A year ago, the quantum-security conversation in policy circles was about persuasion: convincing regulators that “harvest now, decrypt later” was real, and that the threat would not wait for the hardware. That argument is largely won. In June 2026, the United States signed Executive Order 14412, turning years of advisories into dated federal deadlines. The European Union has a coordinated roadmap; China has a decade of state-built quantum infrastructure. The standards are finished.
That surfaces a harder question—and it is the one regulators now actually face: not whether to act, but how to know who is ready. We have migration guides, algorithm catalogues, and executive orders. What we do not have is a governance instrument: a way for a board to ask “how ready are we?”, an auditor to verify the answer, and a regulator to compare answers across licensees. Closing that gap is the next task.

The premise no longer needs labouring. In 2021, the NSA stated plainly that “adversaries may be collecting encrypted data now, waiting for the day when quantum computers can decrypt it.” The tactic needs no quantum hardware—only interception, cheap storage, and patience—and it targets data whose value outlives its encryption: subscriber identities, location and billing archives, lawful-intercept material, long-horizon intellectual property.
For telecommunications, the calculus is not close. Mosca’s inequality holds that if the years data must stay secret (X) plus the years to migrate (Y) exceed the years to a capable quantum computer (Z), exposure exists now. Telecom data carries confidentiality obligations of a decade or more; enterprise migration realistically takes five to seven years; the prudent horizon sits near 2030–2031. Ten plus five exceeds eight.
The migration start date is set by arithmetic, not by quantum optimism.
And the threat is targeted, not total. Shor’s algorithm breaks the public-key layer—RSA, elliptic-curve, Diffie-Hellman—that performs key exchange, signatures, and certificates: TLS, PKI, DNSSEC, RPKI, SIM authentication. Symmetric cryptography such as AES-256 survives. The remedy is therefore surgical—replace the trust layer, keep the bulk layer—which is precisely why it is tractable, and why intractability is no longer an excuse.
What the past year clarified is that the world is not converging on one way to govern this transition. It is diverging into three, and a regulator now has to read all three.

The United States leads by mandate. EO 14412 sets dated deadlines—post-quantum key establishment by end-2030, signatures by end-2031—plus automated cryptographic inventories and contractor pull-through. Enforceable and concrete; its one notable gap is the absence of an explicit crypto-agility requirement, so systems could meet the deadlines with brittle, hard-coded implementations.
The European Union leads by coordination. The 2024 Commission Recommendation, the 2025 NIS Cooperation Group roadmap, and ENISA guidance align twenty-seven member states on a common direction while leaving instruments national—coherent across a large market, dependent on member-state follow-through.
China leads by building. Rather than mandating migration, it has deployed a quantum-secured national network exceeding twelve thousand kilometres, launched the Micius and Jinan-1 satellites, and backed quantum through successive Five-Year Plans and a 2025 national venture fund with explicit quantum focus—while pursuing an independent post-quantum standardization track. Its strength is execution at scale; its qualifications are a QKD-centric emphasis and a still-pending domestic PQC rollout. The lasting lesson: where migration is treated as a state function, the coordination problem that stalls voluntary adoption simply dissolves.
The implication is uncomfortable for multinational operators: post-quantum standards may not be globally uniform. A framework legible only inside one regulatory tradition will not survive contact with a plural world—the first requirement of the instrument this article proposes.
Two bodies sit between national models and individual operators, and both have done more than they are usually credited for. GSMA has produced the most complete industry corpus in any sector: its Post Quantum Telco Network Task Force has issued guidance from PQ.01 (impact assessment, 2023) through PQ.07 (non-terrestrial networks, February 2026), naming cryptographic discovery—a comprehensive inventory—as the starting point and governance as the element underpinning every phase. Its 2025 analysis flags 5G roaming, the N32 interface, as the ecosystem’s highest-priority exposure.
The ITU holds the standards portfolio for quantum-safe networking—the X.1710 and Y.3800 series, the FG-QIT4N reports—and, through its development arm, the only machinery that reaches most of the world’s regulators. Fittingly, it is an ITU technical report that supplies the clearest statement of why quantum key distribution is not the general answer: QKD “relies on PQC for authentication” and “cannot provide a signature function.” PQC first; QKD as a complement for specific links, never a substitute.
Guidance describes practice; it does not score attainment. That is the gap.
The missing piece is the same for both: a maturity layer. GSMA’s corpus tells an operator what to do, not how far it has got. The ITU’s portfolio serves organizations deploying QKD links, but no operator-facing Recommendation yet addresses PQC migration governance—inventories, classification, agility, supply-chain obligations—for the ordinary licensed operator that will never deploy QKD.
I have been developing a framework to fill precisely that gap, which I call Quantum Readiness Governance (QRG). It is deliberately not a new set of algorithms or another migration checklist. It is a governance instrument: a way to measure, report, and compare readiness.
QRG rests on eight capability dimensions, each assessed on five maturity levels—the familiar Unaware / Initiated / Defined / Managed / Optimized progression that auditors already recognize from CMMI and C2M2. The eight dimensions follow from three properties that make quantum risk unlike its predecessors: the temporal inversion (the harm is collected now but exploited later, so governance must lead, not follow); the invisible asset class (the thing to protect is cryptography embedded everywhere, so inventory precedes everything); and the coordination dependency (no operator migrates alone, so supply-chain and standards alignment are governance disciplines in their own right).

The scoring rule matters as much as the dimensions. Posture is reported as an eight-value vector—never an average. Averaging hides exactly the weaknesses that matter: an operator strong on seven dimensions but blind on cryptographic inventory is not “87 percent ready”; it cannot see its own exposure. Three thresholds give the vector meaning—quantum-aware (all dimensions at least Initiated), quantum-ready (all Managed, with inventory and migration evidenced), and quantum-resilient (all Optimized). And evidence, not intention, moves a score: a strategy deck supports “Defined”; only demonstrable deployment supports “Managed.”
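The scoring rule above, worked through as an added example that is not part of the article or of the QRG framework itself: the eight dimension names are assumed for illustration (the article does not list them), and the `deployed` flag is a simplification of the evidence rule (a plan supports Defined at most; only demonstrable deployment supports Managed or above).

```python
from dataclasses import dataclass
from enum import IntEnum

class Maturity(IntEnum):
    UNAWARE = 0
    INITIATED = 1
    DEFINED = 2
    MANAGED = 3
    OPTIMIZED = 4

# Assumed, illustrative dimension names; the article does not list QRG's eight by name.
DIMENSIONS = ("governance", "risk_assessment", "classification", "inventory",
              "migration", "crypto_agility", "supply_chain", "standards_alignment")

@dataclass(frozen=True)
class Assessment:
    claimed: Maturity
    deployed: bool  # True only when demonstrable deployment evidence exists

def evidenced_level(a: Assessment) -> Maturity:
    """Evidence, not intention, moves a score: a strategy deck caps out at Defined."""
    if a.claimed >= Maturity.MANAGED and not a.deployed:
        return Maturity.DEFINED
    return a.claimed

def posture_vector(assessments: dict) -> dict:
    """The eight-value vector; every dimension must be assessed, none is averaged away."""
    missing = set(DIMENSIONS) - set(assessments)
    if missing:
        raise ValueError(f"unassessed dimensions: {sorted(missing)}")
    return {d: evidenced_level(assessments[d]) for d in DIMENSIONS}

def classify(vector: dict) -> str:
    """Thresholds apply to the weakest dimension, never to the mean."""
    weakest = min(vector.values())
    if weakest >= Maturity.OPTIMIZED:
        return "quantum-resilient"
    if weakest >= Maturity.MANAGED:
        return "quantum-ready"
    if weakest >= Maturity.INITIATED:
        return "quantum-aware"
    return "below quantum-aware"

def share_of_dimensions_at(vector: dict, level: Maturity) -> float:
    """The flattering figure an average would report (7 of 8 Managed -> 87.5)."""
    return 100.0 * sum(v >= level for v in vector.values()) / len(vector)

# Constructed sample: strong on seven dimensions, blind on cryptographic inventory.
SEVEN_STRONG_ONE_BLIND = {d: Assessment(Maturity.MANAGED, True) for d in DIMENSIONS}
SEVEN_STRONG_ONE_BLIND["inventory"] = Assessment(Maturity.UNAWARE, False)
```

Running `classify(posture_vector(SEVEN_STRONG_ONE_BLIND))` returns "below quantum-aware" even though 87.5 percent of the dimensions sit at Managed, which is the point of reporting the vector rather than the mean.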
A single-author framework deserves scepticism, so the test I find most persuasive is one I did not engineer. When you map GSMA’s independently developed guidance sequence—awareness and governance, then risk assessment, then cryptographic discovery, then use-case migration, then supply-chain verification—onto QRG’s dimensions, it traverses them in essentially the order the framework derives from first principles. Two artifacts, no shared vocabulary, the same path.
Independent convergence between theory and practice is the strongest external evidence a governance model can hope for.
Applied to the early movers, the matrix also behaves the way an instrument should—it locates facts and surfaces gaps. It places EO 14412’s mandates precisely and flags its silence on crypto agility. It scores China’s backbone as exceptional execution while recording that its QKD-centric, trusted-node architecture leaves parts of the trust layer unaddressed. It shows Saudi Arabia’s CST guidance and Oman’s national strategy to be complementary—one deeper on technical dimensions, the other on national capability. A framework that only flattered its examples would be a rhetorical device; one that discriminates is an instrument.
In fairness, QRG has not yet been applied inside a live operator through an audited assessment, and its dimensions have not been ratified by structured expert consensus. Those are the next steps, not reasons to wait—the framework is offered as an input to the standards bodies best placed to test and refine it.
Because every dimension maps to an instrument regulators already operate, the recommendations are concrete rather than aspirational.
For national regulators: make the Cryptographic Bill of Materials a licensing or reporting condition—the single highest-leverage act available, and the sector generalization of what EO 14412 did federally. Then add a retention-based classification duty, and attach crypto-agility and PQC-readiness conditions to network deployment approvals, beginning with satellite and Direct-to-Device authorizations, where on-orbit retrofit is effectively impossible.
For GSMA: add a maturity-assessment layer over the PQ corpus—on the model of the NESAS security-assurance scheme—so that guidance is joined by scoring, and publish an indicative quantum-safe timeline for the N32 roaming interface to anchor bilateral negotiations.
For the ITU: extend the portfolio from QKD networking to an operator-facing Recommendation on PQC migration governance within SG17’s current mandate, and mount a developing-country readiness programme through ITU-D—using the Gulf instruments as adaptable reference material. That constituency, which ITU alone reaches, is the one most exposed to harvesting and least equipped to self-direct a migration.
Step back, and the quantum transition marks something larger than a migration. For four decades the object of technology regulation has climbed a ladder of abstraction—from infrastructure, to information, to location, to behaviour. Quantum adds a new rung: time—the interval between harvesting and decryption. And that rung breaks the profession’s oldest habit.

At every earlier stage, regulation could afford to be reactive: rules followed harm, and the lag, though costly, was survivable because harm and response shared the same present. Harvest-now-decrypt-later ends that. The harm is committed now and detonates later, and by the time it is visible, no rule can reach back and undo the collection.
For the first time, reactive regulation is not merely slow—it is logically incapable of preventing the harm.
That is why the task ahead is not another warning but an instrument—and why the shift it demands is from technology regulation, which writes rules after the fact, to technology governance, which architects trust before it. Digital trust, on examination, is what telecommunications has always sold: the confidence that a message arrives intact, unread, and attributable. Quantum readiness is the first great maintenance programme of that trust infrastructure, and it will not be the last.
The persuasion phase is over; the measurement phase begins. The regulators who move first will not merely have managed a migration—they will have built the next pillar of digital trust, and built it in time.