Get the basics on PQC and how to begin preparing for the emerging threats posed by post-quantum computing. Read more.
Post-quantum computing is no longer a distant theory; it’s on its way to becoming a real-world threat. Quantum computers are expected to have the power to break the encryption that we have employed for years, which protects everything from financial transactions to personal data and critical infrastructure. According to a 2024 survey, most businesses surveyed are extremely concerned about quantum computing’s potential to break through their data encryption. 60% in Canada and 73% in the US believe it’s only a matter of time before cybercriminals are using the power of quantum to decrypt and disrupt today’s cybersecurity protocols.1
This risk is amplified for organizations that have not yet implemented network-level zero trust. Without least privileged access and continuous verification, the network becomes vulnerable to attackers who can harvest encrypted data today and decrypt it later when quantum technology matures. The solution is post-quantum cryptography (PQC), a new generation of encryption designed to withstand quantum attacks. However, the transition to PQC requires intentional planning. Updating global systems, ensuring compatibility, and replacing deeply embedded cryptographic protocols could take years. Organizations that start planning now will be ready for the quantum era; those that wait could find themselves exposed when the shift happens.
What is post-quantum cryptography (PQC)?
PQC, sometimes called quantum-safe cryptography or quantum-resistant algorithms, refers to new cryptographic methods designed to resist attacks from both classical and quantum computers.
Most of the internet’s current security relies on Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms. These are mathematically strong against today’s attackers, but a sufficiently powerful quantum computer could crack them in hours. That means sensitive data encrypted today—financial records, personal health information, or long-term government secrets—could be harvested now and decrypted later in what experts call the harvest-now, decrypt-later threat model.
The U.S. National Institute of Standards and Technology (NIST) has already selected its first NIST PQC Standards. In August 2024, NIST published the following PQC standards: FIPS-203 ML-KEM, FIPS-204 ML-DSA, and FIPS-205 SLH-DSA. These will form the backbone of secure communication in the quantum era.
The conversation about PQC is evolving
HPE teams analyzed published articles to examine how discussions around PQC have evolved over the past year.
Research revealed that PQC is shifting from a niche security concern to a regulatory, strategic, and economic imperative. Vendors and regulators are driving hybrid cryptography, crypto agility, and zero trust pilots to protect long-lived data and critical systems. Enterprises that build quantum-ready, quantum-safe infrastructure are positioning PQC as both a security cornerstone and a competitive advantage while nations view them as a lever for geopolitical advantage.
QUID narrative analysis of media articles on PQC for October 2024–October 2025. Several common topics on
PQC emerged, including migration and crypto agility
Why must organizations act now on PQC?
Analysts and regulators are clear: Enterprises must prepare for PQC adoption. Here’s why:
- Compliance pressure is mounting: Regulators from Europol, the G7, and the UAE Central Bank have warned banks and critical industries to prepare. According to Forrester, many governments have established a deadline of 2035 for full migration to use postquantum cryptography.2 In financial services, regulators are treating PQC as a systemic risk. Enterprises that fail to act risk being out of compliance with upcoming mandates.
- Seamless PQC transition requires crypto agility: Crypto agility is the ability to swap in new algorithms and adopt hybrid cryptography solutions that combine classical and quantum-resistant approaches. According to McKinsey, “Businesses can mitigate quantum cybersecurity threats by adopting a safer, modular approach called crypto agility.”3
- Workforce readiness is a long-term process: PQC is not only a technology shift, but a people shift. A recent Capgemini survey noted that most organizations understood PQC was the most viable path to quantum safety, but the skills gap was limiting progress.4 Enterprises need to build a PQC-ready workforce to address cryptographic migration mandates and counter harvest now, decrypt later risks. Upskilling ensures a smoother transition, reduces compliance risk, and builds internal capability before PQC standards become mandatory.
How can companies prepare for PQC?
Successfully navigating PQC adoption requires organizations to take a multifaceted approach.
- Understand your quantum threat model: Inventory where cryptography is used across your enterprise and identify long-lived sensitive data. Evaluate the potential impact of a cryptographic compromise across different data types and systems and prioritize assets that demand long-term confidentiality. NIST National Cybersecurity Center of Excellence (NCCoE)’s PQC migration project makes cryptographic discovery/inventory the very first workstream, stating, “It is critical to begin planning for replacement of hardware, software, and services that use public-key algorithms now so that the information is protected from future attacks.”5
- Assess compliance requirements and readiness: In highly regulated sectors, it is a requirement that organizations must demonstrate post-quantum readiness by showing where they are exposed, outlining investment plans, and estimating timelines for full PQC adoption. If immediate adoption is not feasible, whether on the supplier or customer side, exceptions may be part of the compliance journey.
- Plan for hybrid (classic + PQC) deployments: Begin introducing hybrid RSA/PQC algorithms so you can strengthen encryption against quantum threats without disrupting existing systems. For example, test hybrid RSA/PQC solutions in Transport Layer Security (TLS), firewalls, and VPN gateways because they protect most enterprise traffic. NIST and the Internet Engineering Task Force (IETF) recommend hybrid approaches in these foundational layers as the pragmatic first step before wider application-level adoption.
- Adopt crypto agility: Ensure systems allow algorithm swaps so you can comply quickly with newer standards. NIST emphasizes crypto agility as a core requirement for PQC migration because standards and best practices will continue to evolve over the next decade.
- Prioritize PQC key management: Modernize public key infrastructure (PKI), automate key management and rotation, and adopt PQC key management frameworks. Without PQC-ready key management, hybrid or PQC deployments can’t scale securely or reliably.
- Train your workforce: Upskill staff on PQC, quantum-safe cloud security, and hybrid deployments. NIST / Cybersecurity and Infrastructure Security Agency (CISA) / National Security Agency (NSA) call for organizational road maps and preparedness (which includes staff readiness).
How can HPE help with PQC readiness?
HPE strives to provide customers with the most secure products and services possible, and starting January 1st, 2027, these algorithms will become the subject of mandatory requirements for certain government customers. Therefore, HPE requires all products and services to be PQC-capable by January 1, 2027, using approved quantum-resistant algorithms for all cryptographic functions, especially firmware and software signing. During the transition, both PQC and classical algorithms (such as RSA/ECDSA) will be supported for robustness and interoperability.
With these targets, HPE is guiding organizations through the post-quantum transition with a comprehensive, multi-layered approach. HPE is focused on enabling systems to adopt new encryption methods without major redesign, so organizations can embrace an agile cryptography approach. In addition, HPE embraces standards alignment, ensuring timely compliance with evolving NIST and global PQC requirements. HPE also integrates post-quantum protections across the supply chain, from hardware and firmware attestation to lifecycle management, strengthening the security foundation of enterprise infrastructure. For example, HPE iLO 7 incorporates an embedded ASIC with built-in post-quantum cryptography features, providing resilient remote management and protecting critical infrastructure from future quantum-era threats.
Learn more about HPE post-quantum cryptography
Visit the HPE Cybersecurity Awareness Month page for more information on how HPE can help you prepare defenses against post-quantum threats.
1 “Quantum is coming — and bringing new cybersecurity threats with it,” KPMG.
2 “It’s Time To Start Planning Your Postquantum Migration,” Forrester.
3 “Enabling the next frontier of quantum computing,” McKinsey.
4 “Future encrypted: Why post-quantum cryptography tops the new cybersecurity agenda,” Capgemini.
5 “Migration to Post-Quantum Cryptography,” NIST.
Meet the author
