Trust is the backbone of the financial system. Trust that your savings won’t disappear overnight. Trust that your digital signature on a mortgage is legitimate. Trust that cybercriminals can’t reroute your retirement fund to a crypto wallet in Siberia. That trust relies heavily on cryptography, specifically, public-key encryption.
And quantum computing is about to shake that foundation.
The Bank for International Settlements (BIS) has just released a detailed roadmap urging the financial sector to start preparing now for the post-quantum era.
Why later is too late
While full-scale quantum computers capable of breaking today’s encryption don’t exist yet, they’re not some sci-fi fantasy either. According to recent estimates, we could see a cryptographically relevant quantum computer (CRQC) within the next 10 to 15 years.
But here’s the catch: the threat doesn’t begin when the CRQC turns on. It starts today. Adversaries can already collect encrypted data, your bank records, legal contracts, payment systems, and decrypt it later once they have quantum capabilities. It’s called “harvest now, decrypt later” (HNDL), and it’s a real risk for any data that needs long-term confidentiality.
In short: you don’t have 15 years. You have today.
What the BIS recommends
The BIS roadmap emphasizes that quantum-readiness is not a plug-and-play upgrade. Post-quantum cryptography (PQC) introduces performance, implementation, and governance challenges that require serious planning.
Key recommendations include:
- Build awareness and governance: financial institutions need a C-level owner for quantum-readiness and cross-functional teams to oversee migration strategy.
- Conduct cryptographic inventories: identify where and how cryptography is used in your systems. Spoiler: it’s everywhere.
- Plan a phased migration: Start with systems that store or transmit long-lived sensitive data. Pilot before you scale.
- Adopt cryptographic agility: build the ability to swap out cryptographic algorithms without re-architecting your systems.
- Use hybrid approaches wisely: some regulators advocate for combining classical and quantum-safe algorithms during transition. Others say pick one and go all in. The jury’s still out, but hybridization may help mitigate early implementation risks.
- Coordinate across the ecosystem: a single weak link—like a payments processor still stuck on TLS 1.2—can expose the entire chain. Central banks, regulators, and financial institutions need shared timelines and standards.
What’s realistic today?
Let’s be clear: Quantum Key Distribution (QKD) is not ready for wide deployment. It requires specialized infrastructure and doesn’t scale well.
Instead, Post-Quantum Cryptography (PQC) is the most viable option for now. The first standards were published by NIST in 2024, and global standard-setting bodies are following suit.
But these algorithms are not drop-in replacements. They have larger key sizes, more demanding processing requirements, and often require code-level rewrites. The BIS warns against underestimating this complexity.
What it means for Belgium, and beyond
For Belgium’s financial sector, and really, for every highly connected jurisdiction, this isn’t just about future-proofing your local systems. Brussels sits at the heart of Europe’s regulatory and financial machinery. Delaying action means exposing not just your own infrastructure, but potentially the broader European financial system.
If we wait until quantum threats are “real,” we’ve already lost the race.
TL;DR? Here’s a quick summary
- The quantum threat is not hypothetical—it’s approaching, and the risks are real today.
- Migration to quantum-safe cryptography will be complex and slow—so you better start early.
- BIS lays out a sensible, coordinated roadmap with steps every institution can follow.
- PQC is the go-to solution for now. QKD? Maybe someday.
- Start with awareness, inventories, and strategy—and don’t do it alone.
The time to act is now. Or, as BIS might have said if they weren’t so polite: fix the roof before the quantum storm hits.
👉 Read the BIS roadmap in full.
