It is only a matter of time before quantum computing can break today’s standard encryption (the so-called “Q-Day”). The timeline is uncertain, but the impact will be immediate, especially due to the risk of “store now, decrypt later”: adversaries can collect encrypted data today and decrypt it when quantum technology becomes feasible.
Many organizations must protect sensitive data far beyond traditional risk planning windows. While new post-quantum encryption standards have been approved, some ADC and CDN vendors are now beginning to offer hybrid protection, but the challenges are urgent: the technical debt accumulated in legacy systems will soon come under scrutiny, and pressure from regulators and stakeholders is increasing.
The CISO’s view is that it is time to take action, rather than getting lost in governance, risk, and compliance (GRC) issues. Audits, enhanced reviews, and verification of quantum readiness in the new ecosystem are expected to begin as early as 2026. Security and GRC teams are already facing overwhelming complexity in evaluating vendors, especially for traditional or non-upgradable devices. Having clear information, status, and reporting will serve your organization well in the coming years.
The Future is Now
Although people tend to view quantum risks as a problem for tomorrow, the formal approval of PQC standards marks the beginning of a new era. Gartner predicts that widely used asymmetric encryption methods could be compromised as early as 2029 and completely broken by 2034.
We are closer to 2029 than we were in 2020, and that is not much time for a multi-year project, especially one that has yet to define its scope, priorities, budget, or commitments. As we will see, the scope of legacy technologies and non-upgradable devices will be larger than many realize.
For CISOs, CTOs, and CIOs, failing to proactively prepare for PQC is becoming a critical business resilience risk, and worse, we have seen this risk for over a decade. Delaying action could expose organizations to foreseeable violations, regulatory non-compliance (such as GDPR), and reputational damage.
Now is not the time to panic, but rather to urgently coordinate planning across organizations and supply chains. As you plan for 2026, strategic investments and concrete action plans for PQC will be prerequisites for responsible security leadership in the AI and quantum era.
NIST Standards and Federal Authorization
The National Institute of Standards and Technology (NIST) provides a clear path forward, finalizing PQC algorithms such as ML-KEM (FIPS 203) for key exchange, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) for backup signatures. These tested standards provide a stable technical foundation that transforms PQC from theory into actionable practice. NIST’s guidance is also clear: the standards have been approved, and it is now time to implement the first set of standards.
Since the quantum computers we are defending against have not yet been built, this is the first migration to new encryption. The goal is not a one-time upgrade, but to instill “cryptographic agility” as a core capability of your IT shop and supply chain, as we will need to do this again with the emergence of new quantum threats.
A Fundamental Architectural Shift, Don’t Forget GRC
The initial implementation of PQC standards will largely be a software upgrade. However, achieving cryptographic agility (the ability to rapidly update encryption as standards evolve) requires profound changes in asset management, governance, and IT operations. GRC teams must prepare for a wide range of issues involving inventory, version management, compatibility testing, and risk registration.
Poorly managed transitions will increase the risk of disruptions, operational downtime, and compliance failures, especially in hybrid cloud, multi-cloud, and legacy environments.

However, the quantum transition can serve as a catalyst for long-overdue digital transformation and mainframe retirement, if you can find the right talent and legacy documentation, action must be taken immediately.
Companies outsourcing critical IT functions (especially legacy systems) need to start documenting and truly understanding how these old systems work. Many projects will incur huge costs and schedule overruns due to underestimating the work involved.
The iron triangle of project management is crucial here, as you may encounter multiple business cases and remediation pathways, especially in complex enterprises that have grown through acquisitions.
Applications Under the Quantum Lens
PQC directly impacts applications, not just infrastructure. Adopting quantum-safe encryption means not only changing libraries but may also require significant code revisions in deeply integrated cryptographic components. Given the years of effort, CISOs and GRC leaders should anticipate resistance, complaints about resource shortages, expensive consulting fees for specialized skills, internal pushback, and the sparse documentation on legacy systems that often complicates matters.
Taking action early can mitigate future crises and allow for more thoughtful, less disruptive changes. Most companies still do not know what they do not know, and managing stakeholder expectations on this topic is critical for success and execution.
