The 2026 Global Study on Postquantum and Cryptographic Security Trends

The purpose of this research is to provide important information about trends in post quantum, cryptographic security, PKIs and HSMs. Ponemon Institute surveyed 4,149 IT and IT security practitioners who are familiar with the use of these technologies in their organizations.

The countries in this research are the United States (552 respondents), United Kingdom/Ireland (573 respondents), Canada (396 respondents), DACH (553 respondents), Indonesia (369 respondents) and Singapore (482 respondents).

The post quantum threat is coming quickly, but will organizations be prepared? Quantum computing is a rapidly emerging technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers. The quantum threat, sometimes referred to as “post quantum”, is the inevitability that within the decade it will be capable of breaking traditional public cryptography such as RSA and ECC.

Only 38 percent of respondents say their organizations are preparing for the post-quantum threat, a slight decrease from 41 percent in last year’s report. Of these respondents, 44 percent from 2024 and 2025 are building a post-quantum cryptography strategy.

Thirty-two percent of respondents say their organizations are taking an inventory of their cryptographic assets and/or ensuring they are crypto agile. This is a decline from 38 percent of respondents in last year’s report. Testing within organizations’ systems and applications increased significantly from 10 percent of respondents to 21 percent.

The following summarizes the most significant research trends in postquantum and cryptographic trends

Organizations believe the PQ threat is imminent. Seventy-five percent of respondents agree and say a quantum computer will be capable of breaking traditional public key cryptography within 5 years (51 percent) or in 5 to 10 years (24 percent). Only 12 percent say it will never happen.

 The biggest challenge to reducing the quantum-threat and migration to post quantum cryptography (PQC) continues to be the inability to improve the discovery/inventory of their organizations’ cryptographic assets. Forty-one percent of respondents in this year’s study vs. 43 percent of respondents in last year’s study say the inability to improve visibility into their cryptographic assets is the greatest concern. Two concerns that have increased significantly are the lack of an adequate budget (39 percent in this year’s study vs. only 31 percent in last year’s study) and lack of in-house expertise (38 percent in this year’s study vs. only 28 percent in last year’s study).

Fifty percent of respondents say a successful quantum attack would have a serious impact on their organizations and industries. Fifty percent rate the potential impact as serious, but only 36 percent of respondents rate the adequacy of government policy and public-private coordination on quantum readiness as more than adequate. A successful quantum attack against organizations and industries could result in the loss of access to encrypted critical infrastructure (58 percent of respondents) and exposure of long-term sensitive data such as health records and trade secrets (59 percent of respondents).

The lack of visibility into the cryptographic estate, certificates and keys and secrets puts organizations’ cryptographic security at risk.  Only 43 percent of respondents say their organizations have full or complete visibility into their organizations’ cryptographic estate and only 43 percent of respondents say they have full or complete visibility into certificates across the organization and only 40 percent say they have full or complete visibility into keys and secrets across the organization.

Private cloud-based applications and mobile device authentication applications that use PKI credentials declined significantly from 2024. Private cloud-based applications using PKI declined the most (56 percent of respondents in 2024 vs. 32 percent of respondents this year). Mobile device authentication decreased from 60 percent of respondents to 41 percent of respondents). The top applications using PKI credentials are private networks (52 percent of respondents), SSL certificates for public facing websites and services (50 percent of respondents) and document/message signing (45 percent of respondents).

Internal corporate certificate authorities (CAs) are most often used to deploy PKIs but have declined since last year. Forty-six percent of respondents in this year’s report use CAs to deploy PKI and 60 percent of respondents in last year’s study. Business partner provided service increased the most from 18 percent of respondents in last year’s report to 40 percent of respondents in this year’s study. Private CAs running within a public cloud increased from 21 percent of respondents last year to 37 percent of respondents this year.

The most important security certification when deploying PKI infrastructure is Common Criteria EAL Level 4+ (54 percent in this year’s study vs. 57 percent of respondents in last year’s study). The second most important certification is FIPS 140-2 Level 3. However, its importance has declined significantly from 55 percent of respondents to 32 percent of respondents.

The biggest uncertainty and concern about the evolution of PKI are PKI technologies and external mandates and standards. When asked what the greatest areas of change and uncertainty to PKI will be, 49 percent of respondents say it is PKI technologies, an increase from 43 percent in 2024 and external mandates and standards, an increase from 37 percent of respondents in 2024. Budget and resources, increased significantly to 43 percent of respondents vs. 30 percent of respondents.

More organizations use HSMs and use HSMs to secure PKI. Sixty-six percent of respondents in this year’s research vs. 55 percent of respondents in last year’s research say their organizations use HSMs. Sixty-three percent of respondents in this year’s research vs. 51 percent of respondents in last year’s research say their organizations use HSMs to secure PKI.

The top areas of deployment to secure PKI are online roots and offline roots. According to last year’s research, 47 percent said they are deployed to secure PKI in online roots and 42 percent said they are deployed to secure PKI in offline roots.  

Part 2. Key findings

 In this section we present the research results in detail. The compete audited findings are shown in the Appendix. The report is organized according to the following topics. Whenever possible, trends in research findings from last year’s Entrust study are included. 

  • Postquantum: The Threat and the Readiness Journey
  • Cryptographic Security and Management
  • Trends in PKI Security and HSMs

To read key findings and the rest of this report, visit Entrust’s website here. 

Leave a Reply

Your email address will not be published. Required fields are marked *