Securing the Quantum Future: Why Post-Quantum Cryptography Cannot Wait

Quantum computing is no longer a theoretical curiosity. With steady progress in error correction and algorithm development, machines capable of breaking today’s encryption may arrive within one or two decades – perhaps sooner. For organizations that depend on digital trust, this is an existential risk. The practice known as “harvest now, decrypt later” means sensitive data intercepted today could be exposed when quantum computers mature. Europe, facing hybrid threats and new regulatory requirements, must prepare quickly. The transition to Post-Quantum Cryptography (PQC) is not simply a technical upgrade; it is a matter of digital sovereignty and long-term business survival.

The Quantum Threat: Why Today’s Security Will Not Last

Public key cryptography underpins modern digital life, from secure messaging to software licensing. Yet algorithms like RSA and elliptic curve cryptography, once thought robust, will eventually fall to quantum techniques such as Shor’s algorithm.

Prof. Dr. Joern Mueller-Quade of Karlsruhe Institute for Technology (KIT) explained at this year’s Wibu-Systems INNO DAYS roundtable: “We cannot just assume quantum computers will arrive late. Even if the probability is small in the next 10–15 years, the risk is real because secrets harvested today can be decrypted tomorrow.”

The implication is clear: migration to PQC must begin now, not when quantum hardware becomes mainstream.

Hybrid Threats and the Geopolitical Dimension

Cybersecurity is no longer only about criminal activity; it is inseparable from geopolitics. The Charter of Trust, a publication authored by AES, Allianz, Atos, Bosch, Danfoss, IBM, Infineon, Siemens, and TÜV SÜD and presented at the Munich Security Conference (MSC) in February 2025, underlined the rise of hybrid threats – subtle combinations of cyber, physical, and psychological tactics used by state and non-state actors.

Infineon’s CISO Raphael Otto noted: “The distinction between financially motivated cybercrime and nation-state actors is blurring. Both increasingly collaborate, making attribution and defense harder.”

Hybrid threats show why PQC cannot be addressed in isolation. As Ursula von der Leyen famously said already in 2021: “Any thing which is connected can be hacked.” In a world where digital supply chains, healthcare, and even energy grids are targets, stronger cryptography is part of a wider resilience strategy.

AI and Quantum Computing as Game-Changers

Hybrid threats are not only about blurred lines between war and peace. They increasingly exploit the twin forces of artificial intelligence (AI) and quantum computing (QC). AI is already transforming cyber offense and defense: anomaly detection can protect networks, but adversaries use AI to generate malware, automate disinformation, or probe industrial systems. As Dr. Detlef Houdeau of Infineon pointed out, “Cybersecurity for AI, with AI, and against AI are now parallel challenges – from protecting models and training data to defending against AI-driven attacks.” Quantum computing, meanwhile, poses an even more structural threat. Once operationally relevant, it will undermine today’s cryptography. The transition will not be a clean cut: Europe’s own roadmap foresees hybrid approaches, combining conventional and PQC algorithms to ensure continuity. The challenge is as much organizational as it is technical: companies must rethink lifecycles, supply chains, and certification strategies in the face of AI- and QC-enabled hybrid threats.

Europe’s Roadmap: Regulation, Sovereignty, and Opportunity

Europe is not blind to the challenge. The EU’s Cyber Resilience Act, the Coordinated Implementation Roadmap for PQC, and programs like EuroQCI set ambitious deadlines. High-risk areas must be quantum-secure by 2030, medium risk by 2035.

Dr. Houdeau emphasized: “For critical infrastructure, procurement deadlines start as early as 2027 in the United States. Europe must move in sync – otherwise certified secure products will no longer be marketable.”

For Wibu-Systems, this is also a chance for Europe to lead. “With the European Acts, sometimes seen as a burden, we have an enormous opportunity to raise the security baseline and build trust in Europe-made solutions,” said Oliver Winzenried, CEO of Wibu-Systems.

Crypto-Agility: From Brownfield Reality to Practical Migration

The transition to PQC is not a greenfield project. Most infrastructures must migrate while keeping existing systems active. This requires crypto-agility: the ability to swap algorithms without redesigning entire ecosystems. Mueller-Quade explained: “We have to design products in a way that crypto can be safely exchanged. Digital signatures used for updates, for example, must be quantum-safe as soon as possible.”

For industry, the challenge is compounded by performance and hardware constraints. PQC keys are often ten times larger than today’s ECC keys, stressing chips in passports, secure elements, and IoT devices. As Dr. Houdeau cautioned: “The performance impact can double transaction times at border control or point-of-sale terminals.”

Protecting the Digital Economy: Software, Licensing, and AI Models

PQC is not only about securing state secrets; it protects the fabric of the digital economy. Software vendors, device manufacturers, and AI providers face the same risk: counterfeit licenses and tampered applications if cryptography is broken.

Oliver Winzenried stressed: “Licensing only makes sense if the deployed licenses are secure. Otherwise, illegal third parties can generate valid licenses, and the entire monetization model collapses.”

This is especially urgent in areas like AI-driven medical devices, where models are “frozen” under regulatory certification. PQC-based protection is required not only to prevent piracy, but to ensure the integrity and safety of critical AI models.

Preparing for Tomorrow: The Role of Industry Collaboration

No single actor can solve PQC migration alone. Hardware vendors, software companies, regulators, and research institutions must coordinate. Initiatives like the Charter of Trust demonstrate the value of cross-industry collaboration, fostering shared standards and best practices.

Thomas Depeweg, SAP’s Chief Product Manager, explained how entitlement management ties into this ecosystem: “Entitlements are rights – whether for licenses, services, or data. By combining SAP’s Entitlement Management System (EMS) with Wibu-Systems’ secure licensing, companies can ensure those rights are enforced all the way to the last mile.”

At Wibu-Systems, we recognize our responsibility in this chain. Both our hardware and software tools are being redeveloped to meet PQC standards – from dongles with PQC-ready security controllers to CodeMeter Protection Suite, CodeMeter License Central, and CmCloud with updated key management. The transition is already in motion, laying the foundation for a more secure digital future.

A Call to Action

The quantum era is not a distant prospect. Between hybrid threats, regulatory deadlines, and accelerating technical progress, the timeline for action is measured in years, not decades. Europe has the chance to turn compliance into leadership by embedding PQC into its digital backbone.

Companies cannot afford to wait. The first step is simple but critical: run an inventory, understand where your cryptography is, and prepare a migration plan. The second step is collaboration – with regulators, industry peers, and technology providers.

At Wibu-Systems, we are committed to this transition. By rebuilding our hardware and software with PQC in mind, we ensure that the licenses, applications, and digital assets our customers depend on will remain secure – not just today, but in the post-quantum tomorrow.

Quantum computing will break today’s cryptography sooner than many expect, and adversaries are already harvesting encrypted data to decrypt later. Postquantum cryptography is therefore not optional but essential. Migration must start now: run a cryptographic inventory, map product lifecycles, and plan upgrades. With crypto-agility, cross-industry collaboration, and PQC-ready solutions from partners like Wibu-Systems, organizations can secure their licenses, applications, and digital assets against tomorrow’s threats.

 

KEYnote 50 - Edition Fall/Winter 2025