In response to this emerging risk, the NIST standardized four\u00a0post-quantum\u00a0asymmetric algorithms in August 2024, specifically designed to withstand attacks from quantum computers.<\/span>\u00a0<\/span><\/p>\n While quantum computers are not yet powerful enough to carry out such attacks, estimates vary as to when this capability will be reached, with many experts\u00a0anticipating\u00a0a\u00a0timeframe\u00a0between 2033 and 2037.<\/span>\u00a0<\/span><\/p>\n Nevertheless, the \u201cHarvest Now, Decrypt Later\u201d (HNDL) threat\u2014where attackers collect encrypted data today with the intent of decrypting it in the future using quantum computers\u2014makes it critical to protect sensitive,\u00a0long-lived\u00a0data well before such machines become operational.<\/span>\u00a0<\/span><\/p>\n While 2024 marked the completion of technical standards with the publication of the NIST specifications, 2025 stands out for the acceleration of institutional and regulatory roadmaps. In recent months, several major stakeholders have released their recommendations:<\/span>\u00a0<\/span><\/p>\n These announcements build on previously communicated timelines: the NIST released a draft targeting 2035, while the Australian Signals Directorate (ASD) set a 2030 deadline. We expect\u00a0additional\u00a0countries to issue similar announcements in the coming months.<\/span>\u00a0<\/span><\/p>\n As a result, the\u00a0post-quantum\u00a0transition is no longer solely a technological challenge. It is becoming a regulatory and institutional imperative, comparable to past largescale digital transformations. Regardless of the exact timeline for the emergence of quantum computers capable of breaking current cryptographic algorithms, a transition is unavoidable.<\/span>\u00a0<\/span><\/p>\n Migrating a complex IT infrastructure is far from trivial. According to a 2022 memorandum, the Biden administration estimated the cost of migrating all U.S. federal agencies at over $7 billion. Such a program spans multiple dimensions\u2014from risk assessment to technical execution\u2014and involves\u00a0numerous\u00a0intermediate steps. Dedicated solutions already exist to support and accelerate each phase of this transition.<\/span>\u00a0<\/span><\/p>\n The 2026\u00a0Wavestone\u00a0Radar of\u00a0post-quantum\u00a0migration solutions provides a visual overview of the leading solutions available on the market to support this transition. It has been\u2014and will continue\u00a0to be\u2014regularly updated and enriched over the coming months.\u00a0Any company that believes it should be featured is encouraged to contact us.<\/span>\u00a0<\/span><\/p>\n The\u00a0objective\u00a0of this radar is not to list solutions that have already completed their\u00a0post-quantum\u00a0transition, but rather to highlight those that actively support and accelerate the migration process.<\/span>\u00a0<\/span><\/p>\n Quantum Key Distribution (QKD) was considered but\u00a0ultimately excluded\u00a0as a category. While QKD is resistant to quantum computers, it is not technically a\u00a0post-quantum\u00a0cryptography technology and is not recommended by regulatory bodies.<\/span>\u00a0<\/span><\/p>\n Our\u00a0initial\u00a0feedback from supporting\u00a0post-quantum\u00a0migration programs highlights a clear reality: it is impossible to plan and budget a migration without visibility into the existing environment.\u00a0<\/span>Concretely,\u00a0organizations\u00a0need\u00a0to\u00a0understand\u00a0:<\/span>\u00a0<\/span><\/p>\n Conducting an exhaustive inventory of a complex IT infrastructure\u00a0represents\u00a0a significant investment. It is therefore critical to prioritize the areas where inventory tools should be deployed first, based on three key criteria: data exposure (data accessible via the internet, exchanged with partners, etc.),\u00a0long-term\u00a0data sensitivity and vulnerability to HNDL attacks, and the technical components used to secure this data. Without this upfront\u00a0visibility\u2014understanding which algorithms are used, for which purposes, and to protect which data-effective migration planning becomes impossible.<\/span>\u00a0<\/span><\/p>\n However, cryptographic inventory cannot rely on\u00a0a single source. Organizations must combine multiple complementary approaches: network probes enable\u00a0real-time\u00a0observation of traffic, code\u00a0analysis\u00a0identifies\u00a0cryptographic usage within applications and internal developments, SaaS\u00a0specific tools and interfaces with external providers reveal\u00a0third-party\u00a0dependencies, while existing CMDBs and reference repositories map the overall infrastructure. This multiplicity of sources creates a new strategic need for tools capable of centralizing heterogeneous information and providing a\u00a0consolidated, actionable view to effectively\u00a0manage\u00a0migration. A trend is\u00a0emerging\u00a0around the CBOM (Cryptography Bill of Materials) format to standardize these inventories, although it is still too early to assess its actual adoption across the market.<\/span>\u00a0<\/span><\/p>\n Inventory thus becomes the foundation of\u00a0post-quantum\u00a0migration governance. Without it, organizations are effectively navigating\u00a0blind.