Post-Quantum Cryptography Impact on BFSI and Government Sectors

Two Sectors, One Deadline

Banking, financial services, and insurance (BFSI) and government agencies share a common trait: they protect data that retains value for decades. Financial records, citizen data, intelligence assessments, and transaction histories all carry long confidentiality windows.

Quantum computing threatens every RSA and ECC key protecting that data. NIST finalized three post-quantum standards in 2024 — ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) — and both sectors face binding or de facto deadlines to adopt them.

The migration paths differ. The urgency does not.

BFSI: Compliance Pressure Meets Data Sensitivity

The Regulatory Landscape

Financial services operate under overlapping regulatory frameworks. Each framework will eventually require post-quantum cryptography, but the timelines vary.

PCI DSS: The Payment Card Industry Data Security Standard mandates strong cryptography for cardholder data. PCI DSS v4.0 does not specify post-quantum algorithms yet. PCI SSC has acknowledged the quantum threat and signaled that future guidance will address PQC requirements. Financial institutions should expect PQC-related PCI requirements by 2028–2030.

SOX and GLBA: Sarbanes-Oxley and the Gramm-Leach-Bliley Act require protection of financial records and customer data. Neither specifies algorithms, but both require “reasonable” security measures. As NIST deprecates RSA and ECC, continued use of deprecated algorithms will fail the “reasonable” standard.

Basel III/IV: Banking regulators increasingly factor cyber risk into capital requirements. Quantum vulnerability in cryptographic infrastructure represents a material operational risk that auditors will flag.

SWIFT CSP: The SWIFT Customer Security Programme requires strong encryption for interbank messaging. SWIFT is evaluating PQC integration for its messaging infrastructure. Banks that connect to SWIFT will face partner-driven migration requirements.

BFSI Data at Risk

Financial data faces acute harvest-now-decrypt-later (HNDL) risk. Adversaries capture encrypted financial traffic today for future quantum decryption.

Data Type                    Confidentiality Window    HNDL Risk
Customer account records     20+ years                 Critical
Transaction histories        10–15 years               High
M&A communications           5–10 years                High
Trading algorithms           3–7 years                 Medium
Session tokens               Hours                     Low

Customer account data and transaction histories sit squarely in the HNDL danger zone. A quantum computer arriving in 2035 decrypts financial data captured today with ease.

BFSI Migration Priorities

Priority 1: Payment processing channels. TLS connections carrying card data between merchants, processors, and banks. These channels handle the highest-value, highest-volume encrypted traffic. Deploy hybrid TLS (ECDH + ML-KEM) on payment gateways first.

Priority 2: Interbank messaging. SWIFT, FedWire, and CHIPS connections between financial institutions. These channels carry transaction instructions worth trillions daily. Coordinate PQC migration with network operators and counterparties.

Priority 3: Customer-facing applications. Online banking, mobile apps, and API integrations. These endpoints serve millions of users and process sensitive authentication data. Migrate TLS and certificate infrastructure to support ML-KEM key exchange.

Priority 4: Internal infrastructure. Database encryption, backup systems, and inter-service communication. Lower urgency but still within the HNDL window for long-lived data.

QCecuring’s Certificate Lifecycle Management platform provides the foundation for BFSI PQC migration. CLM discovers every certificate across payment networks, cloud infrastructure, and internal systems. Automated renewal ensures certificates rotate to post-quantum algorithm profiles on schedule.

Government: Mandates Drive the Timeline

The Regulatory Landscape

Government agencies face the most prescriptive PQC requirements. Multiple directives create overlapping compliance obligations.

CNSA 2.0: The NSA’s Commercial National Security Algorithm Suite 2.0 sets binding deadlines for National Security Systems. Software signing must use ML-DSA (FIPS 204) by 2025. TLS must support ML-KEM (FIPS 203) by 2025. Networking equipment must comply by 2026. Legacy systems have until 2033.

FISMA: The Federal Information Security Modernization Act requires agencies to follow NIST standards. As NIST deprecates RSA and ECC through SP 800-131A, FISMA compliance will require PQC adoption. Agencies that fail to migrate face audit findings and potential funding impacts.

FedRAMP: Cloud service providers seeking FedRAMP authorization must meet NIST cryptographic requirements. FedRAMP will incorporate PQC requirements as NIST finalizes deprecation timelines. CSPs serving government customers need PQC readiness now.

Executive Order 14028: The 2021 executive order on improving cybersecurity directed agencies to adopt zero-trust architectures and modernize encryption. PQC migration aligns directly with this mandate.

OMB M-23-02: This memorandum directed agencies to inventory their cryptographic systems and prepare migration plans for post-quantum cryptography. The inventory deadline has passed. Agencies should be in active migration planning.

Government Data at Risk

Government data carries the longest confidentiality windows of any sector.

Data Type                          Confidentiality Window    HNDL Risk
Classified intelligence            50+ years                 Critical
Diplomatic communications          25+ years                 Critical
Citizen PII (SSN, tax records)     Lifetime                  Critical
Law enforcement records            20+ years                 High
Procurement data                   5–10 years                Medium

Nearly all government data categories fall into the critical HNDL risk tier. State-level adversaries have both the capability and motivation to conduct bulk HNDL collection against government networks.

Government Migration Priorities

Priority 1: National Security Systems. CNSA 2.0 deadlines are already active. Agencies operating NSS must deploy ML-KEM and ML-DSA immediately for software signing and TLS. This is not a planning exercise — it is an active compliance requirement.

Priority 2: Citizen-facing services. Tax filing, benefits administration, healthcare portals, and identity verification systems. These services handle massive volumes of citizen PII. Migrate TLS and authentication infrastructure to hybrid PQC.

Priority 3: Interagency communication. Encrypted channels between agencies, including email gateways, VPN tunnels, and API integrations. Coordinate migration timelines across agency boundaries.

Priority 4: Contractor and supply chain systems. Defense industrial base organizations and federal contractors must align with CNSA 2.0 and FISMA requirements. Code signing for software delivered to government customers must transition to ML-DSA.

QCecuring’s CLM supports government PQC migration with automated certificate discovery, policy enforcement, and multi-algorithm inventory management. Agencies gain visibility into their entire certificate estate and can enforce algorithm compliance across hybrid environments.

Cross-Sector Challenges

Both BFSI and government face common obstacles in PQC migration.

Legacy System Constraints

Both sectors operate legacy systems with 15–20 year lifecycles. Mainframes, SCADA systems, and embedded devices may not support post-quantum algorithms. These systems require either firmware upgrades, cryptographic proxies, or accelerated replacement schedules.

Supply Chain Coordination

Financial networks and government systems depend on partners, vendors, and counterparties. PQC migration requires coordinated timelines across organizational boundaries. A bank cannot migrate its SWIFT connection unilaterally. An agency cannot require PQC from contractors without giving them migration runway.

Performance Impact

ML-KEM key encapsulation adds roughly 1–2 KB to TLS handshakes. ML-DSA signatures are larger than ECDSA signatures. High-throughput systems in both sectors must benchmark PQC performance before production deployment.

Talent Gap

PQC expertise is scarce. Both sectors compete for the same limited pool of cryptographic engineers. Automated tools reduce the talent dependency. QCecuring’s CLM automates the operational complexity of managing multi-algorithm certificate estates, freeing security teams to focus on architecture and policy decisions.

Building a Sector-Specific PQC Roadmap

For BFSI Organizations

  1. Inventory all certificates and keys using CLM
  2. Classify data flows by HNDL risk using the confidentiality window table above
  3. Pilot hybrid TLS on payment processing channels by 2026
  4. Coordinate with SWIFT, card networks, and banking partners on PQC timelines
  5. Migrate customer-facing applications to hybrid PQC by 2028
  6. Complete full PQC migration across all tiers by 2032
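The Python below is an added example, not code from the page or the QCecuring product. It implements the HNDL classification behind the confidentiality-window tables and roadmap step 2 (the same test applies to the government roadmap), using the page's illustrative 2035 quantum-arrival year, an assumed 2025 inventory year and assumed tier thresholds, and shows how a flow's migration year changes its tier.

```python
from dataclasses import dataclass

# Planning assumptions for this example (constructed, not stated by the page):
# the page's illustrative CRQC arrival year and the year the inventory is taken.
CRQC_YEAR = 2035
INVENTORY_YEAR = 2025

@dataclass(frozen=True)
class DataFlow:
    name: str
    confidentiality_years: float  # how long captured data must stay secret
    migration_year: int           # year the flow is fully on hybrid/PQ key exchange

def hndl_exposure_years(flow: DataFlow, crqc_year: int = CRQC_YEAR) -> float:
    """Years the last classically-protected capture stays sensitive past CRQC arrival.
    Traffic recorded until the flow migrates is decryptable once a CRQC exists, so it
    only matters if its confidentiality window outlives that date (Mosca's inequality:
    migration year + shelf life > quantum arrival year). <= 0 means it expires first.
    """
    last_classical_capture = max(flow.migration_year, INVENTORY_YEAR)
    return last_classical_capture + flow.confidentiality_years - crqc_year

def hndl_tier(flow: DataFlow, crqc_year: int = CRQC_YEAR) -> str:
    """Map exposure onto the page's tiers; the year thresholds are assumed."""
    exposure = hndl_exposure_years(flow, crqc_year)
    if exposure <= 0:
        return "Low"
    if exposure < 5:
        return "Medium"
    if exposure < 15:
        return "High"
    return "Critical"

def latest_safe_migration_year(confidentiality_years: float, crqc_year: int = CRQC_YEAR) -> int:
    """Latest migration year with zero exposure; a past year means timing alone cannot fix it."""
    return int(crqc_year - confidentiality_years)

def prioritize(flows: list[DataFlow]) -> list[tuple[str, str, float]]:
    """Rank an inventory worst-first as (name, tier, exposure years)."""
    ranked = sorted(flows, key=hndl_exposure_years, reverse=True)
    return [(f.name, hndl_tier(f), hndl_exposure_years(f)) for f in ranked]

if __name__ == "__main__":
    # Constructed inventory: the page's BFSI windows with roadmap years 2026 and 2032.
    inventory = [DataFlow("Customer account records", 20, 2032),
                 DataFlow("Payment card channel (pilot)", 20, 2026),
                 DataFlow("Trading algorithms", 7, 2032),
                 DataFlow("Session tokens", 1 / 8760, 2032)]
    for name, tier, years in prioritize(inventory):
        print(f"{name:30} {tier:8} exposure {years:+.1f} y")
```

Note that a 20-year window already has a latest safe migration year of 2015, so for such data the roadmap must pair migration with shorter retention or re-encryption of stored archives rather than rely on timing alone.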

For Government Agencies

  1. Comply with CNSA 2.0 immediate deadlines for NSS software signing and TLS
  2. Complete cryptographic inventory per OMB M-23-02 requirements
  3. Deploy hybrid TLS on citizen-facing services by 2026
  4. Require PQC compliance from contractors and code signing pipelines by 2027
  5. Migrate interagency communication channels by 2028
  6. Retire all classical-only cryptography in NSS by 2030

Act on Your Sector’s Timeline

Both BFSI and government face hard deadlines for RSA and ECC deprecation. The compliance drivers differ, but the technical migration is the same: inventory, classify, pilot, and migrate.

QCecuring’s CLM platform provides the automation and visibility both sectors need. Start with a cryptographic inventory and build your migration roadmap from there.

Explore our PQC fundamentals guide for the technical foundation, and review the NIST PQC standards overview for detailed coverage of ML-KEM, ML-DSA, and SLH-DSA.
