The Invisible Deadline: Why Post‑Quantum Cryptography Determines Competitive Advantage

The Strategic Challenge: Decisions with an “invisible deadline”

Let’s imagine two fictional board meetings. They both face a common issue: the future security of the company’s assets. Design data must remain1 confidential for another 15 years​. However, digital encryption may only provide protection for another 5 years. New encryption methods such as post-quantum cryptography (PQC) are available, but they consume—in varying degrees—three resources: time, expertise, and money. The quickest way to migrate is using external experts, but this also comes at the highest cost and leaves the company without any in-house expertise. If a company trains the personnel it needs entirely in-house, there are fewer one-time costs, but this extends the project duration noticeably. 

The standard management decision in similar scenarios has typically been: wait and see. “The standards are still settling in; others are doing the same; we’ll respond if necessary.” That leads to the wrong decision. However, it will not become clear until after Q-Day that the decision was wrong.

Scenario 1: The Fictional Pioneering Company

Size: 800–1,200 employees, automotive/aerospace supplier 
Industry: manufacturing industry with long product cycles (15–20 years) 
CEO structure: a leader with a flair for technology, a CFO with a risk-aware mindset, a CTO with a passion for innovation

The numbers make this company’s decision sounds extremely bold: The supplier is seeking to invest 10% of its IT budget—an average of 7 to 10 million euros—in post-quantum security. 

In game-theory terms, this is a clear offensive strategy that is proactive and involves taking calculated risks. After all, there will certainly be objections to this plan. The standards have only been available since 2024 and will not be mandatory until 2026; the business case is “hypothetical,” whereas the costs are substantial and very real. But the company will look to two main arguments:

The CFO’s Risk Assessment: “A breakthrough in quantum computing would be a disaster for us. Our most important digital assets—CAM models, material specifications, and robot programs—are all vulnerable to hacking by quantum computers, which could result in potential damages of 25 to 40 million euros.”

The Strategic Argument: “Crypto-agility will be our core competency for the next phase of digital manufacturing. Those learning this today will be ahead of the competition tomorrow.”

Based on this strategic direction, the company has developed a clear roadmap:

• CBOM (Cryptographic Bill of Materials) is the source of truth at the start of a project: A structured, automated, machine-readable inventory of all cryptographic assets provides clear guidance on what needs to be protected and in what order of priority
• Introduction of a hybrid architecture: Classic and post-quantum encryption are implemented in parallel to ensure seamless digital security
• Pilot projects using NIST standards: Don’t wait passively for commitments to take effect; instead, test, learn, and establish in advance
• Supply chain integration: Suppliers and partners are integrated into the PQC strategy by the pioneering company
• Embedding in governance: PQC is becoming a key topic in board-level reporting, not just an isolated IT task

Scenario 2: The Laggard Company

Size: 1,000–1,500 employees, a long-established company with (up to now) stable markets 
Industry: Manufacturing industry, similar product lifecycles (15–20 years) 
CEO structure comprises traditional manager, CFO focused on cost optimization, CTO with limited influence

This decision of this protagonist is: “Post-quantum cryptography is currently not a priority.” The company’s three counterarguments are reasonable, but short-sighted:

The Technological Argument: “The NIST standards have only been finalized since 2024. We’ll wait until the teething problems have been resolved and the technology matures.”

Budgetary Pressure: “Supply chain bottlenecks, inflation, pressure to digitalize. All that is already costing us over 50 million euros. We don’t have any spare money for hypothetical quantum risks in this cycle.”

The Governance Problem: Like many of her colleagues, the company’s IT director recognizes the risk, but does not have the appropriate level of influence over the decision. She reports to the CTO and does not have direct access to senior management. Consequently, her concerns are treated as an “IT problem” rather than as part of the business strategy.

In short, the tacit decision of the laggard company is: Carry on as before. Specifically, this means that it not only rejects PQC migration, but also fails to create and maintain a properly structured CBOM, and to develop a strategic PQC policy in the first place.

2030 and Beyond: The Theory Becomes a Business Case, and the Paths Diverge

Gartner’s forecast comes true, and our fictional pioneering company’s aggressive strategy pays off in multiple ways. 