<\/span>\u00a0<\/span><\/p>\n Since 2024, the market for digital asset inventory solutions has experienced\u00a0strong growth, driven by the emergence of highly specialized players focused exclusively on the detection, mapping, and management of IT assets (hardware, software, cryptographic certificates, etc.). These vendors stand out for their deep\u00a0expertise\u00a0and ability to address complex environments.<\/span>\u00a0<\/span><\/p>\n At the same time,\u00a0established\u00a0players in the network and infrastructure space\u00a0\u2013\u00a0such\u00a0as IBM, Samsung, Cisco, and Microsoft\u00a0\u2013\u00a0are\u00a0leveraging\u00a0their\u00a0deep knowledge of IT environments to deliver robust solutions. These offerings increasingly integrate advanced network probes and cryptographic inventory capabilities, with growing attention paid to\u00a0post-quantum\u00a0cryptography challenges.<\/span>\u00a0<\/span><\/p>\n Cryptoagility\u00a0is not merely a technical feature; it is a strategic capability that enables organizations to adapt to cryptographic evolutions without operational disruption. As\u00a0post-quantum\u00a0cryptographic (PQC) algorithms increasingly become a regulatory standard,\u00a0cryptoagility\u00a0allows business logic to be decoupled from the underlying cryptography, thereby\u00a0facilitating\u00a0updates without requiring a complete overhaul of existing infrastructures.<\/span>\u00a0<\/span><\/p>\n To adopt a\u00a0crypto agile\u00a0approach, organizations must embed flexible and scalable mechanisms from the design phase, capable of adapting to cryptographic advances\u2014whether driven by the quantum threat or by the rapid deprecation of algorithms.<\/span>\u00a0<\/span><\/p>\n On the library side, solutions offering a modular approach are now widely available. Tools such as\u00a0<\/span>Open Quantum Safe (OQS)<\/span><\/b>, compatible with OpenSSL and\u00a0BoringSSL, or\u00a0<\/span>liboqs<\/span><\/b>\u00a0(Intel),\u00a0optimized\u00a0for x86 architectures, enable the integration of\u00a0NIST standardized\u00a0post-quantum\u00a0algorithms (Kyber,\u00a0Dilithium, SPHINCS+).\u00a0<\/span>Bouncy Castle<\/span><\/b>, for its part, provides a unified API for Java and C#, easing the transition between classical and\u00a0post-quantum\u00a0cryptography.<\/span>\u00a0<\/span><\/p>\n However, the modular approach offered by these libraries must be integrated into a broader ecosystem of specialized tools. In this context, inventory solutions and cryptographic key and certificate lifecycle management tools play a critical role. They enable the establishment of an exhaustive mapping of the cryptographic environment, providing full visibility into all assets that need to be protected. This comprehensive view forms an essential foundation for ensuring data security and implementing truly effective risk management.<\/span>\u00a0<\/span><\/p>\n Ultimately,\u00a0crypto\u00a0agility\u00a0goes beyond the technical domain. It is a strategic capability that allows organizations to secure their data sustainably, reduce\u00a0quantum related\u00a0risks, and approach the future with greater confidence. The technological building blocks are already in place; what\u00a0remains\u00a0is to integrate them today into cybersecurity strategies.<\/span>\u00a0<\/span><\/p>\n Given the scale and complexity of\u00a0post-quantum\u00a0migration programs, perimeter protection (edge protection) solutions provide a pragmatic and\u00a0fast acting\u00a0approach to reducing exposure across critical data flows.<\/span>\u00a0<\/span><\/p>\n These solutions enable the rapid securing of sensitive communication channels\u2014such as VPNs, email, and file transfers\u00a0\u2013\u00a0by\u00a0encapsulating traffic within a\u00a0post-quantum\u00a0cryptographic layer, without requiring changes to the underlying applications. This makes it possible to deploy wrappers around critical applications without waiting for their full redesign or migration.<\/span>\u00a0<\/span><\/p>\n The primary advantage of this approach lies in the significant time savings it delivers. While a comprehensive application-level migration remains necessary in the medium term and may span several years, perimeter protection offers immediate security for the most exposed assets. This strategy allows organizations to intelligently prioritize the protection of their most sensitive data, while methodically preparing for the broader, long-term migration of their IT infrastructure.<\/span>\u00a0<\/span><\/p>\n In the first version of our radar, we highlighted the lack of certifications for\u00a0post-quantum\u00a0Hardware Security Modules (HSMs), which\u00a0represented\u00a0a major barrier to their deployment in production environments.<\/span>\u00a0<\/span><\/p>\n This situation has since evolved positively. Both the\u00a0<\/span>ANSSI<\/span><\/b><\/a>\u00a0and the\u00a0<\/span>BSI<\/span><\/b><\/a>\u00a0have now issued three Common Criteria certifications for PQC\u00a0compatible HSMs (from\u00a0<\/span>Samsung<\/span><\/b>,\u00a0<\/span>Thales<\/span><\/b>, and\u00a0<\/span>Infineon<\/span><\/b>). These certifications mark a significant turning point and pave the way for\u00a0real-world\u00a0deployments under operational conditions.