Why Your Organization Should Be Thinking About Quantum Computing and the Future of Encryption
Quantum computing (QC) is poised to disrupt cybersecurity in ways that business leaders and legal professionals cannot afford to ignore. But what exactly is quantum computing, why does it pose such a significant threat to encryption, and what should businesses be doing about it today?
What Is Quantum Computing?
To understand quantum computing, it’s helpful to first understand how traditional computers work. “Classical” computers process information using binary digits (“bits”), which are the smallest units of digital information. A bit can either be represented as a 0 or a 1, like a light switch that is either off or on. In fact, in computing terms, a “1” means a transistor (essentially a tiny circuit) is switched on and a “0” means the transistor is switched off—where “on” means electricity is flowing, and “off” means it is not. Every task a computer performs, whether it’s sending an email, running a program, or playing a video, ultimately comes down to a long sequence of these binary bits being processed step by step.
Quantum computers, however, operate on an entirely different level. Instead of using bits, they use quantum bits, or qubits. Qubits can exist in multiple states at once, thanks to a “spooky” phenomenon borrowed from quantum mechanics called superposition. Instead of being strictly 0 or 1 (off or on), a qubit can be both at the same time. Superposition is something like a spinning coin that is neither heads nor tails until you look at it. As a result, quantum computers can evaluate multiple possible outcomes simultaneously, rather than one at a time like standard computers.
Another key principle of quantum computing (also borrowed from the spooky world of quantum mechanics) is entanglement. When qubits become entangled, they form a special connection, even if they are physically separated by vast distances. Entanglement allows one to measure a qubit and instantly know the state of its entangled partner, no matter how far apart they are. Entanglement is like if you and your best friend had matching coins, and no matter how far apart you both are, if you flip yours and look at the result, you will instantly know what side your friend’s coin landed on. This reduces computational steps and allows problems to be solved much faster than with classical computing.
Qubits’ superposition and entanglement enable quantum computers to tackle problems that would take classical computers thousands of years to solve, because quantum computers explore massive solution spaces at once, coordinate computations in ways classical systems cannot, and harness interference to focus on the best solutions. While the technology is still in its early stages, major advancements by companies such as IBM and Google indicate that practical quantum computing is within reach. One of the most pressing concerns surrounding this advancement is its impact on encryption—the foundation of data security in today’s digital landscape.
How Modern Encryption Works
In today’s digital world, encryption is the backbone of security. Every time you send a message, enter a password or complete an online transaction, encryption is used to help keep your data private. Encryption is the process of converting information into an unreadable format that can only be deciphered with a specific key. The two most widely used forms of encryption are symmetric encryption and asymmetric encryption, each serving different purposes.
Symmetric Encryption: Effective but Vulnerable
Symmetric encryption relies on a single secret key to both encrypt and decrypt data. This method is highly efficient and is used for securing everything from stored files to secure internet connections. Popular algorithms like AES (Advanced Encryption Standard) are widely trusted and used by governments and corporations worldwide. However, the main challenge with symmetric encryption is securely sharing the secret key between parties. If an attacker intercepts the key, they can easily decrypt all protected information.
Asymmetric Encryption: The Foundation of Online Security
To solve the key-sharing problem, asymmetric encryption, also known as public-key cryptography, was developed. Instead of a single key, it uses a pair of mathematically linked keys: a public key that anyone can use to encrypt data and a private key that only the recipient can use to decrypt it. This system underpins many of the security protocols that protect internet communications, including HTTPS, email encryption, and digital signatures. Some of the most widely used asymmetric encryption algorithms include Rivest-Shamir-Adleman (RSA), Elliptic Curve Cryptography (ECC), and the Diffie-Hellman key exchange. These three encryption models form the backbone of online security and allow people to communicate over the internet securely without having to share a key.
As an example, RSA encryption relies on the mathematical difficulty of factoring the product of two large prime numbers. Multiplying two very large prime numbers together is easy and yields a massive number. That product is publicly shared and used to encrypt the data, but the original prime numbers, which are needed to decrypt the information, are kept private. If someone has only the product, factoring it back into the original prime numbers is extremely difficult, provided the prime numbers are sufficiently large. With current computing power, this process would take millions of years, which is why RSA is considered secure, at least for now.
All these encryption methods were designed with the assumption that certain mathematical problems are practically impossible for computers to solve within a reasonable timeframe, taking millions or billions of years. This assumption holds true for classical computers, which perform computations in a linear sequence (e.g., on, off, on, off, on, off, etc.). Quantum computers, on the other hand, can perform a large volume of varying computations simultaneously (i.e., not just in a linear fashion), thus posing an existential threat to standard encryption methods. Researchers have already developed quantum algorithms capable of breaking these cryptographic schemes once large-scale quantum computers become practical. Shor’s algorithm, a quantum algorithm developed in 1994, can utilize quantum computing to efficiently factor large numbers, potentially rendering RSA useless.
