Most Firms Lack Roadmap for Post-Quantum Cryptography

Businesses across industries remain largely unprepared for the security implications of quantum computing, with 91% of security professionals lacking a formal post-quantum cryptography roadmap, according to new research from the Trusted Computing Group, raising concerns over long-term protection of sensitive and regulated data.

The industry consortium’s State of PQC Readiness report finds that despite growing awareness of quantum threats, concrete planning and technical readiness remain limited among security teams in the United States and Europe.

The report shows that 91% of surveyed cybersecurity professionals currently lack a formal roadmap for adopting post-quantum cryptography (PQC), even as expectations grow that quantum computers capable of breaking widely used encryption schemes could emerge between 2030 and 2035. Compounding the issue, 81% of respondents believe their existing cryptographic libraries and hardware security modules are not prepared for a transition to PQC, leaving organizations exposed to future decryption risks.

While large-scale quantum attacks may still be years away, the threat is already materializing through so-called “harvest now, decrypt later” strategies. In these scenarios, attackers collect encrypted data today with the expectation that it can be decrypted in the future once sufficiently powerful quantum systems become available. This approach poses particular risks for industries that rely on long-term confidentiality, such as healthcare, finance, government, and critical infrastructure.

TCG surveyed 1,500 senior cybersecurity professionals across the US and Europe to assess levels of awareness, preparedness, and investment planning related to PQC. Although 76% of respondents expressed confidence in their understanding of the quantum threat landscape, many cited practical barriers that slow action. Integration challenges, compatibility issues with legacy systems, and the complexity of migrating cryptographic infrastructure were identified as key obstacles.

The findings suggest that regulatory pressure and industry coordination will play a decisive role in accelerating adoption. Contractual requirements, sector-specific standards, and new regulations are expected to be the primary drivers for PQC migration rather than voluntary early adoption. More than half of respondents indicated plans to allocate between 6% and 10% of their IT and security budgets toward quantum-resilient cryptography initiatives, signaling intent but also underscoring competition for limited security funding.

TCG emphasized that preparedness requires more than awareness. As standards bodies such as the National Institute of Standards and Technology (NIST) and national cybersecurity agencies continue to publish approved PQC algorithms and transition guidance, organizations face increasing pressure to move from theoretical understanding to implementation planning. The group is updating its own specifications to align with emerging PQC standards and parameter sets, aiming to provide a consistent foundation for vendors and enterprises preparing for cryptographic migration.

The report highlights a growing disconnect between the pace of quantum computing research and enterprise security readiness. While many organizations acknowledge that current public-key cryptography will not withstand future quantum attacks, most remain in the early stages of planning, leaving a narrowing window to address data protection risks before quantum capabilities mature.

Executive Insights FAQ

What is post-quantum cryptography?

Cryptographic methods designed to remain secure against attacks from quantum computers.

Why is action needed before quantum computers are widely available?

Attackers can steal encrypted data today and decrypt it later using quantum systems.

Which industries face the highest risk?

Sectors requiring long-term data confidentiality, including healthcare, finance, and government.

What is slowing PQC adoption today?

Integration complexity, legacy system compatibility, and limited security budgets.

What will drive PQC migration in the coming years?

Regulatory mandates, contractual obligations, and industry-wide standards.
