Post-quantum cryptography: why a cryptographic inventory belongs on the 2026 board agenda
The standards are set and the financial system has started to move. The first task for 2026 is to find where your organisation already uses the cryptography that quantum computers will eventually break.
Most boards have never been asked where their organisation keeps its encryption. In 2026 the question is worth asking, because the answer takes longer to produce than most people expect.
In August 2024 the United States National Institute of Standards and Technology (NIST) published its first three post-quantum cryptography standards, the algorithms designed to resist a future quantum computer. NIST has since set out a transition. The public-key algorithms in wide use today, including RSA and elliptic-curve cryptography, are to be deprecated after 2030 and disallowed after 2035. No quantum computer capable of breaking them exists today, so the deadlines are set in anticipation of one.
While the world waits for that machine, there is an immediate risk. Encrypted data can be captured now and stored until it can be read, an approach known as harvest now, decrypt later. For a bank, an insurer or a healthcare provider, much of what is confidential today will still be confidential in 2035. Data with a long life is already exposed.
“
Data with a long confidential life is already exposed. The machine that reads it can arrive later.
The financial system has read the same signals. In July 2025 the Bank for International Settlements published a quantum-readiness roadmap for the sector, and its first instruction was practical: build a cryptographic inventory, and develop crypto-agility, the ability to change algorithms without re-engineering every application that relies on them. SWIFT, the network nearly every regulated institution touches, has said its SwiftNet 8.0 release in 2027 will support post-quantum cryptography. The direction of travel is consistent across standards bodies and market infrastructure.
This is a governance question with a long lead time. The technology purchase comes later. Cryptography sits inside applications, certificates, payment messages and supplier systems, much of it undocumented. Producing a reliable inventory of a complex estate is measured in months, and the migration that follows it in years. The organisations with room to plan are the ones that started while the deadlines were still distant.
For a DIFC institution the exposure is the same as anywhere else, because the data and the plumbing are global. The regulatory direction of travel points the same way.
The board does not need to follow the mathematics. It needs to know that one thing has been done: that someone can say where the organisation uses cryptography, and what that cryptography protects. If you cannot answer that yet, it is the place to begin, and it is work we can take on with you.
References
NIST, Federal Information Processing Standards 203, 204 and 205 (post-quantum cryptography standards), 13 August 2024. Primary; linked in-text on first mention.
NIST IR 8547 (initial public draft), Transition to Post-Quantum Cryptography Standards, November 2024. nvlpubs.nist.gov
Bank for International Settlements, BIS Papers No 158, Quantum-readiness for the financial system: a roadmap, 7 July 2025. bis.org
The Quantum Insider, Quantum Security Deadlines are Here – What Happens Next?, 8 May 2026. Secondary.
Hossein Fezzazi
Chief Operating Officer at Penta
Hossein Fezzazi is COO at Penta, where he works closely with financial institutions across Europe and the Middle East to strengthen IT governance, cybersecurity, and compliance frameworks.
He has prepared IT infrastructure audit reports for business in renowned financial centres, with a particular focus on emerging regulatory regimes such as the EU AI Act and the Gulf region’s cybersecurity frameworks. His expertise lies in helping organisations turn regulatory obligations into opportunities to build trust, resilience, and innovation.
