Key Points
- Cryptography underpins trust in the digital economy through authentication, digital signatures, and encryption that protects against tampering and unauthorized access. Post-Quantum Cryptography, or PQC, is intended to preserve these functions in an era when future quantum computers may weaken some of today’s widely used public-key cryptographic systems.
- The implications extend beyond confidential data. If the cryptographic mechanisms that support authentication, secure communications, software updates, electronic contracts, and system connectivity are weakened, the reliability of business transactions and critical infrastructure may also be affected.
- Migration will take time and should be treated as a management issue. Organizations need to understand where cryptography is used, which information requires long-term protection, and which vendors, cloud services, suppliers, and external connections are involved. If PQC readiness becomes a condition for procurement, international system connectivity, or trusted supply chains, delays may create operational and competitive disadvantages.
New Risks in the Quantum Computing Era
Imagine a company’s R&D records, unpublished design information, or other critical technology data being stolen in encrypted form through a cyberattack, only to become readable years later. Similar concerns apply to diplomatic, defense-related, and other strategically sensitive information. If the authentication systems that support critical infrastructure are weakened, the issue may extend beyond data leakage and affect the safe operation of essential services.
These scenarios remain hypothetical, but they are sufficiently plausible to warrant preparation. For companies holding R&D data or intellectual property that must remain confidential for many years, organizations operating critical infrastructure, and government agencies handling classified information, quantum computing is already becoming relevant to today’s risk management. The key question is whether current protections will remain reliable for as long as the information, systems, and services they protect continue to matter.
The reason is that sufficiently powerful quantum computers could alter the security assumptions behind some public-key cryptographic systems that are widely used today. These systems are currently considered secure because conventional computers cannot break them within a practical timeframe. That assumption may change once large-scale quantum computers become available. One recent estimate suggests that, under specific assumptions, a sufficiently powerful quantum computer could factor 2048-bit RSA integers in a matter of days to about a week. The concern is broader than the exposure of confidential information. Cryptography quietly underpins many of the digital mechanisms that make modern life and business possible.
Everyday business operations, including web conferencing, cloud services, remote access, data exchange with business partners, and electronic contracts, depend on cryptographic mechanisms that help keep communications private, verify counterparties, and prevent data tampering.
If these mechanisms are weakened, confidence in online business processes, system connectivity, and digital transactions may also be undermined. Preparing for the quantum computing era therefore means preserving the trust base on which business continuity depends. This is the practical context in which PQC migration should be understood.
What Is Post-Quantum Cryptography?
Post-Quantum Cryptography refers to cryptographic algorithms designed to remain secure against attacks by future quantum computers while running on today’s conventional systems. It is intended to preserve the trust functions that support today’s digital society if some of today’s public-key cryptographic systems become vulnerable in the quantum era. These functions are especially important in three areas: authentication, digital signatures, and encryption.
The first is authentication. Authentication confirms whether a person logging in is genuinely who they claim to be. It also helps determine whether a business partner, service, or system is legitimate rather than fraudulent.
The second is digital signatures. Digital signatures help verify that electronic documents, software updates, contracts, administrative records, and data have not been altered and that they were issued by a legitimate party.
The third is encryption. Encryption protects information from eavesdropping and unauthorized access. It prevents third parties from reading information exchanged between companies and systems and helps preserve the confidentiality of sensitive information stored over time.
These functions are basic infrastructure for organizations, products, and services around the world. Because they are widely shared, no single organization can solve the problem alone. Common technical standards are necessary.
In August 2024, the U.S. National Institute of Standards and Technology finalized three post-quantum cryptography standards. This marked a shift from research to implementation, signaling that PQC is no longer only a theoretical concern but an emerging requirement for real-world systems. PQC is now becoming a practical issue for product design, service architecture, procurement requirements, and interoperability with other systems.
Why Action Is Needed Before Quantum Computers Are Fully Practical
One major reason to begin preparing now is the risk known as Harvest Now, Decrypt Later, or HNDL. The idea is simple: attackers steal encrypted data today and store it, planning to unlock it once sufficiently capable quantum computers become available. In other words, even before practical quantum computers arrive, confidential information stolen today may become exposed years later.
