECC, the backbone of modern secure communications, are safe precisely because factoring large numbers or solving discrete logarithms would take thousands of years with today’s machines. 

A sufficiently powerful quantum computer running an algorithm called Shor’s algorithm could crack these protections in hours. Authentication systems, digital signatures, secure payment channels: all of it becomes vulnerable. 

The credible risk window, according to most experts, is somewhere between 2030 and 2035. And the consequences could extend well beyond that window: impacts on digital identity and signature integrity are expected to persist through 2040. That may sound distant, but one threat is already active today. 

Harvest now, decrypt later 

Even without a quantum computer capable of breaking encryption today, adversaries (including nation-state actors) are already patiently collecting encrypted data. The strategy is simple: harvest sensitive information now, store it, and decrypt it once quantum capabilities are mature enough. This is known as “Harvest now, decrypt later” (HNDL).

For organizations handling long-lived, high-value data (medical records, legal documents, financial contracts, state secrets) this is not a future problem. It is a present one. 

The regulatory clock is ticking 

Governments and regulators are not standing still. In Europe, the regulatory landscape is already taking shape. 

  • In April 2024, the European Commission published a roadmap for transitioning to Post-Quantum Cryptography. 
  • In July 2025, the European Commission communicated its European Quantum Strategy to the European Parliament and the Council, setting the stage for a dedicated Quantum Act. 
  • A European Quantum Act is expected to be proposed in Q2 2026, with the ambition of making Europe a global quantum leader by 2030. 

On the standards side, the US National Institute of Standards and Technology (NIST) has already finalized its first Post-Quantum Cryptography (PQC) standards, including ML-KEM (formerly CRYSTALS-Kyber) for key exchange and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures. 

From 2027 onward, security products requiring qualification in France will need to include quantum-resistant cryptography to be certified. By 2030, according to ANSSI, purchasing products without PQC will no longer be considered reasonable practice. 

What should your organization do now? 

The good news is that Post-Quantum Cryptography (PQC) exists and is ready to be implemented. The transition is manageable, but it takes time, and organizations that start early will avoid the costly rush of a last-minute migration. 

According to a November 2025 Gartner report (4 Steps Toward Postquantum Readiness, Mark Horvath), organizations should structure their approach around four key phases. 

First, establish enforceable cryptography policies and crypto-agility standards. Designate a cross-functional team responsible for defining cryptography policy, and require all new systems to support rapid algorithm swapping with minimal code changes. Regulators increasingly expect proof that your organization can update its cryptography quickly in response to emerging threats. 

Second, build and maintain a complete inventory of cryptographic assets. Identify every place cryptography is used across your systems, including cloud platforms, third-party integrations, and legacy infrastructure. Categorize assets by complexity (vendor products, custom applications, legacy debt) to prioritize your migration efforts, particularly for systems exposed to “Harvest now, decrypt later” risks. 

Third, develop phased timelines for your PQC transition. Define clear milestones: pilot testing with hybrid certificates, crypto-agile library adoption, and full migration to NIST-approved algorithms by 2030. A structured roadmap prevents last-minute scrambles and budget overruns. 

Fourth, require formal vendor assessments and contract standards. Never accept verbal assurances of quantum readiness. Mandate documented upgrade plans, cryptographic bills of materials, and contractual commitments with deadlines, including penalties if vendors fail to deliver. 
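
To make the inventory and prioritization steps concrete, here is an added example (not from the Gartner report or from Neverhack) that ranks a cryptographic inventory by "Harvest now, decrypt later" exposure. The asset fields, priority labels and sample rows are assumptions made for illustration; the 2030 threshold is the start of the risk window cited earlier in the article.

```python
from dataclasses import dataclass

RISK_YEAR = 2030  # start of the 2030-2035 risk window cited in the article
QUANTUM_VULNERABLE = ("ECDSA", "ECDH", "RSA", "DH")  # broken by Shor's algorithm
POST_QUANTUM = ("ML-KEM", "ML-DSA")                  # NIST PQC standards named above

@dataclass
class Asset:  # one row of a cryptographic inventory (field names are hypothetical)
    name: str
    algorithm: str        # e.g. "RSA-2048", "ECDH-P256", "ML-KEM-768"
    purpose: str          # "key-exchange" or "signature"
    data_lifetime: int    # years the protected data must stay confidential
    migration_years: int  # estimated years needed to replace the algorithm

def family(algorithm: str) -> str:
    """Reduce 'ECDH-P256' to 'ECDH'; anything unrecognised needs manual review."""
    name = algorithm.upper()
    for fam in POST_QUANTUM + QUANTUM_VULNERABLE:
        if name.startswith(fam):
            return fam
    return "UNKNOWN"

def priority(asset: Asset, current_year: int) -> str:
    fam = family(asset.algorithm)
    if fam == "UNKNOWN":
        return "REVIEW"
    if fam in POST_QUANTUM:
        return "OK"
    # Traffic recorded today is readable later if it is still sensitive
    # when the risk window opens: this exposure already exists.
    if asset.purpose == "key-exchange" and current_year + asset.data_lifetime >= RISK_YEAR:
        return "P1-HNDL"
    # The migration itself would only finish inside the risk window.
    if current_year + asset.migration_years > RISK_YEAR:
        return "P2-LATE"
    return "P3-PLANNED"

def prioritize(assets, current_year):
    """Return (priority, name) pairs, most urgent first."""
    order = ["P1-HNDL", "P2-LATE", "REVIEW", "P3-PLANNED", "OK"]
    ranked = [(priority(a, current_year), a.name) for a in assets]
    return sorted(ranked, key=lambda r: (order.index(r[0]), r[1]))

# Constructed sample inventory, not real systems.
SAMPLE = [
    Asset("vpn-gateway", "ECDH-P256", "key-exchange", 10, 2),
    Asset("code-signing", "RSA-2048", "signature", 3, 5),
    Asset("internal-chat", "ECDH-P256", "key-exchange", 1, 1),
    Asset("pilot-api", "ML-KEM-768", "key-exchange", 10, 0),
    Asset("legacy-hsm", "VENDOR-PROPRIETARY", "signature", 5, 3),
]
```

Calling prioritize(SAMPLE, current_year=2026) puts the VPN gateway first: its key exchange protects data that must stay confidential past 2030, so anything captured today is already exposed.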

The quantum threat is not science fiction, and it is not something to address in 2029. The decisions made in the next two to three years will determine how exposed, or how resilient, your organization is when the tipping point arrives.

These four steps are just the starting point. In our upcoming webinar, we will walk through the technical details behind each one, the full regulatory timeline, and concrete actions your team can take today. 
