5 Steps to Crypto-Agility Before PQC Implementation

Quantum computing is no longer a distant concern. With the European roadmap setting 2030 as the deadline for transitioning high-risk systems to Post-Quantum Cryptography (PQC), organizations need to act now. It's time for all CISOs to proactively address the "quantum shift" and consider a structured, long-term response. Let's explore the possible solutions and understand why crypto-agility is, without a doubt, the mandatory prerequisite, before detailing the steps to becoming a crypto-agile organization.

1. The Quantum Shift

The cryptographic landscape is entering an unprecedented shift due to quantum computers. The reason? Quantum computers have the ability to break many of today's widely used cryptographic methods (e.g. RSA and ECC), rendering them obsolete within the next 10 to 15 years. As a consequence, CISOs' responses are taking shape: Strengthen the Old or Embrace the New.

Strengthen the Old suggests reinforcing what already exists: increasing the length of RSA keys, moving to larger ECC curves, doubling down on symmetric cryptography. This buys time, especially against the first (weaker) quantum computers, but not long-term certainty.

Embrace the New calls for a clean transition: adopting new post-quantum protocols, purpose-built to resist quantum attacks, but heavier, more complex, and still maturing. This second approach is strongly recommended and endorsed by the European Commission in its recent publication on transitioning to PQC.

But before even choosing a path, one reality must be faced: many systems today cannot easily change their underlying cryptographic primitives.

2. Crypto-Agility: the non-negotiable prerequisite

Here's the truth: jumping straight into post-quantum algorithms is neither realistic nor effective if your systems aren't cryptographically agile.

Cryptographic agility is the ability to discover, manage, and replace cryptographic components across the organization, and it's often lacking. Without it, any transition becomes a high-risk project. This isn't just a technical problem; it's a structural one.

Post-quantum migration isn't like applying a simple security patch. New protocols often imply new formats, new handshake logic, new trust models. Even reinforcing existing algorithms with longer keys can exceed system limits or introduce performance bottlenecks. The ability to test, trial, and incrementally deploy these changes depends entirely on how cryptographically agile a system is.

But achieving crypto-agility is not that easy. In practice, cryptography is often hardcoded, undocumented, or fragmented. Generally, no reliable inventory exists. Updates may break dependencies or require full rebuilds. And crypto isn't even part of the operational risk map…

We can help by providing a method to guide you through this, so you don't get discouraged.

3. Steps towards Crypto-Agility

Crypto-agility gives you the ability to evolve your cryptographic tools and strategies without disrupting your operations. It’s not a product, it’s a capability — and like all capabilities, it must be built step by step.

1. Create a cryptographic inventory across all layers

Don’t wait for quantum urgency. Discover what’s used, where, and how it’s maintained.

2. Bring cryptography into governance and risk frameworks

It’s time for crypto to be visible beyond the technical layer and discussed in risk committees.

3. Ensure every new system is modular and upgradable

Crypto mechanisms must be swappable and updates must be verifiable and secure.

4. Assess readiness for your possible transition paths

Would current systems tolerate longer keys? New protocols? Hybrid modes? That's not just a cryptographic question; it's an architectural one.

5. Make crypto a shared responsibility

Architecture, security, engineering, and compliance must all be aligned, because change will affect them all.
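Step 1 asks for an inventory of what cryptography is used and where. The script below is an added illustration of how such discovery can start, not code from this article or from QuRISK: it walks a source tree, matches a small catalogue of regex patterns for common crypto usage, and tags each hit with a risk class (public-key primitives that a quantum computer would break, symmetric primitives that only need larger parameters, legacy algorithms, and protocol configuration). The pattern catalogue, the risk classes and the sample files it scans are all constructed for this example; a real inventory would extend the catalogue, cover binaries, certificates and key stores, and feed a CBOM or asset register.

```python
"""Minimal cryptographic-inventory scanner (constructed example, not a product)."""
import os
import re
import tempfile
from dataclasses import dataclass

# Pattern catalogue: (name, regex, risk class). The classes separate
# public-key primitives (broken by a large quantum computer) from symmetric
# ones (only need longer parameters), legacy algorithms, and TLS config.
# This list is an assumption for the example; a real catalogue is far larger.
PATTERNS = [
    ("RSA key generation", re.compile(r"RSA\.generate\(\s*\d+"), "asymmetric-quantum-vulnerable"),
    ("ECC curve", re.compile(r"\b(secp256r1|secp384r1|P-256|P-384|prime256v1)\b"), "asymmetric-quantum-vulnerable"),
    ("X25519/Ed25519", re.compile(r"\b(X25519|Ed25519)\b"), "asymmetric-quantum-vulnerable"),
    ("MD5/SHA-1 hashing", re.compile(r"hashlib\.(md5|sha1)\b"), "legacy"),
    ("AES", re.compile(r"\bAES[-_]?(128|192|256)\b"), "symmetric"),
    ("TLS cipher config", re.compile(r"^\s*(ssl_ciphers|Ciphers|SSLCipherSuite)\s"), "protocol-config"),
]

# File types worth scanning; documentation is deliberately skipped.
SCAN_SUFFIXES = (".py", ".java", ".go", ".c", ".conf", ".cnf", ".yaml", ".yml", ".tf")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    name: str
    match: str
    risk_class: str


def scan_text(path, text):
    """Return one Finding per pattern hit, with the line it occurred on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx, risk in PATTERNS:
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, name, m.group(0).strip(), risk))
    return findings


def scan_tree(root):
    """Walk a directory and scan every file with a relevant suffix."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(rel, fh.read()))
    return findings


def summarize(findings):
    """Count hits per risk class: the first view a risk committee needs."""
    summary = {}
    for f in findings:
        summary[f.risk_class] = summary.get(f.risk_class, 0) + 1
    return summary


# Constructed sample tree standing in for a real code base.
SAMPLE_FILES = {
    "auth/keys.py": "from Crypto.PublicKey import RSA\nkey = RSA.generate(2048)\n",
    "auth/legacy.py": "import hashlib\ndigest = hashlib.md5(data).hexdigest()\n",
    "infra/nginx.conf": "ssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;\n",
    "pki/ca.cnf": "[ req ]\ndefault_md = sha256\n# curve: prime256v1\n",
    "README.md": "RSA.generate(512)  # not scanned: documentation suffix\n",
}


def build_sample_tree():
    """Write the constructed sample files into a temporary directory."""
    root = tempfile.mkdtemp(prefix="crypto-inv-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_sample():
    """Scan the sample tree and return (findings, per-class summary)."""
    findings = scan_tree(build_sample_tree())
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = run_sample()
    for f in sorted(findings, key=lambda x: (x.path, x.line)):
        print(f"{f.path}:{f.line}  {f.name:<20} {f.match:<28} {f.risk_class}")
    print(summary)
```

The output already answers the question the article poses ("what's used, where, and how it's maintained") for the public-key hits, which are the ones the PQC transition will have to replace; the symmetric and protocol-config hits are the ones to re-assess for larger parameters.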

After completing these steps, you will be ready to enhance your defenses and begin your journey to PQC resilience.
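Steps 3 and 4 ask that crypto mechanisms be swappable and that a transition be verifiable. The example below is added to show one concrete pattern for that and is not code from this article or from QuRISK: every protected value carries an identifier of the algorithm and key that produced it, verification looks the identifier up in a registry instead of assuming an algorithm, and a policy object says which algorithms are current, still accepted, or deprecated. It uses HMAC over SHA-256 and SHA3-256 from the standard library purely because they run anywhere; the registry, the key ids and the rollover sequence are assumptions for the illustration, and the same shape applies to signature or KEM identifiers when a post-quantum or hybrid scheme is introduced.

```python
"""Algorithm-agile integrity envelope (constructed example, not the article's code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Registry: algorithm id -> hash constructor. Adding an entry here is the
# only code change needed to introduce a new algorithm.
ALGORITHMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}

# Constructed keys; in a real system these come from a key store or HSM.
KEYS = {
    "k1": b"constructed-key-material-one",
    "k2": b"constructed-key-material-two",
}


@dataclass
class Policy:
    current_alg: str       # algorithm used for newly protected values
    current_key: str       # key id used for newly protected values
    accepted: frozenset    # algorithms that still verify
    deprecated: frozenset  # accepted, but the value should be re-protected


def protect(data: bytes, policy: Policy) -> str:
    """Produce a self-describing envelope: version:algorithm:key-id:tag."""
    digest = ALGORITHMS[policy.current_alg]
    tag = hmac.new(KEYS[policy.current_key], data, digest).hexdigest()
    return f"v1:{policy.current_alg}:{policy.current_key}:{tag}"


def verify(envelope: str, data: bytes, policy: Policy):
    """Return (valid, needs_reprotect). Unknown or retired algorithms never validate."""
    try:
        version, alg, key_id, tag = envelope.split(":")
    except ValueError:
        return False, False
    if version != "v1" or alg not in policy.accepted or alg not in ALGORITHMS or key_id not in KEYS:
        return False, False
    expected = hmac.new(KEYS[key_id], data, ALGORITHMS[alg]).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, False
    return True, alg in policy.deprecated


def rollover_demo():
    """Walk one value through a three-phase algorithm rollover."""
    data = b"customer record #42"  # constructed payload
    # Phase 1: only the original algorithm exists.
    p1 = Policy("hmac-sha256", "k1", frozenset({"hmac-sha256"}), frozenset())
    old = protect(data, p1)
    # Phase 2: new algorithm is current; the old one still verifies but is flagged.
    p2 = Policy("hmac-sha3-256", "k2",
                frozenset({"hmac-sha256", "hmac-sha3-256"}), frozenset({"hmac-sha256"}))
    new = protect(data, p2)
    # Phase 3: old algorithm retired; anything not re-protected now fails.
    p3 = Policy("hmac-sha3-256", "k2", frozenset({"hmac-sha3-256"}), frozenset())
    return {
        "old_under_p1": verify(old, data, p1),
        "old_under_p2": verify(old, data, p2),
        "new_under_p2": verify(new, data, p2),
        "old_under_p3": verify(old, data, p3),
        "new_under_p3": verify(new, data, p3),
        "tampered": verify(new, data + b"!", p3),
    }


if __name__ == "__main__":
    for name, result in rollover_demo().items():
        print(f"{name:<14} valid={result[0]!s:<5} needs_reprotect={result[1]}")
```

The point for readiness assessment is that the rollover never requires a flag day: phase 2 can run for as long as it takes to re-protect stored values, the deprecated flag gives an exact count of what is still outstanding, and phase 3 is a one-line policy change rather than a code change. Systems where the algorithm is implied by the data format rather than named in it cannot be moved this way, which is exactly the architectural question step 4 raises.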

Conclusion

Europe is urging all organizations to start their PQC journey to confront the quantum threat and achieve quantum readiness by 2030 for critical assets and 2035 for the remaining assets.

However, it's not that simple. Some organizations are rushing into PQC adoption, while others are delaying the transition by simply reinforcing existing cryptography. Ultimately, to be effective, organizations must first enhance their crypto-agility. There's a step-by-step method to achieve this, in order to minimize risks and save time in the transition process to come. It begins with a thorough crypto-inventory and culminates in shared responsibility for cybersecurity enhancement.

The clock is ticking, and the risk isn't just about when quantum computing breaks today's cryptographic tools. It's about whether systems and organizations are prepared to evolve when they have to.

Europe's message is clear: the time is now. You know what needs to be done.

Need help with the process? QuRISK is here to assist you along the way.
