How a coordination gap is slowing the shift to quantum-safe security

The transition to quantum-safe security has moved from long-term planning into immediate action. Since the US National Institute of Standards and Technology (NIST) finalized its first post-quantum cryptography (PQC) standards in 2024, organizations have had a clear signal that migration needs to begin.

The UK’s National Cyber Security Centre has set phased migration targets through to 2035, while hyperscalers such as Google have put a 2029 timeline on their own transition. Together, these developments are changing the conversation across government, critical infrastructure and industry.

The pressure is growing because the transition touches every layer of the digital economy. Governments want stronger security and greater assurance in the technologies that underpin essential systems. Industry is working to turn standards into products and services. Operators of critical national infrastructure are making decisions now that will shape resilience for years to come. That is where the real challenge starts.

The transition to post-quantum cryptography runs through a complex global technology supply chain. Standards have to be embedded into semiconductors, integrated into original equipment manufacturer (OEM) products, supported by network and cloud providers and then deployed across the infrastructure societies depend on every day. That process only works when each layer moves with enough clarity and enough alignment.

Across critical national infrastructure, the stakes are higher and the timelines are harder. Energy grids, transport systems, telecoms networks and financial institutions depend on long-lived assets, regulated environments and globally sourced equipment.

Many operators are dealing with a dual challenge: securing new infrastructure while also working out how to upgrade what is already in the field. Procurement decisions made now will shape resilience for years and, in some cases, for decades. If those decisions are taken without a clear path to post-quantum support, the cost and complexity of catching up later will be significant.

PQC should be approached as a global infrastructure upgrade rather than just a routine security update or IT refresh. A device does not become quantum-safe through one isolated change. Its security depends on the chip, the firmware, the operating system, the applications, the cloud services it connects to and the network carrying its traffic. The same applies across enterprise systems, industrial environments and critical infrastructure.

This is why the transition must be thought of as being interdependent. Semiconductor manufacturers are at the start of that chain. Once PQC is built into silicon, OEMs can integrate it into products, network vendors can support it in deployed environments and infrastructure operators can start rolling it out at scale. Every stage depends on the one before it. If one part of the system falls behind, everyone downstream feels it.

This is why the conversation cannot stay inside technical teams. It needs to reach procurement functions, boards, regulators and policymakers. Otherwise, the risk is clear: infrastructure gets deployed that cannot support quantum-safe security within the timelines governments are now setting.

The timing matters because the window for action is narrowing. Google’s 2029 target is already becoming a commercial reference point across the market. When a hyperscaler moves on a technology shift like this, expectations change for suppliers, partners and customers. That pressure then ripples through the entire supply chain.

Governments are mobilizing as well. The UK’s National Quantum Strategy commits £2.5 billion over 10 years to research, innovation and skills, reflecting how strategically important quantum technologies have become.

At the same time, recent research from Google has shown that advances in quantum cryptanalysis are reducing the resources needed to break widely used cryptographic systems, which is one reason organizations that are reassessing how much time they really have.

For critical infrastructure operators, this changes the planning horizon. They are no longer looking at a distant issue with room to wait. They are working inside procurement and refresh cycles that will determine what security their systems can support into the next decade.

There is also a broader cyber resilience opportunity here. Large technology shifts have a way of exposing weaknesses that were already present but had not yet been fully addressed. Post-quantum migration creates a rare chance to strengthen systems more widely while the underlying architecture is being revisited.

We are seeing the same dynamic play out with artificial intelligence (AI). Anthropic says its Claude Mythos Preview has identified vulnerabilities across major software and infrastructure through Project Glasswing, which now includes more than 40 organizations using the model for defensive security work. Mozilla has said Firefox 150 included fixes for 271 vulnerabilities identified with Mythos. These examples show how quickly hidden design and implementation flaws can surface when new capabilities are applied at scale.

This is important in the context of post-quantum cryptography because deployment is never only about the algorithm. It is about implementation quality across real systems. AI can help defenders test, validate and harden those implementations much faster.

That matters because attackers will also use AI to look for the same weaknesses. If security teams do not use these tools to improve resilience during the transition, they will be leaving value on the table at exactly the wrong moment.

One of the clearest lessons from the World Economic Forum’s Cyber Resilience Initiative is that organizations often understand the risk in front of them, yet still struggle to turn that insight into sustained action because of fragmented governance, unclear ownership and competing priorities.

That pattern is now playing out across the post-quantum transition. The standards exist, the technology is moving and the urgency is increasing. The priority now is whether governments, technology providers, standards bodies and infrastructure operators can move in step. That means aligning procurement, assurance and implementation pathways across borders and across supply chains.

This transition will shape how secure critical systems are for decades to come. It is also a chance to build stronger cyber resilience more broadly while those systems are being upgraded. The organizations that treat PQC as a coordinated resilience programme, rather than a narrow compliance exercise, will be the ones best placed to protect essential services, economic stability and trust in the digital systems the world now depends on.