Insider Brief
- The G7’s Cyber Expert Group issued a nonbinding roadmap urging financial institutions and authorities to coordinate an early, risk-based transition to post-quantum cryptography to protect financial systems from future quantum-enabled attacks.
- The paper outlines phased migration activities — from inventory and risk assessment to deployment, testing and continuous monitoring — emphasizing flexibility, standards-based approaches and cross-border collaboration.
- The roadmap aligns around the mid-2030s as a general planning horizon, with critical financial systems encouraged to migrate earlier, reflecting long transition timelines and the risk of data being harvested today for future decryption.
- Photo by TheDigitalArtist on Pixabay
The Group of Seven’s (G7) top cyber advisers has released a coordinated, nonbinding roadmap urging banks, insurers, exchanges and regulators to accelerate preparations for a shift to post-quantum cryptography, warning that the long lead times required for cryptographic change mean financial institutions must act well before quantum computers are capable of breaking today’s encryption.
In a policy paper published recently, the G7 Cyber Expert Group said the financial sector faces a narrow window to migrate away from cryptographic methods that could be rendered obsolete by future quantum machines, even though the precise timing of that threat remains uncertain. The document stops short of setting regulatory mandates, but it aligns G7 authorities around a shared planning horizon and a risk-based approach that treats quantum-safe migration as a core resilience issue rather than a niche technology upgrade.
The statement reflects a growing consensus among governments and industry that the transition to post-quantum cryptography — encryption designed to resist attacks from quantum computers — will be complex, costly and slow. As a result, waiting for a clear signal that quantum computers can crack existing systems could leave critical financial infrastructure exposed.
The roadmap is aimed at senior executives and public officials responsible for safeguarding the stability of payment systems, clearing and settlement platforms, trading venues and the data that underpins them. It emphasizes coordination across borders and institutions to avoid fragmented approaches that could weaken interoperability in a sector that depends on shared standards and trusted connections.
Quantum Risk Moves From Theory to Planning
The G7 paper builds on a 2024 statement in which the Cyber Expert Group assessed both the promise and the peril of quantum computing. While quantum machines could eventually deliver powerful tools for optimization, risk modeling and other financial uses, sufficiently advanced systems would also be able to defeat widely used public-key cryptography that protects communications, transactions and stored data.
That risk is uneven because not all cryptographic algorithms are equally vulnerable and not all systems carry the same systemic importance. But the group stressed that the most commonly used public-key methods, which underpin secure internet traffic and digital identity, are among those most exposed in a post-quantum world.
The recommended response is a transition to quantum-resistant algorithms that can run on today’s computers but are designed to withstand attacks from future quantum systems. Such algorithms already exist and some organizations have begun experimenting with them. Still, the paper notes that cryptographic migration is rarely straightforward. It often requires reengineering software, updating hardware, coordinating with vendors and testing for unexpected failures—steps that can stretch over many years.
A Phased Roadmap
To manage that complexity, the Cyber Expert Group outlined a six-phase framework intended to give financial institutions and regulators a common reference point for planning. The phases range from early awareness and inventory-building to execution, testing and continuous validation.
The first stages focus on governance and visibility. Institutions are encouraged to elevate quantum-related cyber risk to the executive level, define clear roles and responsibilities and map critical systems, sensitive data and communication protocols. That work feeds into a comprehensive inventory of cryptographic assets and third-party dependencies, an exercise that many organizations have never completed in full.
Later phases shift toward tailored risk assessment and migration planning. Rather than prescribing a single timeline, the roadmap urges institutions to prioritize based on exposure and systemic importance. Critical functions may warrant accelerated timelines, while less sensitive systems could be used as pilots to build experience.
Execution and testing are framed as iterative processes, not one-off projects. Quantum-resistant solutions are expected to be deployed gradually, starting with priority systems and adapting as the perceived threat evolves. Testing extends beyond individual firms to ecosystem-level exercises designed to assess resilience across interconnected institutions.
Public authorities have a parallel role throughout the process. The roadmap calls on regulators and central banks to communicate risks clearly, promote consistent approaches across jurisdictions, monitor progress and remove barriers that could slow adoption, particularly for smaller firms that rely heavily on third-party technology providers.
Standards and Vendors
A recurring theme in the G7 paper is the financial sector’s dependence on shared standards and external vendors. Banks and market utilities often rely on the same cloud platforms, software libraries and cryptographic services, meaning weaknesses or delays in one part of the supply chain can ripple outward.
To address that risk, the roadmap encourages a standards-based approach that leverages existing information security frameworks and emerging post-quantum specifications. It highlights the value of measurable milestones that allow both institutions and authorities to track readiness and recalibrate plans as conditions change.
The paper also underscores the need for close collaboration with technology providers. Limited transparency into vendor roadmaps, particularly for cloud and cryptographic services, is identified as a potential bottleneck. Without clear insight into when quantum-resistant options will be available and supported, financial institutions may struggle to plan their own migrations.
Stakeholder dialogue is therefore positioned as a continuous activity, alongside governance and risk management. The Cyber Expert Group said structured engagement can help surface practical obstacles, share lessons learned and reduce the risk that different jurisdictions move at incompatible speeds.
Target Dates
Although the roadmap avoids setting binding deadlines, it does converge on a broad planning horizon. Drawing on guidance from multiple jurisdictions and standard-setting bodies, the Cyber Expert Group said 2035 is widely cited as a reasonable target for completing the transition to quantum-resistant cryptography across government and private-sector systems.
That date reflects several considerations. One consideration is the possibility of “harvest now, decrypt later” attacks, in which adversaries collect encrypted data today with the expectation that it can be deciphered once quantum capabilities mature. Another is the long lead time required to update complex financial systems safely, especially those that cannot tolerate downtime or errors.
The paper also points to a more aggressive window—roughly 2030 to 2032—for addressing the most critical systems. Prioritizing those assets earlier is seen as a way to limit downside risk if quantum capabilities advance faster than expected.
At the same time, the group emphasized that all timelines are subject to revision. Advances in quantum hardware, changes in the threat environment, or delays in standardization could all shift the calculus. Institutions are urged to design migration plans that can adapt, rather than locking themselves into rigid schedules.
The Cyber Expert Group was explicit that its roadmap does not establish regulatory expectations. Instead, it is meant to inform and align planning across the G7, providing context for decisions that will ultimately be made by individual firms and national authorities.
Still, the breadth of the document signals a shift in how quantum risk is being framed at the policy level. Rather than a distant, speculative concern, post-quantum cryptography is treated as an operational challenge that must be integrated into existing governance, risk management and technology strategies.
The group said it will continue to monitor progress, share information across jurisdictions and coordinate with standard-setting bodies and other stakeholders. As understanding of quantum threats evolves, the roadmap itself may be updated.
