The Quantum-Safe Sentinel #3 - December 2025
Welcome to the third edition of our Quantum-Safe Bulletin. At QuRISK, we commit to deliver the latest developments from the quantum-security landscape with clear analysis and actionable insights. Understanding not just the what but the why and sowhat is essential as we navigate this critical transformation together.
This edition maintains our focus on three key pillars that you start to be familiar with: the Quantum cyber threat, Post-Quantum Cybersecurity and Quantum cryptography.
As we close out 2025, this month brings a mix of progress and persistent challenges: successful tests of PQC in critical payment systems, alarming delay in enterprise adoption, and continued evolution of quantum cryptography technologies.
As always, we conclude with a focused awareness topic. This month, we address The Enterprise Readiness Gap, examining why organizations remain unprepared despite growing awareness.
🌟 We wish you a wonderful holiday season.
See you in 2026, year of Quantum-Safe Cybersecurity Planning! 🚀
_Mohamed Bassiouny, Quantum Risk and Cybersecurity Lab lead at QuRISK.
1. The Quantum Cyber Threat: HDNL, Blockchain and Finance
Recent News & Trends
A comprehensive analysis from a16zcrypto - a venture capital fund that invests in crypto and web3 startup - challenges some prevalent quantum threat narratives that exaggerate or misinterpret some advances in quantum hardware, noting that while cryptographically relevant quantum computers remain "far beyond reach", the harvest-now-decrypt-later (HNDL) threat demands immediate action for long-term confidential data. The report emphasizes that timelines vary as different cryptographic primitives have vastly different risk profiles. The report also corrects a significant misconception found even in Federal Reserve's publication (from September 2025): most non-privacy chains like Bitcoin are not vulnerable to HNDL attacks per se, the quantum threat to blockchain is signature forgery (deriving private keys to steal funds), not decrypting already-public transaction data. The analysis concludes with seven recommendations including deploying hybrid encryption immediately, using hash-based signatures where size permits, and advising blockchains to start planning post-quantum transitions now while allowing schemes to mature rather than rushing premature deployment. (Source: a16z crypto)
On December 11, the Forum des Compétences – a French group of experts in information systems security and business continuity within the financial sector – held its Annual Colloquium 2025 at Banque de France, dedicated to “Quantum and Cybersecurity: Risks and Opportunities for the Financial Sector”. This edition brought together leading experts from financial institutions, regulatory authorities, and industry around a shared observation: quantum technologies are no longer a purely forward-looking topic, but a concrete issue of governance, security, and resilience that must be anticipated today. QuRISK contributed to the work of the colloquium and authored a white paper on quantum technologies and cybersecurity. The conclusions and the white paper are available in this article (in French).
QuRISK’s Analyse & Advice
The quantum cyber threat continues to shift from theoretical risk to operational urgency. This shift is demonstrated by the growing engagement from financial institutions: banks, central banks (like the Banque de France), cryptocurrency platforms, and even the U.S. Federal Reserve, which are all actively addressing quantum security.
December 2025 brought nuanced analyses on Bitcoin's quantum vulnerability, clearer perspectives on quantum computing timelines, and heightened focus on the "harvest now, decrypt later" (HNDL) attack vector that makes today's encrypted data vulnerable to tomorrow's quantum capabilities.
Organizations must face two realities:
Cryptographically relevant quantum computers capable of breaking RSA-2048 remain years away, requiring massive improvements in both qubit quantity and quality, however sudden improvement both on the algorithmic side and on the hardware side keep happening. Therefore organizations need to start planning their PQC transition for the upcoming years, but also they need to be able to accelerate their transition plan, depending on advances in the field of quantum computing.
Data encrypted today with classical algorithms may be harvested now and decrypted later, creating immediate risk for long-lived sensitive information (where confidentiality matters in 10+ years).
Our recommendation:
Focus PQC migration efforts on systems protecting data with confidentiality requirements extending beyond 10-15 years, while building crypto-agility across all systems to enable rapid response when quantum capabilities mature.
Don't panic, but don't delay.
