Quantum Security Migration Demands Immediate Enterprise Action
Post-quantum cryptography standards trigger a global reassessment of critical data protection strategies
Enterprises face a pressing challenge in safeguarding sensitive information against the growing threat of quantum computing. With new post-quantum cryptography (PQC) standards now formally released, security migration has shifted from a distant consideration to an immediate operational priority.
Craig Farrell, senior manager, client technology, Ernst & Young LLP, cautions that regulatory timelines, such as the UK National Cyber Security Centre’s (NCSC) 2035 migration goal, risk giving organizations a false sense of time.
Cybersecurity leaders are closely examining the deployment of quantum key distribution (QKD) alongside PQC. While QKD offers tamper-proof data transfer through photon-based encryption, its practical adoption is hampered by infrastructure requirements and the absence of built-in authentication.
Farrell pointed to the official UK cybersecurity position: “If you want to use QKD, there are a couple of things — you need the tech on either side, of course, which is important, but you also need the authentication layer on top. Proceed with extreme caution. Don’t use QKD in the military and government space, but if you want to do it in the private sector, then you’ve got to be prepared to invest quite a bit of time and energy into that.”
By contrast, Farrell said the guidance is far more precise on PQC.
“PQC is the gold standard of where we want to go with this,” he noted. “RSA [Rivest, Shamir, and Adleman] will be essentially replaced by Kyber [a key encapsulation mechanism (KEM) adopted by the National Institute of Standards and Technology (NIST)], and ECC [Elliptic Curve Cryptography] will be replaced by Dilithium [a post-quantum digital signature algorithm].”
According to Farrell, the market’s response to the new standards has been immediate. “We’re seeing a real uptick in demand. Clients are calling and asking how they can get quantum-ready and what quantum readiness looks like.”
Farrell explained that readiness begins with a detailed mapping of encryption dependencies. Companies are reviewing their systems and identifying where RSA and ECC are used, marking these as risks. He said this process can be a major undertaking, and EY is working directly with clients to conduct readiness assessments and plan migrations.
The scale of change required also explains why the NCSC and other agencies refer to the process as a migration rather than an upgrade.
Farrell noted that replacing cryptographic algorithms affects payload sizes, which in turn can alter performance, storage requirements, and compatibility across interconnected systems. These downstream effects can be significant, particularly in complex IT environments.
Partnerships Accelerate Quantum Readiness
The discussion, held in London during Commercializing Quantum Global 2025, highlighted strategic partnerships as key enablers for scaling quantum initiatives. Farrell said EY maintains strategic alliances with both IBM and Microsoft, and works closely with them on quantum initiatives.
He explained that EY has collaborated with IBM for many years, leveraging its expertise in quantum computing. More recently, Microsoft entered the hardware race with a new quantum chip launched only a few months ago — a development Farrell described as promising for commercial applications.
Hands-on experimentation is also part of EY’s approach. Farrell said he has used Qiskit, IBM’s open-source quantum programming framework, and tested circuits on IBM’s quantum computer — experiences he described as “very exciting.”
EY’s quantum program takes a “two-pronged approach.” Farrell explained: “We’re looking at it internally across all of the service lines, because we feel that there is an impact of quantum coming across a range of services, especially in our forensics and fraud detection department, which is huge. Then we’re also looking externally — how can our clients leverage quantum computing? But more importantly, how can they get protected against the quantum threat?”
Cloud platforms, such as Azure, Google Cloud, and AWS, can handle much of the PQC upgrade process for hosted applications.
Still, Farrell warns that on-premises and custom-built solutions will require more intensive intervention. “In theory, on-premise would be more expensive if you’ve got custom applications running. If you’ve got on-premise custom solutions, that’s where the majority — the bulk — of the work is going to have to be.”
Cryptocurrency Faces Quantum Threat
One of the most urgent quantum security challenges lies in blockchain-based assets. Farrell underscored: “The majority, if not all, of the cryptos are not quantum secure today. In the crypto space, because all the data is public, it’s super easy to harvest. There’s a mad rush at the moment within the space for all of these cryptos to become post-quantum secure.”
Transitioning cryptocurrencies to PQC will be technically demanding and politically fraught. Farrell noted that proposals for a hard fork of Bitcoin — a protocol change incompatible with earlier versions — could affect network performance, storage, and mining.
The decentralized governance structures of specific cryptocurrencies further complicate the timeline.
“There’s nobody at the helm steering the Bitcoin ship. They’ve not got anybody at the top saying, ‘We need to implement post-quantum security within Bitcoin.’ So the question is, what is their timeline to get ready? The data is all open. It’s all public. It’s worth $100,000 per Bitcoin, and it’s floating around — they’re not essentially protected,” he said.
Migration Must Begin Now
The NCSC’s roadmap outlines a staged migration: setting a goal by 2028, initiating priority PQC activities by 2031, and completing migration by 2035.
Farrell, however, views these as the absolute latest deadlines. “The way that I look at it is — the jury’s out on the dates. NIST has released the official standards. I would say the timer starts now, as opposed to these other timelines. It took them around eight years to officially certify these standards. Suddenly they’re released, and at that point, the timer starts.”
Some companies are already using PQC adoption for brand positioning. “If you look at Cloudflare, they came out recently and said, ‘We’ve upgraded to Kyber.’ That becomes a press release. We’re going to see a lot of demand for customers asking, ‘Is my data post-quantum secure?’”
Farrell sees PQC migration evolving into a market expectation. “The migration is inevitable. The sooner organizations engage with the process, the better positioned they’ll be to protect their data, comply with evolving standards, and earn the trust of their customers in the quantum era.”
His first step for any business is simple: “Start now, sit with us, have a conversation, and, more importantly, read the NCSC position. It makes a lot of sense, and it’s in plain English. Start there and talk to us — then start getting ready.”