At EuroDIG 2026 in Brussels, a workshop was organized with the title ‘Q-Day Countdown: No More Privacy?’. The workshop was structured around three questions. 1) To show, (i) the importance of encryption in safeguarding personal data; (ii) how powerful quantum machines will challenge digital security. 2) How to prepare for a quantum future by deploying stronger protections? 3) Who should bear the responsibility for ensuring Post-Quantum Cryptography security? My personal conviction is that the challenge to protect society before Q-Day takes so many different actors that a multistakeholder solution is the only sensible way forward.

The scene was set by people being asked to imagine how they would react to an invention that would make all the locks in the world useless because someone could open them all at once. This is what will happen in the digital realm when the first powerful enough quantum computer starts operating. It will be able to crack all existing codes protecting our data, bank accounts, devices, etc. That is, should we not have updated our digital locks, i.e., encryption, to post-quantum levels (PQC) before that date. Unfortunately, at this point in time, this does not seem the likely outcome. Fortunately, we most likely still have time to prevent this from happening and prepare for PQC deployment.

Examples were provided about the necessity to upscale encryption on internet systems, such as DNS and routing. This includes updating the systems and routing connections to the current best practices, DNSSEC and RPKI, as otherwise, despite PQC, the underlying systems remain vulnerable to attacks from nefarious actors. Like they are today. It was pointed out that developments are moving at a fast pace. Billions are poured into research, the first quantum products have already entered the market, AI and quantum are being combined to speed up development, and a quantum computer has hacked current encryption for the first time, albeit at a low, yet surprising level. The world is waiting for that eureka moment changing everything, but who will have control over that power? Will it be benign, nefarious or somewhere in the middle? We don’t know, but can’t afford to wait it out.

Literally everything on and connected to the internet will need an update to PQC. From your TV (setup box) to software, from IoT to nuclear plants, from banking systems to privacy protection in the cloud, the “117” systems “phoning home” information from cars to manufacturers to connected coffee machines, all internet standards that make the internet function, etc. The task is beyond gargantuan, but needs to be done, if we want to protect our (personal) data. Someone in the audience asked: “What can I do”? The answer provided was “nearly nothing”. It is the service providers, hosters, manufacturers of ICT(-components), email providers, software developers, DNS providers, large organisations, data processors, etc., etc., that need to deploy, who bear responsibility. However, as an end user, you can look at what you buy or subscribe to. Is this up to date compared to other providers or products, and decide accordingly. But what is the role of governments, industry, large corporations, etc.? Will they start procuring ICTs secure by design? Will governments legislate or provide advice? Here is where coordination comes in, to prevent a multitude of, perhaps conflicting measures, which happened, e.g., with IoT roadmaps.

The workshop led to so many questions from the audience, showing that the topic deserves and is slowly drawing more attention, also because of recent news events surrounding quantum and AI.

What to do and where to start? If anything, the initiative needs to be multistakeholder, as PQC is not a topic that can be dealt with in isolation. So many different organisations need to act that it is inevitable to involve them and create roadmaps they can follow. The Internet Standards, Security and Safety Coalition is a Dynamic Coalition recognised by the United Nations’ Internet Governance Forum’s (IGF) secretariat. We are multistakeholder and have assembled senior experts from different stakeholder communities, planning to address the topic of PQC transition from a practical, deployment angle. Based on research we already conducted in 2025, we are ready to work with the organisations that need to deploy, so that a roadmap is created towards deployment covering all angles and all can use. This allows organisations to plan towards a timely and coordinated transition.. Only then, processes can be streamlined and coordinated among organisations and across borders. The IGF is the ideal place to coordinate, as all stakeholders meet there on an equal footing, allowing them to be heard and their views taken into account.

You are invited to join this body of work and to co-support the professionals carrying out the reporting and organisational work. If you are interested, send me a message for more information. We can only get this right once, and the time to act in a coordinated way is now.

Finally, let me share the messages of the EuroDIG workshop drawn up by rapporteur Nicolas Zahn:

“1. Loss of privacy is seen as the most pressing concern regarding digital security in the post-quantum world by the workshop participants. Q-Day is not a far-distant threat but already a partial reality, as the first successful breaks of encryption using Quantum computers show. And since post-quantum effects almost every aspect of our digital lives, we need to start today. For organisations (public and private) more clarity is needed on where encryption is currently used.

4. Organisations must not wait and start their preparations for the PQC-transition now. Tomorrow might be too late.”