Post quantum cryptography migration must start now.
“Don’t panic. Plan.” That closing remark at the 8th Post Quantum Network Seminar at MWC Barcelona captured the mood of the discussion. Quantum computers capable of breaking today’s cryptography do not yet exist. However, the transition to post-quantum cryptography will be one of the most complex security migrations the mobile industry has faced. Operators, vendors and regulators must therefore begin preparing well before quantum computers reach the scale needed to break current encryption systems.
For decades, the internet and mobile networks have relied on public-key cryptography to secure authentication, encryption and digital identity. These systems depend on mathematical problems that classical computers struggle to solve. Quantum computers could eventually break those protections using algorithms such as Shor’s algorithm. Professor Michele Mosca, CEO of evolutionQ and Professor at the University of Waterloo, told attendees that expert assessments now point to a “material risk of a cryptographically relevant quantum computer within five to ten years.” That estimate does not mean a sudden collapse of security. Instead, it highlights how little time remains for industries that must upgrade complex global infrastructure.
Early preparation is essential to avert the so-called ‘harvest now, decrypt later’ risk. Attackers can capture encrypted data today and store it for future decryption once quantum computers become powerful enough. For organisations handling sensitive information with long confidentiality lifetimes, this creates an immediate exposure. Even if quantum computers take another decade to mature, data intercepted today could still be compromised in the future.
Yet cryptographic transitions move slowly. Network equipment, devices and standards evolve over many years. As a result, mobile network operators cannot wait for certainty about quantum computing timelines. The migration must begin long before the threat becomes immediate. The seminar therefore focused less on speculation about quantum breakthroughs and more on how the industry can coordinate a gradual transition toward quantum-safe systems.
Standards are driving the post-quantum cryptography migration timetable
While the arrival of powerful quantum computers remains uncertain, the regulatory and standards landscape is already moving forward. Governments and standards organisations have begun defining the roadmap for replacing vulnerable cryptographic methods. For companies operating large digital systems, those milestones may prove more decisive than the technology itself.
Jaime Gómez García, Global Head of Quantum Threat Program at Santander, emphasised that organisations should pay close attention to the regulatory horizon. According to current planning, legacy cryptographic methods will gradually be phased out over the next decade. Current projections suggest vulnerable cryptography may be deprecated after 2030 and disallowed in many systems by 2035. As García explained, organisations that continue using outdated encryption could eventually lose the ability to interoperate with partners and suppliers. In other words, the risk is not only technical. It is also commercial.
The transition therefore depends heavily on global coordination. Ultan Mulligan, Chief Services Officer at the European Telecommunications Standards Institute (ETSI), described standards as essential infrastructure for international technology markets. “Standards are effectively a lubricant in global trade,” he noted, because they allow systems built in different countries to work together reliably.
In practice, several organisations share responsibility for the migration. The US National Institute of Standards and Technology (NIST) is standardising new post-quantum algorithms. The Internet Engineering Task Force (IETF) is beginning to integrate those algorithms into internet protocols. Meanwhile, the 3rd Generation Partnership Project (3GPP) is studying how they will be adapted for mobile network security. ETSI supports the transition with migration guidance and technical reports. Together, these organisations form the backbone of the global effort to move toward quantum-safe infrastructure.
Mapping cryptography across networks
For mobile network operators, the first challenge is understanding where cryptography is used across their infrastructure. Mobile networks depend on encryption in many different layers, including subscriber authentication, signalling protocols, network management and device communication. As a result, replacing vulnerable algorithms requires careful analysis before any upgrades begin.
Stavros Orkopoulos, Senior Staff Standardisation Specialist at Nokia and contributor to 3GPP security work, explained that the industry has begun building an inventory of cryptographic systems across telecom networks. This process identifies where existing algorithms appear and which components will need to migrate first. It also highlights systems that may require significant redesign rather than simple software updates.
This work is already feeding into the 3GPP security roadmap. Current studies examine how post-quantum cryptographic algorithms could integrate into future network architectures, including later phases of 5G and the emerging 6G standards programme. The transition will therefore unfold gradually through successive technology generations rather than through a single network upgrade.
Operators are also conducting their own assessments. Jinglei Liu, Vice President at China Mobile Hong Kong Research Institute, described how the company is reviewing cryptographic usage across its network infrastructure. The goal is to prioritise the most critical systems and begin migration strategies with technology partners. These early studies allow operators to understand both the technical challenges and the operational impact of large-scale cryptographic change.
Collaboration across industry and government
Because mobile infrastructure operates within a global ecosystem, no organisation can complete the transition alone. Operators rely on equipment vendors, software providers and device manufacturers, while governments often shape national security strategies and regulatory frameworks. The success of post-quantum cryptography migration therefore depends on close coordination across the entire digital ecosystem.
Wee Sain Koh, Cluster Director of Engineering at the Infocomm Media Development Authority of Singapore, described how governments can help align this ecosystem. Public agencies can encourage industry collaboration, support pilot deployments and ensure that national policies remain consistent with global standards. This approach reduces uncertainty for operators while helping local industries prepare for the transition.
Singapore has already taken steps in that direction. Operators in the country are beginning to incorporate quantum-safe capabilities into their service offerings, giving enterprises a way to adopt them without building their own infrastructure. By providing managed services, MNOs can lower barriers for companies that lack specialised cryptographic expertise.
Vendors must also work closely with operators and standards bodies to ensure compatibility. Faye Liu, Chief Researcher of 6G Security at Huawei International, emphasised that equipment manufacturers depend heavily on international standardisation work when designing new security features. Hardware, software and protocols must evolve together to ensure that network upgrades remain interoperable across global markets.
Post-quantum cryptography migration turns risk into long-term resilience
Although the quantum threat triggered the conversation, several speakers argued that the migration offers broader benefits for digital security. Many organisations still rely on outdated cryptographic systems that have accumulated over decades of technological change. Preparing for quantum-safe encryption therefore forces companies to modernise their security architecture and gain better visibility into how cryptography is used.
Professor Mosca suggested that this shift represents a deeper change in mindset. Rather than responding only to known vulnerabilities, organisations should design systems that remain resilient even when cryptographic assumptions change. “We have to switch from a security-against-known-threats mindset to a resilience mindset,” he told the audience.
In practice, that resilience will depend on several emerging techniques. Crypto-agility allows systems to replace algorithms quickly when vulnerabilities appear. Hybrid encryption schemes combine classical and post-quantum algorithms, and are one approach being explored during the transition. Meanwhile, diversified security architectures reduce reliance on any single cryptographic approach. These techniques do more than prepare networks for quantum computing. They also improve the industry’s ability to respond to future security challenges.
A long transition that must start now
The post-quantum transition will unfold over many years. However, the seminar’s central message was consistent across all participants: the industry must begin planning post-quantum cryptography migration today. Large-scale infrastructure upgrades cannot be rushed, and organisations that delay preparation risk facing compressed migration programmes later in the decade.
For mobile operators, the challenge is therefore strategic rather than purely technical. They must track evolving standards, analyse their existing infrastructure and collaborate closely with vendors and regulators. By starting early, they can migrate gradually while maintaining operational stability.
The discussion at MWC Barcelona ultimately returned to the simple advice that framed the session. Quantum computing may still be developing, but the transition it requires has already begun. As summed up by Zygmunt Lozinski, IBM’s Senior Technical Staff Member and Quantum Ambassador, the industry therefore faces a clear instruction: Don’t panic. Plan.
For more information on post quantum cryptography, please visit the GSMA’s Post Quantum Cryptography Programme or join the GSMA Post Quantum Telco Network Task Force to get involve.