Though quantum computers today are not yet powerful enough to execute these attacks at scale, advancements in quantum hardware could bring this reality closer than many anticipate. There is also a growing concern around the so-called “store-now, decrypt-later” threat. This scenario envisions adversaries intercepting and storing encrypted data today, with the intention of decrypting it in the future once quantum capabilities become accessible. This is a particular concern for information that requires long-term confidentiality—such as sensitive personal data, commercial secrets or classified government information.
Regulatory Responses to the Quantum Threat
As quantum computing advances from theory to near-term reality, governments around the world are beginning to take proactive steps to address the significant risks it poses to data security. Policymakers recognize that quantum technology may one day render current encryption methods obsolete, threatening the confidentiality and integrity of sensitive data. In anticipation, jurisdictions including the European Union and the United States are developing legal frameworks, setting technical standards, and issuing policy guidance to support a transition to quantum-resistant cryptography.
EU Regulations and Policy Frameworks for Post-Quantum Cryptography
The European Union has recognized cryptographic security as a policy priority and is considering what steps are required to promote the development and adoption of post-quantum cryptography or quantum-safe cryptography.
Existing Legal Framework
Several EU laws already require organizations to maintain robust security measures that reflect both current threats and technological developments. For instance, the General Data Protection Regulation (GDPR) mandates that organizations implement appropriate technical and organizational security measures to protect personal data. What qualifies as “appropriate” depends on factors such as the state of the art (e.g., the most current, advanced, and effective security measures and technologies currently available), implementation costs, and the nature, sensitivity, and risk of loss associated with the personal data being processed.
Although the GDPR does not explicitly reference quantum technologies, its technology-neutral and principles-based approach means that as quantum computing advances and threatens traditional encryption methods, organizations may need to implement quantum-resistant (post-quantum) encryption solutions to remain compliant—particularly when processing sensitive or high-risk personal data. The UK Information Commissioner’s Office (ICO) adopted this approach in its 2024 Quantum Technologies paper, commenting that “organizations should consider identifying and addressing quantum risks as part of their existing legal obligations to adapt to new and emerging cyber threats to personal information.”
Similar state-of-the-art security obligations have been implemented in EU laws focused on cyber resilience, such as the NIS2 Directive (which applies to critical industries) and the Cyber Resilience Act (which applies to, among other things, connected products—or “Internet-of-Things” devices).
Policy Recommendations
Beyond binding laws, the EU has issued strategic recommendations to guide the transition to post-quantum cryptography. Notably, in April 2024 the European Commission published a Recommendation calling for a coordinated implementation roadmap for the EU’s shift to post-quantum cryptography (PQC). This policy document urges Member States to develop a harmonized strategy so that Europe’s digital infrastructure can migrate to quantum-safe encryption in sync.
By late 2024, a dedicated workstream on PQC was established under the NIS Cooperation Group (which coordinates cybersecurity policy among EU countries)—co-chaired by France, Germany and the Netherlands—to harmonize national strategies. A joint statement by 18 EU Member State cyber agencies in December 2024 urged “public administration, critical infrastructure providers, IT providers, as well as all of industry,” to make the transition to PQC a top priority. The statement stressed that systems handling sensitive data should be protected against cryptanalytically relevant quantum computers (CRQCs) well in advance, and that uncertainty around quantum development timelines should not delay action. In particular, it recommended mitigating “store-now, decrypt-later” risks as soon as possible, and at the latest by the end of 2030, along with developing detailed transition plans for public-key infrastructure systems within the same timeframe.
In addition, the European Union Agency for Cybersecurity (ENISA), acting on the EU’s policy direction, has issued technical reports providing guidance on integrating post-quantum algorithms into existing security protocols. These reports underscore the importance of cryptographic agility as a foundational principle for enhancing the resilience of EU networks. ENISA has also released draft implementation guidance for public consultation on the cybersecurity risk management measures mandated by the NIS2 Directive. Notably, this draft highlights the need to future-proof encryption mechanisms by, among other things, evaluating the adoption of quantum-resistant cryptographic algorithms.
Looking ahead, the EU’s policy framework calls for continuous assessment of progress—the Commission and ENISA will likely monitor adoption and might update recommendations or propose new regulations if the migration does not keep pace with the threat. The overarching message of EU policy is clear: plan and start the transition now. By proactively issuing recommendations and forming expert groups, the EU is signaling that governments and industries should not wait until quantum computers are full-fledged; they should begin updating cryptography systems in a coordinated manner to avoid a scramble later.
