The data is already gone. The question is what you plan to do about it?

Quantum computing occupies a strange position in most boardroom conversations. It is treated as a future problem: technically serious, strategically important, but not yet urgent enough to displace whatever is burning today. Right now, what is burning is AI. Boards are allocating budget, hiring teams, and restructuring operating models around artificial intelligence. CISOs and CIOs are consumed with securing AI infrastructure, governing model access, and managing data pipelines that did not exist two years ago. Quantum is the thing they will get to once the AI transformation settles down. 

The problem is that the AI transformation is not going to settle down. And while organisations are looking one way, a different threat is accumulating quietly in the other direction. 

Adversaries do not need a quantum computer to benefit from one. For several years, intelligence agencies and private threat actors have been harvesting encrypted data in transit, intercepting it, copying it, and storing it, on the basis that it will become readable when quantum computing capability matures. The NSA, NCSC, and GCHQ have all confirmed this is happening. The NCSC's own guidance states explicitly that organisations should assume sensitive encrypted data has already been collected. The breach, in a meaningful sense, has already occurred. It just has not become visible yet. 

The UK has a clear policy framework for what to do about it. The NCSC's migration roadmap, published in March 2025, sets three milestones: complete cryptographic discovery and build a migration plan by 2028, migrate the highest-priority systems by 2031, and complete the full transition by 2035. The problem is the gap between the framework existing and organisations actually doing anything about it, a gap the current AI investment cycle is making wider. Security teams are not ignoring quantum risk out of ignorance. They simply do not have the bandwidth. A BSI survey found that organisations expect to complete migration to quantum-safe cryptography 6.5 years too late. That is not a finding about technical difficulty. It is a finding about prioritisation. 

The timeline pressure is real. Private consensus among researchers and intelligence community figures puts the arrival of a cryptographically relevant quantum computer earlier than the public estimates most organisations use as their planning assumption. Some credible forecasts point to 2028 or 2029. For organisations with sensitive data that needs protecting for a decade or more, the timelines are already beyond tight. 

There is also an uncomfortable intersection between the two trends consuming security teams right now. AI does not create the quantum exposure problem, but it significantly worsens what happens when quantum decryption arrives. The datasets that have been harvested become dramatically more exploitable when pattern recognition and identity reconstruction can be applied at scale. The AI agenda and the quantum security agenda are not competing for resources. They are describing the same underlying risk from different angles. 

Unlike Y2K, the quantum threat has no fixed date, and the consequences are not operational failures that surface immediately. They are silent. The data that has been harvested will become readable without warning, tracing back to decisions made years earlier. Post the Equifax precedent, regulators and courts will ask what boards knew, when they knew it, and what they did about it. A fiduciary obligation does not go away because the AI roadmap is full. 

For organisations in financial services or payments, there is a compliance dimension that requires no quantum dependency at all. PCI DSS v4.0 is the global security standard governing any organisation that stores, processes, or transmits payment card data, covering retailers, banks, payment processors, and their technology suppliers. Requirement 12.3.3, which came into force in March 2025, requires annual documentation and review of every cryptographic cipher suite and protocol in use. Organisations that cannot produce that inventory are already non-compliant. 

The entry point is not as resource-intensive as the full migration programme. The first priority is discovery: build the cryptographic inventory, understand what is actually running in production, classify it by risk and data sensitivity, and produce a prioritised remediation plan. That work surfaces immediate value, including deprecated protocols, weak keys, and expired certificates that can be fixed now, before quantum migration begins. It is a scoped, time-bounded piece of work that does not require displacing the AI agenda. The NCSC made this concrete for the UK market in September 2025, selecting Arqit to participate in its Post-Quantum Cryptography Pilot under the Assured Cyber Security Consultancy Scheme, specifically to provide discovery and migration planning services to UK organisations. 

The infrastructure for an orderly transition exists. The question is whether organisations will use it while there is still time to be orderly. The AI transformation will not pause to make room for it. That is precisely the point. 

Author 

Sean Carnew

Sean Carnew

Director of Government, Defence and CNI, Arqit

Technology and Innovation programme activities

techUK bring members, industry stakeholders, and UK Government together to champion emerging technologies as an integral part of the UK economy. We help to create an environment where innovation can flourish, helping our members to build relationships, showcase their technology, and grow their business. Visit the programme page here.

 

Upcoming events

Latest news and insights 

Learn more and get involved

 

Sign-up to get the latest updates and opportunities across Technology and Innovation.

 

Here are five reasons to join the Tech and Innovation programme

Download

Join techUK groups

techUK members can get involved in our work by joining our groups, and stay up to date with the latest meetings and opportunities in the programme.

Learn more

Become a techUK member

Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.

Learn more

 

Meet the team 

Sue Daley OBE

Sue Daley OBE

Director, Technology and Innovation

Rory Daniels

Rory Daniels

Head of Emerging Technology and Innovation, techUK

Tess Buckley

Tess Buckley

Senior Programme Manager in Digital Ethics and AI Safety, techUK

Usman Ikhlaq

Usman Ikhlaq

Programme Manager - Artificial Intelligence, techUK

Elis Thomas

Elis Thomas

Programme Manager, Tech and Innovation, techUK

Sara Duodu  ​​​​

Sara Duodu ​​​​

Programme Manager ‑ Quantum and Digital Twins, techUK

Ella Shuter

Ella Shuter

Junior Programme Manager, Emerging Technologies, techUK

Luke Lightowler

Luke Lightowler

Junior Programme Manager - Emerging Technologies & Robotics, techUK