Most boards have never been asked where their organisation keeps its encryption. In 2026 the question is worth asking, because the answer takes longer to produce than most people expect.
In August 2024 the United States National Institute of Standards and Technology (NIST) published its first three post-quantum cryptography standards, the algorithms designed to resist a future quantum computer. NIST has since set out a transition. The public-key algorithms in wide use today, including RSA and elliptic-curve cryptography, are to be deprecated after 2030 and disallowed after 2035. No quantum computer capable of breaking them exists today, so the deadlines are set in anticipation of one.
While the world waits for that machine, there is an immediate risk. Encrypted data can be captured now and stored until it can be read, an approach known as harvest now, decrypt later. For a bank, an insurer or a healthcare provider, much of what is confidential today will still be confidential in 2035. Data with a long life is already exposed.
The financial system has read the same signals. In July 2025 the Bank for International Settlements published a quantum-readiness roadmap for the sector, and its first instruction was practical: build a cryptographic inventory, and develop crypto-agility, the ability to change algorithms without re-engineering every application that relies on them. SWIFT, the network nearly every regulated institution touches, has said its SwiftNet 8.0 release in 2027 will support post-quantum cryptography. The direction of travel is consistent across standards bodies and market infrastructure.
This is a governance question with a long lead time. The technology purchase comes later. Cryptography sits inside applications, certificates, payment messages and supplier systems, much of it undocumented. Producing a reliable inventory of a complex estate is measured in months, and the migration that follows it in years. The organisations with room to plan are the ones that started while the deadlines were still distant.
For a DIFC institution the exposure is the same as anywhere else, because the data and the plumbing are global. The regulatory direction of travel points the same way.
The board does not need to follow the mathematics. It needs to know that one thing has been done: that someone can say where the organisation uses cryptography, and what that cryptography protects. If you cannot answer that yet, it is the place to begin, and it is work we can take on with you.