G7 Mandates Quantum-Safe Finance by 2034

The global financial sector faces a critical deadline to secure its digital infrastructure against a future threat. The G7 has issued a recommendation that financial institutions and public entities must complete a full transition to post-quantum cryptography (PQC) by the year 2034. This directive comes from the G7 Cyber Expert Group (CEG), a body of specialists advising finance ministers and central bank governors on cybersecurity. Their newly published roadmap outlines a strategic approach for the financial industry to test, migrate, and fully adopt quantum-resistant cryptographic systems. The goal is to proactively address the risk that future quantum computers could break the encryption protecting today’s most sensitive financial data.

This roadmap, developed by a dedicated task force with experts from financial authorities and industry across G7 nations, is designed to inform senior leadership about the necessary steps for this complex transition. It is important to note that the document offers recommendations rather than prescriptive regulations or official guidance. It establishes six recommended phases with associated timelines to help organizations navigate the journey.

The initial phase, focusing on awareness and preparation, is suggested for 2025 through 2027. During this time, organizations should educate stakeholders about quantum threats and begin mapping their critical systems and sensitive data. Running in parallel, a discovery and inventory phase from 2025 to 2028 involves creating a comprehensive catalog of all internal systems and third-party dependencies to identify potential security gaps.

Following this, a risk assessment and planning period from 2026 to 2029 should see organizations start formal migration planning for all systems, including those deemed less critical. The core migration execution phase spans from 2027 to 2034, where entities progressively upgrade their cryptographic systems to quantum-resistant solutions, prioritizing the most vital functions first.

As the transition nears completion, a dedicated migration testing window from 2032 to 2035 is advised to ensure migrated systems function correctly and to conduct broader ecosystem resilience exercises. Finally, a validation and monitoring phase from 2033 to 2035 recommends ongoing system validation and improvement, including the incorporation of new cryptographic standards as they emerge.

Beyond the phased timeline, the G7 emphasizes that transition plans should be built on a risk-based approach aligned with evolving standards. Ideally, this effort should be integrated into existing governance, risk management, and technology strategies. The experts also stress the importance of maintaining flexibility, allowing plans to be recalibrated as needed over the coming decade.

A key concept highlighted in the document is cryptographic agility. The G7 advises that organizations build this capability into their transition plans to adapt swiftly to new threats. Cryptographic agility refers to the ability to quickly swap out cryptographic algorithms without major system disruption. This is often achieved by creating an abstract layer between applications and cryptography libraries, which isolates security functions from the main codebase. With this architecture in place, an organization can update its encryption, for instance, switching from an RSA algorithm to a post-quantum alternative, with minimal downtime, simply by modifying the underlying library rather than rewriting entire software applications.

The G7 further encourages widespread collaboration across jurisdictions and among financial entities of all sizes and types, including with third-party vendors and partners. Such cooperation is seen as vital for sharing knowledge, avoiding fragmented approaches, and ultimately enhancing the interoperability of the global financial system as it braces for the quantum era.

(Source: InfoSecurity Magazine)