Quantum & Post-Quantum Cryptography 2026
- Brian Couzens
- 7 hours ago
- 10 min read

The Mid-Year Global Intelligence Review
Special Edition | January – June 2026
About this Special Edition
This special edition departs from the normal weekly format.
Rather than examining a single seven-day reporting window, it assesses the cumulative developments that shaped the first half of 2026 across quantum computing, post-quantum cryptography (PQC), standards, regulation, government policy, commercial adoption, and enterprise readiness.
The objective is not to report every announcement made between January and June. It is to identify the strategic signals that materially altered the industry’s direction and assess their implications for governments, regulators, boards, technology leaders, and risk functions.
Every assessment is grounded in primary-source evidence and independent analysis. As with every edition of Quantum Weekly, developments are evaluated not simply for their technical significance, but for what they mean operationally, commercially, and strategically.
1. Executive Assessment: The State of Quantum at Mid-Year
The first half of 2026 marked the formal transition of quantum vulnerability from an abstract future concern into a binding operational and regulatory issue.
The historical assumption that organizations had until the mid-2030s to address public-key cryptography risk no longer holds. H1 2026 compressed the timeline through a combination of hardware progress, policy escalation, hyperscaler deployment, and enterprise audit pressure. The result is no longer theoretical uncertainty — it is a governance, architecture, and capital allocation problem.
Three macro shifts defined the period.
First, post-quantum cryptography moved from advisory language into enforceable procurement and compliance expectations.Second, the hardware conversation shifted away from raw qubit counts and toward high-fidelity error correction and logical qubit viability.Third, transport-layer PQC scaled faster than enterprise internal systems, creating a dangerous illusion of readiness in which the perimeter looks secure while internal identity, signing, and data layers remain exposed.
The most important unresolved question is no longer whether PQC matters. It is whether organizations can inventory cryptographic dependencies, validate implementations, and migrate at application depth fast enough to avoid a widening resilience gap.
The strategic conclusion is simple: quantum risk is now a business continuity issue, not a technology watch item.
2. The Strategic Signals That Mattered
H1 2026 did not produce one single event that changed everything. It produced a cluster of signals that, taken together, redefined the landscape.
Signal 1: Federal PQC moved into enforcement
The June 2026 White House executive order accelerated the federal post-quantum transition and signaled that migration is no longer a voluntary planning exercise for agencies and contractors. The policy effect is broader than the US government itself because federal procurement rules tend to cascade into vendor expectations and downstream supply chains.
This matters because compliance no longer means “we have a plan.” It increasingly means “we can prove inventory, prioritization, and execution.” For contractors, SaaS vendors, defense suppliers, and critical infrastructure providers, that changes the board-level risk conversation immediately.
Signal 2: Standards are now implementation reality
The standards question is largely settled. NIST’s PQC standards already provide the engineering baseline, which means the industry is no longer waiting for algorithm selection. The issue now is how to deploy the standards safely, at scale, and without creating new operational fragility.
That shift matters because many organizations still behave as though PQC is a future problem. In reality, the standards are available, the migration challenge is here, and the remaining risk is execution quality.
Signal 3: Hyperscalers proved PQC can scale
The edge and transport layer have become the fastest-moving part of the migration story. Hyperscalers and internet infrastructure providers have demonstrated that hybrid post-quantum key exchange can be deployed broadly at scale.
That is a major milestone, but it is also easy to misread. A secure transport layer does not mean the rest of the enterprise has migrated. Internal applications, database encryption, identity systems, code signing, and certificate chains are often much harder to change than the public web perimeter.
Signal 4: Hardware progress changed the risk horizon
The most important hardware signal is not simply that quantum research advanced. It is that error-correction efficiency improved enough to challenge old assumptions about the physical resource requirements for a cryptographically relevant machine.
That matters because the quantum threat horizon is determined not only by qubit counts, but by architecture, error rates, and engineering efficiency. Boards and risk leaders should stop asking only “How many qubits?” and start asking “What is the logical qubit pathway, and how quickly can it scale?”
Signal 5: CBOM emerged as a governance control
Cryptographic Bills of Materials are becoming one of the most important control mechanisms in PQC migration. They create machine-readable visibility into what cryptographic assets exist, where they are used, and which dependencies need to be remediated.
This is significant because organizations cannot govern what they cannot inventory. CBOM is what turns cryptographic risk from a vague technical issue into a controllable enterprise process.
Signal 6: Enterprise readiness remains uneven
The gap between hyperscalers and the average enterprise widened further in H1 2026. Large cloud and platform providers moved first, while many organizations remained stuck at the perimeter, still focused on discovery rather than remediation.
