
22 May 2026
Quantum computing and the future of cybersecurity
The legal implications of quantum computing and its ability to overcome current cryptography methods
Key takeaways
- Quantum computing introduces fundamentally different computational methods, enabling the simultaneous processing of multiple possibilities. This capability has the potential to undermine and ultimately render many traditional encryption techniques ineffective.
- Current cryptographic systems are vulnerable to quantum algorithms. Today's widely used encryption tools would take billions of years to crack with conventional computers. They could be cracked in a few hours by a powerful quantum computer. This presents significant systemic risk across critical infrastructures, including financial systems, communications networks, and digital identity frameworks.
- The "harvest now, decrypt later" threat is already materialising, with threat actors actively intercepting and storing encrypted data (including health, financial, and intellectual property data) in anticipation of future quantum capabilities that will enable retrospective decryption.
- Regulatory expectations are evolving in response to this emerging risk. The concept of "state of the art" security is dynamic, and authorities such as the ICO and NCSC have signalled that organisations should start assessing and planning for the transition to post-quantum cryptography without delay.
- The convergence of AI and quantum computing presents a compounded cybersecurity threat, whereby AI-driven tools can automate vulnerability discovery and accelerate exploitation, while quantum capabilities enhance computational power, enabling more rapid and scalable access to sensitive systems and data.
What is quantum computing?
Imagine you're standing at the centre of a huge maze. You need to find the exit. Using a classical computer, you would eventually find the exit by trying each potential path. If one path fails, you turn back and try another.
Quantum computing does not need to follow this same sequential logic. Using a quantum program to escape the maze's pathways is like pouring water into the centre of the maze; the water flows down all possible paths at the same time, seeking out all potential routes. Some ripples reinforce each other on promising paths, while others cancel each other out when they meet a dead end. Eventually, the strongest ripples gather at the exit you have been searching for.
In more technical terms, classical computers – the kind we use every day now – process information using "bits." Each bit is like a light switch: it can be either off (0) or on (1). Every task a computer performs, from sending an email to running a spreadsheet, is ultimately broken down into vast sequences of these zeros and ones.
Quantum computers work in a fundamentally different way. Instead of bits, they use quantum bits, also known as qubits. Thanks to a property of quantum physics called superposition, a qubit can represent 0, 1, or both at the same time. This means that where a traditional computer must work through possibilities one at a time, a quantum computer can process many possibilities simultaneously.
When combined with other quantum properties such as entanglement and interference, this gives quantum computers the potential to solve certain highly complex problems far more quickly than any conventional machine. The "correct" answer is amplified and stands out above the other possibilities.
Are quantum computers better than the highest specification computers available today?
Quantum computers are not merely faster versions of today's computers. They are better suited to particular types of problems, especially those involving very large numbers of variables or combinations.
Three key examples of where quantum computing is going to radically change existing fields are:
- drug discovery;
- logistics problems such as traffic and resource allocation; and
- cryptography.
For everyday tasks like browsing the internet or writing a document, a conventional computer will remain the better choice for the task.
Why does quantum computing affect cybersecurity vulnerabilities?
Much of the security that protects our digital lives, such as online banking, relies on a form of protection called public-key cryptography. The most widely used methods work by presenting a mathematical problem that is extraordinarily difficult for today's computers to solve.
Using a conventional computer, it would take billions of years to crack the 256-bit keys commonly used today in public-key infrastructure encryption. Using our maze analogy, today's encryption works because attackers only send one person into the maze at a time. Even with very fast computers, it takes an impractical amount of time to explore every route, which means the data remains effectively protected.
Quantum computers change this requirement. When run on a sufficiently powerful quantum computer, the applicable algorithm could crack the same 256-bit key in a matter of hours. This would effectively render the encryption that underpins the world's current digital security useless.
How soon could traditional encryption become obsolete?
A quantum computer powerful enough to break today's encryption does not yet exist. Current quantum systems are still relatively small and prone to errors, but progress is accelerating. Major technology companies and governments worldwide are investing heavily in quantum research, and some expert estimates suggest that a cryptographically relevant quantum computer could emerge within the next decade, with some projections pointing to around 2030-2035.
The threat of "harvest now, decrypt later"
Even though quantum computers cannot yet break encryption, a significant threat already exists today. Malicious actors, including nation-state adversaries, are intercepting and storing encrypted data now with the intention of decrypting it later, once quantum technology matures.
This strategy, known as "harvest now, decrypt later," is particularly dangerous for information that must remain confidential for many years, such as personal data (which can include genetic and other health data); intellectual property and commercial secrets; financial records; passwords; and national security secrets.
What are governments and regulators saying about quantum computing?
Governments and standards bodies around the world are already taking action.
In the UK, the National Cyber Security Centre (NCSC) has set out a phased migration roadmap, asking organisations to complete their transition to quantum-resistant standards by 2035. Organisations should:
- complete their discovery and planning by 2028;
- carry out high-priority migrations by 2031; and
- achieve full migration to post-quantum cryptography by 2035.
Regulated sectors such as banking, financial services, and telecommunications are expected to prioritise early adoption.
Other countries are also taking action. For example, the US National Institute of Standards and Technology (NIST) has selected and published post-quantum cryptographic algorithms, which are new encryption methods based on mathematical problems that quantum computers are not expected to be able to solve efficiently.
The key message from these bodies is clear: the time to begin preparing is now. When quantum computers arrive, it will already be too late.
Legal compliance risks relating to quantum computing
The advent of quantum computing poses a profound challenge to the legal obligations enshrined across a range of regulatory frameworks.
The original EU Network and Information Systems (NIS) Directive and its successor, the EU NIS 2 Directive, impose cybersecurity risk-management obligations on essential and important entities that explicitly encompass "policies and procedures regarding the use of cryptography and, where appropriate, encryption."
NIS 2 further hardens accountability by requiring management bodies to approve and oversee risk-management measures, with the possibility of personal liability for infringements. This effectively makes board-level ownership of quantum migration planning a mandatory legal requirement backed by the risk of personal liability for non-compliance.
One of the proposed amendments to NIS 2 announced in January 2026 would explicitly require Member States to adopt national policies to cover the transition to post-quantum cryptography.
Other frameworks such as the Cyber Resilience Act, DORA, PCI DSS, and eIDAS will also put pressure on organisations to transition to post-quantum cryptographic standards, conduct quantum-aware risk assessments, and build crypto-agility into existing systems.
Under the UK Data Protection Act 2018 and UK GDPR, organisations are required to ensure the confidentiality, security, and integrity of the personal information they process, and to take "appropriate technical and organisational measures" to protect that information, having regard to the "state of the art." This obligation is not static, and requires that safeguards evolve as new threats emerge.
The UK ICO's position on quantum readiness
The UK ICO has signalled that quantum computing falls squarely within this obligation. In its Tech Horizons Report 2024, the ICO warns that quantum computing has the potential to undermine the specific types of encryption that currently protect most digital communications and personal data.
Critically, the UK ICO's position is for businesses to act now because the transition to post-quantum cryptography is likely to be lengthy and complex for many organisations. The UK ICO's encryption guidance emphasises that organisations should be "crypto-agile": keeping encryption use under regular review and ensuring they remain aware of updates and vulnerabilities.
The implication from the UK ICO is clear: an organisation that is aware of the quantum threat to its cryptographic infrastructure but takes no steps to assess or mitigate that risk may struggle to demonstrate that it has taken "appropriate" measures in line with the state of the art.
In practical terms, organisations should consider incorporating quantum risk into their Data Protection Impact Assessments (DPIAs), identifying systems that rely on current encryption techniques, recording transition plans, and evaluating supplier readiness. Maintaining a comprehensive inventory of algorithms, protocols, and certificates in use will be increasingly important for demonstrating compliance to regulators.
The potential consequences of inaction are significant. The UK and EU GDPR provide for fines of up to GBP17.5 million and EUR20 million respectively, or 4% of annual global turnover for serious infringements.
Further high costs are often attributed to reputational damage and loss of trust if personal data is compromised as a result of a foreseeable vulnerability, or a lack or failing of a control that is deemed to form part of the ever-evolving legal standard of care for information security.
There is also the risk of downstream litigation and claims for compensation. The question regulators may ultimately ask is not whether an organisation's encryption was secure solely at the time the data was collected, but whether the organisation took appropriate steps to address known and emerging threats to that security over the full lifecycle of the data it holds.
The compounding threat of AI and quantum computing combined
While the quantum threat to encryption is serious by itself, an increasingly urgent concern is its convergence with advances in AI. Individually, each technology poses distinct risks to cybersecurity; together, they threaten to create a compounding effect that could overwhelm current defences far more quickly than either could alone.
AI is already transforming the cyber threat landscape. Threat actors are using machine learning models to automate vulnerability discovery in software code, identifying weaknesses far more rapidly than manual methods allow and enabling vulnerabilities currently deemed to be less serious to be exploited collectively to enable access to applications and networks.
AI-driven tools can also craft highly convincing phishing emails and deepfake audio or video for impersonation attacks, reducing the skill barrier for sophisticated social engineering campaigns. AI also enables malware to adapt in real time, evading detection systems by learning from the defences it encounters.
Quantum computing could significantly amplify these AI capabilities. A key limitation of today's AI systems is the time and computational power required to train complex models. Quantum machine learning algorithms could dramatically accelerate model training and optimisation, enabling attackers to develop more effective and more targeted attack tools at a fraction of the current cost and time. Quantum-enhanced AI could sift through massive datasets to identify previously undetectable patterns and vulnerabilities.
Practical implications of the combined advancement of quantum computing and AI
For businesses, this convergence has several practical implications.
- The timeframe in which current defences become inadequate may be shorter than quantum computing progress alone would suggest. AI is already eroding the effectiveness of existing security measures today.
- Organisations cannot treat quantum readiness and AI security as separate workstreams. A holistic approach is needed to address both algorithm-level and implementation-level vulnerabilities.
- These two technologies that empower attackers can and should also be harnessed defensively. Quantum-enhanced AI promises to improve threat detection, identify vulnerabilities before they are exploited, and strengthen risk analysis.
What should my business be doing now about the threat of quantum computing?
Delaying the move to quantum-safe cryptography methods risks compressing a complex migration into a dangerously short window. Here's what you should do now.
- Conduct a comprehensive cryptographic inventory. Organisations need to understand where and how encryption is used across their systems, applications, devices and data flows, and how it is stored and processed within third-party integrations. This includes network security (such as VPNs, HTTPS, and secure file transfers), authentication systems (such as digital certificates and email encryption), and any embedded cryptography within applications and connected devices.
Once the inventory is complete, organisations should classify and prioritise their assets based on risk. Not all data carries the same level of sensitivity or requires the same urgency of action, so start with the data that carries the highest risk.
- Build internal quantum-resistant measures into your technology environment. This means ensuring that systems deployed today can be updated to support post-quantum algorithms when they are finalised, without requiring wholesale replacement.
- Update procurement policies and vendor contracts. Documentation should require demonstrated plans for quantum-safe security and timelines for adoption in third-party systems that handle your data.
- Engage management personnel. Educating management in quantum risk is essential. Quantum risk should be treated as a current strategic cybersecurity risk, not solely a future technical concern. Clear ownership (typically assigned to the CISO or CTO) and board-level awareness are necessary to ensure adequate resourcing over a long-term programme and, for many organisations, are also a legal requirement (both for the organisation itself and for individual members of its management body) – for example, where organisations fall within scope of the EU NIS2 Directive as transposed into domestic EU Member State laws.
- Review data retention practices. Reducing the volume of sensitive data your organisation holds will limit what could be exposed in the event of a future quantum-enabled breach. For data that must be retained, organisations should consider strengthening existing encryption and isolating the most sensitive information where possible.
- Incorporate quantum risk into your data protection impact assessment and wider risk assessment workstreams. Consider your current encryption inventory and ways to mitigate these risks. Consider how quantum risks affect your current personal and non-personal data processing activities and what changes you can make now.
- Demonstrate accountability. Accountability is a common requirement in data protection and cybersecurity laws. Organisations need to be able to demonstrate that they have appropriate controls in place. These include:
  - ongoing monitoring of emerging threats and risks (such as quantum computing and AI);
  - documenting these threats and the controls and mitigations implemented across the organisation to counter them; and
  - keeping risk assessments (including DPIAs) under ongoing review to reflect continuously evolving technology and the risk landscape.
This is critical to be able to defend positions taken in the event of regulatory investigations or litigation.
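The inventory and prioritisation steps above, and the inventory of algorithms, protocols, and certificates recommended for DPIAs, can be sketched as follows. This is an added example, not part of the original article: the `Entry` fields, the sample systems, the choice of 2030 as planning year, and the simplification that signatures carry no retrospective decryption risk are all assumptions.

```python
from dataclasses import dataclass

# Public-key families that rest on factoring or discrete logarithms, which
# Shor's algorithm solves efficiently on a large enough quantum computer.
QUANTUM_VULNERABLE = ("RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519")
# Algorithms standardised by NIST in FIPS 203, 204 and 205.
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Assumption: plan against the early end of the 2030-2035 range quoted above.
CRQC_YEAR = 2030
# NCSC milestones from the article: high priority by 2031, the rest by 2035.
DEADLINE = {"high": 2031, "standard": 2035}

@dataclass
class Entry:
    system: str
    use: str                 # "key-exchange" or "signature"
    algorithm: str           # label such as "RSA-2048" or "ML-KEM-768"
    confidential_until: int  # last year the protected data must stay secret

def family(algorithm):
    """Map a label such as 'RSA-2048' to (family, status)."""
    name = algorithm.upper()
    for status, names in (("post-quantum", POST_QUANTUM),
                          ("vulnerable", QUANTUM_VULNERABLE)):
        for fam in names:
            if name.startswith(fam):
                return fam, status
    return None, "review"  # unrecognised label: needs manual review

def assess(entry):
    """Classify one inventory entry and assign a migration deadline."""
    fam, status = family(entry.algorithm)
    row = {"system": entry.system, "family": fam, "status": status, "deadline": None}
    if status == "vulnerable":
        # A recorded key exchange can be broken retrospectively, so data still
        # sensitive in CRQC_YEAR is exposed to "harvest now, decrypt later".
        row["harvest_risk"] = (entry.use == "key-exchange"
                               and entry.confidential_until >= CRQC_YEAR)
        row["deadline"] = DEADLINE["high" if row["harvest_risk"] else "standard"]
    return row

def plan(inventory):
    """Return the vulnerable entries, earliest deadline first."""
    todo = [r for r in map(assess, inventory) if r["status"] == "vulnerable"]
    return sorted(todo, key=lambda r: (r["deadline"], r["system"]))

# Constructed sample inventory (hypothetical systems, not from the article).
SAMPLE = [
    Entry("patient-records-vpn", "key-exchange", "ECDH-P256", 2060),
    Entry("marketing-site-tls", "key-exchange", "X25519", 2026),
    Entry("code-signing", "signature", "RSA-3072", 2026),
    Entry("archive-gateway", "key-exchange", "ML-KEM-768", 2060),
    Entry("legacy-hsm", "key-exchange", "VENDOR-X", 2040),
]
```

Calling `plan(SAMPLE)` lists the VPN that protects long-lived health data first, while the unrecognised `legacy-hsm` entry is left with status `review` for manual follow-up.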
What are experts concluding about quantum computing?
This shift in mindset mirrors the message set out by the NCSC’s Chief Executive, Richard Horne, in his CyberUK 2026 keynote. Speaking about the coming decade, Horne described organisations as operating in a “perfect storm” driven by rapid technological change combined with heightened geopolitical risk.
While Horne acknowledged that no one can predict precisely when quantum computers will be able to break today’s widely used cryptography, he was clear that readiness is “in our gift.” Horne stated the focus should be on fundamentals: understand where cryptography is used, address legacy systems, and plan now for migration to post‑quantum cryptography.
Let's end with the maze analogy we began with. Horne’s warning is not that the maze disappears overnight, but that the conditions around it are changing fast. Organisations that continue to rely on the assumption that attackers must navigate slowly and sequentially risk being caught out.
Instead of reinforcing the walls of a maze that will eventually be flooded by waves in the quantum computing age, businesses should redesign the maze. This means adopting cryptography methods that remain hard to traverse even when quantum techniques are applied.
Organisations that delay action while quantum computing is still an abstract threat risk waking up to find the maze they rely on has already been flooded. Those that act early can make deliberate progress to quantum readiness as part of their ongoing long-term security programme.