2. PQC: Maturation and Delayed Action
Recent News & Trends
Bank for International Settlements announced on December 11 the successful completion of "Project Leap Phase 2" testing PQC in operational payment systems. The collaboration between BIS Innovation Hub Eurosystem Centre, Banca d'Italia, Banque de France, Deutsche Bundesbank, Nexi-Colt, and Swiftdemonstrated that migration is feasible but revealed significant performance differences between traditional and PQC algorithms, pointing to the need for further testing before transitioning the financial system. (Source: BIS)
A Trusted Computing Group report released in early December reveals alarming enterprise unpreparedness: 91% of businesses lack formal PQC migration roadmaps, despite over 50% expecting to deploy at least one PQC algorithm by 2026. The study found organizations prioritize Identity and Access Management (IAM) systems for initial protection(35%), with budgets ranging from 6-10% of cybersecurity spending, though U.S. organizations lead with 11%+ allocations. (Source: Trusted Computing Group)
Speaking of budget, another study published in October 2025 by Boston Consulting Group, projects the PQC transition costs at 2.5% to 5% of the annual IT budget. (Source: BCG)
F5 and NetApp expanded their partnership to deliver joint AI + PQC solutions, integrating hybrid cryptography and NIST-approved PQC algorithms into high-performance AI workloads. The solution supports incremental transition paths, TLS 1.3 foundations for PQC readiness, and protection against "harvest now, decrypt later" attacks on AI/ML data. (Source: f5)
QuRISK’s Analyse & Advice
December 2025 demonstrates the PQC ecosystem's maturation: successful testing in critical infrastructure, more commercial solutions are being launched, and the market growth is accelerating.
Even though companies are becoming more aware of the quantum emergency, most of them still lack quantum roadmaps. It reveals a dangerous gap between awareness and action.
QuRISK's recommendations:
✅ DON'T WAIT FOR PERFECT READINESS: migration is feasible now, even with performance trade-offs,
✅ BUILD YOUR INVENTORY IMMEDIATELY: most organizations lack visibility into their cryptographic landscape,
✅ SET A REALISTIC PQC TRANSITION BUDGET: 6-10% of security budgets is baseline - complex migrations may require more,
✅ START WITH IAM SYSTEMS: industry consensus prioritizes IAM (Identity and Access Management) as well as HSM/KMS for initial PQC deployment,
✅ INVEST IN CRYPTO-AGILITY: the ability to swap algorithms quickly will be more valuable than picking the "perfect" PQC solution today.
The successful BIS payment system testing proves PQC works in production. The question is no longer "can we?" but "when will we?". Organizations delaying action increase their operational risk and narrow their migration windows.
3. Quantum Cryptography: QKD vs PQC?
Recent News & Trends
Hybrid QKD-PQC system advances: research published in early December from the University of New South Wales demonstrates a system called HOQS+, combining QKD (BBM92 protocol) with Crystals-Kyber PQC. The innovation implements tight finite-key security bounds for QKD deployed in a functioning system for the first time, addressing vulnerabilities when both QKD and PQC face side-channel attacks. HOQS+ is a significant improvement over previous hybrid approaches and enhances QKD systems’ scalability. (Source: Quantum Zeitgeist)
QKD in mobile networks: a comprehensive analysis published December 9 in the Journal of Communications Technology and Electronics explores autonomous QKD implementation in 4G/5G networks, focusing on practical deployment limitations. The research emphasizes integrating PQC and QKD as complementary approaches, examining VPN technologies and QKD systems for secure infrastructure, while comparing international and domestic developments. (Source: Springer)
Academic perspectives on QKD vs. PQC debate: two chapters published in Springer's "Quantum Technologies" book critically examine QKD's challenges and future. One analysis argues PQC is more practical and trusted for most real-world systems than QKD, citing a January 2024 position paper from French, German, Dutch, and Swedish cybersecurity agencies stating QKD is currently viable only for niche use cases. The companion chapter explores paths to overcome QKD's scalability and cost limitations through ongoing research. (Source: Springer)
QuRISK’s Analyse & Advice
December 2025's research reinforces QuRISK's long-held position: QKD and PQC are complementary, not competing technologies. Combining both approaches can address respective weaknesses, while academic analyses clarify QKD's current limitations.
