What Directors Need to Know About Quantum Risk Before 2030: A Board Briefing

I write for board-level readers. The technical literature on quantum computing and quantum cryptography is extensive, rigorous, and largely impenetrable to anyone who is not a quantum physicist. I have linked the relevant research papers at the bottom of this article for colleagues who want the science.

This briefing covers what a director needs to understand, what decisions they need to make, and what the governance failure modes look like — without requiring a PhD in quantum information science to act on it.


The core governance fact

Quantum computing will, within the current decade or shortly after, be capable of breaking the encryption standards that protect virtually all sensitive digital communications. The timeline is uncertain — estimates from the quantum research community range from 2028 to beyond 2035 for cryptographically relevant quantum computers. But the HNDL (Harvest Now, Decrypt Later) threat means that the governance-relevant timeline is shorter than the technical one: adversaries are collecting encrypted data today with the intention of decrypting it when quantum computers become capable.

For most organisations, this means: if you are transmitting sensitive information today — intellectual property, commercially sensitive communications, financial records, health data — that information may be readable by adversaries within the decade, using quantum decryption of data captured now.

The governance decision this requires is not “when should we respond to quantum computing.” It is “what is the sensitivity horizon of our most important data, and what encryption should protect it.”


Three things that have changed in the last eighteen months

NIST finalised its PQC standards in August 2024. The algorithms that will replace RSA and ECC are no longer draft proposals — they are federal standards (FIPS 203, 204, and 205). The technical uncertainty about which post-quantum algorithms to migrate to has been resolved. The governance uncertainty about whether to begin planning has also been resolved, by the standards’ existence.

The NCSC and ENISA published PQC migration guidance. The UK’s National Cyber Security Centre and the EU Agency for Cybersecurity have both published practical migration guidance for organisations. The NCSC recommends that UK organisations in critical sectors have migration plans by 2028. These are not targets organisations can easily dismiss.

NIS2 personal liability is now in force. From October 2024, directors of essential and important entities in the EU are personally liable for cybersecurity governance failures. The management body’s obligation to approve and oversee cybersecurity risk management measures — including the organisation’s approach to the quantum transition — now carries personal liability rather than just regulatory liability for the company.

These three developments, in combination, changed the governance position for boards. Before August 2024, a board could reasonably describe PQC migration as “on the watchlist.” After August 2024, a board of an organisation in scope for NIS2 that has not begun migration planning has a governance gap that carries personal liability.


The risk categories directors need to understand

Risk category 1: Direct business data exposure

The first question for any director: which of our data categories is sensitive over a five-plus year horizon? Candidates include:

  • Intellectual property, R&D data, proprietary algorithms
  • Merger and acquisition negotiations and strategy
  • Long-term legal and contractual communications
  • Patient and health data (long privacy obligation horizon)
  • Financial records subject to long retention requirements

For each category that meets the five-plus year sensitivity test, the data transmitted today is within the HNDL threat horizon. This is the risk that most immediately justifies migration prioritisation.

Risk category 2: Supply chain and third-party exposure

The organisation’s encryption is only as strong as the weakest cryptographic link in its supply chain. The payment processor, the cloud provider, the HR system vendor — each carries cryptographic implementations that may or may not be on a PQC migration path. If a critical supplier’s data is harvested and decrypted, the contractual and reputational consequences may fall on your organisation as much as theirs.

Risk category 3: Regulatory exposure

For organisations in NIS2 scope, the personal liability dimension makes quantum risk a director-level concern rather than just a CISO concern. For organisations subject to DORA, the ICT third-party risk requirements extend to the quantum readiness of critical ICT suppliers. The EU AI Act’s Article 9 risk management requirements for high-risk AI systems include security requirements that are relevant to the cryptographic protection of those systems.

The combined regulatory exposure for a mid-sized financial services company operating in the EU — NIS2, DORA, EU AI Act — creates a governance obligation for quantum risk that is direct and specific.


What the board needs to decide before 2030

Four governance decisions, in order of priority:

Decision 1 — Commit to a cryptographic inventory. The board cannot govern a risk it has not measured. Commission the CISO or CTO to deliver a cryptographic inventory — a written assessment of which systems use which cryptographic standards — within a defined timeframe. This is the prerequisite for every subsequent decision.

Decision 2 — Classify long-lived sensitive data. Confirm which data categories in the organisation have a sensitivity horizon beyond five years. This decision determines the urgency of the migration for those specific data categories, separate from the general migration timeline.

Decision 3 — Approve a phased migration plan. Once the inventory is complete, the board should receive and approve a phased migration plan: which systems migrate first, in what order, against what timeline, with what resource requirement. The plan should include the third-party dependency assessment — which vendors’ migration timelines are critical to the organisation’s own.

Decision 4 — Establish board-level quantum risk reporting. Quantum risk is material enough, and the regulatory environment specific enough, to warrant a standing quarterly item in board reporting. The format: progress against migration milestones, status of critical third-party dependencies, any new quantum research developments that change the threat timeline assessment.
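The four decisions above form a single procedure: inventory the cryptography, classify the data by sensitivity horizon, prioritise the migration, and report. The block below is an added example, not material from the author or from any standards body, of what the output of that procedure looks like when the briefing's rules are applied to a cryptographic inventory. The inventory rows, the system and supplier names, the algorithm labels (FIPS names for the post-quantum algorithms, a "+" for hybrid key exchange) and the priority ordering are all assumptions made for illustration.

```python
"""Cryptographic inventory triage for board reporting.

Added example with constructed data. It applies two rules from the briefing:
RSA/ECC-family public-key algorithms are quantum-vulnerable, and vulnerable
cryptography protecting data with a sensitivity horizon of five-plus years is
within the Harvest Now, Decrypt Later (HNDL) threat horizon.
"""
from dataclasses import dataclass

# Public-key algorithms the FIPS 203/204/205 standards are intended to replace.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# Algorithm names of the three NIST standards (assumption: the inventory records
# them under these names, joined with "+" when used in a hybrid scheme).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
SENSITIVITY_THRESHOLD_YEARS = 5  # the briefing's five-plus year test


@dataclass
class InventoryEntry:
    system: str
    algorithm: str          # e.g. "RSA", "ECDH", "X25519+ML-KEM", "AES"
    key_bits: int
    data_category: str
    sensitivity_years: int  # how long the data remains sensitive
    third_party: bool       # operated by a supplier rather than in-house


def is_quantum_vulnerable(entry: InventoryEntry) -> bool:
    """True if the entry relies solely on quantum-vulnerable public-key algorithms.

    A hybrid such as "X25519+ML-KEM" is not counted as vulnerable, because the
    PQC component still protects the session if the classical one is broken.
    Symmetric ciphers (e.g. AES) are outside the RSA/ECC scope of the briefing
    and return False here.
    """
    parts = {p.strip().upper() for p in entry.algorithm.split("+")}
    if parts & PQC:
        return False
    return bool(parts & QUANTUM_VULNERABLE)


def is_hndl_exposed(entry: InventoryEntry) -> bool:
    """HNDL exposure: vulnerable cryptography protecting long-lived sensitive data."""
    return (is_quantum_vulnerable(entry)
            and entry.sensitivity_years >= SENSITIVITY_THRESHOLD_YEARS)


def migration_priority(entry: InventoryEntry) -> tuple:
    """Sort key (assumed ordering): HNDL-exposed first, then any quantum-vulnerable
    system, then longer sensitivity horizons, then supplier-operated systems, whose
    migration timeline the organisation does not control."""
    return (is_hndl_exposed(entry), is_quantum_vulnerable(entry),
            entry.sensitivity_years, entry.third_party)


def triage(inventory: list) -> list:
    """Inventory ordered from most to least urgent to migrate."""
    return sorted(inventory, key=migration_priority, reverse=True)


def board_summary(inventory: list) -> dict:
    """Headline figures for the standing quarterly board item."""
    vulnerable = [e for e in inventory if is_quantum_vulnerable(e)]
    exposed = [e for e in inventory if is_hndl_exposed(e)]
    return {
        "systems": len(inventory),
        "quantum_vulnerable": len(vulnerable),
        "hndl_exposed": len(exposed),
        "hndl_exposed_third_party": sum(1 for e in exposed if e.third_party),
        "migration_order": [e.system for e in triage(inventory)],
    }


# Constructed sample inventory: none of these are real systems or suppliers.
SAMPLE_INVENTORY = [
    InventoryEntry("customer-portal-tls", "RSA", 2048, "financial records", 7, False),
    InventoryEntry("payments-gateway-api", "ECDH", 256, "financial records", 7, True),
    InventoryEntry("hr-saas-sso", "RSA", 3072, "HR records", 3, True),
    InventoryEntry("research-vpn", "X25519+ML-KEM", 768, "R&D data", 10, False),
    InventoryEntry("backup-at-rest", "AES", 256, "patient data", 10, False),
]

if __name__ == "__main__":
    for key, value in board_summary(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed inventory the summary reports five systems, three quantum-vulnerable, two HNDL-exposed (one of them supplier-operated), and places the supplier-operated payments gateway first in the migration order: it is both exposed and outside the organisation's direct control. The HR system is vulnerable but falls below the five-year test, so it ranks below the two exposed systems, which is the distinction Decision 2 is meant to surface.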


The timeline question

“When will quantum computers be capable of breaking RSA-2048?”

This is the question boards most often ask, and it is the question that most frustrates the quantum security community because the honest answer is: uncertain, but probably within this decade, and definitely within the planning horizon for long-lived sensitive data.

The governance-relevant observation is that the uncertainty itself is the governance challenge. An organisation that waits for certainty about the quantum timeline before beginning migration planning will be late. The migration is complex, the supply chain dependencies are long, and the cost of having migrated too early is negligible compared to the cost of having migrated too late.

The NCSC’s recommendation — begin planning now, migrate highest-priority systems first — is the right governance response to the uncertainty.


The question boards are not asking

Most boards that receive quantum risk briefings focus on the timeline question: when does this become critical? The question they are not asking is more immediately relevant: have any of our AI or data systems processed sensitive data in the last twelve months that would be valuable to a state-level adversary with quantum capability in 2030?

If the answer is yes — and for most organisations in financial services, healthcare, defence supply chain, or professional services, it probably is — the HNDL threat is already active. The decision about migration planning is not a future governance question. It is a present one.


The Quantum Risk: What Directors Need to Know is an executive briefing document that covers the full quantum risk picture for directors: the HNDL threat, the NIST standards, NIS2 personal liability, the four board governance decisions, and what a proportionate migration plan looks like for a mid-sized company. It is not a technical paper. It is a governance resource written for the director who needs to ask the right questions.

For independent advisory support on quantum risk governance, visit Quantum Security Defence or contact Steven directly.

Steven Vaile

Board technology advisor and QSECDEF co-founder. Writes on AI governance, quantum security, and commercial strategy for boards and deep tech founders.