• Post-quantum becomes a competitive advantage. Major OEMs explicitly require PQC standards from new suppliers in their requests for proposals
• Market leadership is a reality; many competitors are no longer able to supply products for safety-critical applications
• The company is expanding; international markets, new business areas, and high customer satisfaction are driving record results
• The employer brand appeal: The company is building a reputation among young professionals in the job market for being innovative and forward-thinking 

By the early 2030s, it will already be clear that substantial investments made in 2026 have more than paid for themselves thanks to higher margins, exclusive large-scale contracts, and competitive advantage.

The laggard company, on the other hand, faces the “worst-case scenario,” with the worst fears becoming a business reality: 

• The reality of “Store Now, Decrypt Later” attacks is becoming a fact; data collected between 2025 and 2031 will be systematically released
• Design drawings are appearing on Chinese forums; competitors are copying innovations that have been closely guarded for years
• Customer data is being sold on dark web markets: GDPR violations are becoming evident and public
• The use of internal strategy documents as a subject in investigative journalism will damage trust and reputation

And it’s not just the immediate damage that is weighing on the company. Its consequences and the negative perception in the market also pose significant problems. 

Costly Emergency Migration: What could have been implemented in 2026 for 7–10 million euros is now costing 20–30 million euros as an emergency measure—with less security and under extreme time pressure. 

Terminated Automotive Contracts: Major OEMs cannot work with suppliers that expose their vehicles to the risk of hacking via quantum computers. 

Vehicle Recalls Become Reality: “Quantum hacking incident in OTA update architecture” triggers massive recalls. 

Insurance Coverage Is Reduced: Cyber insurers are invoking quantum exclusions, or premiums are increased by 40–60% 

Regulatory Penalties—for example, for violating data protection requirements, the EU Cyber Resilience Act, or the NIS2 regulation—are taking a heavy toll on already strained finances 

In 2034, after suffering losses, fines, failed contracts, and damage to its reputation, the management of the laggard company must face up to a difficult reality: Their business model is no longer viable.

What Leaders Should Prioritize Now

Does the laggard company’s plight describe your situation? You’re not alone; this applies to many manufacturing companies. It’s not dramatic changes or knee-jerk reactions that are needed now. You just need to take three strategic steps over the next 12 months:

Step 1: The Post-Quantum Assessment

An honest assessment of Quantum’s vulnerabilities as a fact-based foundation for all follow-up measures:

• Which cryptographic assets actually protect me right now (CBOM)?
• Which of your assets will still need to remain confidential in 5+ years?
• How vulnerable is your current cryptographic infrastructure?
• What regulatory requirements will you face? (NIS2, Cyber Resilience Act, etc.)
• How much will emergency migration cost as opposed to planned migration?

Step 2: The PQC Governance Model

Structural embedding at the executive level to ensure smart and, above all, consistent navigation in the PQC era:

• Who decides on the post-quantum strategy? (Should be CFO/CRO or CEO’s office (not just the CTO)
• How is PQC incorporated into board-level reporting?
• What new policies and decision-making criteria are needed?
• How do we communicate this decision to the outside world?

Step 3: The First-Mover Pilot (Q3 2026 — Q1 2027)

First practical PQC implementation aimed at establishing a robust pilot setup that provides insights for company-wide scaling:

• Which critical asset or process will serve as the PQC test environment
• What standards and tools will be used? (NIST ML-KEM, ML-DSA, etc.)
• How will the pilot project be measured, documented, and prepared for scaling?
• How will the organization learn from this pilot?

Conclusion: Two Paths and a Choice

Companies will have to make a decision by 2026. They will not explicitly decide on “post-quantum or not.” They will decide whether post-quantum security is a strategic issue or an IT issue—or whether it is not addressed at all.

This distinction is critical: ​If it remains an IT issue, it will be viewed as just that and evaluated by the same standards: Upskilling is expensive, as is replacing staff, and so on. Then the CFO demands: “Show me the ROI—that seems too hypothetical to me.” Then management decides to wait.

On the other hand, when post-quantum becomes a strategic issue, CEOs take an interest: “Which of our competitors have already understood this?” Then the CFO wants to know: “What new markets or premium positions will open up for us?” Then the CTO asks: “How do we implement this technically to maximize the benefit?” Then they play out the pioneer scenario.