U.S. Regulations and Policy Frameworks for Post-Quantum Cryptography
The United States also has issued several standards, policies, regulations and laws addressing encryption standards in the post-quantum world:
- National Security Memorandum 10, released in 2022, explores the quantum future of the United States and proposes ways to mitigate the cryptographic risks of quantum computing.
- The U.S. enacted the Quantum Computing Cybersecurity Preparedness Act in 2022, requiring federal agencies to plan for post-quantum encryption. The Act required government agencies to inventory and prioritize systems vulnerable to quantum computing attacks within six months of its enactment. The Act also required the Office of Management and Budget to issue guidance on agency migration plans within one year of the National Institute of Standards and Technology (NIST) publishing post-quantum cryptography standards.
- NIST finalized three post-quantum cryptography standards (FIPS 203, FIPS 204 and FIPS 205) in August 2024, which are ready for immediate use.
- The National Security Agency (NSA) released its Commercial National Security Algorithm Suite 2.0 in 2022, outlining requirements for future quantum-resistant algorithms in national security systems.
- The Department of Homeland Security (DHS), in partnership with NIST, has released a roadmap to help organizations protect their data and systems and reduce risks related to the advancement of quantum computing technology.
- The Cybersecurity and Infrastructure Security Agency (CISA) established a Post-Quantum Cryptography Initiative in July 2024 to address threats posed by quantum computing and support critical infrastructure and government network owners during the transition to post-quantum cryptography.
These initiatives aim to prepare the United States for the potential threats posed by quantum computing to current encryption methods and to help facilitate a smooth transition to post-quantum cryptography across government agencies and the private sector. What organizations can take away from these policies and regulations is that mitigation of the quantum threat is an imminent reality that requires legal, technical and business buy-in today.
Mitigating the Quantum Threat: Legal, Technical, and Business Strategies
As quantum computing advances, businesses need a multifaceted strategy to counter the threat it poses to current encryption. This includes addressing legal obligations, deploying technical solutions, and updating business practices to help foster long-term data security.
Legal Considerations
Organizations should be aware of emerging regulations and industry standards that call for quantum-resistant security. As the technology of quantum computing crystallizes, governments and industry standards organizations will continue to craft laws and standards around the risk that quantum computing poses to information security, and it is important for companies to ensure their compliance as the regulatory landscape evolves.
Companies should also perform due diligence under existing data protection laws. Applicable regulations do not generally prescribe specific technologies but instead place the responsibility of safeguarding data on the data controller. To align with evolving security needs, organizations should begin proactively evaluating governance documents, policies, and supplier agreements in light of the potential risks posed by quantum computing. This includes revising vendor and client contracts to ensure third parties comply with new encryption standards as they emerge. By establishing a legal framework that mandates cryptographic upgrades and distributes responsibility across stakeholders, businesses can better prepare for the transition to quantum-safe security.
Business Procedures
Beyond the law, organizations should begin embedding quantum readiness in their risk management and operations. A prudent first step is conducting a risk assessment and cryptographic inventory—identifying all sensitive data and encrypted systems and evaluating which assets would be most at risk if quantum decryption became possible, especially considering the “store-now, decrypt-later” threat. Conducting a risk assessment should help prioritize what needs early migration to PQC.
Another priority is workforce training: IT staff, developers and security teams should be educated about quantum risks and new cryptography so they can implement changes correctly. Collaboration with technology partners will be key to staying ahead of developments. Businesses should work closely with cloud providers, cybersecurity vendors and industry consortia to pilot quantum-safe solutions and share knowledge. Such partnerships help organizations access expertise and tools for quantum security. By treating the quantum threat as a strategic enterprise risk, companies can allocate resources, update incident response plans and tailor their business continuity plans to account for the impact of potentially impaired encryption standards in the future.
Conclusion
No sector reliant on digital security is immune to the quantum threat, but cloud-based and data-driven businesses are especially affected. Cloud service providers are already adapting: Amazon Web Services has announced a phased plan to implement post-quantum cryptography in its infrastructure, offering some protections by default and enabling customers to opt into stronger quantum-safe settings as needed. Similarly, Google has started using post-quantum algorithms to secure internal communications on its networks, demonstrating confidence in the new encryption methods and setting an example for data-driven firms. The financial industry is also mobilizing due to its heavy reliance on encryption—Europol’s Quantum Safe Financial Forum has urged banks to make transitioning to PQC a top priority, warning that “Store now, decrypt later” attacks could jeopardize confidential data if action is delayed.
These real-world steps underscore that quantum preparedness is not theoretical – leading enterprises are acting now to integrate quantum-resistant measures into their business models, platforms, and customer offerings. Organizations that follow suit by learning from these examples will be better positioned to maintain trust and continuity in the face of quantum-driven disruption.