Organizations therefore need to identify which types of information they currently store must remain protected into the future. HNDL risk is particularly serious when the information will still have value or sensitivity at the time it may eventually be decrypted. Examples include diplomatic and defense-related government secrets, R&D data, intellectual property, and medical information. For companies, unpublished design information or testing data may be protected today because it is encrypted. If that information becomes readable years later, however, it may damage competitiveness. In the case of dual-use technologies with potential military applications, leakage to foreign actors may also become a national security concern.
The Japanese government has also indicated the importance of considering earlier PQC migration for information that is highly sensitive or requires very long-term protection. The practical task for organizations is to clarify what information they hold, how long its confidentiality must be maintained, and which measures should begin at an early stage.
Migration Will Take Time
PQC migration is likely to be more complex and time-consuming than simply replacing one algorithm with another, because cryptography is embedded across systems, services, contracts, vendors, and business processes.
The first step is visibility. Before organizations can migrate, they first need to know what cryptographic technologies they use, where they are embedded, and what information or systems they protect. They then need to determine which information requires long-term protection, which systems should be prioritized, and which external parties must be involved.
Reliance on cloud services does not eliminate this responsibility. Cloud providers may continue to improve their own PQC readiness, but user companies still need to understand what remains within their own scope. Authentication settings, key management, external service connections, dedicated network links between sites such as site-to-site VPNs, on-premises business systems, and data links with partners may still require review. These components may follow different update timelines depending on vendor readiness, legacy system constraints, and coordination with external partners, making PQC migration a practical challenge.
This distinction matters because gaps between provider-side readiness and user-side operations can become weak points. Information with long-term value may still be stolen and stored if the surrounding systems, connections, or operational practices remain exposed.
For this reason, companies need to separate what cloud providers and vendors are expected to address from what must be confirmed, updated, or governed internally. Waiting until the quantum threat becomes more immediate may leave too little time for inventory work, prioritization, system updates, procurement coordination, and partner alignment.
Why PQC Is an Economic Security Issue
PQC readiness does not turn every cryptographic update into an economic security issue. The economic security dimension arises when delayed migration affects long-term protection of strategic information, critical infrastructure, supply chain participation, or national and industrial autonomy.
There are four main reasons.
First, delays increase the risk that sensitive information requiring long-term protection will be exposed domestically or internationally. This includes defense and diplomatic information held by governments, as well as R&D data and intellectual property held by companies.
Second, if confidence in authentication, digital signatures, and encryption is weakened, the safety and reliability of critical infrastructure may be affected. Finance, electricity, telecommunications, healthcare, and public administration all rely on these mechanisms to operate securely.
Third, PQC readiness may become a condition for government procurement, critical infrastructure projects, international system connectivity, or transactions with overseas companies and locations. Organizations that are not prepared may face disadvantages or, in some cases, exclusion from trusted supply chains.
Fourth, the ability to plan and implement this transition autonomously is connected to whether a country can independently maintain and operate critical infrastructure while avoiding excessive dependence on specific foreign technologies or vendors.
These risks place PQC at the intersection of cybersecurity and economic security, with implications for industrial competitiveness, infrastructure resilience, and the conditions under which digital systems can remain trusted across borders and supply chains.
