This blog post addresses the practical implications of Post-Quantum Cryptography (PQC). It examines why waiting for vendors is a high-risk strategy and why organizations must assume ownership of their own quantum-readiness efforts. It also introduces a more effective quantum-readiness playbook: a practical, risk-driven approach aimed at reducing exposure early, rather than relying on the commonly adopted inventory-first model.
This is Part 2 of a two-part series and focuses on the practical implications of Post-Quantum Cryptography, including why organizations must take ownership of their own quantum-readiness journey and how a risk-driven approach can support effective migration planning.
If you’re not familiar with PQC, the underlying risk, the core concept and the current state of standards and deployment, please refer to The Road to Post-Quantum Readiness Part 1 of 2: Understanding the Risk.
The first blog post highlighted a significant market development: major technology providers, including Google, AWS, Microsoft, and IBM, have already begun migrating parts of their infrastructure. This development raises an obvious question:
If the hyperscalers are already moving, should individual organizations do anything at all?
The answer is yes, because hyperscaler migration does not equate to enterprise-wide protection. While large cloud and platform providers may be securing parts of their own environments, this does not extend to internal networks, legacy applications, third-party software stacks, backup environments, operational technology, or long-lived sensitive data under organizational responsibility.
This is precisely why the current phase is so important. The algorithms are available, standards are finalized, and the central challenge is no longer understanding PQC in principle, but determining how to approach migration in practice within a specific environment. The relevant questions are:
How should we start migrating to PQC? Which approach is most effective for reducing risk early?
In this blog post, we answer these questions by outlining a clear, risk-driven migration approach that helps organizations prioritize the most critical exposures first and reduce risk early in the PQC transition.
AWS, Azure, Cloudflare, and similar providers are securing their infrastructure, not your entire business environment. The connection from a customer’s browser to a cloud edge service may already support post-quantum or hybrid protection, but the connection from that edge to your origin systems may not. Your internal service-to-service traffic, administrative access paths, CI/CD signing processes, backup encryption, embedded device firmware, operational technology, and third-party software dependencies remain your responsibility. None of that is migrated simply because a cloud provider has upgraded part of its platform.
That is why CISA1, NSA2, and NIST3 are clear that post-quantum migration is not a passive vendor update, but an organization-wide IT and OT modernization effort. In practice, most organizations have far more cryptographic dependencies than anyone can identify from memory alone, especially across legacy systems, supplier products, and long-lived hardware.
There is also a strong business case for acting early. A post-quantum roadmap helps organizations avoid poor procurement decisions by ensuring that new software, hardware, and supplier contracts do not introduce fresh cryptographic debt. It strengthens supply chain management by creating earlier visibility into vendor dependencies and upgrade timelines. It can also become a commercial differentiator, as customers, regulators, and strategic partners increasingly expect evidence that sensitive data and long-term trust relationships are being protected against future cryptographic disruption. Over time, cyber insurers may also view the absence of a credible quantum readiness roadmap as a sign of unmanaged exposure, particularly for organizations that handle long-lived sensitive data or operate critical services.
There is a strong business case for taking early action on post-quantum readiness. Establishing a post-quantum roadmap sooner rather than later allows an organization to make better long-term decisions and reduce future transition risk. In particular, it helps to:
Acting early can also create a commercial advantage. Customers, regulators, and strategic partners increasingly expect organizations to demonstrate that they are protecting sensitive data and preserving long-term trust against future cryptographic disruption. In addition, the absence of a credible quantum-readiness roadmap may, over time, be viewed by cyber insurers as a sign of unmanaged exposure, particularly for organizations that handle long-lived sensitive data or operate critical services.
The cost of waiting is therefore not limited to future technical migration pressure. Delay increases the chance of continued investment in products that will later need premature replacement, extends exposure to harvest now decrypt later (HNDL) risk, and leaves organizations dependent on supplier timelines they have not yet mapped. In other words, waiting does not reduce effort. It usually shifts the effort into a more compressed, more expensive, and less controllable timeframe.
