Quantum Migration: Mapping the Emerging Landscape
October 23, 2025
The advent of quantum computing represents a paradigm shift for cybersecurity in the financial sector. The potential for existing encryption methods to be compromised within the next 5–10 years has already catalysed concern and action across a number of financial entities and global regulatory and industry bodies. For every financial entity, the threat quantum computers present to encryption raises urgent questions regarding data protection, the risk of disruption to critical operations, and the resilience of the sector overall in an increasingly digitised financial ecosystem. Without action, banks will undoubtedly be caught out by the advent of cryptographically relevant quantum computers and their inevitable misuse by malicious actors to break encryption and access sensitive data. To mitigate this risk, financial entities must prepare by transitioning to post-quantum cryptography (PQC).
In response, GFMA have convened a series of expert-led roundtables to draw out and map the activities of institutions including the US National Institute of Standards and Technology (NIST), the Financial Conduct Authority (FCA), the World Economic Forum (WEF), the Bank of England’s Cross Market Operational Resilience Group (CMORG), and the Quantum Safe Financial Forum (QSFF). We recognise other bodies, such as FS-ISAC, are also active in this space.
This paper is intended to serve as an educational tool for circulation among non-quantum experts within financial entities. It provides a summary of the emerging landscape and proposes a set of collective next steps as financial entities endeavour to understand, prepare for, and ultimately transition to systems that are resistant to quantum attacks. The recommendations outlined herein reflect both the publicly available guidance, and the industry concerns shared during the GFMA sessions on preparing for quantum readiness.
Summary
Financial services must start preparing for a post-quantum future now, not when the technology arrives at scale. Multiple authorities signal the 2030–2035 window as the period when Cryptographically Relevant Quantum Computing risk becomes operationally material. For banks, this necessitates that mitigation planning be largely complete within the next 2–3 years to ensure that vulnerable systems are fully upgraded in time, with critical systems transitioned several years earlier. Failure to act promptly risks exposing banks’ digital infrastructures to both future and retrospective breaches.
Positively, although the technology is still evolving, there is increasing clarity on how financial services should approach the transition to post-quantum cryptography. This paper serves as an educational tool to raise internal awareness across banks’ operations, business lines, and management levels. It identifies the key risks that quantum computers could pose to cryptography, the timeframes by which these risks are expected to materialise, and how public sector bodies are collaborating with industry to ensure a successful migration.
Key points include:
- Quantum technologies are already presenting financial entities with new forms of risk: “Harvest Now, Decrypt Later” attacks are on the rise, putting today’s data at risk of future exposure, and requiring a proactive cryptographic migration.
- Timelines for quantum transition are tighter than many suspect: Some regulators are warning publicly that firms should have already started their implementation of PQC, with all advising that migration planning should be completed by either 2027 or 2028.
- Firms’ encryption protections need to be overhauled to remain intact for PQC: A phased, risk-based approach, supported by standards like NIST FIPS 203–205 (ML-KEM, ML-DSA and SLH-DSA) and aligned with global protocols, is emerging as the widely accepted best practice across jurisdictions.
- Financial entities often operate within intricate and multifaceted environments: These environments include a wide array of systems, applications, and platforms, each with its own set of cryptographic protocols and requirements. Mapping out all these components to create a comprehensive inventory is a detailed and labour-intensive task.
- Many financial entities rely on third party vendors and suppliers for various services: Ensuring that these external partners are aligned with the institution’s cryptographic standards and are prepared for the quantum transition requires thorough communication and coordination.
- There are a number of initiatives supporting industry to put their migration plans into practice: GFMA will continue supporting members by coordinating shared learning, monitoring regulatory developments, and showcasing implementation tools.
- Regulatory pressure can help drive forward the industry as a whole: we stress, however, that this should not take the form of new regulation, but rather supervisory attention during resilience testing, in IT Questionnaires and in ongoing inspections.