Europe's finance sector must come together to prepare for the era of quantum computing

Security of our data, from medical records to online payments and digital signatures for identity authentication, relies on cryptography. Soon, quantum computers could compromise this time-tested approach.

Quantum computing is developing rapidly, with government and business investment reaching $35.5 billion globally. The technology has not reached maturity yet, but, once available at scale, these machines — which are capable of carrying out far more complicated processing than existing binary computers — must be employed responsibly.

To guarantee this, we need industry-specific frameworks and best practices-based guidelines for the broad adoption of the post quantum cryptography (PQC) algorithms, recently announced by the National Institute of Standards and Technology (NIST).

In Europe, although there is currently no industry-specific framework for financial entities, the European Commission has recommended that EU Member States and their public sectors develop national strategies for the adoption of PQC to ensure coordination across the region. This is an important signal and underscores the urgency for private sectors, including financial entities, to accelerate the adoption of PQC algorithms and to do so collaboratively.

A European consortium needs to bring together companies, banks, brokers, financial market infrastructures, fintech, regulators and government to take practical steps to address the future quantum risk.

By the end of this decade, quantum computers are expected to be able to outperform their classical cousins in specific tasks. When that happens, in addition to bringing a myriad of benefits, quantum computers in the hands of bad actors will also pose a very real threat to the cryptography systems widely used today, including in the financial sector. Bad actors could harvest our sensitive data already today and aim to decrypt it with the help of quantum computers in the future.

The systems currently used for general encryption rely on the difficulty of factoring large numbers or solving discrete logarithms — tricky tasks for a classical machine, but not for quantum algorithms that could accomplish them exponentially faster.

Even before the announcement from NIST, a number of the world’s governments had already been taking proactive measures to start migrating to PQC, looking into regulations and urging businesses to start the transition process. For example, in February this year, the Monetary Authority of Singapore issued an advisory outlining specific measures financial institutions should consider as part of their quantum safe migration strategy. At the industry level, individual companies have also begun exploring the benefits of migration.

But for any enterprise, going it alone to perform such a transition seamlessly and fully may be daunting. While the three new NIST standards are part of the first cryptographic layer that is industry-agnostic, the second layer we need would be industry-specific frameworks with applications and use cases and relevant guidelines having the NIST cryptography algorithms already incorporated, leading to broad adoption.

This is already happening. Take telco, for example. In October 2022, the Global System for Mobile Communications Association (GSMA) created the Post-Quantum Telco Network Taskforce, which has since grown to be a group of over 60 companies from across the global telco supply chain, policymakers and regulators. The task force encourages telecom network operators to develop roadmaps to integrate PQC capabilities into their networks and processes. When industry partners come together for open discussions, the meetings trigger new ideas and help clarify the perspectives of each partner and the specific challenges they face. It helps to establish best practices that others can then follow.

Even industry-agnostic quantum safe consortia like the MITRE PQC Coalition, Linux Foundation PQC Alliance, and the NIST NCCoE are producing technology-related and algorithm adoption-related benefits as well.

In finance, there is already a PQC financial consortium in Asia, dubbed the EPAA Work Group on Quantum Safe. Its members include EPAA (Emerging Payments Association Asia), IBM, HSBC, AP+, PayPal and more. In the US, IBM is collaborating with the National Automated Clearing House Association to launch a work group focused on PQC adoption by payments organizations. But every region deals with financial services differently, so it is essential to have a financial consortium in Europe, too.

The benefits of such a consortium would include institutions pooling resources, expertise and strategic initiatives across Europe to ensure a thought-through, tactical approach to adopting NIST’s PQC standards. The consortium could help navigate the complex web of regulatory requirements by becoming a single unified voice in talks with regulators to advocate for policies in support of the migration to PQC. It could also promote best practices, conduct workshops and share intelligence on emerging threats to enhance the overall security position of Europe’s financial sector.

Without having the industry-specific framework and guidelines for adopting the standard PQC algorithm, one can have the best PQC solution, but the business utility would be sub optimal. And while at the moment the prerogative should be creating regional consortia, eventually there should be global industry-specific frameworks — as the partner institutions will have to collaborate worldwide.

It will take time. Just to develop the algorithms it took cryptographers several years, plus two more for NIST to standardize the first set of selected algorithms. Now more algorithms have been submitted and are being evaluated for further standardization — but the next step of creating industry-specific frameworks is even more complex, with institutions and policymakers in the mix. The amount of work that needs to be accomplished is immense and we must make progress across the entire industry in a collaborative way, learning from each other. Consortia are the best way to accomplish this and help accelerate progress across the entire industry. We need to start now to make sure the financial institutions of Europe, and the world, continue to work even under the threat of quantum attacks.

We should not be merely reactive to the quantum risk — instead, we should be actively shaping the future of our data security. In addition to all the benefits already listed, a financial consortium in Europe could be a demonstration of a commitment to safeguarding financial stability on the continent and preserving European security of the future. And that’s exactly what we, as a society, should strive to achieve.