Newsletter article for FS-ISAC members, May 2026
In May 2026, the G7 Central Bank Quantum Technologies Working Group, co-chaired by the Banque de France and the Bank of Canada, released Preparing for Quantum Technologies: Key Considerations for Financial Sector Participants. The report builds directly on the G7 Cyber Expert Group’s post-quantum cryptography (PQC) roadmap published in January 2026, but it marks a meaningful shift in scope and framing that financial-sector leaders should take note of.
How the May report differs from the January roadmap
The January 2026 G7 CEG roadmap established the planning horizon for PQC migration, defining phases, timelines, and governance principles. It positioned cryptographic transition as a systemic risk management priority, grounded in the urgency of known vulnerabilities.
The May 2026 report takes a deliberately different posture. Prepared by G7 central banks, it is designed as shared analytical work, with the explicit objective to “clarify impacts, risks and trade-offs” rather than prescribe courses of action. Where the January roadmap set milestones, this report maps the broader terrain.
For financial institutions already engaged in PQC migration planning, this distinction matters. The new document does not revise the January roadmap’s recommendations. It enriches them with a wider analytical context, one that will increasingly shape how boards, risk committees, and regulators think about quantum preparedness.
Three substantive additions
1.PQC confirmed as the primary pathway, with migration requirements clarified
The report reaffirms that PQC is the central, scalable response to the quantum threat, building on the standards finalized by NIST in 2024 and progressively incorporated into cryptographic libraries and security products. It acknowledges that other approaches, such as Quantum Key Distribution and symmetric key distribution architectures, may complement PQC in specific, limited contexts. The document is clear that PQC remains the preferred solution for a broad and coordinated transition across the financial sector.
The report adds a sharper description of what PQC migration entails in practice. Financial infrastructures are highly interconnected, and cryptographic mechanisms are deeply embedded across hardware, software, protocols, and operational processes. Migrating to quantum-resistant algorithms therefore requires inventorying cryptographic dependencies across the entire information system, testing compatibility with existing systems, and coordinating updates with external counterparties and service providers. During transition periods, systems using different cryptographic standards may need to coexist, introducing additional interoperability and operational complexity.
2. Cryptographic agility as the migration objective
One of the most significant framings in the May report is the explicit statement that PQC implementation is “not a simple substitution exercise.” The report describes, in practice, cryptographic agility: the capacity to adapt cryptographic mechanisms over time as standards evolve, new vulnerabilities are identified, or algorithmic choices are revised.
The report underlines that PQC standards themselves will continue to evolve, and that organizations will need the architectural flexibility to update algorithms, parameters, and implementations as the landscape develops. An institution that approaches PQC migration as a bounded project, replacing algorithm A with algorithm B, will face the same challenge again within years. An institution that builds cryptographic agility into its infrastructure will absorb future changes as managed evolutions, with less operational disruption. The G7 central banks are, in effect, asking financial institutions to treat PQC migration as the first iteration of an ongoing governance practice.
3. The skills gap is a structural constraint on migration pace
The report introduces a dimension that the January roadmap addressed only implicitly: the scarcity of interdisciplinary expertise in post-quantum cryptography and cryptographic governance. Differences in skills and resources across institutions are identified as a factor that will directly shape the pace and scope of PQC adoption, and that may widen the gap between institutions that are advancing and those that are not.
For financial institutions, this translates into a concrete question for any migration programme: is there sufficient internal capability to lead cryptographic inventory exercises, evaluate PQC algorithm choices, manage vendor roadmaps, and design for cryptographic agility? Building that capability, or identifying the right partners to support it, is itself a readiness step, and one that the G7 is now naming explicitly.
The roadmap’s structure, reaffirmed
The May 2026 report explicitly reaffirms the January G7 CEG roadmap and the six migration phases it defines. For institutions still calibrating their planning horizon, it is worth restating what those phases involve and when they are expected to be completed.
Phase 1. Awareness and Preparation. Establishing executive-level awareness of quantum risks and defining governance responsibilities. This phase should already be complete or underway for most institutions.
Phase 2. Discovery and Inventory. Building a comprehensive inventory of cryptographic assets, including algorithms, keys, certificates, protocols, and third-party dependencies, across IT and OT environments. This is the phase where most financial institutions currently stand, and it is the prerequisite for every phase that follows.
Phase 3. Risk Assessment and Planning. Developing tailored migration plans based on the criticality of systems and functions, with prioritization across the portfolio and clear metrics for tracking progress.
Phase 4. Migration Execution. Progressively deploying quantum-resistant solutions, starting with the highest-priority systems and functions, with pace adapted to the evolving threat landscape.
Phase 5. Migration Testing. Validating migrated functions and embedding quantum resilience into operational and regulatory testing exercises.
Phase 6. Validation and Monitoring. Continuous improvement, incorporation of new cryptographic standards, and adaptive governance as the threat landscape evolves.
On timelines, the January roadmap established two reference points: critical systems should complete migration by 2030 to 2032, and the broader financial sector should achieve full transition by 2035. The May 2026 report does not revise these horizons. It reinforces the Harvest Now, Decrypt Later (HNDL) dimension. Financial institutions exchange data that must remain confidential for extended periods, sometimes decades, making current exposure a present concern regardless of when a cryptographically relevant quantum computer emerges.
Three implications for your migration programme
Revisit your inventory scope.
The May report’s emphasis on embedded cryptographic dependencies, across hardware, protocols, and third-party relationships, suggests that a comprehensive inventory needs to extend well beyond application-layer encryption. The breadth of what needs to be mapped is one of the defining challenges of Phase 2, and underestimating it is one of the most common reasons migration programmes fall behind.
Frame PQC migration as a crypto-agility programme.
If your current migration plan is structured as a project with an end date, the May report is a prompt to revisit that framing. Cryptographic agility needs to be an architectural outcome of the migration. The institutions that emerge from this transition in the strongest position will be those whose infrastructure can absorb the next standards update without a comparable effort.
Invest in internal PQC capability.
The skills gap the report identifies is a competitive and compliance risk. Institutions that build internal expertise in PQC governance, or secure access to it through trusted partners, will move through the migration phases faster and with greater confidence in the decisions they are making.
A maturing consensus
Taken together, the January roadmap and the May 2026 central bank report represent a maturing G7 consensus on quantum preparedness: start with visibility, build for agility, and treat the transition as a long-term governance commitment. The direction has been consistent. What the May report adds is a sharper acknowledgment of the operational complexity involved, and of the structural factors, including the skills gap and the depth of cryptographic dependencies, that will determine which institutions are ready when the milestones arrive.
At CryptoNext Security, we work with financial institutions on exactly this complexity, from cryptographic discovery through PQC testing and crypto-agile architecture. The organisations that will navigate this transition most effectively are those that understand both what they are migrating from and what they are building toward.
More categories:
