Klaus Comments: Invest in PQC now or wait?

Everyone in the security community is talking about post-quantum cryptography (PQC) and the so-called Q-Day—the day when quantum computers become powerful enough to break some of today’s widely used cryptographic algorithms. Even Der Spiegel, one of Germany’s most influential news magazines, has recently covered the topic extensively with a headline as dramatic as: “The day when the world’s security collapses.”

So, should only cryptographers, standardization bodies, and protocol developers worry about PQC? Or must enterprises and public authorities also act today? Some argue it is still too early because:

• Q-Day is likely years, perhaps even decades away.
• The PQC standardization process is still ongoing.
• There are only a handful of PQC-enabled products on the market. In most cases, PQC support is still in the testing phase.
• And not every candidate algorithm has yet proven secure.

At first glance, this sounds reasonable. But experts warn against complacency. Their message is clear:start preparing now. Why the urgency?

• Migration is complex and time-consuming. Replacing cryptographic foundations across IT infrastructures cannot be done overnight.
• “Store now, decrypt later.” Sensitive data encrypted today may still be valuable when Q-Day arrives. Adversaries could be harvesting information already.
• Regulators are moving. Authorities such as Germany’s BSI and France’s ANSSI are drafting guidelines that will require critical systems to be quantum-resistant within the next decade.
• Talent shortages. Expertise in PQC is scarce, and the longer organizations wait, the harder it will be to secure skilled professionals.

The good news: the first steps in a PQC migration do not require finalized standards or market-ready products. Inventory and risk assessment can and should be started today. Organizations need to identify where cryptography is used, assess risks, and raise awareness among decision-makers, administrators, and end users. And, of course, it makes sense to start looking now at products that already support PQC—such as cryptovision GreenShield. This groundwork will pay off once the transition accelerates.
Conclusion: While it may be premature in most cases to deploy PQC right now, it is absolutely prudent to begin inventory and risk assessment today. Those who start early will not only reduce future risks but also ensure a smoother migration path. Eviden Digital Identity is ready to support you on this journey.