The broader market is still behind. A 2024 Bain & Co survey4 found that only about 9% of organizations have a post-quantum roadmap, while reporting from PwC and Microsoft suggests that most remain in an evaluation phase. Many still assume they are not a likely target. Under a harvest now decrypt later threat model, that is a dangerous assumption, because an adversary does not need to single out one organization in advance to collect encrypted traffic or stolen data that may retain value for years. The good news is that the path forward is becoming clearer.
The core frameworks remain largely unchanged, including crypto-agility models such as CARAF5. However, public-sector guidance and industry standards have become increasingly practical in recent years, translating high-level concepts into more actionable migration guidance. There are many guidance documents to start your migration, such as CISA’s quantum-readiness factsheet6, NIST’s NCCoE migration project (SP 1800-38)7, NIST CSWP 39 on crypto agility8, and NSA’s CNSA 2.0 timeline9, among many others. While these sources provide a strong foundation, they are often applied in an overly waterfall-oriented manner, causing organizations to focus heavily on cryptographic inventory efforts while delaying action on the systems, assets, and dependencies that are already at risk.
Instead, organizations should adopt a risk-driven approach from the outset. That means identifying the highest-risk systems, the most sensitive data, and the assets most exposed to harvest now decrypt later (HNDL) threats first. Based on that prioritization, teams can build a focused cryptographic inventory for the areas that matter most, begin mitigating urgent risks immediately, and continue developing the full enterprise-wide inventory in parallel. This approach is described below.

This is not an IT task that a single team can run on the side. A migration program affects procurement, vendor management, legal, compliance, software engineering, infrastructure, and security operations. CISA explicitly recommends establishing executive sponsorship, a dedicated project team, and committed resources before any technical work begins. In some organizations, it may even be appropriate to appoint a CQRO, or Chief Quantum Readiness Officer, to own the program end to end. That role would coordinate stakeholders across business and technical functions, set priorities and timelines, manage dependencies and risk, and maintain top-down sponsorship. Without clear ownership, progress often slows because of organizational friction. Funding matters just as much: when migration is treated as a standalone IT project, the funding and governance are often too limited for an effort of this scale. That approach often leads to failure mid-migration, when the program encounters its first serious resource conflict, budget constraint, or political obstacle. According to Marin Ivezic’s PQC framework10, these efforts frequently stall within 6 to 12 months because the work is misunderstood as a simple technology upgrade rather than the enterprise-wide transformation it actually is. Let it be clear: this is a multi-year enterprise transformation program, not an IT project.
A common mistake is to treat quantum readiness as a purely linear discovery exercise: first inventory everything, then assess risk, then decide what to do. In practice, that is often too slow. By the time a complete enterprise-wide inventory is finished, the organization may still have left its most sensitive systems exposed.
A stronger approach is to begin by identifying the systems, data, and business processes where the impact of quantum compromise would be highest. That means focusing first on long-lived sensitive data, externally exposed systems, and critical trust anchors. It also means explicitly considering harvest now decrypt later risk, where encrypted data stolen today may still be valuable once a cryptographically relevant quantum computer becomes available.
Mosca’s x + y > q model remains useful in this context. For each high-value system, the assessment should consider three factors: how long the data must remain confidential or the trust relationship must remain valid; how long migration is expected to take for that specific system; and how long it may plausibly take before a capable adversary can exploit quantum attacks against it.
Where the combined duration of confidentiality or trust requirements (X) and migration time (Y) exceeds the estimated time to quantum-relevant exploitation (Q), action should begin early. This makes it possible to prioritize actual business risk rather than waiting for perfect visibility before taking any meaningful steps.

A cryptographic inventory is still essential, but it should not be treated as a gate that blocks all other progress. Instead, start with a focused inventory of the highest-risk systems and use that to drive immediate mitigation. Build the broader enterprise inventory in parallel.
