Quantum computing is still years away from breaking current encryption, but many security teams are already worried about what happens when that moment arrives. A new report from the Trusted Computing Group (TCG) shows that most businesses say they grasp the threat, but almost none have the planning or technical groundwork needed to handle a shift to post quantum cryptography.
Confidence rises, preparation stalls
TCG surveyed 1,500 security professionals across the US, UK and Europe. Three quarters of respondents said they feel confident in their understanding of how quantum computing could undermine current cryptographic systems. Sectors that deal with frequent attacks, such as education, legal and healthcare, reported the highest confidence levels.
The report finds that 91 percent of businesses do not have a formal roadmap for migrating to quantum safe algorithms. A small group has draft plans, and a few organizations began early planning years ago, but these are exceptions. Most sectors show very limited progress, including industries that depend heavily on cryptographic integrity.
Belief in quick adoption does not match reality
More than half of respondents expect to have at least one post quantum algorithm protecting production data by 2026. That optimism stands in sharp contrast to the work required. NIST only recently finalized its first set of standards, and the agency notes that the journey from standardization to full integration can take a decade or more.
Many organizations will need to rebuild their public key infrastructure and update systems that rely on strong key management. These long cycles make the 2026 expectation difficult. TCG’s report suggests that businesses may be setting timelines based on external pressure rather than technical readiness.
Core cryptographic systems are not ready
The report highlights one of the toughest challenges. Eighty one percent of respondents said their crypto libraries and hardware security modules are not prepared for post quantum integration. Many use legacy systems that depend on protocols designed long before quantum threats were taken seriously. Retrofitting these systems is not a simple upgrade. It requires changes to how keys are generated, stored and exchanged.
Skills shortages compound the problem. Many security teams lack experience in testing or deploying post quantum algorithms. Vendor dependence also slows progress because businesses often cannot move forward until external suppliers update their own tooling.
Who is driving the work inside organizations
Leadership on post quantum projects varies across industries. CTOs, CIOs and CISOs are the most common internal sponsors, particularly in IT, telecoms and healthcare. In sectors with fewer internal experts, such as architecture, engineering and education, respondents said they rely more on consultants to guide strategy.
This uneven ownership makes it harder to build momentum across an organization. TCG notes that policy milestones in the US, UK and EU have encouraged more planning in recent years, but the level of activity is still far from what migration will require.
Businesses start to rank what they would protect first
When asked which systems they plan to secure first, respondents most often selected identity and access management. Thirty five percent put IAM at the top of the list. These systems rely heavily on public key cryptography, which makes them an early target for quantum capable attacks. Industrial control systems follow closely in several sectors because many run on older infrastructure with long replacement cycles.
Intellectual property and trade secrets remain a priority in the US and UK. Education institutions stand out for giving more attention to blockchain based storage used for student records and credentials. Each of these areas sits on cryptographic foundations that will need to change.
Budgets shift toward post quantum work
Nearly every organization surveyed plans to allocate budget toward post quantum projects within the next two years. Most expect to spend between six and ten percent of their cybersecurity budgets on research, tooling or deployment. Spending levels differ by region. More than half of US organizations plan to invest at least eleven percent, far higher than the UK and Germany.
Even with these plans, a small share of respondents in the UK and US said they do not intend to use any of their available budgets for post quantum work despite believing they will adopt an algorithm by 2026. This reflects an uncertainty about how to scope early investments.
Pressures that could speed up adoption
Contractual requirements from customers and partners are seen as the strongest motivator for adoption. Industry standards rank near the top of the list across most sectors. Many respondents also pointed to upcoming regulations and mandates as drivers. Security incidents ranked surprisingly low in the US, suggesting that market and policy signals hold more influence than hypothetical attack scenarios.
Concerns that keep teams up at night
Integration challenges top the list of worries. Respondents also named security risks, cost pressures, migration complexity and skills gaps. Many described uncertainty around making legacy systems post quantum ready and the difficulty of coordinating between cloud environments and on premises assets.