PQC is not a distant threat. Organizations must start now
In October 2025, the National Cybersecurity Competence Center launched a survey on Post-Quantum Cryptography (PQC) readiness. The aim was to assess the awareness of the Luxembourg business ecosystem on quantum computing and quantum-safe security solutions. Anitha Arulrajakumar, Information Security Analyst at the Luxembourg House of Cybersecurity, talks about the main outcomes of the study.
Anitha Arulrajakumar, what is the main aim of this survey?
The questionnaire was intended for all businesses. The objective was to evaluate the overall ecosystem’s readiness and awareness regarding the importance of initiating early considerations for Post-Quantum Cryptography (PQC) and quantum-safe security solutions.
More particularly, we wanted to understand the current state and the needs of the market, and to provide guidance and connect cybersecurity providers and businesses to cybersecurity solutions.
What is Post-Quantum Cryptography (PQC)? And why is PQC readiness so important?
Post-Quantum Cryptography refers to the practice of preparing computer systems, networks, and sensitive information for protection against future threats posed by quantum computing.
Advances in quantum technologies are expected to break widely used cryptographic algorithms such as RSA and ECC (Elliptic Curve Cryptography), creating potential vulnerabilities across digital infrastructures.
This makes PQC readiness essential for businesses of all sizes, since even small organizations could face risks with serious financial, reputational, and regulatory consequences.
By proactively planning the transition to quantum-safe cryptographic solutions, SMEs can safeguard their digital assets, ensure long-term resilience, and maintain the trust of their customers and partners.
What are the main trends that emerged from the survey?
25 businesses and organizations responded to the survey. The majority was highly aware of post-quantum cryptography (PQC). Interestingly, lack of awareness is no longer the primary issue: most leaders understand the basics of PQC.
But this awareness does not translate into action. Indeed, many consider PQC migration a distant issue and not an immediate threat. In other words, they often overlook the “harvest now, decrypt later” risk—collecting data now for future decryption—delaying migration by 5 to 10 years.
What are the main reasons for this perception?
The main barriers to PQC adoption are legacy systems, technical complexity, cost and a pervasive lack of urgency. Many organizations still rely on outdated IT infrastructure that is difficult and costly to upgrade.
The technical complexity of transitioning to PQC—such as testing new algorithms, ensuring compatibility with existing systems, and managing hybrid encryption environments—is often seen as overwhelming, especially for smaller companies with limited IT resources.
Lack of ownership is another critical issue: 40% of respondents reported having no designated PQC leader within their organization. Without clear responsibility, PQC is rarely included in risk management, daily operations, strategic planning, or cyber resilience programs.
This absence of ownership means the topic is deprioritized in favor of more immediate concerns. Skills shortages and budget constraints further exacerbate the problem. Only 24% of organizations have in-house PQC experts, and most do not plan to invest in training or hiring within the next year. Leadership is aware of the challenge, but without dedicated staff or financial resources, progress stalls.
This is surprising, as most respondents were CISOs, CEOs or IT directors. The paradox is clear: leaders recognize the challenge but lack the resources to address it.
Budget constraints make it difficult to allocate funds for migration, especially when PQC is perceived as a long-term rather than an immediate risk.
What did respondents say about strategy?
Nearly half (48%) lack a PQC transition roadmap. This aligns with the absence of ownership and urgency. Only 32% have identified critical assets or prepared an inventory, despite regulatory timelines (e.g., EU’s 2026 deadline). Only 16% have initiated pilots or Proofs of Concept (PoC), indicating that executive awareness has not yet translated into governance structures, budgeting, or execution plans. Most organizations remain at an early stage of PQC maturity.
The situation is similar regarding regulations and compliance issues. While DORA, NIST and the EU Commission emphasize strong security obligations, including encryption requirements, most organizations lag behind. Awareness campaigns and collaborative workshops could help bridge this gap.
Do companies plan to engage with vendors or supply chains on PQC?
No, as most are passive, waiting for vendors to initiate action. Proactive engagement—especially collective pressure from sectors like finance or health—could accelerate vendor compliance.
Which sectors responded to the survey?
Information and communication (24%), agriculture/forestry/fishing (20%), manufacturing (16%), and public administration/defense (12%) were the most represented. Finance (8%), education, construction, and water supply also participated.
The high response from non-tech sectors (e.g., agriculture) suggests leadership awareness across industries, though action remains limited.
What are the recommendations from the Luxembourg House of Cybersecurity (LHC)?
Our key recommendations will include:
- Raising awareness about “harvest now, decrypt later” risks
- Assigning clear PQC ownership
- Developing a transition roadmap
- Starting with asset inventories
- Encouraging collective action on vendor engagement
The LHC and ecosystem members can provide expertise and support, especially for legacy system testing and hybrid algorithm implementation.
The Quantum Lab is intended to support understanding and mitigation of the implications of the Post-Quantum transition. Therefore, the Cybersecurity Flagship – the Luxembourg Cybersecurity Factory – introduces a step-wise approach starting with assessment of needs and quantum attack surface, together with providing the necessary training and sandbox testing environment for PQC readiness preparation.
What main messages do you wish to address to companies?
PQC is not a distant threat. Organizations must start now: assign ownership, plan transitions, and engage teams. Delaying the migration to PQC by 5 to 10 years might create a dangerous gap between knowledge and action, leaving organizations vulnerable despite their awareness.
The ecosystem — including LHC, the university, and experts—is ready to support this critical shift.
Plenty of events are being organised to provide platforms of exchange and expertise sharing in Luxembourg, such as:
- Quantum Breakfast Series by the University of Luxembourg
- Information Security Education Day by the University of Luxembourg
All of them are to be found on cybersecurity.lu/events
About the survey
The study was conducted by the Data For Research, Innovation, and Governance (D4RIG) team of the National Cybersecurity Competence Center (NC3).
NC3 is hosted by the Luxembourg House of Cybersecurity (LHC). It aims to strengthen the cyber protection of the country's companies, institutions and other stakeholders.
The full report with results of the survey and recommendations on further action is now available here.
