The World Federation of Exchanges (WFE) has called on regulators to balance long-term quantum computing risks against more immediate operational challenges in the financial sector. The association’s press release highlights a substantial gap between regulatory expectations for early preparation and the industry’s current prioritisation of nearer-term threats such as generative artificial intelligence (GenAI) and cyber resilience.
According to the WFE Global Cybersecurity Working Group’s preliminary survey, most member organisations view quantum computing as a longer-term threat with a multi-year horizon. Respondents estimate that cryptographically relevant quantum computers (CRQCs) could emerge in 5–10+ years, consistent with public guidance from the U.S. National Institute of Standards and Technology (NIST).As a result, WFE members emphasise that planning and preparatory work – including regulatory monitoring, risk assessments, vendor engagement and cryptographic asset mapping – should be paced appropriately and not come at the expense of more immediate operational challenges. The association’s chief executive officer, Nandini Sukumar, urged supervisors to recognise practical constraints on resources and implementation timelines.
Regulatory and policy discourse on quantum risk has centred on two primary challenges. First, the lead times required to upgrade cryptographic systems across complex financial infrastructures are measured in years, not months. Second, authorities have highlighted the so-called “harvest now, decrypt later” threat where malicious actors could capture encrypted data today with the intent to decrypt it in the future once quantum capabilities mature. These factors collectively have pushed regulators to emphasise preparedness planning.
Quantum-resistant, or post-quantum, cryptographic algorithms are designed to secure communications and transactions against both classical and quantum computing attacks. They move away from mathematical problems such as integer factorisation and elliptic-curve discrete logarithms, which would be vulnerable to sufficiently powerful quantum computers, and instead rely on alternative constructions that are not known to be efficiently solvable using quantum techniques. For regulators and market infrastructures, their importance lies not only in future-proofing confidentiality and authentication, but also in managing long transition cycles across complex systems where cryptography is deeply embedded.
Two of the most widely referenced post-quantum approaches are lattice-based and hash-based algorithms. Lattice-based schemes, such as Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for key establishment and ML-DSA for digital signatures, are built on hard lattice problems and are intended to support secure key exchange and transaction authorisation in environments such as payments and post-trade processing. Hash-based signature schemes, such as Stateless Hash-based Digital Signature Standard (SLH-DSA), rely on the security of cryptographic hash functions and are often cited for use cases that require long-term verification, including regulatory records and archival data.
While these algorithms introduce larger keys and additional processing overhead, they provide a practical foundation for staged, hybrid adoption, allowing financial institutions and market infrastructures to strengthen resilience while standards and operational practices continue to mature.
The WFE’s Quantum Preparedness report situates quantum risk within established operational risk frameworks. A recurrent theme is the expectation gap between regulatory urgency and industry timelines. While public authorities and standards bodies are issuing guidance and urging early action, many exchanges and central counterparties (CCPs) continue to rank GenAI and broader cyber resilience risks above quantum as priority resilience investments.
The report also notes that post-quantum cryptographic (PQC) solutions are not simple upgrades. Encryption is often embedded within legacy platforms and vendor products, making discovery and inventory a necessary first step in any transition. Third-party dependencies – including cloud services, market data providers and software vendors – can complicate readiness efforts. As a result, industry respondents highlight governance structures, asset mapping and staged planning as foundational preparedness activities.
Several members have begun laying groundwork by incorporating quantum topics into internal risk committees, conducting early risk assessments, and adopting quantum-safe encryption criteria in procurement and vendor evaluation processes. Work within the WFE to develop a best-practice guide and structured roadmap for market infrastructures is also underway.
On the regulatory front, the Bank for International Settlements (BIS) Innovation Hub has undertaken empirical experimentation through Project Leap to explore integration of PQC into core financial systems.
Project Leap’s first phase tested hybrid cryptography – combining classical public-key algorithms with quantum-resistant schemes – to establish secure communications between central bank systems. This demonstrated technical feasibility while underscoring performance and integration complexities. Subsequent phases tested post-quantum digital signatures within a payment system’s liquidity transfers, revealing computational overhead, interoperability considerations and the importance of cryptographic agility as standards evolve.
The finalisation of PQC standards by NIST in 2024, included algorithms for key exchange and digital signatures that are designed to resist both classical and quantum attacks. These standards provide a stable reference point for preparedness discussions, even in the absence of binding implementation deadlines.
In addition to the BIS initiatives, the G7 Cyber Expert Group recently published a roadmap to support financial sector transitions to PQC, emphasising planning, information sharing and cross-border alignment. Although this roadmap does not impose regulatory requirements, it underscores the importance of harmonised transition frameworks for cross-jurisdictional infrastructures.
Security and law-enforcement bodies have also entered the discourse. Europol has convened discussions on quantum risk within the financial sector, highlighting long-term data confidentiality and integrity concerns. These engagements reinforce the connection between quantum preparedness and broader resilience objectives.
Across Europe and the United Kingdom, authorities have outlined indicative migration horizons that prioritise early identification of cryptographic dependencies, staged assessment of critical systems, and long-term planning aligned with international standards.
The WFE’s emphasis on balance – acknowledging the long-term nature of quantum risk while underscoring more immediate operational challenges – reflects the dual pressures facing supervised entities: demonstrate visibility and planning for future threats, while managing current, material risks such as AI-enabled cyber-attacks and systemic resilience.
Subscribe to our newsletter