For the prioritized systems, the goal is to establish an honest, current view of where cryptography is used, how it is implemented, and what depends on it. This includes applications, vendor software, hardware, certificates, SSH keys, VPNs, TLS configurations, encryption at rest, backups, signing systems, and service-to-service communications. According to Marin Ivezic’s PQC framework, an inventory should at least contain the fields listed in the table below. Anything less is not actionable.
| Field | Example |
| System/Asset ID | APP-0142 |
| Cryptographic Function | Server authentication |
| Algorithm | RSA-2048 |
| Key Size | 2048 |
| Protocol | TLS 1.2 |
| Library/Implementation | OpenSSL 3.0.12 |
| Certificate Details | DigiCert G2 |
| Key Lifetime | 1 year |
| Data Sensitivity | Confidential |
| Quantum Vulnerability | Shor |
| Owner | J. Smith |
| Vendor Dependency | No |
| Control Posture | Full control |
The cryptographic inventory should then be formalized into a Cryptographic Bill of Materials, or CBOM. A cryptographic inventory identifies where cryptography is used across the environment; a CBOM builds on that inventory by turning those findings into a structured, standardized, and queryable record. Its added value is that it converts scattered scan results, spreadsheets, and team knowledge into a single source of truth that supports planning, prioritization, auditing, automation, and supply-chain visibility. Where possible, organizations should use a standardized format rather than an ad hoc structure. CycloneDX12 is a strong option for CBOM standardization because it aligns well with existing SBOM, CI/CD, and reporting practices. An example of a CycloneDX CBOM entry is shown below.
{
"type": "cryptographic-asset",
"name": "RSA-PKCS1-1.5-SHA-256-2048",
"cryptoProperties": {
"assetType": "algorithm",
"algorithmProperties": {
"primitive": "signature",
"algorithmFamily": "RSASSA-PKCS1",
"parameterSetIdentifier": "2048"
}
}JSON
Automated cryptographic discovery tools can accelerate this significantly. Vendors such as IBM, PQShield, SandboxAQ, Keyfactor, and DigiCert offer tooling that can scan source code, binaries, traffic, and running systems for cryptographic use. That said, tooling will never be enough on its own. Automated discovery often misses proprietary implementations, legacy environments, custom protocols, and cryptography embedded in unexpected places. The inventory must therefore be tool-assisted, but expert-curated.
The key difference in this approach is that mitigation begins as soon as the highest-risk systems are understood well enough to act. You do not wait for a perfect global inventory before reducing urgent exposure.
This is the step most organizations underemphasize. Quantum readiness should deliver measurable risk reduction before the full migration plan is complete. Once high-risk systems are identified and partially inventoried, organizations should already begin mitigating the most urgent exposures.
That can include prioritizing protections for long-lived sensitive data, accelerating remediation of vulnerable trust anchors, introducing hybrid cryptography in external-facing systems where feasible, isolating or segmenting systems with long migration timelines, and identifying applications that require significant rewrite work. In some cases, the immediate action may not be a cryptographic replacement at all, but a compensating control that reduces exposure while the long-term migration path is prepared.
This is also where the return on investment becomes tangible. Instead of spending months or years on discovery with little visible outcome, the organization can show early progress by protecting high-value assets first. That helps sustain executive support, secure continued funding, and reduce the risk that the program is dismissed as theoretical or premature.
No organization controls its quantum migration end to end. A large share of enterprise cryptography sits inside third-party software, cloud platforms, hardware, appliances, managed services, and embedded systems. That means vendor readiness is not a side issue, it is often one of the main constraints on migration speed.
Vendor engagement should therefore start early, not after the internal inventory is complete. For every critical supplier, the organization should ask at minimum:
A supplier without a roadmap is a supplier that may later become a bottleneck. For that reason, supplier quantum roadmap tracking should be integrated into procurement, third-party risk management, and ongoing governance from the start. This is especially important for commercial off-the-shelf products, cloud-hosted services, industrial systems, and long-lived hardware platforms where the organization has little direct control over embedded cryptography.
Once the highest-risk systems are understood and urgent mitigation is underway, the organization can expand into a full cryptographic inventory and a broader migration plan. At this stage, the objective is not just to replace vulnerable algorithms, but to build crypto agility as a permanent architectural capability.
That means treating cryptography as an abstraction layer rather than something hardcoded into applications and protocols. In practice, this includes:
The goal is to create an architecture that allows flexibly exchanging algorithms, without ever again touching the applications themselves.This is where NIST’s more recent framing of crypto agility is especially important. The post-quantum transition is not the last algorithm transition organizations will face. It is simply the largest one now in view. Any architecture built today should assume future cryptographic change.