Key takeaways for organizations:
✅ PQC REMAIS THE PRIORITY: practical, deployable now, and necessary for the vast majority of use cases,
✅ QKD SERVES NICHE APPLICATIONS AND FOR FUTURE-PROOFING: ultra-high-security government/defense communications, long-term key storage, specific financial transactions,
✅ HYBRID APPROACHES SHOW PROMISE: organizations managing extremely sensitive data should monitor QKD-PQC integration research,
✅ INFRASTRUCTURE CONSTRAINTS REMAIN: QKD requires specialized hardware, dedicated fiber, and significant investment—limiting broad deployment.
This Month's Awareness Topic: the Enterprise Readiness Gap
The Trusted Computing Group‘s report (which we discussed in part 2) confirms a stark disconnect we regularly observe at QuRISK: organizations understand the quantum threat conceptually, yet almost all of them (91%!) lack formal migration roadmaps! This "readiness gap" represents one of the most significant obstacles to achieving quantum-safe security.
Generally speaking, surveys show high confidence about quantum threats, yet minimal preparedness: we call it the Awareness Paradox. Organizations acknowledge the risk, many expect to start their PQC transition in 2026, but few have completed the foundational work required for successful migration.
We tried to understand the reasons behind this paradox, before giving you a series of tips to progress and solve this issue.
😮 Why does this Gap exist?
1. Misunderstanding of concepts and implications. Most organizations don't have a full grasp of the basic concepts related to cybersecurity in the Quantum era. We advise you to take a first step by visiting our article regarding Quantum Literacy to understand the concepts, which will help you do your research using the right terms, therefore getting better results and better understanding.
2. Invisible Cryptography. Many organizations don't know where cryptography lives in their infrastructure. Without a comprehensive cryptographic inventory (a CBOM), building realistic roadmaps is impossible.
3. Underestimated Complexity. PQC migration isn't a simple software update, it's a multi-year transformation requiring: legacy system remediation, hardware/firmware updates, third-party vendor coordination, testing and validation, staff training and expertise development
4. Competing Priorities. Quantum threats feel distant compared to daily cybersecurity fires. Organizations struggle to allocate resources to a problem without an immediate deadline.
5. Timeline Confusion. Mixed messages about Q-Day timelines (ranging from 5 to 30+ years) create paralysis. Organizations unsure when to act often choose to wait.
6. Budget Constraints. PQC migration requires 6-10%+ of cybersecurity budgets. Securing funding for multi-year initiatives without immediate ROI challenges many organizations.
7. Skills Shortage. Few security professionals understand PQC algorithms, quantum cryptography, or migration best practices. The Quantum Talent Gap limits organizational capacity. Read our article about this issue.
👉🏽 How to fill the Readiness Gap
Rome wasn’t built in a day, and you have to compose with a lot of constraints. Still, time flies and here are some important guidelines so that you won’t feel overwhelmed.
✅ BUILD ON SOLID FOUNDATION: prepare correctly, secure CTO/CISO-level sponsorship and board awareness. Perform pre-assessments and identify risks early in the process.
✅ START SMALL, BUT START NOW. Pilot projects build expertise and momentum, aim for quick-wins.
✅ FOCUS ON BUSINESS IMPACT: frame PQC migration in terms of data protection and regulatory compliance.
✅ LEVERAGE INDUSTRY RESOURCES. NIST guidance, vendor solutions, and consultant expertise accelerate progress.
✅ EMBRACE INCREMENTAL PROGRESS. Perfect is the enemy of good. Deploy what works today while planning for improvements and scalability tomorrow.
… And keep in mind that you can always seek specialized consultants if needed.
🚨 The Quantum-Safe Sentinel is watching for you, helping you stay secure and a step ahead in the Quantum era.
If you appreciate our work for the community, please like and share our publications, follow our page, and promote it to colleagues who may benefit from these insights.
☎️ If you have any suggestions or comments about our publications, or if you would like to discuss these important topics with one of our experts, feel free to book a meeting at www.qurisk.fr or to contact us contact@qurisk.fr.
🙌🏼 Stay tuned for more to come. Stay healthy, and quantum-safe to you all.
🦉 This bulletin is powered by oQo, QuRISK’s Quantum Virtual Advisor: an AI-driven LLM designed to augment professionals on quantum technology–related themes, including securing adoption, risk management, and cybersecurity. To learn more about oQo, please visit www.myoqo.ai.
It is published by QuRISK - Quantum Risk Advisory, a French firm specialized in Quantum Risk & Cybersecurity.