This is where most of the real risk sits. The perimeter is easier to modernize than the internal architecture. Identity providers, signing infrastructure, legacy ERP systems, mainframes, and long-lived archives are where migration becomes expensive, slow, and politically difficult.
3. Government and Regulation
Policy became the most visible accelerator in H1 2026.
In the United States, the June executive order created a formal timetable for federal migration and reinforced the expectation that agencies and contractors must move from planning to execution. That is important not just as a national policy matter, but because it establishes a template for procurement, supplier diligence, and compliance expectations across the broader market.
In Europe, the most important trend is not a single dramatic announcement but the enforcement posture around operational resilience. Financial regulators are increasingly looking beyond breach response and toward demonstrable dependency mapping, crypto-agility, and third-party risk control. That means cryptography is now part of resilience regulation, not just security engineering.
In Asia-Pacific, the picture is more fragmented but no less important. Some jurisdictions are moving quickly through procurement guidance, critical infrastructure planning, and financial-sector readiness work. Others remain in early-stage awareness mode. That unevenness matters because it creates regional differences in vendor expectations, compliance schedules, and enterprise maturity.
The broader global pattern is clear: PQC is becoming a regulatory and procurement issue before it becomes a universal technical reality.
4. Hardware and Research
The quantum hardware narrative in H1 2026 should be interpreted carefully.
The industry has spent years using raw physical qubit counts as the headline metric. That metric is no longer sufficient. What matters more is error correction, logical qubit stability, and the ability to build systems that can perform meaningful computation with practical fidelity.
Neutral-atom architectures, photonics integration, and error-correction advances deserve attention because they suggest new scaling paths. But the right analytical posture is discipline, not hype. Not every breakthrough changes the timeline. Some change only the headline.
For executives, the real takeaway is that the hardware conversation is no longer about distant science fiction. It is about which engineering path is most likely to reduce the time required to reach operationally relevant quantum capability.
That has direct implications for cryptographic planning, long-life data protection, and strategic threat modeling.
5. Post-Quantum Cryptography
PQC is now moving from concept to implementation.
The most important lesson of H1 2026 is that transport-layer migration is only the beginning. Organizations that can support hybrid key exchange at the edge may still be badly exposed internally if identity, signing, and archived data remain classical.
This matters because the hardest part of PQC is not always encryption. It is trust infrastructure. That includes:
Digital signatures.
Certificate chains.
Code signing.
Root-of-trust systems.
Device identity.
Long-term authentication records.
That is why boards should resist the temptation to treat a successful hybrid TLS deployment as evidence of full migration. It is a milestone, not a finish line.
CBOM is emerging as the operational bridge between discovery and action. Without machine-readable cryptographic inventories, enterprises will struggle to prioritize what must be remediated first, what can be wrapped temporarily, and what should be rebuilt entirely.
The enterprise lesson is blunt: PQC migration is a dependency problem, not just a protocol problem.
6. Enterprise Readiness
H1 2026 exposed a widening readiness gap across sectors.
Hyperscalers, cloud providers, and some financial institutions are making meaningful progress, especially where they can apply changes centrally. Most other organizations are still early in the journey, often stuck in discovery, spreadsheet tracking, or pilot mode.
The typical failure pattern looks like this:
Discovery is treated as the endpoint.
Transport is modernized first.
Identity is deferred.
Legacy systems are left untouched.
Board reporting implies progress that does not yet exist.
This creates a dangerous false sense of security.
The real readiness test is whether an organization can answer four questions:
What cryptography do we use?
Where is it embedded?
Which business services depend on it?
What is the migration plan by dependency, not by technology silo?
If the organization cannot answer those questions with confidence, it is not ready.
7. Sector Analysis
Financial services
Financial services are under the strongest near-term pressure because of regulation, cross-border dependencies, and long-lived systems. Banks, insurers, payment providers, and market infrastructure operators cannot afford to treat PQC as an abstract future issue.
The main challenge is not awareness. It is complexity. Legacy payment rails, SWIFT integrations, third-party dependencies, and internal authentication systems create a migration problem that is both technical and governance-heavy.
Government and defense
Government and defense organizations face the most direct policy pressure and the highest consequences for delay. The combination of national security requirements, classified systems, and procurement obligations makes this sector a leading indicator for the rest of the market.
The challenge is not only migration. It is assurance. Agencies and contractors need provable inventory, validated implementation, and auditable remediation pathways.
Cloud and infrastructure
Cloud and infrastructure providers are the current pace-setters. They can modernize transport layers and ship new defaults faster than most enterprises can update internal systems.
That gives them a powerful strategic position, but it also places a burden on their customers. The more the cloud abstracts cryptographic migration, the easier it becomes for enterprises to assume they are done when they are not.
