03 September 2025

Simon Dumbleton, UK CTO at World Wide Technology
Whilst AI continues to dominate headlines, the past few years have seen a quiet but equally significant leap forward with tech giants including Google, Microsoft, Amazon, many venture capital backed startups, and nation-states making rapid strides in quantum technology.
But like the internet and AI, the influx of new technology is not only an invaluable vehicle in spurring human progress; it can also introduce new threats. The most prominent of those threats with quantum computing is ‘harvest now, decrypt later’, where adversarial nation-states are harvesting and storing today’s encrypted communications, with the intention of breaking the encryption once practical quantum computing becomes a reality. For the telecoms industry, which ranked in the top three most vulnerable sectors for cyberattacks, this is a very real threat, and standardisation agencies are moving quickly to introduce remediations, most notably post-quantum cryptography (PQC).
With the expectation from shareholders, potential investors, and executives to focus on more urgent challenges and other technologies such as AI, the migration to PQC is taking a back seat. As such, telcos must urgently address their preparedness for a quantum future or risk the integrity of their networks and the sensitive data they hold.
Prepare now to protect later
‘Q-Day’, the point when quantum computers can break current encryption, may come sooner than many expect. Quantum computers capable of this are known as Cryptographically Relevant Quantum Computers (CRQC). We’ve known for some time that attackers are already harvesting sensitive data; once quantum capabilities mature, customer information could be at risk.
It’s worth noting that data, like anything else, has a lifespan. Your credit card information, for example, may be sensitive today, but in five years, when the card has expired or been deactivated, it’s no longer useful to anyone. As the development of CRQCs progresses, the likelihood increases that data currently being collected will remain relevant when Q-Day arrives.
While other time-sensitive matters exist, this transition will ensure critical futureproofing for telco businesses; those that delay may find themselves exposed to further regulatory pressure and large-scale reputational damage.
TSA compliance & quantum threats
Telcos have traditionally taken a risk-based approach to security, but with the introduction of the Telecommunications Security Act (TSA), the consequences of not doing something now are significantly more severe than ever before. The TSA is vague in its definition of ‘secure’ and ‘best practice’, particularly around the topic of encryption.
The Code of Practice (CoP) consistently references the National Cyber Security Centre (NCSC) and National Institute of Standards and Technology (NIST) websites when talking about ‘secure’ encryption. Both agencies, and others around the world, are relatively aligned on PQC deadlines, some more aggressive than others. Due to this vagueness, starting the transition to PQC sooner rather than later reduces the risk of a rushed and badly implemented PQC migration which could cause more challenges than it solves in the future.
Many major economies have an executive order or legislation mandating migration to PQC. The EU, for example, has mandated that all member states must start transitioning in 2026 and complete migration no later than 2030. This is well in advance of NIST/NCSC timelines. The TSA highlights ‘best practice’ for cryptography, so migration timelines will become mandatory for adherence. It’s likely only a matter of time before the UK, like its allies, introduces explicit mandates for PQC migration.
Futureproofing starts now
While debate continues about exactly when Q-Day will arrive, expert consensus is that it is inevitable. It’s not a question of if but when, and CISOs can no longer afford a ‘wait and see’ approach.
At the present time, telecom providers and operators should view the TSA as a catalyst to proactively prepare for this transition. This means preparing for change, new partnerships, and introducing in-house expertise to address both current and future threats. By implementing quantum-resistant encryption now, telcos can protect their data, customers, and reputation.
However, given telcos typically operate on a five-year procurement cycle, their current strategies are at risk of being unable to keep up with a technology which will increasingly undergo rapid change. With this in mind, as post-quantum cryptography emerges as a mission-critical technology with accelerating development timelines, telcos must decide: can they develop the necessary expertise internally to properly assess vendor PQC solutions, or will independent validation be essential to ensure quantum resilience and compliance?
Ultimately, whatever decision they take, it must be met with immediate and proactive action, as any delay risks a slow but certain slide towards severe penalties for non-compliance and major vulnerabilities to cybercriminals both now and in the future.