Table 1. Major Risks If Quantum Computing Advances and PQC Readiness Falls Behind
| Risk Area | What Could Happen | Economic Security Implication |
|---|---|---|
| Critical infrastructure disruption | Authentication systems used in electricity, telecommunications, finance, transport, ports, healthcare, water supply, and other critical infrastructure may become vulnerable to unauthorized access, spoofed commands, or data tampering. | Disruption may spread to economic and social activity, including supply chains. |
| Supply chain exposure | Sensitive information collected to strengthen supply chain resilience, such as country-level dependencies, alternative procurement options, and inventory conditions, may be stolen and later decrypted. | Such information may be misused for economic coercion or to identify supply chain weaknesses. |
| Leakage of advanced technologies | R&D data, design drawings, source code, manufacturing know-how, and pre-patent information in fields such as semiconductors, AI, materials, and defense equipment may be stolen and later decrypted. | Corporate competitiveness, industrial foundations, and defense capabilities may be harmed. |
| Leakage of sensitive strategic information | Diplomatic cables, command-and-control information, intelligence communications, R&D data, technical know-how, and other strategically valuable information may be exposed. | Government sources and methods, defense or operational advantages, and industrial competitiveness may be compromised. |
| Disruption of administrative procedures and exposure of personal information | Trust infrastructure for national ID-related procedures, electronic certificates, electronic applications, and digital signatures for administrative documents may be weakened. | Risks of document tampering, impersonation, administrative disruption, and future exposure of personal data may increase. |
PQC Policy Status in Japan
Japan has started laying the institutional foundations for its PQC transition.
According to the 2025 interim report by the Cabinet Secretariat on the transition to PQC for government agencies and related entities, Japan aims, in principle, to complete the migration of government agencies and related organizations by 2035. This reflects the recognition that many countries and regions, including the United States, the European Union, the United Kingdom, and Canada, have set migration timelines targeting 2035. If Japan’s transition falls behind, international information sharing and system connectivity that assume comparable levels of security may be affected.
The same document states that a roadmap will be developed in fiscal year 2026, with relevant ministries and agencies working together to support a smooth transition.
On the technical evaluation side, Japan’s Cryptography Research and Evaluation Committees, or CRYPTREC, published its 2024 guideline on post-quantum cryptography in March 2025. The guideline organizes key issues related to the need for PQC, its use, and migration. CRYPTREC has also begun conducting security and implementation performance evaluations for the three algorithms published as NIST standards. In Japan as well, PQC is moving beyond research and becoming the subject of technical evaluation for implementation decisions.
Industry-facing initiatives have also started. According to materials published by Japan’s Ministry of Economy, Trade and Industry in 2026, pilot projects have begun to help companies identify the cryptographic technologies applied to their own information and systems. These projects are expected to examine which systems use which cryptographic technologies and, in cooperation with vendors, consider where PQC migration should begin. Based on the results, guidelines outlining migration steps and information on PQC-ready products are expected to be released around April 2027.
Overall, Japan has not yet entered a full-scale migration phase. However, government policy, technical evaluation, roadmap development, and industry-oriented demonstration support are beginning to move in parallel. PQC is already shifting from a preparation-stage issue to a matter of migration planning and implementation.
Implications for Companies
For companies, the realistic starting point is not to immediately replace all cryptographic systems. It is to build a clear inventory of where cryptographic technologies are used, which information requires long-term protection, and which vendors, cloud services, and external connections they depend on.
This also requires looking beyond cryptographic algorithms themselves. Advances in generative AI are making it increasingly possible to identify software and system vulnerabilities more efficiently. In the context of HNDL, the concern is that encrypted data may be stolen and stored today for future decryption. If attackers become better at finding system weaknesses and intrusion routes, they may also become better at reaching information with long-term value.
PQC readiness should therefore be treated as a broader review of information management and system operations. Companies need to ask which information will retain value over many years, through which systems and business processes it could be accessed, which external parties are involved, and how current controls should be improved.
The immediate task is to make this trust infrastructure visible enough to plan the transition in a realistic and prioritized way.
Conclusion
PQC migration raises a fundamental question: how can society preserve the mechanisms that support digital trust in the quantum computing era?
Authentication, digital signatures, and encryption have long supported business transactions, system connectivity, administrative procedures, and critical infrastructure. If the security assumptions behind these mechanisms change, the consequences would extend beyond cybersecurity, affecting business continuity, industrial competitiveness, infrastructure resilience, and economic security.
Because the risk of Harvest Now, Decrypt Later cannot be dismissed, this issue should not wait until quantum computers are fully realized. Public- and private-sector organizations should begin by identifying the information, systems, vendors, and connections that matter most.
Ultimately, PQC readiness is part of the broader task of adapting digital trust infrastructure to the quantum era.
(c) Alamy/amanaimages
