Do not look for post-quantum transition plans — none currently exist.
This clear statement comes from the National Cybersecurity Agency of France (ANSSI), based on a survey conducted among its beneficiaries — mainly, regulated entities.
More than half of these organizations appear to be at risk due to threats posed by quantum computing. The agency attributes this vulnerability to insecure practices susceptible to retroactive attacks. For instance, the use of VPNs to transmit sensitive information that must remain confidential for more than ten years, or the reliance on digital certificates with lifespans exceeding that period.
While most surveyed organizations are aware of the quantum threat, they lack understanding of its concrete impact on their IT infrastructure. Consequently, nearly all have not initiated, planned, or allocated budget for risk analysis activities. Urgent use cases are not clearly identified, and cybersecurity managers are uncertain about the timeline for system migrations or the time needed to carry out such transitions.
In the current situation, organizations tend to rely on each other to move forward, summarizes ANSSI. The absence of formal communication from France — such as an official date or an incentivizing schedule — hampers understanding of the overall quantum agenda. Furthermore, there are no regulatory requirements or dedicated support services to encourage proactive measures.
Inertia also prevails among PASSI…
An additional survey, conducted from late 2023 to early 2024, focused on organizations providing support services. The sample consisted of 34 providers, mostly PASSI (Public Assurance of Information Security) organizations. The results, summarized by ANSSI last October, highlighted a weak demand — 70% of providers had not delivered any services related to quantum readiness — alongside an immature market offering, with 70% lacking structured service offerings.
Regulatory mandates (or lack thereof) were already identified as a key obstacle, reinforcing clients’ tendency to remain passive. Regarding service providers, they expressed a greater willingness to be supported in advancing their skills than in undergoing formal evaluations or assessments.
Similarly cautious among solution vendors…
A separate study, carried out between May and July 2023, examined the landscape of companies developing cryptographic components for digital solutions. The sample included 18 firms involved in post-quantum cryptography design.
Implementation barriers highlighted include:
- Only a few specialists possess comprehensive expertise in post-quantum primitives.
- The lack of standards or norms describing algorithms or methods for hybrid cryptographic schemes.
- An absence of reference software modules or best-practice guides for implementation, raising concerns about security lapses or vulnerabilities.
- The need to update existing standards to incorporate post-quantum cryptographic methods.
- Im maturity in hardware implementations, which limits real-world deployment.
- Concerns about potential performance losses, particularly regarding the execution of post-quantum signatures.
