In October 2025, post-quantum cryptography (PQC) still felt like a strategic warning, serious, but easy to postpone. In 2026, the framing is changing. Not because a “break-everything” quantum computer is already online, but because the prerequisites for a real transition are finally lining up: standards, policy timelines, and, most importantly, industrial proof points that address the hard part… How do you migrate at scale without replacing entire fleets?
That is the core message of this update: the challenge isn’t to “believe in quantum.” It’s to make security sustainable. In defense, where systems live for decades, interoperability is non-negotiable, and the supply chain is a contested space, the question is no longer “which algorithm wins?” The question is: can you evolve cryptography without breaking operations?
The clearest risk: collect today, crack tomorrow
The most realistic scenario is not dramatic. It’s routine: intercept encrypted traffic today, store it, and attempt to decrypt it later as capabilities mature. In defense, that matters because many assets retain value for years: identities and access, operational logs, plans, sensor data, mission archives, industrial exchanges, and R&D.
If information must remain protected for 10–15 years, the logic is simple: you raise the bar before the threat fully materializes. Quantum is not a single “D-Day.” It is a time-horizon problem.
What changed since 2025: PQC becomes executable
Three developments make 2026 meaningfully more operational than 2025.
Standards are in place
The first finalized PQC standards provide a shared baseline for vendors and buyers. That shifts the discussion from “we’re waiting for stabilization” to “we can plan integration.”
Timelines are becoming real
In Europe, the post-quantum transition is increasingly treated as structural cybersecurity, with public milestones (start by 2026; aim for critical infrastructure transition around 2030). That doesn’t mean everything migrates tomorrow, but it does mean long-cycle programs (OT, platforms, certified systems) need to align now.
Migration is treated as a program, not a patch
Serious migration playbooks converge on the same reality: inventory, prioritization, testing, dependency management, supplier alignment, and an inevitable transition phase. In plain terms: this isn’t a quick fix. It’s a multi-year program.
This trio, standards + timeline + method, is the inflection point. PQC moves from abstract debate to practical execution.
The useful industrial signal: Thales and “quantum-safe” 5G SIM/eSIM
Here is why the Thales announcement matters, if you read it correctly. Thales is not claiming a “magic, unbreakable SIM.” The pragmatic claim is about upgradability: the ability to remotely upgrade the security of already-deployed 5G SIM/eSIM, adding post-quantum mechanisms without physically replacing cards and without interrupting service.
That matters because it illustrates the rule that will decide whether PQC succeeds at scale:
Post-quantum security only scales if it is upgradeable. The trap is obvious: if you must physically replace millions of endpoints, the transition becomes a logistics nightmare. If you can evolve cryptography like software, securely and at tempo, the transition becomes governable.
And in defense, the logic goes far beyond telecom. Radios, gateways, sensors, embedded systems, trust anchors, if crypto is frozen, you inherit structural risk. If crypto is modular and maintainable, you gain maneuver room.
The defense implications that actually matter
Start with reality: where does crypto actually live?
In many organizations, cryptography isn’t a single box you can “upgrade.” It’s scattered across VPNs, certificates, PKI, signed updates, embedded components, IT/OT links, vendor stacks, and tactical networks. The first step is not “pick the best algorithm.” The first step is mapping:
- Where are cryptographic mechanisms used?
- What do they protect (confidentiality, integrity, identity)?
- Which mission-critical systems depend on them?
Without an inventory, you can’t prioritize. Without prioritization, you can’t migrate.
Don’t fixate on decryption: signatures and supply chain are frontline issues
Public debate often reduces “quantum” to breaking encryption. But in critical systems, integrity and provenance are just as decisive: firmware updates, secure boot chains, software packages, and device enrollment. If an adversary can poison an update path or compromise a trust root, they don’t need to decrypt anything to cause strategic harm.
For 2026, the message is straightforward: protecting the software ecosystem and its signing mechanisms is a post-quantum priority, because that is where supply-chain credibility is won or lost.
Long-life systems must be designed to evolve
Defense platforms and infrastructures run on 15–30-year lifecycles. Crypto frozen today becomes a structural risk tomorrow. The practical requirement is crypto-agility: the ability to switch schemes, update trust elements, and manage hybrid transition periods, without immobilizing capability.
That is exactly why industrial signals like Thales are valuable: they show an approach that fits real-world constraints. If upgradeability is feasible in secure elements, it becomes feasible as a design requirement across other defense ecosystems.
A “reasonable” path for 2026
Inventory and classify: Where is crypto used? Which flows and datasets? What sensitivity horizon? Which systems can’t be updated easily?
Prioritize by value horizon and operational impact: Long-life secrets rise to the top. Systems that can’t be modified become risks to manage through architecture (segmentation, compensating controls) until modernization is possible.
Run pilots on cross-cutting foundations: PKI, certificates, critical VPNs, signed update mechanisms, these levers improve posture quickly and prepare the ground.
Require crypto-agility in procurement: This is the most decisive long-term move: if future systems are designed to evolve, the transition becomes a controlled program—not a crisis.
The quantum era won’t arrive as a single overnight break. It will unfold as a transition race—measured less by the elegance of an algorithm than by an ecosystem’s ability to evolve cryptography at scale, under real constraints, without breaking interoperability.
In that reading, the Thales signal does not prove the problem is “solved.” But it does highlight where the most practical fight sits in 2026: making security maintainable—and making migration possible.
Article 1: Quantum threats in 2025: the next cyber defense challenge
