German PQC Report

German Cybersecurity Researchers Urge Immediate Shift to Post-Quantum Cryptography

Organizations should begin preparing for the quantum computing era today, according to a new German cybersecurity guide that warns that waiting for powerful quantum computers to arrive could leave sensitive data exposed years before the technology becomes operational.

The report, “Post-Quantum Cryptography in Practice: A Guide for Long-Term IT Security,” was published by researchers Leonie Wolf, Lukas Stoppel and Fabian Ising of ATHENE and the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT). The guide provides a framework for governments, public agencies and organizations seeking to protect communications and data against future attacks enabled by quantum computers.

The central message is that the transition to post-quantum cryptography, or PQC, is not merely a future technical upgrade but a long-term strategic effort that should already be underway.

According to the German cybersecurity researchers, the threat is driven by the potential of quantum computers to solve certain mathematical problems far more efficiently than conventional computers. Many of today’s widely used public-key encryption and digital signature systems, including RSA and elliptic curve cryptography, rely on those mathematical problems remaining difficult to solve.

If sufficiently powerful quantum computers become available, those protections could fail.

While such machines do not yet exist, organizations cannot afford to wait, according to the report. One reason is the growing concern surrounding so-called “harvest now, decrypt later” attacks. In this scenario, encrypted communications are intercepted and stored today with the expectation that future quantum computers will eventually be able to decrypt them.

That risk is especially significant for information that must remain confidential for many years. The guide highlights several categories of data that could be vulnerable, including health records, biometric information, political communications, diplomatic documents, legal records and other long-term sensitive information.

The researchers note that migration efforts often take years because of the complexity of modern information technology environments. Systems procured today may remain in service for a decade or longer, meaning organizations must account for quantum security well before the threat fully materializes.

‘A Threat With a Long Timeline’

The report points to growing concern among experts about the eventual arrival of cryptographically relevant quantum computers.

Drawing on findings from the Quantum Threat Timeline Report 2024, the guide notes that more than half of surveyed experts believe there is at least a 50% chance that a quantum computer capable of breaking a 2048-bit RSA key in less than 24 hours could emerge within the next decade.

Although estimates vary, the researchers advise that uncertainty about the exact timing should not delay action.

The German cybersecurity guide stresses that quantum computers should not be viewed simply as faster versions of conventional computers. Their significance lies in their ability to solve certain classes of problems using fundamentally different computational methods.

For cryptography, the most significant concern is Shor’s algorithm, which could efficiently solve the mathematical problems underlying RSA, Diffie-Hellman key exchange and elliptic curve cryptography. Those technologies currently form the backbone of secure internet communications, digital certificates and many authentication systems.

Not all cryptographic systems face the same level of risk.

Symmetric encryption algorithms such as the Advanced Encryption Standard, or AES, remain comparatively resilient. The report explains that quantum attacks against symmetric encryption would primarily rely on Grover’s algorithm, which effectively reduces security strength but does not completely break the encryption.

As a result, organizations can largely preserve security by increasing key lengths. The guide recommends using 256-bit keys for symmetric encryption systems such as AES and ChaCha20.

Post-Quantum Algorithms Already Exist

The researchers emphasize that the cybersecurity community is not starting from scratch.

After an eight-year evaluation process, the U.S. National Institute of Standards and Technology finalized its first set of post-quantum cryptography standards in 2024. These standards include ML-KEM for key establishment and ML-DSA and SLH-DSA for digital signatures.

Unlike RSA and elliptic curve cryptography, these algorithms are based on mathematical problems for which no practical quantum attacks are currently known.

The report notes that Germany’s Federal Office for Information Security, known as BSI, has also incorporated post-quantum algorithms into its recommendations and technical guidance.

At the same time, the guide acknowledges that post-quantum cryptography remains relatively new compared with decades-old systems such as RSA. Because of that, both NIST and BSI currently recommend hybrid approaches that combine classical and post-quantum cryptographic methods.

Hybrid systems are designed so that communications remain secure as long as at least one of the underlying cryptographic mechanisms remains secure. This approach provides a measure of protection while organizations gain operational experience with newer algorithms.
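The "secure as long as one mechanism holds" property comes from how the two shared secrets are combined, not from running two handshakes side by side. The following is an added example (not code from the guide or from NIST/BSI) of the combiner shape used by hybrid key establishment such as TLS 1.3's X25519MLKEM768 draft: the classical shared secret and the post-quantum KEM shared secret are concatenated and passed through a KDF together with the public transcript. The two input secrets, the salt label and the transcript bytes are constructed placeholders standing in for real X25519 and ML-KEM outputs.

```python
"""Hybrid key-establishment combiner (added example, not the guide's code).

A session key derived from both a classical and a post-quantum shared
secret stays unpredictable as long as either secret is unknown to the
attacker, which is exactly the guarantee the hybrid recommendation
relies on. Secrets, salt and transcript below are constructed.
"""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from both shared secrets.

    The secrets are concatenated into the KDF input rather than XORed:
    feeding both through a PRF is the robust combiner construction, and
    XOR alone is known not to preserve CCA security when one component
    fails. The public transcript (public keys, KEM ciphertext) is bound
    via `info` so the key is tied to this particular exchange.
    """
    return hkdf_sha256(classical_ss + pq_ss, salt=b"hybrid-kem-demo-v1", info=transcript)


def survives_classical_break(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bool:
    """Model the failure mode the guide describes: a future quantum attacker
    recovers the classical secret but not the PQ one. Returns True when the
    attacker's best guess (a fresh random PQ secret) does not reproduce the key."""
    real_key = hybrid_key(classical_ss, pq_ss, transcript)
    attacker_key = hybrid_key(classical_ss, secrets.token_bytes(len(pq_ss)), transcript)
    return attacker_key != real_key


if __name__ == "__main__":
    # Constructed stand-ins for the outputs of X25519 and ML-KEM decapsulation.
    c_ss = secrets.token_bytes(32)
    p_ss = secrets.token_bytes(32)
    tr = b"constructed transcript: client_pub || server_pub || kem_ciphertext"
    print("session key:", hybrid_key(c_ss, p_ss, tr).hex())
    print("key survives classical break:", survives_classical_break(c_ss, p_ss, tr))
```

Either secret on its own is enough to keep the derived key secret; the design choice that matters operationally is that the combined key, not the individual secrets, is what the protocol uses afterwards.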

Focus First on Visibility and Risk

Rather than urging organizations to replace every cryptographic system immediately, the guide recommends beginning with what it calls “no-regret moves” — actions that improve cybersecurity regardless of how quickly quantum computing advances.

The first recommendation is comprehensive inventory management.

According to the researchers, organizations often do not know exactly where cryptography is used throughout their networks. Before any migration can occur, IT teams should identify communication protocols, cryptographic libraries, algorithms, key lengths and dependencies across their infrastructure.

The report recommends documenting systems that rely on technologies such as TLS, VPNs, SSH connections and email encryption. Organizations should also map external dependencies involving software vendors, cloud providers and third-party services.

The researchers write that only systems that are documented can be effectively upgraded.

The guide also highlights the importance of crypto agility — the ability to replace cryptographic algorithms without redesigning entire applications. Systems built with crypto agility can adapt more quickly as standards evolve or new vulnerabilities emerge.

After inventorying systems, organizations should conduct risk assessments.

The framework proposed in the report evaluates three factors: the vulnerability of existing cryptography, the potential damage caused by compromise and the expected complexity of migration.

Systems protecting highly sensitive information for long periods receive higher priority. Likewise, systems that will require years to migrate should be addressed earlier because of their extended implementation timelines.

The report points to the European Union’s 2025 roadmap for post-quantum migration, which recommends that high-risk systems complete migration by the end of 2030 and begin planning no later than the end of 2026.
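The inventory and risk-assessment steps above translate naturally into a small triage tool. The following is an added example, not code from the guide: it reads a constructed cryptographic inventory export (system, protocol, key exchange, signature, cipher, how long the data must stay confidential, estimated migration effort), classifies each entry the way the report's threat analysis does (Shor-breakable key exchange with harvest-now-decrypt-later exposure, Shor-breakable signatures, Grover-reduced symmetric keys below 256 bits), scores it on the guide's three factors, and attaches the EU roadmap dates mentioned above. The CSV column names, the scoring weights and the sample rows are constructed assumptions for illustration; the algorithm names match those used by OpenSSH and the TLS hybrid drafts.

```python
"""Cryptographic inventory triage (added example, not the guide's code).

Scores each inventoried system on the three factors of the report's
risk framework: vulnerability of the current cryptography, damage if
compromised (confidentiality horizon), and migration complexity.
Column names, weights and the sample inventory are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory export. Real inventories would be generated from
# TLS/SSH scans, library manifests and vendor documentation.
INVENTORY_CSV = """system,protocol,key_exchange,signature,cipher,years_confidential,migration_years
patient-portal,TLS 1.3,X25519,RSA-2048,AES-128-GCM,30,2
vpn-gateway,IKEv2,ECDH-P256,ECDSA-P256,AES-256-GCM,10,5
admin-ssh,SSH,mlkem768x25519-sha256,ED25519,chacha20-poly1305@openssh.com,1,1
public-website,TLS 1.3,X25519MLKEM768,ECDSA-P256,AES-256-GCM,0,1
"""

# Substrings that identify a post-quantum or hybrid mechanism in common
# TLS / OpenSSH algorithm names.
PQ_MARKERS = ("MLKEM", "ML-KEM", "KYBER", "SNTRUP", "MLDSA", "ML-DSA", "SLH-DSA", "SLHDSA")

# EU roadmap dates cited in the report: high-risk systems migrated by end of
# 2030, planning started no later than end of 2026.
EU_MIGRATION_DEADLINE = 2030
EU_PLANNING_DEADLINE = 2026


@dataclass
class Finding:
    system: str
    issues: List[str]
    vulnerability: int      # 0..3
    damage: int             # 0..3
    complexity: int         # 1..3
    priority: int           # constructed weight: vulnerability * damage + complexity
    start_no_later_than: int


def is_post_quantum(alg: str) -> bool:
    """True if the algorithm name contains a PQ or hybrid component."""
    up = alg.upper()
    return any(marker in up for marker in PQ_MARKERS)


def symmetric_key_bits(cipher: str) -> Optional[int]:
    """Extract the symmetric key length from a cipher-suite style name."""
    up = cipher.upper()
    if "CHACHA20" in up:
        return 256  # ChaCha20 always uses a 256-bit key
    m = re.search(r"(?:AES|CAMELLIA)[-_]?(128|192|256)", up)
    return int(m.group(1)) if m else None


def assess(row: dict) -> Finding:
    issues, vulnerability = [], 0
    if not is_post_quantum(row["key_exchange"]):
        # Shor breaks the exchange, and recorded traffic can be decrypted later.
        issues.append(f"key exchange {row['key_exchange']}: Shor-breakable, exposed to harvest-now-decrypt-later")
        vulnerability = 3
    if not is_post_quantum(row["signature"]):
        # Signatures fail only once a quantum computer exists; no retroactive exposure.
        issues.append(f"signature {row['signature']}: forgeable once a CRQC exists")
        vulnerability = max(vulnerability, 2)
    bits = symmetric_key_bits(row["cipher"])
    if bits is None:
        issues.append(f"cipher {row['cipher']}: key length unknown, document it")
        vulnerability = max(vulnerability, 1)
    elif bits < 256:
        # Grover roughly halves effective strength; the guide recommends 256-bit keys.
        issues.append(f"cipher {row['cipher']}: Grover reduces to ~{bits // 2}-bit effective, move to 256-bit key")
        vulnerability = max(vulnerability, 1)
    years = int(row["years_confidential"])
    damage = 3 if years >= 10 else 2 if years >= 5 else 1 if years > 0 else 0
    mig = int(row["migration_years"])
    complexity = 3 if mig >= 3 else 2 if mig >= 1 else 1
    return Finding(
        system=row["system"],
        issues=issues,
        vulnerability=vulnerability,
        damage=damage,
        complexity=complexity,
        priority=vulnerability * damage + complexity,
        start_no_later_than=min(EU_PLANNING_DEADLINE, EU_MIGRATION_DEADLINE - mig),
    )


def triage(csv_text: str) -> List[Finding]:
    """Return findings ordered from highest to lowest migration priority."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((assess(r) for r in rows), key=lambda f: f.priority, reverse=True)


if __name__ == "__main__":
    for f in triage(INVENTORY_CSV):
        print(f"{f.system:15} priority={f.priority:2} start by {f.start_no_later_than}")
        for issue in f.issues:
            print("   -", issue)
```

A system with a long migration path can land above one holding more sensitive data, which is the guide's point about addressing long-running migrations early; the "start by" year falls before 2026 as soon as the estimated effort exceeds four years.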

Procurement May Be an Important Motivation

One of the guide’s strongest recommendations concerns procurement.

Because many government and enterprise software systems remain operational for years or even decades, the researchers write that purchasing decisions made today will determine how difficult future migrations become.

The report recommends requiring vendors to document their cryptographic implementations, support crypto-agile architectures and demonstrate compatibility with hybrid and post-quantum cryptographic methods.

Organizations should also prioritize products that support post-quantum key exchange mechanisms and, eventually, post-quantum digital signatures.

For existing infrastructure, the guide identifies several areas where progress can begin immediately.

Many internet-facing technologies already support post-quantum or hybrid cryptography. The report highlights developments in TLS, OpenSSH and certain VPN implementations. In some cases, organizations may be able to gain protection simply by updating software libraries, browsers, servers or network components.

Where native post-quantum support is unavailable, the researchers suggest interim approaches such as routing communications through post-quantum-capable VPNs or secure proxy layers.

The guide concludes that migration to post-quantum cryptography is unavoidable and that the most significant risk is delay. Organizations that start now can spread costs and planning efforts over several years while strengthening overall cybersecurity. Those that wait until quantum computers become operational may find themselves forced into rapid and expensive transitions under significantly greater pressure.
