THALES BLOG

2026 is the Year of PQC Action: Why the First 90 Days Matter

June 9, 2026

Sharon Ginga | Director of Product Marketing

The quantum market is having a very real investment moment. Government-backed initiatives, large private funding commitments, and accelerating infrastructure roadmaps all point in the same direction: quantum is moving from research ambition to engineered reality. For financial services, that changes the urgency. Post-quantum cryptography (PQC) can no longer sit in a “monitor and revisit later” category. 2026 needs to be the year organizations move from PQC awareness to action.

What has changed is not just the timeline - it is the expectation. Regulators, auditors, and boards are no longer asking if quantum risk matters; they are asking what evidence exists today that institutions are preparing. Organizations that cannot demonstrate progress risk falling behind not just technically, but in governance, auditability, and customer trust, aligned with emerging regulatory expectations.

That does not mean every organization will complete its migration this year, or that every application, partner, or ecosystem will be ready at the same time. But it does mean the conversation has changed. For financial services and other regulated industries, post-quantum cryptography is now an execution question: where to start, what to prioritize, which systems to test, which vendors to engage, and what evidence to build - based on current industry transition guidance. Many financial institutions are now asking: where do we start, and what does meaningful progress look like in the first 90 days?

The risk is twofold: sensitive financial data with long confidentiality horizons may be harvested today and decrypted later, while institutions that wait too long may be forced to compress discovery, testing, vendor engagement, architecture decisions, and remediation into an unsafe window. That is why the first 90 days matter.

2030 is not the start date

Financial services run on cryptography: customer authentication, mobile banking, payment rails, trading systems, APIs, cloud connectivity, PKI, code signing, certificates, backups, archives, partner networks, and high-value data flows. The challenge is that much of this cryptography was never designed to be inventoried, governed, tested, and changed at enterprise scale.

Changing that cryptographic foundation is not a simple upgrade. It is a multi-year operational resilience program. With PQC standards now in place, financial-sector guidance emerging, and governments publishing transition roadmaps, organizations have a clearer foundation for action. But standards and roadmaps do not create readiness by themselves. Readiness comes from control, testing, ownership, and evidence.

A common risk is treating PQC as a future migration rather than a present-day operational program. By the time full migration is required, institutions that have not established inventory, ownership, and testing discipline will face compressed timelines, uncontrolled dependencies, and increased operational risk.

That is why we created The Quantum-Safe Financial Enterprise: a practical Thales blueprint to help financial institutions operationalize crypto-agility, reduce Harvest Now, Decrypt Later (HNDL) exposure, and produce audit-ready evidence by 2030. It is built for the questions financial institutions are asking now: where do we start, what can we protect first, which systems need testing, which vendors do we need to engage, and what evidence will we need to show progress. The goal is to move PQC from a technical workstream into a governed resilience program, aligned with emerging regulatory expectations.

The first 90 days should prove the path

No one needs to migrate the entire enterprise in the first 90 days. But financial institutions do need to establish control, identify where to start, and begin building evidence. Start with a focused scope. Build an initial crypto system of record that captures where cryptography is used, who owns it, what data or processes it protects, what the change constraints are, and which systems have long confidentiality horizons.

From there, identify dependencies. Financial institutions rely on payment networks, market infrastructure, cloud providers, SaaS platforms, third-party vendors, partner networks, and customer channels. An interoperability register helps document where hybrid approaches may be needed and where external readiness will affect timing.

Then select one or two controlled starting points. The most useful pilots are not abstract lab exercises. They should be close enough to real architecture to teach the organization something useful about performance, interoperability, operations, monitoring, rollback, and evidence.

For many financial institutions, the practical first step is to start where they have control: one internal trust path such as PKI, signing, TLS, or code signing, and one critical network encryption route where both endpoints are under their operating model. That is where PQC starts to move from strategy to execution. The point is not to finish everything. The point is to build the operating muscle the broader migration will require.

Run two tracks in parallel

The guide recommends a two-track model because financial services environments are too complex for a single linear migration plan.

Track 1 focuses on data, identities, transactions, and critical applications.

This includes standardizing how applications consume cryptographic services, anchoring key custody and signing in HSM-rooted trust, and building crypto-agility into documented, repeatable change packages. For many financial institutions, that starts with the HSM infrastructure they already rely on for high-assurance key protection, PKI, TLS, signing, and code signing. Thales Luna HSMs provide a practical foundation for introducing quantum-safe and hybrid cryptography in a governed way. This is not just about introducing new algorithms - it is about maintaining continuity of trust in key management and signing workflows, ensuring that high-assurance key custody and compliance posture are preserved during transition.

Track 2 focuses on data in motion across critical interconnects the organization controls.

This is where institutions can often reduce HNDL exposure sooner, especially across inter-site, inter-data center, cloud, backup, disaster recovery, and selected partner connectivity. For these controlled network routes, Thales High Speed Encryptors help organizations protect sensitive traffic without waiting for every application, SaaS provider, or external ecosystem to be ready. This allows organizations to begin reducing exposure earlier, while broader application and PKI migration work continues.

Migration will not happen in a neat sequence. Systems will mature at different speeds. Hybrid operation may be needed for a limited time. Partners and vendors may take longer. Dependencies can become blockers. Waiting for the entire ecosystem to be ready delays progress. Start where you have control, build evidence, and use that evidence to expand.

Discovery should lead to action

Cryptographic discovery is essential. No serious PQC program can succeed without understanding where cryptography is used, what protects which data, who owns the systems, and where change will be difficult. But discovery should be treated as an on-ramp to migration, not a reason to pause everything else.

In the first 90 days, discovery should inform prioritization. It should help identify high-value data, exposed trust paths, long confidentiality horizons, and systems where vendor engagement needs to begin. It should feed the crypto system of record and help shape pilot scope. At the same time, organizations should move forward with architecture assessment, vendor discussions, controlled testing, remediation planning, and protection of critical links where possible. The goal is a living cryptographic view that supports continuous decision-making, not a one-time inventory that becomes stale as systems change.

Make evidence part of the work

One of the most useful shifts is to treat evidence as something created during the program, not assembled after the fact. By the end of the first 90 days, a financial institution should be able to show real progress: a defined scope, accountable owners, an initial crypto system of record, an interoperability register, selected pilot candidates, early vendor engagement, pilot criteria, and an evidence pack that grows as the program expands.

This is what regulators and stakeholders will ultimately assess: not whether the migration is complete, but whether progress is structured, governed, and measurable, in line with emerging expectations. That is not the full migration. It is the foundation for one. It also creates value now. The same work needed for PQC readiness strengthens the foundations of digital trust today: better cryptographic visibility, stronger key management, more resilient certificate lifecycle management, improved data protection, and clearer operational control.

The organizations that start now will not have all the answers on day one. But they will have something more valuable: a way to prioritize, test, engage vendors, protect what they control, and prove progress as the market evolves. The message is clear: take action now.

Learn how with The Quantum-Safe Financial Enterprise - a practical blueprint to help financial institutions move from strategy to execution by establishing control, prioritizing action, and demonstrating measurable progress toward quantum-safe readiness.

You can also join our upcoming PQC Thales Trust Horizon session for a discussion on how financial institutions are approaching this challenge, including common starting points, key decisions, and early lessons from the field.