Practical Application Impacts
PQC algorithms typically require larger keys and greater computational demands, which may affect application latency and throughput, especially for time-sensitive workloads.
Modernization efforts to support PQC often expose hidden technical debt, leading to budget overruns, but ultimately will provide resilience and performance advantages in the future.
Expectations must be managed that not all systems can be upgraded; this is not a one-time “set it and forget it” event. Communication with stakeholders must emphasize that ongoing discovery and adaptation is the new normal, and that this transition is expected to face new challenges over time.
Infrastructure Transformation: Network, Cloud, and Edge
PQC will reshape network devices, servers, and cloud services, especially those managing TLS termination and encryption. While many browsers and servers will adapt, many legacy systems will need upgrades or replacements due to increased bandwidth and processing demands.
A strategic insight for security planning is the distinction between the impact of PQC on key exchange mechanisms (KEM) and digital signatures in protocols like TLS. The most urgent priority is to deploy PQC KEMs (such as ML-KEM) to address the “store now, decrypt later” threat, as these threats can protect long-term data currently being collected by adversaries.
The rollout of digital signatures can follow a more cautious, risk-based timeline, as forgery is only possible during active sessions.
Hardware Security Modules (HSM)
HSMs are critical for managing cryptographic keys but face challenges in a PQC world. The larger keys and increased processing demands of quantum-safe algorithms may exceed the capabilities of existing resource-constrained hardware. Techniques like seed-based key generation can help with storage but introduce new computational overhead. Upgrading to PQC-ready HSMs typically increases costs, complexity, and time, but is necessary for ongoing cryptographic integrity.
The Toughest Part: Legacy and Resource-Constrained Devices
Perhaps the most daunting challenge of PQC is its entry into operational technology (OT), the Internet of Things, and other embedded systems not designed for cryptographic agility. These devices often lack the necessary memory, storage, or computational power to handle larger PQC key sizes and increased processing requirements. This situation necessitates cross-functional collaboration across network security, infrastructure, and data management, all under increasingly compressed delivery timelines. These devices may require network segmentation to buy time until replacement or upgrades are feasible.
F5: Your PQC Strategic Partner
F5, with its extensive experience in application delivery and security, is uniquely positioned to help organizations navigate this transition. The F5 Application Delivery and Security Platform (ADSP) has already provided seamless integration of PQC-ready solutions, simplifying application delivery and security across hybrid cloud, multi-cloud, and traditional environments.
As leading industry analyst firm EMA recently noted in its 2025 vendor vision: Black Hat edition: “F5 ADSP is not just a tool for protecting applications; it is a forward-looking solution designed to protect critical assets from emerging threats, including the imminent challenges of quantum computing… F5 has decisively integrated PQC readiness early, setting it apart from competitors still in experimental stages.”
F5’s unified visibility, management, and threat assessment tools make coordinating the quantum-safe transition more practical and less of a burden on business agility. As an intermediary, we can be seen as “your middleman,” helping organizations centralize and automate encryption transitions at the network edge and application front door while providing telemetry and AI-driven insights for ongoing threat management. This approach directly addresses the challenge of “changing the engines of a plane in flight” by decoupling PQC migration from core application development cycles, significantly alleviating immediate operational burdens and disruption risks.
Act Now: A CISO’s Quantum Resilience Handbook
The PQC journey is a multi-year transformation, and security leaders must clarify challenges, set expectations, and plan to adapt timelines as new threats or legacy complexities arise. Proactive preparation can leverage the mission and necessity of PQC into a strategic opportunity to finally address long-standing technical debt, as we will have to do this again. Seize this opportunity for end-to-end visibility, modernize operations, and demonstrate visible leadership in digital resilience.
Successful organizations will be those that view PQC as an ongoing enterprise-wide evolution rather than a one-time upgrade. Take a holistic approach, cascade messaging throughout the organization and supply chain, and invest immediately in foundational work. This is an opportunity to strengthen your organization for a safer, more agile, and resilient future. Your leadership in this era will determine your organization’s continuity, compliance, and reputation in the coming years, and F5 will be there to assist you every step of the way.