Albin Finne | Cyber Security Director, Deloitte
Quantum computers capable of breaking today's widely used public-key cryptography do not exist yet. However, the relevant question is not when a cryptographically relevant quantum computer will exist — it is how long it will take to migrate cryptographic infrastructures once organizations know it is a must.
For most organisations, particularly those in regulated sectors with complex, distributed infrastructure, the answer is probably years. PKI hierarchies, certificate lifecycles, hardware security modules, and the dozens of systems that depend on them do not get replaced quickly. Migration at scale requires careful planning, prioritisation, and significant programme investment.
This is why national cybersecurity agencies have been issuing guidance already. NIST finalised its first post-quantum cryptographic standards in 2024 — FIPS 203, 204, and 205 — providing organisations with algorithms designed to resist future attacks by quantum computers.
And then there is the "harvest now, decrypt later" threat. State-level actors are almost certainly harvesting encrypted data today — data that is currently unreadable, but which will become readable once quantum capability matures. For any organisation handling sensitive data with a long confidentiality horizon, this is not a future risk but a present one; organisations in the government, defence, financial services and energy sectors are typical examples.
Swedish organisations subject to NIS2 have a more immediate and specific regulatory reference point than many of their European peers, and it points directly at post-quantum cryptography.
The draft Swedish NIS2 transposition (3 kap. Tekniska och driftrelaterade säkerhetsåtgärder, 30 §, Förslag till Myndighetens för samhällsskydd och beredskaps föreskrifter och allmänna råd om säkerhetsåtgärder och utbildning) references national recommendations from the Swedish National Cyber Security Centre (NCSC) as a compliance standard for organisations implementing the Article 21 security measures related to cryptography. NCSC has already published initial recommendations on quantum-safe cryptography, “Rekommendationer för övergången till kvantsäker kryptografi” (Recommendations for the transition to quantum-safe cryptography), which sets out how organisations should approach PQC readiness. New and updated national recommendations are expected to be published in 2026, which will bring further detail on what quantum-safe cryptography means in practice for Swedish essential and important entities.
The regulatory chain this creates is clear. NIS2 Article 21 requires appropriate cryptographic measures. The Swedish transposition references NCSC recommendations as a compliance standard. NCSC has published and is updating recommendations that explicitly address post-quantum cryptography. For organisations within scope of the Swedish Cyber Security Act, PQC readiness is not background reading or a future consideration: it is a compliance reference point that supervisory authorities will be able to point to when assessing the adequacy of an organisation's cryptographic posture.
For Swedish NIS2 entities, the regulatory chain from Article 21 to NCSC's kvantsäker kryptografi guidance makes PQC readiness a compliance matter — not just a risk management aspiration.
Many organisations are probably not yet aware of this connection. Organisations that begin their PQC assessment now will already have a view of their exposure and a plan in place, and will be able to engage their regulators from a position of credibility rather than one of catching up.
Understanding that PQC migration is necessary is one thing; executing it is another. In practice, organisations consistently encounter the same set of challenges, and knowing what they are in advance is the first step to managing them.
Discovery and visibility is almost always the first challenge. Many organisations have surprisingly low visibility into where cryptography is actually used across their estate. Cryptographic dependencies are embedded in applications, middleware, hardware, supplier connections, and legacy systems — often undocumented. You cannot migrate what you cannot find, and building a comprehensive cryptographic inventory is harder and more time-consuming than most organisations anticipate.
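As an added illustration of the inventory step described above, and of the confidentiality-horizon point made earlier about harvest-now-decrypt-later, the Python below is example code written for this page, not tooling from the article, Deloitte or NCSC. It takes a constructed CSV export of a cryptographic inventory, classifies each entry by its quantum exposure (Shor-vulnerable public-key algorithms, Grover-reduced symmetric margins, FIPS 203/204/205 algorithms) and ranks entries by how long the protected data must stay confidential. The ranking rule is Mosca's inequality (data shelf life plus migration time compared with the time until a cryptographically relevant quantum computer), which the article does not name; the column names, the sample rows and the 5-year and 10-year figures are assumptions chosen for the example.

```python
"""Toy cryptographic-inventory triage (constructed example, not NCSC/Deloitte tooling).

Reads an inventory export, classifies each asset's quantum exposure and
ranks assets so that the ones already at harvest-now-decrypt-later risk
come first."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Public-key primitives that Shor's algorithm breaks once a cryptographically
# relevant quantum computer (CRQC) exists.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}
# FIPS 203/204/205 algorithms; a hybrid entry containing one counts as safe.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric primitives: Grover roughly halves effective key length, so 128-bit
# keys keep a reduced margin while 256-bit keys are generally considered adequate.
SYMMETRIC = {"AES", "CHACHA20"}

# Constructed sample export; real inventories would come from CMDB, PKI and
# TLS scanning data. Hybrid entries are written as "classical+pq".
SAMPLE_INVENTORY = """system,component,algorithm,key_bits,shelf_life_years
customer-portal,TLS server cert,RSA,2048,2
hr-archive,backup encryption,AES,128,15
scada-gateway,VPN key exchange,ECDH,256,20
payments-api,mTLS,X25519+ML-KEM,768,5
mainframe,internal signing,RSA,4096,1
"""


@dataclass
class Asset:
    system: str
    component: str
    algorithm: str
    key_bits: int
    shelf_life_years: int  # how long the protected data must remain confidential
    exposure: str = ""
    urgent: bool = False


def classify(algorithm: str, key_bits: int) -> str:
    """Map an algorithm label (optionally 'a+b' for hybrids) to an exposure class."""
    parts = set(algorithm.upper().split("+"))
    if parts & QUANTUM_SAFE:
        return "quantum-safe"
    if parts & QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if parts & SYMMETRIC:
        return "reduced-margin" if key_bits < 256 else "quantum-safe"
    return "unknown"  # unknown labels must be investigated, not ignored


def parse_inventory(text: str) -> list[Asset]:
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        asset = Asset(row["system"], row["component"], row["algorithm"],
                      int(row["key_bits"]), int(row["shelf_life_years"]))
        asset.exposure = classify(asset.algorithm, asset.key_bits)
        assets.append(asset)
    return assets


def prioritise(assets: list[Asset], migration_years: int,
               threat_horizon_years: int) -> list[Asset]:
    """Mosca's inequality: if shelf life + migration time >= years until a CRQC,
    data protected by quantum-vulnerable crypto is exposed to harvest-now,
    decrypt-later today. Urgent assets sort first, then other vulnerable ones,
    then the rest, each group ordered by longest confidentiality horizon."""
    for a in assets:
        a.urgent = (a.exposure == "quantum-vulnerable"
                    and a.shelf_life_years + migration_years >= threat_horizon_years)
    return sorted(assets, key=lambda a: (not a.urgent,
                                         a.exposure != "quantum-vulnerable",
                                         -a.shelf_life_years))


def triage(text: str, migration_years: int, threat_horizon_years: int) -> list[Asset]:
    return prioritise(parse_inventory(text), migration_years, threat_horizon_years)


if __name__ == "__main__":
    # Assumed planning figures: 5 years to migrate, CRQC assumed within 10 years.
    for a in triage(SAMPLE_INVENTORY, migration_years=5, threat_horizon_years=10):
        flag = "URGENT" if a.urgent else "      "
        print(f"{flag} {a.system:16} {a.component:20} {a.algorithm:14} {a.exposure}")
```

With the assumed figures only the SCADA VPN entry is flagged urgent: its 20-year confidentiality requirement plus a 5-year migration comfortably exceeds the 10-year horizon, so traffic captured today would still matter when it becomes decryptable. The portal certificate uses the same class of algorithm but protects data with a 2-year horizon, which is why an inventory needs the shelf-life column and not just the algorithm name.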
Supply chain and third-party dependencies compound this. An organisation cannot complete its own PQC migration if its critical suppliers and partners have not done theirs. Cryptographic interoperability across organisational boundaries is essential, and many organisations have limited visibility or leverage over their supply chain's cryptographic posture.
Hybrid transition complexity is a further challenge that is often underestimated. During the migration period, organisations will need to run classical and post-quantum algorithms simultaneously — so-called hybrid schemes. Managing that complexity across diverse infrastructure, while maintaining interoperability with counterparties at different stages of their own migration, adds significant operational burden and requires careful sequencing.
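To make the hybrid idea concrete, the Python below is an added example written for this page, not code from the article or from any NCSC or Deloitte material. It shows the key-combiner step of a hybrid scheme: two shared secrets, one from a classical key exchange and one from a post-quantum KEM, are concatenated and fed through HKDF so that the session key stays secret as long as either input does. The concatenate-then-KDF pattern follows the IETF hybrid TLS design draft; the actual X25519 and ML-KEM exchanges are not performed here, so the two shared secrets are constructed placeholder bytes, and the `"hybrid-kex-v1"` label is an assumption. The HKDF implementation is checked against RFC 5869 test case 1 so that the combiner is built on a verified primitive.

```python
"""Hybrid key-combiner sketch using only the standard library (constructed example)."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM); empty salt means HashLen zeros."""
    return hmac.new(salt if salt else b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Concatenation combiner: key = HKDF(ss_classical || ss_pq, info = label || transcript).

    Binding the handshake transcript into 'info' ties the key to this exchange.
    If one component is later broken (e.g. the classical one by a CRQC, or the
    PQ one by a cryptanalytic surprise), the attacker still lacks the other
    half of the IKM and cannot reproduce the key."""
    return hkdf(salt=b"", ikm=ss_classical + ss_pq,
                info=b"hybrid-kex-v1" + transcript, length=32)


# Constructed placeholder secrets standing in for real X25519 and ML-KEM outputs.
SS_CLASSICAL = hashlib.sha256(b"constructed classical shared secret").digest()
SS_PQ = hashlib.sha256(b"constructed post-quantum shared secret").digest()
TRANSCRIPT = b"client_hello||server_hello (constructed)"

if __name__ == "__main__":
    key = combine_shared_secrets(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    print("hybrid session key:", key.hex())
    # Knowing only the classical secret does not yield the key.
    leaked_classical_only = combine_shared_secrets(SS_CLASSICAL, b"\x00" * 32, TRANSCRIPT)
    print("differs when PQ half is unknown:", leaked_classical_only != key)
```

Operationally, the combiner is the easy part; the burden the paragraph describes comes from negotiating which combination each counterparty supports and from carrying both key shares in every handshake, which is why sequencing the rollout across partners matters.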
Skills and awareness remain in short supply. PQC is a specialist area, and there is a significant shortage of people who understand both the mathematical foundations and the practical implementation implications. Awareness at board and senior leadership level is also typically limited, which makes it difficult and potentially time-consuming to secure the investment and prioritisation that a programme of this scale requires.
Finally, PQC competes for priority against a packed agenda. Most organisations are simultaneously managing regulatory compliance (NIS2, DORA, CRA, AI, and more), cloud transformation, AI adoption, and a range of other security programmes. Without an immediate regulatory trigger, PQC tends to lose that prioritisation contest even when the long-term risk is well understood. The organisations that solve this challenge are those that frame PQC not as a standalone technical programme but as an integral part of their broader regulatory and risk management agenda. For Swedish entities, the Swedish Cyber Security Act can be used to secure the awareness and attention that PQC requires.
The goal at this stage is not to complete a migration immediately; it is to understand the exposure and build a credible plan. There are three things every organisation in a regulated or critical sector should be doing today:
Post-quantum cryptography is not a niche technical concern. It is a strategic risk management issue that sits at the intersection of cyber security, regulatory compliance, and long-term organisational resilience. The organisations that recognise this now and begin building their response in an orderly way will be in a fundamentally stronger position than those that wait for the regulatory trigger.
In Sweden, the regulatory trigger is likely coming in 2026 — and the regulatory chain from NIS2 to the Swedish NCSC's kvantsäker kryptografi recommendations means it will arrive with more details than most organisations are expecting. The question is whether organisations will be ready for it.