
Martin Hořický
Post-quantum cryptography (PQC) is a set of cryptographic methods designed to withstand attacks carried out using future quantum computers.
For organizations, this is not just a theoretical topic. Today, cryptography protects communication, authentication, electronic signatures, VPNs, PKI, API communication, data archiving, and the trustworthiness of system identities. These are precisely the areas that will come under pressure as quantum technologies evolve.
A quantum computer is a type of computing device that works with qubits instead of classical bits. Thanks to principles such as superposition and interference, it can solve certain tasks far more efficiently than conventional computers. This does not mean that it will replace today’s infrastructure, but rather that for selected problems it may fundamentally change the security assumptions on which current asymmetric cryptography is based.
In some environments, it makes more sense to:
- increase symmetric key lengths
- shorten certificate lifetimes
- move to newer protocols
- prepare the architecture for future cryptographic replacement
What is the difference between the cryptography used today and quantum-resistant cryptography?
| Area | Standard cryptography | Post-quantum cryptography |
|---|---|---|
| Main risk | Some asymmetric algorithms will be vulnerable in the future | Designed to resist quantum attacks |
| Typical use | TLS, VPN, PKI, signatures, key exchange | Gradual replacement or supplementation in high-risk areas |
| Impact on symmetric ciphers | Strengthening parameters is often sufficient | Full PQC migration is not always necessary |
| Practical approach | Proven and compatible | Proven and compatible |
The key risk is the Harvest Now, Decrypt Later attack: an attacker captures encrypted communication or steals encrypted data today and stores it. Decryption then takes place in the future, once sufficiently powerful quantum technology becomes available.
We are working with a European roadmap for the transition to PQC, which lists the following indicative milestones:
| Milestone | Expected content |
|---|---|
| 11. 6. 2025 | publication of the European roadmap for the transition to PQC |
| by 31. 12. 2026 | transition plans, awareness and education, first hardening measures |
| by 31. 12. 2030 | completion of plans, pilot deployments, development of crypto agility, preparation of quantum-safe upgrades |
| by 31. 12. 2035 | completion of migration according to the risk profile of target environments |
We identify the cryptographic mechanisms, protocols, and services used across your environment.
We determine which systems and data are genuinely a priority from the perspective of the quantum threat.
We distinguish where PQC implementation is appropriate and where strengthening existing cryptography is sufficient.
We design a practical transition plan, including priorities and concrete steps.
We evaluate compatibility, operational impacts, and the most suitable transition model.
We provide clear recommendations for both management and technical teams.
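The inventory and prioritisation steps above can be sketched as a small triage script. This is an added example, not BDO's methodology or code: it separates Harvest Now, Decrypt Later exposure from cases where strengthening symmetric parameters is enough. The system names, the 256-bit threshold, and the use of the roadmap's 31. 12. 2030 milestone as a planning horizon are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Public-key algorithms whose underlying problems Shor's algorithm solves.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}
# Symmetric ciphers: Grover's search roughly halves effective key strength.
SYMMETRIC = {"AES", "CHACHA20"}
# Assumption: the roadmap's 2030 milestone is used as a planning horizon.
PLANNING_HORIZON = date(2030, 12, 31)
ORDER = ["migrate-first", "plan-migration", "strengthen-key-length", "manual-review", "keep"]

@dataclass
class Entry:                       # one row of a crypto inventory
    system: str
    algorithm: str
    key_bits: int
    protects: str                  # "confidentiality" or "authenticity"
    secret_until: Optional[date]   # how long the data must stay secret

def triage(e: Entry, horizon: date = PLANNING_HORIZON) -> str:
    alg = e.algorithm.upper()
    if alg in SYMMETRIC:
        # Assumed threshold: 256-bit keys need no further strengthening.
        return "keep" if e.key_bits >= 256 else "strengthen-key-length"
    if alg in QUANTUM_VULNERABLE:
        # Harvest Now, Decrypt Later: recorded traffic stays at risk while secret.
        exposed = (e.protects == "confidentiality"
                   and e.secret_until is not None and e.secret_until > horizon)
        return "migrate-first" if exposed else "plan-migration"
    return "manual-review"         # unknown algorithm: do not guess

def prioritise(inventory):
    # Return (action, system) pairs, most urgent first.
    rows = [(triage(e), e.system) for e in inventory]
    return sorted(rows, key=lambda r: (ORDER.index(r[0]), r[1]))

# Constructed sample inventory; all system names are hypothetical.
INVENTORY = [
    Entry("archive-vpn", "ECDH", 256, "confidentiality", date(2045, 1, 1)),
    Entry("public-web-tls", "ECDH", 256, "confidentiality", date(2027, 1, 1)),
    Entry("code-signing", "RSA", 3072, "authenticity", None),
    Entry("backup-encryption", "AES", 128, "confidentiality", date(2040, 1, 1)),
    Entry("db-at-rest", "AES", 256, "confidentiality", date(2040, 1, 1)),
    Entry("legacy-hsm", "CUSTOM", 256, "confidentiality", date(2030, 1, 1)),
]

if __name__ == "__main__":
    for action, system in prioritise(INVENTORY):
        print(f"{action:22} {system}")
```

Moving the `horizon` argument earlier pulls more key-exchange entries into `migrate-first`, which shows how sensitive the priority list is to the assumed planning date.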
BDO provides advisory services in the area of quantum-resistant cryptography as part of a comprehensive security strategy. We help organizations identify risks in their digital footprint, monitor current threats, and make informed decisions based on relevant data.
01 Understanding of the regulatory framework
We understand the requirements of DORA and NIS2 and can tailor our work so that the outputs are usable for both supervisory review and audit purposes. We help define the strategy and ensure alignment with other types of testing, including audit, TLPT, and penetration testing.
02 Independence and credibility
As an independent advisory firm, we do not promote our own technologies and provide genuinely objective assessments. Working with BDO is a clear signal of quality and trust for both regulators and clients.
03 Certified team with expert experience
Our specialists hold certifications such as C|CISO, CISSP, CISM, CISA, C|OSINT, C|TIA, OSCP, CRTP, eCPPT, BSCP, CEH, CRT, CPSA, and others. They have experience working in the environments of large banks, insurance companies, and ICT providers.