Article
09/06/2026

London Tech Week Top Takeaways: Post-Quantum Cryptography - Legal Threats Businesses Can’t Afford to Ignore

For businesses still working to get across the elevated cybersecurity risk in an AI and post-Mythos era (see our articles here and here), the prospect of a cryptographically relevant quantum computer, i.e. one capable of breaking current encryption standards, might seem like a poorly-timed joke. But technology isn’t known for its wry sense of humour. For governments and technology giants, the possibilities and threats posed by quantum computing are shifting up the agenda. As such, any business relying on digital infrastructure would be well-advised to understand the threat and act as soon as possible. 

What is the threat?

Most modern encryption relies on mathematical problems, such as factoring extremely large numbers, that “classical” computers (i.e. the powerful ones we use today) cannot solve within any practical timeframe. Quantum computers, however, have the potential to crack widely used schemes such as RSA and elliptic curve cryptography in a matter of hours. This is because quantum computers use ‘qubits’ (quantum bits), which can exist in multiple states simultaneously, enabling them to solve certain mathematical problems far more quickly than traditional binary systems.

The implications are stark: confidential communications, digitally signed contracts, financial transactions, and personal data could all become vulnerable. Another issue is the "harvest now, decrypt later" risk, where malicious actors are collecting encrypted data today with the intention of decrypting it once quantum capabilities mature. This is a particular concern for organisations handling sensitive or enduring commercial or personal information (like trade secrets or medical histories). 

The regulatory landscape

The UK's National Cyber Security Centre (NCSC) has published guidance urging all organisations, particularly commercial enterprises, public sector organisations and critical national infrastructure, to begin planning their migration to quantum-safe algorithms. While relevant to all entities, the NCSC’s guidance is especially relevant for companies with bespoke IT. The EU's Cyber Resilience Act and the updated Network and Information Security Directive (NIS2) both place emphasis on cryptographic resilience as part of broader cybersecurity obligations. Businesses operating across jurisdictions must therefore consider an increasingly complex patchwork of requirements relating to encryption standards, data protection, and supply chain security.

Contractual implications

From a commercial contracting perspective, post-quantum cryptography raises multiple practical issues including:

  • Existing technology agreements: technology procurement agreements and outsourcing contracts, in particular, should be reviewed to determine whether they impose obligations regarding encryption standards and, critically, whether those obligations are future-proofed. A contract that mandates "industry-standard encryption" may prove inadequate if it does not contemplate the transition to post-quantum algorithms. Parties should consider including specific provisions requiring vendors to adopt NIST-approved post-quantum standards (which have been endorsed by the UK’s NCSC) within defined timeframes, along with clear allocation of the costs of migration.
  • New long-term agreements: long-term commercial agreements, such as joint ventures, licensing arrangements, or infrastructure contracts with durations of ten years or more, require particular scrutiny. Data encrypted today under these arrangements may still be sensitive when quantum decryption becomes feasible. Parties should consider how confidentiality obligations, data retention provisions, and security schedules will operate over the full life of the agreement.
  • Protection of personal data: data processing agreements under UK GDPR and equivalent frameworks already require "appropriate technical measures" to protect personal data. As quantum threats become better understood, what constitutes "appropriate" will evolve. Organisations that fail to plan for cryptographic migration may find themselves exposed to regulatory enforcement or civil claims on the basis that their security measures were no longer fit for purpose.

Practical steps

Whilst there is no suggestion that current encryption models are not fit for today’s standards, organisations should seek to address the quantum threat before it materialises. 

A sensible, forward-looking approach to mitigating future problems now includes taking (at least) the following preparatory actions:

  • conducting an inventory of all assets protected by cryptography to identify where vulnerable algorithms are deployed;
  • ensuring all protections and patching regimes are up to date and actioned (to better protect encrypted data from being collected in the first instance);
  • engaging with your technology providers on their quantum readiness roadmaps and, to the extent possible, with knowledge-sharing organisations and competitors about the steps that are being taken today;
  • reviewing vendor contracts for gaps in encryption and security obligations to the extent that these are not tied to current legislative requirements and appropriate technological standards; and 
  • ensuring that board-level governance frameworks recognise quantum risk as part of broader cyber resilience planning.

The next decade is expected to be critical in the development of quantum computing. The NCSC have earmarked 2035 as the key milestone by which all relevant systems should have completed the migration to post-quantum cryptography. While it may not be perfectly possible to protect technical systems and infrastructure now, legal protections for tomorrow’s threats can, and should, be remedied today to minimise disruption in what is expected to be a technically tumultuous decade.

If you would like to chat about these developments and what they could mean for your business, feel free to get in touch with Ben Milloy or Edward Robinson.