<\/span>\u00a0<\/span><\/p>\n HSMs play a critical role in the digital trust chain, particularly for:<\/span>\u00a0<\/span><\/p>\n However, even when certified, these HSMs must still address challenges related to\u00a0side channel\u00a0attacks, given the relative immaturity of current implementations of these new algorithms. The scientific community continues to actively assess and analyze these risks.<\/span>\u00a0<\/span><\/p>\n While the market for PQC solutions is progressing rapidly for traditional IT environments, a worrying gap is\u00a0emerging\u00a0for IoT and embedded systems. These devices\u00a0operate\u00a0under severe constraints\u00a0\u2013\u00a0limited power, reduced processing capabilities, and restricted storage\u00a0\u2013\u00a0which directly conflict with the requirements of\u00a0post-quantum\u00a0algorithms, inherently more\u00a0resource intensive\u00a0than their classical counterparts.<\/span>\u00a0<\/span><\/p>\n Deploying PQC on such systems often requires dedicated processors with optimized instruction sets. However, the current hardware ecosystem\u00a0remains\u00a0insufficient: few dedicated PQC hardware accelerators are available on the market, and hardware development cycles typically span several\u00a0years. This technical complexity is compounded by the challenge of upgrading a highly decentralized and heterogeneous device landscape, including widely deployed and\u00a0hard\u00a0to\u00a0access\u00a0connected objects,\u00a0mission critical\u00a0industrial systems where downtime is costly, smart cards with long renewal cycles, and legacy equipment with limited or no update capabilities.<\/span>\u00a0<\/span><\/p>\n The risk is clear: a lasting gap could\u00a0emerge\u00a0between traditional IT environments, which will progressively migrate to PQC, and embedded IoT systems, which may remain vulnerable for a much longer period. Organizations must\u00a0anticipate\u00a0this challenge now by embedding PQC compatibility requirements into their specifications for all new deployments of embedded and connected equipment.<\/span>\u00a0<\/span><\/p>\n The market has now clearly acknowledged that the\u00a0post-quantum\u00a0transition will necessarily begin with a systematic inventory phase and a comprehensive risk assessment, a realization that has reshaped the structure of the ecosystem. This growing awareness is reflected in several encouraging developments: the proliferation of specialized solutions for mapping cryptographic assets; the first official certifications for\u00a0PQC\u00a0compatible\u00a0security modules, confirming their readiness for operational deployment; and the maturity of opensource libraries, now widely supported by the industry. Migration support tools further complement this landscape. In parallel, perimeter security approaches already make it possible to protect sensitive data flows without waiting for a full system overhaul.<\/span>\u00a0<\/span><\/p>\n However, this momentum continues to face persistent challenges. Delays in the development of suitable hardware\u00a0\u2013\u00a0particularly\u00a0for IoT and embedded systems\u00a0\u2013 remain a major obstacle, with a\u00a0still limited\u00a0availability of\u00a0low power, PQC\u00a0compatible processors. Certifications, while promising, remain limited in number and cover only part of the available technological spectrum. Finally, inventory tools, despite becoming increasingly sophisticated, have yet to fully\u00a0demonstrate\u00a0their ability to effectively address the complexity and heterogeneity of large enterprise IT environments.<\/span>\u00a0<\/span><\/p>\n As a result, while the market has clearly oriented its efforts toward inventory and risk analysis as essential prerequisites for migration, technological and industrial challenges continue to slow largescale adoption.<\/span>\u00a0<\/span><\/p>\n \u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":" The Quantum Threat Is Becoming Clearer\u00a0 Quantum computing poses a serious threat to today\u2019s asymmetric cryptography and is expected to\u00a0render\u00a0widely used algorithms such as RSA and ECC obsolete. By contrast,\u00a0symmetric cryptography (such as AES)\u00a0and hash functions,\u00a0maintaining\u00a0an equivalent level of security…<\/p>\n","protected":false},"author":81,"featured_media":29389,"comment_status":"open","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2777,3977],"tags":[],"coauthors":[3789,4477,4612],"class_list":["post-29391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-digital-trust","category-focus"],"acf":[],"yoast_head":"\n2025: Regulatory Acceleration\u00a0<\/h1>\n
\n
The\u00a0Wavestone\u00a0Radar: A Market Overview of Solutions\u00a0<\/h1>\n
![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/03\/radar_1-1.png\")
<\/p>\nRadar Categories\u00a0<\/h1>\n
\n
Inventory: The Cornerstone of Any Migration\u00a0<\/h1>\n
\n
CryptoAgility: A Long Term Objective of the Post-quantum Transition\u00a0<\/h1>\n
Perimeter Protection: A Rapid Mitigation Strategy\u00a0<\/h1>\n
HSMs and Certifications: A Turning Point in 2025\u00a0<\/h1>\n
\n
IoT and Embedded Systems: The Weak Link\u00a0<\/h1>\n
A Nuanced Market Outlook\u00a0<\/h1>\n