Post-quantum security is an urgent challenge facing the mobile industry in preparation for ‘Q-Day’. As quantum computing inches closer to cryptographic relevance, the security models underpinning banking, telecommunications, and digital infrastructure could buckle under the weight of quantum decryption—making immediate preparation essential.
At the 6th Post-Quantum Network Seminar in MWC25 Barcelona, industry leaders, policymakers, and cryptography experts discussed the looming threats, the industry’s response, and the need for an immediate migration to quantum-safe cryptographic solutions. As Luke Ibbetson, Head of Group R&D at Vodafone, put it, “The complexity of the ecosystem in which we need to upgrade cryptography is such that we need to start planning for this today.”



The quantum threat: why act now?
Once powerful enough, quantum computers will shatter today’s encryption standards, rendering sensitive data vulnerable. The ‘store now, decrypt later’ attack model is a particular concern: attackers are already harvesting encrypted data, waiting for the day quantum computing allows them to break it. Mark Carney, Head of Quantum for Cybersecurity Research at Santander, highlighted this stark reality: “If decrypt that data in ten years, I’ve got a data lake that a quantum computer doesn’t help me with. A smart attacker will know that. They’ll be targeting the right data now.”
But this isn’t just about encryption—quantum computers could undermine digital signatures, authentication mechanisms, and even network integrity. Bad actors could rewrite transaction histories, impersonate institutions, and systematically dismantle trust in digital systems.
The financial sector, which operates under strict regulatory oversight, is particularly concerned. Anne Leslie, Cloud Risk Leader at IBM Cloud Financial Services, explained that “The challenge isn’t just technical. It’s human. We’re already dealing with regulatory overload, operational resilience, and cyber threats. Adding quantum risk to that mix means prioritising what must be tackled first.”
The estimated timeline for ‘Q-Day’, when quantum computers reach cryptographic relevance, varies—but many experts predict it could arrive as early as 2030. Given the time required for global cryptographic migration, the industry must act now.



Post-quantum security relies on industry collaboration
With mobile networks so crucial to digital infrastructure, the telecoms industry is at the centre of post-quantum security. Networks must transition to quantum-resistant encryption, but the task is immense. With security deeply embedded across supply chains, legacy infrastructure, and IoT ecosystems, the migration must be coordinated across sectors.
Lory Thorpe, Chair of the GSMA Post-Quantum Telco Network Task Force and Senior Strategy Advisor at IBM, emphasised that “The telco industry doesn’t work in isolation. We need collaboration across vendors, regulators, and enterprises. This is a security upgrade at an unprecedented scale.”
One key challenge is interoperability—ensuring that quantum-safe cryptographic standards work seamlessly across global networks. While organisations like NIST, IETF, and 3GPP are leading standardisation efforts, different countries are pursuing their own quantum security strategies. Laura Iglesias, Head of Cybersecurity for European Markets at Vodafone, acknowledged the challenge: “We do need interoperability. We need an agreement between the different agents in the ecosystem—telcos, vendors, software providers—so we can all move in sync.”
Regulation is also shaping this transition. The Digital Operational Resilience Act (DORA) in Europe and U.S. federal mandates are forcing enterprises to confront post-quantum security. As Anne Leslie noted: “Regulation is painful, but necessary. If we’d all been following best practices, we wouldn’t need it. The reality is, companies aren’t securing their cryptography fast enough.”
Challenges in implementation: IoT, legacy systems, and energy constraints
The IoT represents a particularly difficult security challenge for post-quantum security. IoT devices often have limited processing power, long lifespans, and no straightforward upgrade path—yet they are critical to industries like energy, transportation, and healthcare. Simon Bryden, Consulting Engineer at Fortinet, warned: “IoT is where quantum security gets tricky. These devices are deployed for 10–15 years, sometimes longer. If we don’t build quantum resilience into them today, we’re setting ourselves up for massive security failures in the future.”
Legacy infrastructure compounds the problem. Telecom networks, financial institutions, and governments must phase out outdated encryption across thousands of suppliers and generations of hardware. This is neither quick nor cheap.
At the same time, post-quantum encryption demands more processing power, which affects energy efficiency—especially in battery-powered IoT devices. This creates a trade-off between security and sustainability.



Regulatory landscape and standardisation efforts
Global cryptographic standardisation remains a moving target. NIST’s selection of post-quantum cryptographic algorithms is a major milestone, but competing approaches exist. For example, countries like China and South Korea are pursuing their own quantum security strategies, creating uncertainty for global enterprises. Patricia Díez Muñoz, Global Security Director for Networks & Systems at Telefónica, stressed that “the explosion of IoT devices means we need harmonised global security standards. Otherwise, manufacturers will be stuck following conflicting regulations in different regions.”
For MNOs, this fragmentation poses a serious risk. Without unified standards, networks will be forced to juggle multiple cryptographic frameworks, increasing complexity and cost.
The road ahead for post-quantum security
The consensus at the seminar was clear: organisations must act now to avoid ominous security gaps in the near future. Post-quantum security is not a one-time upgrade but an ongoing process. Enterprises must follow a three-phase approach:
- Discovery and inventory: identify cryptographic dependencies across networks, software, and supply chains.
- Migration and testing: implement hybrid cryptographic solutions to transition gradually while ensuring resilience.
- Continuous monitoring and adaptation: maintain cryptographic agility to accommodate future advancements.
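
As an added illustration of the discovery and inventory phase (not part of the seminar material), the Python example below triages a cryptographic inventory against the ‘store now, decrypt later’ model and the 2030 estimate mentioned above. The asset names, record fields and sample data are constructed assumptions; hybrid algorithms are written with a “+” between their components.

```python
from dataclasses import dataclass

Q_DAY = 2030  # planning assumption: the earliest estimate quoted in the article
CLASSICAL = {"RSA", "DH", "ECDH", "ECDHE", "X25519", "ECDSA", "Ed25519"}  # broken by Shor's algorithm
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST-standardised post-quantum algorithms

@dataclass
class Asset:  # hypothetical inventory record; field names are assumptions
    name: str
    key_exchange: str      # "+" joins the components of a hybrid, e.g. "X25519+ML-KEM"
    signature: str
    secret_until: int      # year until which traffic captured today must stay confidential
    in_service_until: int  # year the system or device is expected to be retired

def quantum_safe(alg: str) -> bool:
    # A hybrid stays safe as long as one of its components is post-quantum.
    return any(part in PQC for part in alg.split("+"))

def assess(a: Asset) -> list[str]:
    findings = []
    # Confidentiality: recorded ciphertext is exposed if it still matters on Q-Day.
    if not quantum_safe(a.key_exchange) and a.secret_until >= Q_DAY:
        findings.append("harvest-now-decrypt-later")
    # Authenticity: signatures only need to hold while the system is in service.
    if not quantum_safe(a.signature) and a.in_service_until >= Q_DAY:
        findings.append("forgeable-signatures")
    # Inventory gap: an algorithm the scan could not classify needs manual review.
    known = CLASSICAL | PQC
    if any(p not in known for alg in (a.key_exchange, a.signature) for p in alg.split("+")):
        findings.append("unknown-algorithm")
    return findings

def prioritise(inventory: list[Asset]) -> list[str]:
    # Harvestable data first (the exposure already exists), then the longest horizon.
    flagged = [a for a in inventory if assess(a)]
    flagged.sort(key=lambda a: ("harvest-now-decrypt-later" not in assess(a),
                                -max(a.secret_until, a.in_service_until)))
    return [a.name for a in flagged]

INVENTORY = [  # constructed sample data
    Asset("core-signalling-gw", "ECDHE", "ECDSA", 2040, 2032),
    Asset("smart-meter-fleet", "ECDH", "ECDSA", 2027, 2040),   # long-lived IoT
    Asset("customer-portal", "X25519+ML-KEM", "ECDSA", 2035, 2028),
    Asset("billing-archive", "RSA", "RSA", 2045, 2029),
]

if __name__ == "__main__":
    for name in prioritise(INVENTORY):
        print(name, assess(next(a for a in INVENTORY if a.name == name)))
```

The customer portal drops out of the list because its hybrid key exchange already protects recorded traffic and it retires before the assumed date, while the meter fleet is flagged only for signatures because its data is short-lived but the devices are not.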



The shift will require cross-sector cooperation. As Maxime Flament, CTO of the 5G Automotive Association, pointed out: “Quantum threats don’t respect industry boundaries. Whether it’s telecom, banking, or automotive, we all need a shared security roadmap.”
The organisations that take quantum security seriously today will be the ones best positioned to protect their infrastructure, data, and customers tomorrow. The transition to post-quantum security is one of the most complex challenges in cybersecurity history. The threat is real, the timeline is short, and the industry must act before it’s too late.
The GSMA Post-Quantum Telco Network Task Force will continue to work with its members to help resolve the post-quantum cryptography implementation challenges faced by the mobile industry.