Execution should remain phased and risk-based. In many organizations, practical migration sequencing will still begin with external-facing TLS, long-lived signing systems, and high-value service-to-service communications, before moving deeper into data-at-rest use cases, legacy applications, embedded platforms, and hard-to-upgrade environments.
Post-quantum readiness is often described as a future problem, but that framing is becoming increasingly unhelpful. For many organizations, the real challenge has already begun: not because a cryptographically relevant quantum computer exists today, but because the systems, suppliers, contracts, and architectural choices being made now will determine how painful or manageable the eventual transition becomes.
That is why quantum readiness should not start as a slow, purely linear discovery exercise. It should start where good security strategy always starts: with risk. Organizations that begin by identifying their most critical business processes, most sensitive data, most exposed systems, and most important suppliers can reduce meaningful risk much earlier and build momentum while the broader migration effort takes shape.
The value of the six-phase approach outlined here is precisely that it makes the problem actionable. It helps organizations move from abstract concern to practical execution. It creates early visibility into cryptographic exposure, supports better procurement and supplier decisions, and enables short- to medium-term risk reduction while laying the foundation for long-term crypto agility. Most importantly, it turns quantum readiness from a theoretical discussion into a business-led transformation program with measurable outcomes.
In our view, that is the mindset organizations need now. Do not wait for a perfect inventory. Do not wait for vendors to solve the problem for you. And do not assume that delaying reduces effort. In most cases, it only compresses the work into a narrower, more expensive, and less controllable timeframe.
The organizations that start early will not necessarily be the ones that move fastest everywhere, but they will be the ones that move deliberately where it matters most. And in a transition as complex and far-reaching as this one, that may prove to be the most important advantage of all.
| Acronym | Meaning | Why it matters here |
|---|---|---|
| PQC | Post-Quantum Cryptography | This is the central topic of the blog: the migration from quantum-vulnerable cryptography to algorithms designed to remain secure in a post-quantum world. |
| CISA | Cybersecurity and Infrastructure Security Agency | CISA is cited as a key authority making clear that quantum readiness is not just a vendor update, but an organization-wide transformation effort. |
| NSA | National Security Agency | The NSA is referenced as one of the major public-sector bodies providing guidance and timelines that organizations should take seriously when planning migration. |
| NIST | National Institute of Standards and Technology | NIST is essential here because it has finalized the main PQC standards and published practical migration and crypto-agility guidance. |
| HNDL | Harvest Now, Decrypt Later | The risk that encrypted data stolen today may be decrypted in the future. |
| CARAF | Cryptographic Agility Risk Assessment Framework | CARAF is mentioned as an example of an existing crypto-agility framework that still remains relevant in the 2026 quantum-readiness playbook. |
| NCCoE | National Cybersecurity Center of Excellence | NIST’s NCCoE migration project is referenced as a practical source of implementation-oriented guidance for post-quantum migration. |
| CSWP | Cybersecurity White Paper | This appears in “NIST CSWP 39” and is referenced in the context of NIST guidance on crypto agility. |
| CNSA | Commercial National Security Algorithm Suite | The NSA’s CNSA 2.0 timeline is mentioned as an important reference point for planning migration and understanding expected cryptographic transition direction. |
| CQRO | Chief Quantum Readiness Officer | The blog proposes this as a possible leadership role to coordinate the program across business and technical functions and prevent migration efforts from stalling. |
| CBOM | Cryptographic Bill of Materials | The CBOM is presented as the structured, queryable output of a cryptographic inventory, helping organizations plan, prioritize, and govern migration. |
| FIPS | Federal Information Processing Standards | FIPS 203, 204, and 205 are mentioned as concrete post-quantum standards that vendors should support as part of their roadmap. |
Senior Cyber Strategy & Architecture Consultant MSc
Milan Velle is a Senior Consultant within NVISO's Cyber Strategy & Architecture team. His work focuses on GRC, architectural design reviews, incident readiness, and ongoing research into quantum readiness and its implications for cybersecurity.
Senior Consultant Security Operations Engineering
Sven-Christian Kruse is a Senior Consultant within NVISO’s Security Operations Engineering team. His work focuses on the design and implementation of practical security engineering capabilities, supported by his background in cryptography-related roles. He also maintains an interest in quantum computing and post-quantum cryptography.