Should Organizations Be Concerned About Post-Quantum Cryptography?

AI Governance
January 14, 20263 min read

Post-quantum Cryptography Readiness

Should Organizations Be Concerned About Post-Quantum Cryptography? According to the Capgemini report, the short answer is yes.

But before we go into more detail, let's first answer the question of what post-quantum cryptography is. Post-quantum cryptography refers to the design of cryptographic algorithms that are secure even against the computational power of quantum computers.

Here are key stats from the Report:

  • 70% of surveyed organizations are exploring or deploying PQC.

  • 61% of early adopters expect quantum breakthroughs within 10 years.

  • 57% are preparing for “Q-Day,” regardless of the exact timeline.

  • 70% say PQC is essential to maintaining their competitive edge.

  • Only 16% qualify as fully prepared “quantum-safe champions.

Quantum computing is evolving at a fast pace, and with it comes an impending cybersecurity crisis. Traditional encryption methods, like RSA (Rivest-Shamir-Adleman) and ECC are under threat. Quantum computers promise many changes and improvements, from advancing drug discovery to reimagining climate modeling. But they also pose a danger to cybersecurity. That is, the ability to break current cryptographic systems.

Techniques like “harvest-now, decrypt-later” are already being used by attackers to collect encrypted data in hopes of decrypting it once quantum capabilities catch up.

Capgemini’s report recommends that post-quantum cryptography (PQC) should be included in every organization’s security strategy, warning that time is running out.

65% of organizations surveyed expressed concern about this threat. If this is a real concern, then there should be an urgency to solve this problem

Regulatory Pressure Accelerates the Shift

·    Regulatory bodies are taking notice and action.

  • In 2024, the U.S. National Institute of Standards and Technology (NIST) finalized three post-quantum encryption algorithms - CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+ - urging immediate adoption.

  • In addition, according to the report, the NSA has recommended deprecating vulnerable encryption standards by 2030 (like RSA), with a full ban by 2035.

  • The EU has also called for critical infrastructure to be quantum-safe by 2030. These mandates make quantum safety a compliance issue as much as a security one.

How Are Organizations Responding?

Capgemini surveyed 1,000 global organizations with over $1 billion in annual revenue.  This is what they found.

  • 70% - the “early adopters” - are already assessing or deploying quantum-safe solutions.

  • The defense, banking, and aerospace sectors are leading the charge, with adoption rates nearing or exceeding 90%.

  • However, sectors like retail and consumer goods are lagging.

  • 61% of  early adopters believe that a cryptographically relevant quantum computer (CRQC) could emerge within the next decade.

  • 71% of early adopters see PQC as essential to long-term competitiveness and data security.

  • Companies like Vodafone and Apple have already started integrating PQC algorithms into their products

There’s consensus that quantum computing is no longer a distant concern - it’s an imminent risk.

Few Are Truly Ready For Post-quantum Cryptography

Despite growing awareness, only 15% of early adopters - termed “quantum-safe champions”—are fully prepared. These organizations have mature governance structures, cryptographic inventories, and technical infrastructure in place. The rest are still in early planning or pilot phases.

Barriers to adoption remain significant. Only 2% of cybersecurity budgets are currently allocated to quantum-safe initiatives. Most organizations face challenges like lack of training, unclear timelines, integration difficulties, and limited availability of mature PQC tools.

What to do now?

Experts across industries stress that organizations cannot afford to wait. The first public breach using quantum methods will trigger a crisis. Those who delay risk regulatory penalties, business disruption, and erosion of trust.

As Marco Pereira, Global Head of Cybersecurity at Capgemini, puts it:
“Quantum readiness isn’t about predicting a date - it’s about managing irreversible risk.”

The time to transition is now. Organizations that act early will not only protect their assets but gain a strategic advantage in the quantum era.

  1. Become “crypto-agility” - the ability to quickly switch cryptographic algorithms as threats and standards evolve.

  2. Maintain a comprehensive inventory of cryptographic assets.

  3. Plan phased migrations, focusing on crypto-agile infrastructure, and building cross-industry partnerships

Quantum threats are no longer theoretical. The race is on - and every organization needs to gear up for a future encrypted.

Post-quantum cryptographyPQC readinessQuantum-safe securityQuantum computing threatCybersecurity future-proofingQuantum-resistant encryptionCorporate cybersecurity strategyCRYSTALS-KyberDilithiumSPHINCS+Quantum risk managementCryptographic agility
Back to Blog