Telecom
Telecom operators face a distinct challenge: protocol size, latency, compatibility, and device lifecycle. In many cases, PQC is not just a software change; it is an infrastructure and device-management problem.
This sector is likely to move in hybrid mode for longer than others because the cost of breaking service is simply too high.
Healthcare
Healthcare remains one of the least prepared sectors despite holding some of the most sensitive long-tail data. Medical records, research data, insurance systems, and device ecosystems create a large attack surface and a long migration tail.
The issue here is not a lack of importance. It is a lack of inventory, governance maturity, and budgetary urgency.
Digital assets and Web3
Digital assets remain structurally exposed because public-key dependence is embedded deeply in wallet design, transaction validation, and network trust. This makes the sector highly sensitive to any credible advance in quantum resource efficiency.
The strategic implication is that blockchain ecosystems must begin thinking about migration architecture now, not after a crisis.
8. The Blind Spots Most People Miss
The biggest mistake in the market is equating edge encryption with enterprise resilience.
That creates the API wrapper illusion: a company can wrap external traffic in a quantum-safe layer, report progress to leadership, and still leave internal identity, data, and signing infrastructure fully exposed.
The second blind spot is the lack of dependency context. Discovery tools often generate large inventories of legacy keys, but those inventories are only useful if they are mapped to business services, suppliers, and continuity risks.
The third blind spot is implementation assurance. Many enterprises will be tempted to adopt vendor claims before they have independent validation. That is dangerous, especially in a domain where subtle implementation flaws can create classical attack paths even when the algorithm itself is sound.
The final blind spot is organizational. PQC is often handled by security teams, but the real impact spans procurement, legal, risk, architecture, infrastructure, and executive governance. If the migration is owned by one function alone, it will fail.
9. Mid-Year Scorecard
Category | H1 2026 Status | Strategic Trajectory | Operational Meaning |
Government action | Accelerating | Policy moved into enforcement | Compliance is now tied to procurement and contract access |
Standards | Strong | Algorithm selection is largely settled | Implementation, validation, and deployment are the issue |
PQC adoption | Early to moderate | Hyperscalers lead; most enterprises lag | Transport is ahead of identity and data migration |
Hardware progress | Significant | Error correction and architecture matter more than qubit counts | Risk horizon may be compressing |
Enterprise readiness | Uneven | Discovery is rising, remediation is slower | Inventory without prioritization is insufficient |
Crypto agility | Underdeveloped | Hardcoded assumptions still dominate | Architecture redesign is required |
Board readiness | Improving | Awareness is up, capital allocation remains reactive | Governance must catch up with technical reality |
10. Second-Half Outlook
The second half of 2026 is likely to be shaped by four core developments.
First, federal and regulatory deadlines will force more organizations to disclose migration ownership and dependency mapping.Second, implementation flaws and side-channel risks in early PQC deployments will become more visible.Third, hyperscalers will continue to push defaults, making transport-layer quantum safety feel normal while deeper enterprise systems lag.Fourth, the market for automated remediation, CBOM tooling, and crypto-agility platforms will expand rapidly.
The critical question is not whether quantum risk matters. It is whether organizations can move from awareness to proof.
Final Verdict
The first half of 2026 permanently changed the operating model for quantum and post-quantum cryptography.
The industry can no longer treat quantum risk as a distant scientific milestone or a narrow research topic. It is now an active governance, procurement, and resilience issue with global implications. Standards are established, policy pressure is rising, hardware progress is accelerating, and enterprise readiness remains uneven.
The winners in this transition will be the organizations that understand one simple truth: PQC migration is not a software patch. It is an enterprise transformation program.
Those that build machine-readable inventories, validate their implementations, map dependencies to business risk, and allocate executive ownership now will be positioned to absorb the transition. Those that rely on perimeter wrappers, informal tracking, or delayed planning will inherit technical debt that compounds into strategic exposure.
SITG-Consulting Strategy | Intelligence | Technology | Governance
Products & Services
• Quantum Risk Strategy • Post-Quantum Cryptography (PQC) Readiness • Cryptographic Bill of Materials (CBOM) • Cryptographic Discovery & Inventory • Cryptographic Governance & Transformation • Independent Validation & Assurance • Executive & Board Advisory • Security Architecture & Risk Reviews • AI Governance & Assurance • Research, Intelligence & Publications
Copyright © 2026 SITG-Consulting
This publication may be copied, quoted, shared and redistributed, in whole or in part, provided that full attribution is given to SITG-Consulting and the original author, Brian Couzens, and the content is not modified in a manner that misrepresents its meaning or context. Commercial reproduction, resale, or incorporation into proprietary works without prior written permission is prohibited