Post-quantum migration in the financial services industry
With recent publications from the likes of the G7, FS-ISAC, WEF, and the BIS Innovation Hub, there’s been a significant focus on preparing for the quantum threat in the financial sector. In fact in 2025, Europol’s Quantum Safe Financial Forum (QSFF) issued a ‘call to action‘ highlighting key recommendations for quantum resilience – a ‘strategic mandate’ for financial entities.
While the QSFF call to action was high level, Europol’s latest report – in collaboration with FS-ISAC and the Quantum-Readiness Working Group of the Canadian Forum for Digital Infrastructure Resilience – Prioritizing Post-Quantum Cryptography Migration Activities in Financial Services (January 2026) is much closer to an operational integration guide for European authorities and financial institutions. It outlines a prioritization methodology, balancing quantum risk against migration time, and emphasizing cryptographic agility.
There’s little doubt that post-quantum cryptography (PQC) is now moving from a theoretical threat to a critical integration challenge. In the last year in particular, the topic has shifted from ‘why’ and even ‘when’ – to the central question of ‘how’. Financial institutions cannot migrate everything at once, and the focus must be on executing effective migration strategies.
Europol’s report sets out a new prioritization framework that’s been developed by Europol QSFF, FS-ISAC, and the Quantum-Readiness Working Group. Its goal is to help organizations determine migration priority, by considering the Quantum Risk posed to a system, and the Migration Time required to update it. In other words, a calculation based on the severity of an attack on a particular system and the complexity, effort and time required to upgrade it to resilience.
How to prioritize
“A critical first step,” according to the report, “is to inventory all business use cases that rely on public key cryptography.” Europol sets out helpful parameters that help quantify the Quantum Risk:
- Shelf-life: How long does the data remain sensitive?
- Exposure: Is the data publicly accessible?
- Severity: What is the impact of a compromise?
Assessing Migration Time depends on the availability of PQC standards and products, as well as a comprehensive understanding of the systems in question. The report lists these parameters as:
- Solution availability: Readiness of PQC solutions
- Execution cost: Software update or hardware replacement?
- External dependencies: Do you rely on a complex supply chain or third-party vendor?
For PQShield, this is a key point. There can often be a skills or awareness gap when it comes to understanding your ecosystem, and what precisely needs to change. Additionally, it’s vital to bring leadership into the conversation, something that our CEO, Ali discussed in a recent article with Forbes Technology Council, and our Chief Strategy Officer, Ben Packman discussed at the 2025 Web Summit in Lisbon.
The Roadmap
Combining the Quantum Risk with the Migration Time creates a roadmap, and the report outlines how different use cases then fall into a priority list of:
- High (Red) – Immediate action if solutions are available
- Medium (Yellow) – Can be included in BAU (business as usual updates)
- Low (Green) – Address as part of standard modernization
The report goes on to describe two use cases where this methodology might be applied: HNDL attacks on public websites, and the more physical threat of fake cards being used for fraudulent payments. Real-world examples help to crystallize the importance of updating hardware, considering the supply chain, and finding solutions that can be implemented with minimal disruption.
It’s clear that the emphasis in 2026 is that transition to PQC is now a strategic imperative, not just a technical upgrade. Financial entities must start the inventory process, use methodologies such as Europol’s to identify the low-hanging fruit, build momentum and awareness from a boardroom level, and build crypto agility into solutions for the future.
You can read the full report here.