A new framework helps banks sort urgent post-quantum crypto work from the rest

Financial institutions now have a concrete method for deciding where post-quantum cryptography belongs on their security roadmaps. New research coordinated by Europol sets out a scoring framework that helps banks rank systems and business use cases based on quantum risk and the time required to migrate them. The goal is practical prioritization, and the paper is aimed at security teams that need to move from planning into execution.


The research responds to a growing operational problem. Public key cryptography underpins payments, authentication, websites, and backend systems across financial services. Quantum computing threatens many of the algorithms in use today. Large institutions cannot update every system at once, and leadership teams need a defensible way to decide what comes first. The paper proposes a structured approach that fits into existing risk management practices.

Building a quantum risk score

The framework starts with a Quantum Risk Score that captures how exposed a specific use case is to future quantum attacks. The authors define three inputs.

Shelf life measures how long protected data remains sensitive. Financial records, personal information, and authentication material often remain relevant for many years and receive higher scores. Exposure reflects how accessible the data or cryptographic material is, such as public internet access or physical availability of devices. Severity represents the business impact of a compromise, including disruption, fraud, or regulatory consequences.

Each factor receives a score from one to three. The average becomes the Quantum Risk Score. The intent is to give security teams a common language for discussing quantum exposure across different parts of the organization.

Estimating migration time and complexity

Risk alone does not determine priority in the model. The paper pairs quantum risk with a Migration Time Score that estimates how difficult it would be to make a use case quantum safe.

Migration time is based on three factors. Solution availability reflects the maturity and deployment status of post-quantum cryptographic options. Execution cost and time captures the effort required to implement those options in production systems. External dependencies measure reliance on vendors, standards bodies, regulators, and partners.

Each factor uses the same one-to-three scale. Higher scores indicate longer timelines and greater complexity. Averaging these inputs produces a single Migration Time Score.

From scores to action

The two scores are combined in a simple matrix that assigns use cases to high, medium, or low priority categories. High priority includes systems with elevated quantum risk that either have near-term migration paths or require early planning due to long dependency chains. Medium priority includes use cases that align with routine upgrade cycles or have moderate exposure. Low priority covers systems with limited risk and minimal urgency.
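The scoring procedure described above, worked through in code. This is an added example, not code from the Europol-coordinated paper: it keeps the paper's one-to-three factor scale and its two averaged scores, but the low/medium/high band thresholds, the cell assignments of the priority matrix, and the factor values chosen for the three use cases are my assumptions based on the article's description, not figures from the paper.

```python
from dataclasses import dataclass

# Added example, not code from the paper. Factor scores use the paper's
# one-to-three scale; the band thresholds and the priority matrix below are an
# assumed reading of the article's description, not the paper's own table.

SCALE = (1, 2, 3)


@dataclass(frozen=True)
class UseCase:
    name: str
    # Quantum Risk Score inputs
    shelf_life: int             # how long the protected data stays sensitive
    exposure: int               # how reachable the data or key material is
    severity: int               # business impact of a compromise
    # Migration Time Score inputs (higher = longer, harder migration)
    solution_availability: int  # maturity / deployment status of PQC options
    execution_cost: int         # effort to roll those options into production
    external_dependencies: int  # reliance on vendors, standards bodies, partners


def _average(values):
    """Validate the factors against the 1-3 scale and return their mean."""
    for v in values:
        if v not in SCALE:
            raise ValueError(f"factor scores must be 1, 2 or 3, got {v!r}")
    return round(sum(values) / len(values), 2)


def quantum_risk_score(uc):
    return _average((uc.shelf_life, uc.exposure, uc.severity))


def migration_time_score(uc):
    return _average((uc.solution_availability, uc.execution_cost,
                     uc.external_dependencies))


def band(score):
    """Map an averaged 1-3 score to low / medium / high (thresholds assumed)."""
    if score < 1.5:
        return "low"
    if score < 2.5:
        return "medium"
    return "high"


def priority(uc):
    """Combine the two bands into a priority plus the reason. Follows the
    article's description: elevated risk with a near-term path or a long
    dependency chain is high, elevated risk that fits routine upgrades is
    medium, limited risk is low. Exact cell assignments are assumptions."""
    risk = band(quantum_risk_score(uc))
    migration = band(migration_time_score(uc))
    if risk == "low":
        return "low", "limited risk, minimal urgency"
    if migration == "low":
        return "high", "near-term migration path: deploy via standard upgrades"
    if migration == "high":
        return "high", "long dependency chain: start planning now"
    return "medium", "fold into routine upgrade cycles"


def rank(use_cases):
    """Order use cases by priority, then by quantum risk, for roadmap discussion."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(use_cases,
                  key=lambda uc: (order[priority(uc)[0]], -quantum_risk_score(uc)))


# Constructed, illustrative factor values chosen to reproduce the article's two
# examples (medium risk for both; high migration time for terminals, low for
# websites) plus a low-risk internal system for contrast.
POINT_OF_SALE = UseCase("point-of-sale terminals", 2, 3, 2, 3, 3, 3)
PUBLIC_WEBSITE = UseCase("public website (TLS)", 2, 3, 1, 1, 1, 1)
INTERNAL_REPORTING = UseCase("internal batch reporting", 1, 1, 2, 2, 2, 1)
USE_CASES = [POINT_OF_SALE, PUBLIC_WEBSITE, INTERNAL_REPORTING]

if __name__ == "__main__":
    for uc in rank(USE_CASES):
        prio, why = priority(uc)
        print(f"{uc.name:26} QRS={quantum_risk_score(uc):.2f} "
              f"MTS={migration_time_score(uc):.2f} -> {prio}: {why}")
```

Run as a script, it lists the terminals first (high priority because of the long dependency chain), the website second (high priority because a near-term path exists), and the internal system last. The `priority` function returns the reason alongside the band, because the two "high" cases call for very different actions: one is a configuration change this quarter, the other is a multi-year planning item.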

The authors stress that the scoring exercise itself delivers value. Creating a complete inventory of cryptographic use cases forces organizations to document dependencies, data lifetimes, and upgrade constraints. This visibility supports informed planning even when precise timelines remain uncertain.

Point of sale systems show long-range challenges

One example in the paper analyzes point of sale systems used for card payments. These terminals rely on public key cryptography for offline transaction signing and handle sensitive payment data. The Quantum Risk Score lands in the middle range due to long-lived keys and broad physical exposure.

The Migration Time Score is high. Payment terminals follow multi-year hardware refresh cycles, and the ecosystem includes payment networks, card issuers, terminal vendors, and standards bodies. Post-quantum specifications for card payments remain in development. The framework places point of sale systems in a category that calls for early inclusion in long-term roadmaps, with planning aligned to hardware lifecycles and vendor timelines.

Public websites emerge as early candidates

A second example focuses on public-facing websites. These systems depend on TLS for authentication and confidentiality and often transmit customer credentials and financial data. The Quantum Risk Score is medium due to long data retention periods and exposure over public networks.

Migration time for websites scores low. Hybrid post-quantum TLS key agreement mechanisms already appear in major browsers, operating systems, and content delivery networks. The paper identifies public websites as a practical starting point for deploying post-quantum protections through standard software upgrades and configuration changes.

Cleaning up cryptographic antipatterns

The research also highlights cryptographic antipatterns that increase long-term risk and complicate future migrations. Examples include manual certificate management, hard-coded credentials, inconsistent TLS configurations, and outdated protocol support.

The authors recommend identifying and remediating these practices early as part of quantum readiness work. Addressing antipatterns improves governance, reduces operational risk, and supports cryptographic agility. The paper presents these steps as actions that strengthen security posture while easing future transitions.
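Finding the antipatterns listed above in an existing estate is the kind of inventory work the section recommends. The following is an added example, not code from the paper or from any Europol tooling: it audits a constructed inventory of nginx-style TLS configuration snippets and flags outdated protocol versions, manual certificate renewal, credential literals in configuration, and deviation from an assumed organisational TLS baseline. The inventory records, the `ssl_protocols` parsing, the baseline set and the secret-matching pattern are all assumptions made for the example.

```python
import re

# Added example, not from the paper. Constructed inventory: one record per
# service, with a renewal method and an nginx-style configuration excerpt.
INVENTORY = [
    {"service": "www", "cert_renewal": "acme",
     "config": "ssl_protocols TLSv1.2 TLSv1.3;\n"},
    {"service": "api", "cert_renewal": "manual",
     "config": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
               "db_password = \"hunter2\"\n"},
    {"service": "partner-gw", "cert_renewal": "manual",
     "config": "ssl_protocols TLSv1.2;\n"
               "api_key = \"${VAULT:partner/api_key}\"\n"},
]

# Assumed organisational baseline: every public endpoint should offer exactly
# these versions. Anything else counts as an inconsistent configuration.
BASELINE = frozenset({"TLSv1.2", "TLSv1.3"})
OUTDATED = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"})

# Crude literal-credential matcher (assumption, not a full secret scanner).
SECRET_RE = re.compile(
    r"(?i)(password|passwd|secret|api_key|token)\s*[=:]\s*[\"']([^\"']+)[\"']")


def enabled_protocols(config):
    """Parse the protocol list from an nginx-style `ssl_protocols ...;` line."""
    m = re.search(r"ssl_protocols\s+([^;]+);", config)
    return set(m.group(1).split()) if m else set()


def find_antipatterns(record):
    """Return the antipatterns visible in a single inventory record."""
    findings = []
    if enabled_protocols(record["config"]) & OUTDATED:
        findings.append("outdated protocol support")
    if record["cert_renewal"] == "manual":
        findings.append("manual certificate management")
    for m in SECRET_RE.finditer(record["config"]):
        # A reference into a secret store is the desired pattern, not a finding.
        if not m.group(2).startswith("${"):
            findings.append(f"hard-coded credential ({m.group(1).lower()})")
    return findings


def audit(inventory):
    """Audit the whole inventory; adds fleet-level consistency findings."""
    report = {r["service"]: find_antipatterns(r) for r in inventory}
    for r in inventory:
        if enabled_protocols(r["config"]) != BASELINE:
            report[r["service"]].append("inconsistent TLS configuration")
    return report


if __name__ == "__main__":
    for service, findings in audit(INVENTORY).items():
        print(f"{service:12} {', '.join(findings) or 'clean'}")
```

The output groups the findings per service, which is what a remediation backlog needs; a clean service such as `www` reports nothing. Fixing the flagged items (automating renewal, moving the literal password into the secret store, dropping TLS 1.0/1.1, aligning every endpoint on the baseline) is exactly the agility work that makes a later swap to post-quantum TLS a configuration change rather than a project.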
