Do you have a post-quantum cryptography roadmap - Is your encrypted data safe?
16 October 2025
The Australian Signals Directorate identified in its Annual Cyber Threat Report 2024-2025 that one of the four ‘big moves’ for organisations is to prepare for post-quantum cryptography. So what is it, and why should you have a plan?
PART A – why (and when) your data may be at risk
Organisations and agencies (referred to as ‘entities’ below) frequently hold significant amounts of data. The data may include personal information, sensitive information, commercially sensitive information and information of national significance. One of the key security measures these entities rely on to secure the data is encryption. However, developments in quantum computing will, in the not-too-distant future, result in computers that have the necessary power to break many widely-used algorithms and expose the data.
Most forms of encryption were built around computational assumptions[1]. Often one of those assumptions is the level of computing power that can be applied in efforts to decode the data without using the encryption key (a parcel of data designed to be used with the form of encryption to decipher the encrypted data).
Through anticipated leaps in computing power and the assistance of special algorithms, quantum computing is on the verge of exposing many common encryption algorithms.
In 1994, Peter Shor developed a quantum algorithm (known as ‘Shor’s algorithm’) which, according to Michele Mosca, demonstrated that ‘essentially all the deployed public key cryptography will be completely broken by a quantum computer’. Whereas a regular computer (described as a ‘classical computer’) encodes information in binary bits, a quantum computer uses quantum bits – ‘qubits’ – which behave very differently to ordinary bits. As a result, a quantum computer should be able to perform some tasks significantly faster than a regular computer, making it viable to break many types of encryption algorithms using Shor’s algorithm.
Do quantum computers exist today?
While quantum computers have existed for some time now, they generally have limited use cases, are prone to errors, and utilise far fewer qubits than is believed necessary to break cryptography.[2] The issue is not when will quantum computers exist, but rather when will one exist of sufficient size and sophistication to break encryption algorithms – sometimes referred to as a ‘cryptanalytically relevant quantum computer’ or CRQC.
A number of commentators suggest CRQCs could become available within the next 10 years, others longer (even 30 years).[3] In its December updates to the Commonwealth Information Security Manual (ISM), the Australian Cyber Security Centre (ACSC, the organisation operated by the Australian Signals Directorate to lead the Australian government’s efforts on cyber security[4]) indicated 2030 as a reference point for when Commonwealth agencies should cease using a number of common encryption algorithms. By way of comparison, in its initial public draft of NIST IR 8547 (‘Transition to Post-Quantum Cryptography Standards’), the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has identified 2030 as the date from which a number of these algorithms are no longer recommended for use, and states that from 2035 they should not be used.[5]
Development of post-quantum cryptography
In late 2016, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) initiated what was ultimately an eight-year-long project to produce standards for methods of encryption that are believed to be able to withstand the processing power of quantum computing.[6] In August 2024 they approved three Federal Information Processing Standards (FIPS) for post-quantum cryptography:[7]
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)
- FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA)
- FIPS 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA)
In an Australian context, the ACSC has updated the ISM as follows:
- March 2024 – introduced Control ISM-1917, requiring that future cryptographic requirements and dependencies are considered.
- December 2024 –
  - introduced a series of new controls (ISM-1990 to ISM-1995 inclusive) that adopt certain parameter sets of ML-KEM and ML-DSA as approved algorithms, and also certain algorithms of SHA-2 and SHA-3
  - revised ISM-1917 to instead require ‘The development and procurement of new cryptographic equipment and software ensures support for the use of ML-DSA-87, ML-KEM-1024, SHA-384, SHA-512 and AES-256 by no later than 2030’
  - revised the description of a number of existing approved algorithms – such as DH, ECDH, ECDSA, RSA[8] – to note that they will not be approved beyond 2030.
Risks arising from quantum computing
Entities that have significant data holdings need to consider how these data holdings are protected. However, with the advent of cloud computing, that data is now commonly held in cloud environments operated by a range of technology companies. As such, the data ‘controller’ entity may have little actual control over the encryption that is applied to the different data sets. This can make it challenging to know where the key exposures are, particularly if existing internal security documentation doesn’t capture the algorithms that are used.
Changing encryption can be very time consuming. The NIST notes that, historically:
the journey from algorithm standardization to full integration into information systems can take 10 to 20 years. This timeline reflects the complexity of companies building the algorithms into products and services, procuring those products and services, and integrating those products and services into technology infrastructures.[9]
Another problem is that, if encrypted data can be unencrypted without the encryption key, it becomes attractive for adverse actors to steal encrypted data, warehouse it, and then decode and exploit it later once a CRQC becomes available. This is referred to as a ‘harvest now, decrypt later’ (or ‘HNDL’) attack.
PART B – what does this mean for you?
While the ISM and other ACSC recommendations are not mandatory outside the Federal government,[10] any entity should be guided by these dates and decision points.
Taking a prudent, planned approach to post-quantum cryptography is critical for entities. For instance:
- In many circumstances, effective encryption will form a critical part of the ‘reasonable’ steps that need to be taken – or have been taken, in the case of existing practices - to protect personal information held by an entity to comply with Australian Privacy Principle 11.
- Commonwealth entities need to comply with the ISM including being in a position of using approved post-quantum algorithms by 2030.
- APRA-regulated entities must identify, assess and manage operational risks – which is a broad term that includes risks to the security of their data – pursuant to Prudential Standard CPS 230 (Operational Risk Management).
Below we have briefly captured some of the key activities entities can take in terms of security governance and IT procurements, and the implications of quantum computing for eligible data breach assessments under the Privacy Act 1988 (Cth).
Security governance
In general:
- Engage with your suppliers: Reach out to suppliers to understand how your data is protected and the supplier’s road map for adoption of post-quantum cryptography. There may not be immediate solutions. Changes can take time. Post-quantum algorithms generally have higher computational requirements which may affect performance for systems such as IoT and real-time systems[11] and the understanding of the risks arising from quantum computing is evolving. Some suppliers will resist disclosure but given recent cyber activity the pressure will be on the supplier to ensure their platforms securely protect the data stored in them. Suppliers will likely need to roll out changes in stages across different products (or parts of products), and it is for the customer, having regard to the specific risks relating to its own data, to determine whether progress is sufficient, or if it needs to take other actions (which could ultimately be ceasing use of the relevant solution or supplier).
- Inventory: As part of documenting and managing an entity’s data storage, the entity should to the extent possible clearly document the methods of encryption it has in place for its systems, infrastructure and communication channels. This project should be driven with a risk lens – focussing on more critical data stores and systems. One aspect of the risk assessment for an HNDL attack is considering the estimated time by which CRQC will be available, the likely period over which the relevant data will be sensitive, and the likely amount of time it would take to transition that data set to post-quantum cryptography. For example, if an organisation had a commercially sensitive data set that would be stale and of low sensitivity / risk after 10 years, and the organisation took the view that CRQC would become available on or before 2035, the organisation would want to protect that data set with post-quantum cryptography from 2025. A key component of the inventory project is documenting where encryption keys are stored / managed, and the level of encryption that applies to that system/repository.[12]
- Transition to post-quantum cryptography: Having regard to the areas of greatest risk (such as data sets which attract the greatest concern in terms of a HNDL attack), create and execute a plan to transition to post-quantum cryptography. There is guidance available on how to do this, including guidance issued by the ASD and the Canadian Forum for Digital Infrastructure Resilience.[13] This may be challenging for many organisations, noting the likelihood of competing technology priorities, such as keeping pace with the adoption and governance of AI.
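The inventory and HNDL timing assessment described above can be run over an inventory as a simple triage. This is an added example, not part of the original article: the `Asset` record, the field names and the sample entries are hypothetical, the algorithm groupings are the ones quoted from the ISM on this page, and working to the earlier of the HNDL date and 2030 is an assumption.

```python
from dataclasses import dataclass

# Groupings as stated on this page (ISM, December 2024 revisions).
NOT_APPROVED_BEYOND_2030 = {"DH", "ECDH", "ECDSA", "RSA"}
ISM_1917_TARGETS = {"ML-DSA-87", "ML-KEM-1024", "SHA-384", "SHA-512", "AES-256"}
ISM_YEAR = 2030

@dataclass
class Asset:                 # hypothetical inventory record
    name: str
    algorithms: list         # algorithm names as recorded in the inventory
    sensitive_years: int     # period over which the data stays sensitive
    migration_years: int     # estimated time to transition this data set

def classify(algorithm):
    if algorithm in NOT_APPROVED_BEYOND_2030:
        return "sunset"
    if algorithm in ISM_1917_TARGETS:
        return "target"
    return "review"          # not named on the page: check by hand

def assess(asset, crqc_year, today):
    status = {a: classify(a) for a in asset.algorithms}
    if "sunset" not in status.values():
        return {"asset": asset.name, "algorithms": status, "exposed": False}
    # Data captured in year Y stays sensitive until Y + sensitive_years, so
    # anything captured from this year on is still sensitive at crqc_year.
    protect_from = crqc_year - asset.sensitive_years
    # Assumption: work to the earlier of the HNDL date and the ISM 2030 date.
    start_by = min(protect_from, ISM_YEAR) - asset.migration_years
    return {"asset": asset.name, "algorithms": status, "exposed": True,
            "protect_from": protect_from, "start_by": start_by,
            "hndl_window_open": today >= protect_from,
            "overdue": today > start_by}

def triage(assets, crqc_year, today):
    """Exposed assets only, most urgent (earliest start_by) first."""
    rows = [assess(a, crqc_year, today) for a in assets]
    return sorted((r for r in rows if r["exposed"]), key=lambda r: r["start_by"])

if __name__ == "__main__":
    inventory = [            # constructed sample entries
        Asset("commercial-dataset", ["RSA", "AES-256"], 10, 0),
        Asset("customer-records", ["ECDH", "AES-256"], 15, 3),
        Asset("telemetry", ["ECDH", "AES-256"], 1, 2),
        Asset("new-archive", ["ML-KEM-1024", "AES-256"], 20, 0),
    ]
    for row in triage(inventory, crqc_year=2035, today=2025):
        print(row)
```

The model treats every algorithm in the 2030 sunset group alike; in practice the HNDL timing matters for key establishment and encryption, while signature-only entries are driven by the 2030 date.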
New IT procurements
Due diligence
For new IT procurements, include consideration of post-quantum cryptography in your security due diligence processes. For Commonwealth agencies and organisations that are required to comply with the ISM (including, for example, major technology providers to the Commonwealth), this has been a requirement since March 2024.
Requiring compliance with existing standards likely not sufficient
If the outcome of the due diligence is that a specific post-quantum algorithm is or will be implemented, include this specifically in the service requirements / security requirements in the contract.
Entities should be aware that merely requiring that your supplier comply with relevant technical industry standards may not provide sufficient coverage for the risk posed by a HNDL attack. Until the risks of quantum computing and the efficacy of existing post-quantum cryptography are clearer, standards may not be able to prescribe clear compliance requirements which provide coverage that is sufficient for this risk in the context of a particular organisation’s data and operations.
For example, whilst Commonwealth agencies will generally mandate ISM compliance in their technology contracts, the ISM does not require the implementation of approved post-quantum algorithms today – only from 2030 (and you don’t want to read in a software EULA in 2029 from the supplier noting ‘we aren’t ready to switch’ – contractual protection alone doesn’t solve the problem).
In an APRA regulated context, post-quantum cryptography doesn’t feature specifically in Prudential Standard CPS 234 (Information Security) or Prudential Standard CPS 230 (Operational Risk Management). Unlike the ISM, these standards are both principle-based, outcomes focussed standards. This makes them flexible and helps support APRA’s goal of being able to hold larger organisations to a higher standard, but the downside is that it means that a contract passing through these requirements leaves, in the context of post-quantum cryptography, a lot of ambiguity as to what is required of the vendor in the transition. What standard must they implement? By when?
If the expectation is that the supplier will implement a specific post-quantum algorithm from day 1 or by day 100, it is better to include that rather than relying solely on an ISM or CPS 234 compliance obligation.
Other contractual protections
Apart from the standard general security provisions, useful obligations to consider include:
- continuous improvement (including, for larger / higher risk procurements, provision of forward planning documentation and end of period reviews)
- vendor to conduct periodic reviews of its security posture
- provision of information and materials about security arrangements
- provision of and compliance with a client approved security uplift plan.
Implications of quantum computing for eligible data breach assessments
Under Part IIIC of the Privacy Act 1988 (Cth), an agency or organisation covered by the Act must notify the OAIC and affected individuals where a data breach is likely to result in serious harm to an individual. Affected data being encrypted can reduce the likelihood that encrypted personal information which is lost is subject to unauthorised access or disclosure, or that access or disclosure would likely result in serious harm to individuals to whom the information relates.
In each case, this leads to a judgment about the likelihood of encryption being breached. OAIC guidance notes:[14]
Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible? A relevant consideration is whether the information is rendered unreadable through the use of security measures to protect the stored information, or if it is stored in such a way so that it cannot be used if breached. In considering whether security measures (such as encryption) applied to compromised data are adequate, the entity should consider whether the method of encryption is an industry-recognised secure standard at the time the entity is assessing the likelihood of risk. Additionally, an entity should have regard to whether the unauthorised recipients of the personal information would have the capability to circumvent these safeguards. For example, if an attacker holds both encrypted data and the encryption key needed to decrypt that data, the entity should not assume the data is secure.
While an entity may decide that current encryption algorithms still work to protect entity data, the lifespan of these algorithms is limited. Further:
- The risk of the breach being / becoming an HNDL attack needs to be considered. This may be seen as more likely if the attack is highly motivated / funded, and if the nature of the data makes it valuable even after it has been held for some years.
- The evolving understanding of the quantum computing risk also needs to be considered, including the possible timing of it becoming available (and not only available, but available to the person who holds the data – if anything is known about them).
Your move
With AI continuing to own the spotlight – which makes sense, given it is ‘now’ – it can be hard to find space for discussion of technologies that are still on the horizon. However, entities can’t afford to wait until a CRQC exists. Entities need to plan now for post-quantum cryptography, and in particular consider what encryption tools protect their data now and what their suppliers are doing to prepare for post-quantum cryptography.
[1] Michele Mosca, ‘Cybersecurity in an era with quantum computers: will we be ready?’ (2015), available online: https://eprint.iacr.org/2015/1075.pdf.
[2] https://www.kaspersky.com.au/blog/quantum-cryptography-2024-hype/34541/
[3] Even once it is possible, there would likely be a further lag before those computers become more available and are used outside of the domain of nation-states and very large organisations. A 2023 study estimated just the electricity cost of breaking a single public key at $64,000: Parker & Vermeer, Estimating the Energy Requirements to Operate a Cryptanalytically Relevant Quantum Computer (April 2023), available online: https://arxiv.org/pdf/2304.14344
[4] https://www.asd.gov.au/about/what-we-do/cyber-security
[5] https://csrc.nist.gov/pubs/ir/8547/ipd.
[6] https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information.
[7] https://csrc.nist.gov/projects/post-quantum-cryptography.
[8] The list also includes certain of the lower security parameter versions of other algorithms, such as ML-KEM and ML-DSA.
[9] NIST Internal Report 8547, Transition to Post-Quantum Cryptography Standards (November 2024) [at https://doi.org/10.6028/NIST.IR.8547.ipd].
[10] Putting aside contractual obligations, for example. Service providers to the Federal Government will frequently be required under their contract to implement the ISM in relation to relevant systems/solutions.
[11] Marin Ivezic, Post-Quantum Cryptography PQC Challenges (1 June 2023), available online: https://postquantum.com/post-quantum/post-quantum-pqc-challenges/.
[12] For example, in April 2025 Amazon Web Services (AWS) announced it has deployed post-quantum encryption to three AWS services, including its Key Management Service: https://aws.amazon.com/blogs/security/ml-kem-post-quantum-tls-now-supported-in-aws-kms-acm-and-secrets-manager/.
[13] ASD guidance (https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/planning-post-quantum-cryptography); Canadian Forum for Digital Infrastructure Resilience, Canadian National Quantum-Readiness Best Practices And Guidelines (2023) (https://ised-isde.canada.ca/site/spectrum-management-telecommunications/sites/default/files/attachments/2023/cfdir-quantum-readiness-best-practices-v03.pdf)
[14] https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme