Quantum readiness guide: Securing digital trust in the quantum era

Posted by Mike Hathaway on Sep 9, 2025 11:00:00 AM

As quantum computing rapidly advances from theory to practical reality, businesses and organisations must prepare now to safeguard digital trust.

While quantum promises transformative capabilities, from molecular simulation to AI acceleration, it also poses an existential threat to today’s cryptographic foundations. This guide explains what quantum computing is, why digital trust must adapt, how to prepare, and which emerging standards, mandates, and compliance frameworks can help, now and into 2026.

What is quantum computing?

In essence, quantum computing harnesses quantum physics phenomena, like superposition and entanglement, to process data in fundamentally new ways. Unlike classical bits, quantum bits (qubits) can occupy multiple states simultaneously, enabling parallel computation on a scale that traditional computers simply cannot match.

Businesses across sectors, from finance to logistics and pharmaceutical research, are eyeing quantum for solving large-scale modelling, optimisation, machine learning, genomic analysis, and secure communications.

However, the same power makes quantum computers a weapon. Shor’s algorithm threatens to break widely used public-key systems like RSA and ECDSA, on which almost all digital signatures, encryption protocols, and certificate infrastructures currently rely.

How far off is the quantum threat?

Although large-scale quantum computers are not commercially available yet, they are under development by leading technology providers and international governments. Industry risk assessments anticipate that within the next 10 – 15 years (i.e., by 2035), RSA and ECDSA will be vulnerable to real quantum attacks. For high-trust digital data, this is a ticking time bomb, and businesses shouldn’t wait until it’s too late.

Quantum’s impact on digital trust infrastructure

The emergence of quantum computing is more than a technological breakthrough. It fundamentally reshapes how we think about digital trust.

At the heart of this shift lies a major vulnerability: today’s cryptographic standards weren’t built with quantum capabilities in mind. As a result, many of the tools we rely on to secure communication, verify identities, and preserve the integrity of digital records are at risk.

This section examines the specific ways quantum computing challenges the current trust infrastructure, from digital signatures and PKI to hardware and key generation, and what steps can be taken now to mitigate these threats.

Risk to digital signatures and certificate schemes

Public key cryptography underpins digital trust, authenticating identities, validating documents, securing TLS and code signing, and powering PKI systems. With quantum computing able to break RSA and ECDSA, all digital signatures created now may be compromised in the future.

Even encrypted archives or timestamped files signed with legacy schemes face exposure. That means any sensitive archives, contracts, or legal documents stored today could be decrypted or forged in future, unless they’re protected appropriately.

Quantum-safe archival: PAdES LTA

One current mitigation is to use PAdES Long-term Archival (LTA) profiles. These allow you to digitally sign documents and periodically refresh their timestamp using quantum-safe cryptography, ensuring the chain of trust remains verifiable far into the future, even if original keys are later compromised.

Upgrading hardware and random number generation

Modern Hardware Security Modules (HSMs) and QRNGs (quantum random number generators) are being designed to meet quantum-strength requirements, enabling truly unpredictable key material and resisting quantum-based attacks.

Evolving standards and compliance mandates

Quantum readiness is not a one-off project. It’s an ongoing commitment that will continue to evolve as technologies mature and global regulatory frameworks adapt.

As quantum threats transition from theoretical to practical, the organisations leading the charge on digital trust (standards bodies, government agencies, and industry consortiums) are actively shaping what quantum-safe compliance looks like now and in the years ahead.

NIST Post-quantum cryptography (PQC) standards

In July 2022, the U.S. National Institute of Standards and Technology (NIST) announced the first set of quantum-resistant cryptographic algorithms selected from its multi-year global competition to standardise PQC. These standards are intended to replace public-key cryptosystems such as RSA and ECDSA.

Four algorithms were chosen for standardisation:

  • CRYSTALS-Kyber (key encapsulation mechanism – KEM)
    For general encryption and key establishment, Kyber is a lattice-based algorithm selected for its efficiency and strong security. It is expected to replace RSA and Elliptic Curve Diffie-Hellman (ECDH) in many cases.
  • CRYSTALS-Dilithium (digital signatures)
    A lattice-based digital signature algorithm, Dilithium is NIST’s primary recommendation for replacing RSA and ECDSA for digital signing due to its balance of security and performance.
  • FALCON (digital signatures)
    Also lattice-based, FALCON offers smaller signatures and public keys than Dilithium but is more complex to implement securely. It is recommended for applications requiring compact key sizes.
  • SPHINCS+ (digital signatures)
    A stateless hash-based signature scheme, SPHINCS+ is included as a backup due to its conservative design, though it’s generally less efficient than the lattice-based alternatives.

NIST has already published draft standards for CRYSTALS-Kyber and CRYSTALS-Dilithium as part of FIPS 203 and FIPS 204, respectively. These algorithms are now being integrated by vendors into software libraries, protocols, and hardware, with hybrid schemes (e.g., ECC + Kyber) also in use to ease the transition during the migration period.

Additionally, NIST has published FIPS 205 as the finalised Stateless Hash-based Digital Signature Standard (SLH-DSA), based on SPHINCS+, which became effective on 13 August 2024. This standard specifies multiple parameter sets for internal use by U.S. Federal agencies, complementary to FIPS 204 and FIPS 186-5, for post-quantum signatures, and includes a NIST validation programme for conformance.

Architecturally, SLH-DSA uses hash-based techniques with FORS and XMSS organised in a hypertree, offering a conservative, stateless alternative to lattice-based approaches like CRYSTALS-Dilithium (ML-DSA). It provides authentication, integrity, and non-repudiation, and is positioned as a backup PQC signature mechanism. SLH-DSA is also being adopted into commercial software and hardware products.

Future rounds of the competition are ongoing to evaluate additional candidates, particularly for digital signatures and specialised or constrained environments.

Global regulatory and policy alignment

Governments and policy organisations across the globe are aligning with NIST’s approach, prioritising post-quantum algorithms over alternatives like Quantum Key Distribution (QKD). Several agencies have collectively endorsed a transition to algorithmic quantum resistance including:

They recognise it as the most scalable, auditable, and broadly applicable approach for securing data and digital identities in the post-quantum era.

National regulations and migration timelines

Several national regulators are preparing or have issued guidance on transitioning to PQC:

Most national approaches will follow multi-phase implementation plans, beginning with hybrid deployments and moving toward full PQC adoption once standards mature and tooling stabilises. Regulatory audits will increasingly expect organisations to document:

  • Which cryptographic systems are currently in use
  • Their risk exposure to quantum threats
  • Concrete steps and timelines for migrating to PQC

EU eIDAS 2.0 and the trust services landscape

The European Union’s revision of eIDAS, known as eIDAS 2.0, is expected to introduce requirements that reflect quantum threat realities, especially for Qualified Trust Service Providers (QTSPs). While not yet formalised in law, regulators have signalled that PQC or hybrid signature schemes will become mandatory for qualified electronic signatures (QES), seals, and timestamps.

Alongside this, organisations should expect:

  • Stricter audit and validation requirements for long-term digital signature retention and timestamp integrity
  • Periodic revalidation of archived documents using quantum-safe mechanisms, such as PAdES LTA with updated timestamps
  • PQC readiness to become a certification condition under the Trust Service Regulation (TSR) and related supervisory frameworks

This evolution will align EU trust infrastructure with emerging NIST and international cryptographic standards.

Guidance from industry and technical bodies

Industry groups and technical standards organisations are also responding with updates that promote interoperability, security, and compliance:

Data privacy and long-term confidentiality

Quantum’s impact also intersects with data protection and privacy laws. For example, under the General Data Protection Regulation (GDPR), organisations must ensure that sensitive personal data remains protected throughout its retention period. This has implications for:

  • Archived encrypted data that could be harvested now and decrypted later
  • Signed documents that may be forged or rendered unverifiable if legacy algorithms are broken

Supervisory authorities increasingly expect businesses to consider “harvest now, decrypt later” risks in their security and encryption strategies. Forward-looking compliance now means incorporating quantum-aware threat models into your privacy, data retention and document archival practices.

Become quantum-ready now: A step-by-step guide

Preparing for the post-quantum era is more than just understanding the risks. It’s about taking clear, strategic action.

While the timeline for large-scale quantum threats is still unfolding, the work to futureproof your cryptographic infrastructure must begin today.

The following roadmap outlines a practical, enterprise-level approach to quantum readiness. From auditing your current cryptographic assets to implementing pilot projects and engaging with vendors, these steps will help you build resilience, maintain compliance and protect digital trust:

  1. Audit your crypto landscape
    1. Identify every system using encryption or digital signatures: applications, TLS certificates, archives, identity systems, key vaults.
    2. Map out vendor dependencies: which rely on RSA/ECDSA or SHA-256, and which support PQC.
    3. Assess archives: contracts, legal records, and other archives that may need future timestamp refresh via PAdES LTA.
  2. Risk analysis and planning
    1. Use Mosca’s theorem: estimate the date until which encrypted data needs to stay secret, and how long quantum attacks remain plausible. This gives you a timeline for transition.
    2. Prioritise systems that carry long-term confidentiality or legal validity obligations.
    3. Treat high-trust use cases (such as PKI, e-signing, document archives) as top priorities.
  3. Engage vendors and roadmaps
    1. Query your vendors: do their product roadmaps include hybrid PQC+classical signing?
    2. Are they updating HSMs, code-signing tools, document platforms to support PQC?
    3. Ask for timelines, upgrade paths, and planning for FIPS 140-3 compliance with PQC.
  4. Begin implementation pilots
    1. Adopt PAdES LTA signing immediately for archives and high-importance documents.
    2. Pilot hybrid TLS or SSH where PQC support exists.
    3. Ensure your key vaults and HSMs are quantum-ready (supporting lattice-based primitives, QRNGs).
  5. Staff training and governance
    1. Update security policies to include quantum threat modelling and PQC timelines.
    2. Train stakeholders on migration impacts and compliance reporting (e.g. for GDPR, eIDAS 2.0).
    3. Update incident response plans for suspected archive compromise from quantum-later decryption.
  6. Monitor and iterate
    1. Keep abreast of updates from NIST, ENISA, vendor bulletins and evolving eIDAS 2.0 / ETSI PQ standards into 2026.
    2. Plan for continuous updates beyond deployment: as PQC matures, you may need to regularly re-sign or migrate keys.
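
Steps 1 and 2 of the roadmap combined, as an added example (not Ascertia's code): each audited system is classified by algorithm family and then scored with Mosca's inequality in its usual form, X + Y > Z. The inventory, the migration estimates, the `" + "` notation for hybrids and the choice to treat hybrid and PQC systems as needing no immediate action are assumptions; the 2035 threat year is the estimate given earlier in this guide.

```python
from dataclasses import dataclass

SHOR_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DH")  # broken by Shor's algorithm
PQC = ("KYBER", "ML-KEM", "DILITHIUM", "ML-DSA", "FALCON", "SPHINCS+", "SLH-DSA")

@dataclass
class Asset:
    name: str
    algorithm: str        # as recorded in the audit, e.g. "RSA-2048" or "ECDH + Kyber"
    protect_until: int    # year until which the data or signature must stay trustworthy
    migration_years: int  # assumed time needed to move this system to PQC

def classify(algorithm: str) -> str:
    """Return 'vulnerable', 'hybrid', 'pqc' or 'unknown' for an audited algorithm."""
    kinds = set()
    for part in algorithm.upper().split(" + "):  # " + " joins hybrid components
        if part.startswith(PQC):
            kinds.add("pqc")
        elif part.startswith(SHOR_VULNERABLE):
            kinds.add("vulnerable")
        else:
            kinds.add("unknown")
    if "unknown" in kinds:
        return "unknown"  # unrecognised component: send to manual review
    return "hybrid" if len(kinds) == 2 else kinds.pop()

def mosca_gap(asset: Asset, now: int, threat_year: int) -> int:
    """Mosca's inequality: exposed when X + Y > Z. Returns (X + Y) - Z in years."""
    x = max(asset.protect_until - now, 0)  # X: how long it must stay secure
    y = asset.migration_years              # Y: how long migration takes
    z = threat_year - now                  # Z: years until a quantum attack is feasible
    return x + y - z

def prioritise(assets, now=2025, threat_year=2035):
    """Return (name, status, gap) for assets needing action, largest gap first."""
    findings = []
    for a in assets:
        status = classify(a.algorithm)
        gap = mosca_gap(a, now, threat_year)
        if status == "unknown" or (status == "vulnerable" and gap > 0):
            findings.append((a.name, status, gap))
    return sorted(findings, key=lambda f: f[2], reverse=True)

# Constructed sample inventory: names, dates and migration estimates are assumptions.
INVENTORY = [
    Asset("contract-archive", "RSA-2048", 2045, 3),
    Asset("client-portal-tls", "ECDH + Kyber", 2030, 1),
    Asset("code-signing", "ECDSA-P256", 2028, 2),
    Asset("hr-records", "RSA-4096", 2034, 2),
    Asset("legacy-vpn", "vendor-proprietary", 2033, 4),
]
if __name__ == "__main__":
    for name, status, gap in prioritise(INVENTORY):
        print(f"{name:18} {status:11} exposure gap {gap:+d} years")
```

A positive gap is the number of years the asset would remain sensitive after a quantum attack becomes feasible; a negative gap, as for the code-signing entry, means migration finishes with time to spare.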

Why Ascertia is your partner in quantum-ready trust

Navigating the shift to quantum-safe cryptography demands trusted partners with proven solutions, deep expertise, and a clear commitment to evolving standards.

Ascertia is uniquely positioned to support organisations through every stage of the quantum-readiness journey, from initial planning to full implementation.

Continuous alignment with standards

Ascertia stays on the cutting edge of PQC developments, closely monitoring evolving standards and preparing our solutions for future integration. While full PQC support, such as creating PQC-compliant timestamps for PAdES LTA signatures or leveraging PQC-ready hardware, is not yet feasible due to ongoing standardisation, we are actively laying the groundwork.

Our SigningHub and ADSS Server are continually enhanced to support hybrid signature schemes, NIST-recommended lattice-based algorithms, and the potential for future integration with quantum-safe technologies as standards mature.

Expertise in high-trust environments

From governments to financial institutions, Ascertia delivers PKI and digital signing ecosystems already compliant with Common Criteria EAL4+, eIDAS Qualified Signature standards, and FIPS requirements, all evolving to support quantum-ready variants.

Flexible deployment and hybrid models

Our architecture supports on-premise, cloud-based, and hybrid deployments, enabling organisations to adopt quantum-safe cryptography with minimal disruption. You can deploy PQC components in a phased approach: pilot cloud services for high-volume signing while legacy systems are upgraded.

Comprehensive auditing and traceability

Ascertia’s SigningHub and ADSS Server solutions deliver robust auditability features essential for trust, compliance, and long-term validation. Both platforms provide detailed audit trails that capture who signed, when the action occurred, and confirmation the document has not been altered, all critical elements in ensuring regulatory compliance under frameworks such as eIDAS 2.0 and GDPR.

In SigningHub, each signature action is documented through a Workflow Evidence Report, which records vital metadata, including:

  • The identity of the signer
  • IP address
  • Signing method (server-based or remote)
  • Certificate Authority
  • Signature type (QES/AES)
  • Trust service provider

For ADSS Server, auditing similarly ensures transparency by recording user interactions with their signing credentials, such as when a signature is activated. Algorithm details are recorded at the point of certificate issuance, not during individual signing events.

Together, these auditing capabilities provide a tamper-evident log of signing activities, reinforcing non-repudiation and document integrity, which is particularly important for organisations preparing for future standards around quantum-aware archival and long-term signature validation, where traceability and evidential value will remain paramount even as cryptographic landscapes evolve.

Real-world use case: A hypothetical quantum readiness journey

Worldwide Bank, a global financial institution, stores encrypted client data and digitally signed contracts valid for 20 years. Recognising quantum risk, their digital trust team implements:

  • Auditing – They catalogue all cryptographic systems (TLS, code signing, document archives, smart contracts).
  • Risk modelling – Using Mosca’s theorem, they identify that contracts signed in 2025 must stay secure until 2045.
  • Piloting – They implement PAdES LTA for the digital contract archive. They test hybrid TLS using lattice-based PQC in new client portals.
  • Vendor engagement – Their certificate providers confirm PQC support in 2026; hardware vault providers confirm upcoming QRNG-capable HSMs.
  • Training and governance – Cyber policy is updated to include quantum risk; staff are trained on PQC timelines; compliance teams prepare for future audit demands.
  • Monitoring – They subscribe to NIST, ENISA, and CSC updates, and plan quarterly reviews through 2026.

By 2028, Worldwide Bank has migrated high-risk systems to PQC, maintained archive encryption with PAdES LTA, and documented a full compliance trail against emerging eIDAS 2.0-like mandates.

Securing digital trust in a post-quantum world with Ascertia

Quantum computing is an active, accelerating force that’s reshaping how digital trust must be secured. As its capabilities evolve, so too must the cryptographic foundations underpinning everything from identity verification and secure communication to long-term document validity and regulatory compliance.

The risks are real; systems built on RSA, ECDSA, and SHA-2 will eventually fall to quantum attacks. Data signed or encrypted today could be exposed or invalidated tomorrow. This reality demands proactive, strategic transformation, not just awareness.

At Ascertia, we are deeply invested in making that transformation achievable, secure, and standards-aligned. Our solutions are already trusted in the most demanding environments: government agencies, regulated financial institutions, and QTSPs across the globe. We’ve built quantum readiness directly into our roadmap, aligning with NIST PQC standards, supporting PAdES LTA for long-term validation, and enabling hybrid signing models that ensure continuity and interoperability.

We understand that no two organisations will take the same path to quantum resilience. That’s why we support flexible deployment models, phased transitions, and rich integration options across your PKI, identity, and signing infrastructure. From audit trails that meet the most stringent compliance requirements to cryptographic agility that adapts to tomorrow’s standards, we offer the tools and expertise to help you move forward with confidence.

The transition to a post-quantum world won’t happen overnight. But those who start preparing now, auditing their cryptographic landscape, engaging trusted vendors, and piloting hybrid or quantum-safe solutions, will be best positioned to preserve digital trust well into the future.

Ascertia is ready to help you lead that journey. For tailored advice and implementation guidance, contact our team of experts.