In July 2025, the Bank for International Settlements (BIS) published Paper number 158, highlighting the urgency of preparing for the quantum threat to maintain the security and credibility of the global financial system.
Although BIS does not have direct regulatory authority over individual banks, it holds significant influence and often shapes the positions of central banks and financial regulators worldwide. Paper number 158 is a prime example of this influence on policy-making. The message is clear: Financial institutions must start migrating to post-quantum cryptography (PQC) now.
Breaking the Current Cryptography
BIS outlines recent quantum computing and cryptography developments, warning that quantum computers will eventually break current cryptographic systems (such as RSA and ECC). The Global Risk Institute annually evaluates the estimated timeline for a Cryptographically Relevant Quantum Computer (CRQC), which will be able to break the currently used algorithms. While no imminent breakthrough is predicted, it is widely agreed that the emergence of such a machine is a matter of "when", not "if."
This creates vulnerabilities even today. One notable example is the "Harvest Now, Decrypt Later" (HNDL) attack strategy, where adversaries collect encrypted data now to decrypt it in the future using quantum computers.
Cryptography Replacement? Not as Simple as It Looks.
BIS states that cryptography that underpins digital security, ensuring confidentiality, integrity, authentication, access control, and non-repudiation, is deeply embedded in IT systems — even in places that are not immediately visible. Upgrading to post-quantum cryptography (PQC) often goes far beyond swapping out certificates or keys. In many cases, applications must be substantially reengineered to support the new cryptographic protocols.
BIS draws the historical parallel by using the example of the transition from SHA1 to SHA2, a relatively simple cryptographic upgrade, which still proved to be a lengthy and challenging.
Market Coordination Is Essential
The financial ecosystem is globally interconnected. No single institution can fully transition to PQC on its own. A coordinated effort across the entire financial system is required. BIS acknowledges this challenge and anticipates lengthy transition periods.
As primary regulators in their respective jurisdictions, central banks will play a crucial coordinating role in this process, essentially mandating the transition to PQC within their jurisdictions.
Guiding Organizations Through Migration
BIS provides practical guidance for institutions preparing for the PQC transition. A critical first step is to create a comprehensive inventory of all cryptographic elements within IT systems. These elements must then be linked to the functions and data they protect.
This allows institutions to:
- Prioritize which systems and data need to be migrated first.
- Develop a plan to upgrade or replace the current cryptography with quantum-resistant alternatives.
- Ensure that third-party systems and vendors are included in this process.
Institutions are also advised to integrate quantum-safe requirements into procurement policies going forward to ensure they do not procure any system that is not quantum safe and will have to be replaced shortly.
Technology Recommendations
The BIS paper thoroughly reviews current technological trends and PQC options. Although there are other ways to make systems quantum safe, most systems, such as QKD or quantum cryptography, are still in the development phase and are not yet standardized. So, BIS recommends that institutions begin implementing PQC algorithms standardized by NIST — possibly in a hybrid model (combining classical and quantum-safe algorithms).
NIST has already standardized the following algorithms:
- ML-DSA (Dilithium) and SLH-DSA (SPHINCS+) for digital signatures.
- ML-KEM (Kyber) for encryption and key encapsulation.
As stated in the paper, this guidance is backed by major financial regulators and central banks globally.
Broader View on Post-Quantum Authentication
BIS adopts a broader understanding of post-quantum authentication than Wultra currently offers. It is not limited to customer logins and signatures but includes authentication of users, devices, and processes to ensure trust in electronic systems.
As the report states:
Cryptographic authentication serves to verify the identity of a user, process or device, often as a prerequisite to allowing access to resources in an information system. Digital signatures, used for authenticating the identity of the signatory, can demonstrate to a third party that a signature was generated by the claimed signatory, thereby providing non-repudiation for electronic documents and contracts.
-- BIS Papers No 158: Quantum-readiness for the financial system: a roadmap (chapter 2.1)
Authentication in this complex view also ensures the security of software updates, protects the integrity of digital documents, and controls authorized access — both internally and externally.
Sending a Clear Message
The BIS report is a timely and comprehensive call to action. It explains the urgency of quantum-readiness, the technical complexity of cryptographic migration, and the importance of coordinated, ecosystem-wide planning.
It sends a clear message: there is no time to wait. Financial institutions, regulators, and technology vendors must start planning and executing their post-quantum cryptography (PQC) migrations today.
.webp)