G7 Central Banks Publish First Quantum Technologies Report for the Financial Sector

May 11, 2026 – The G7 central banks’ Quantum Technologies Working Group (QTWG) published its first report, “Preparing for Quantum Technologies: Key Considerations for Financial Sector Participants,” marking the first public deliverable from a working group established in 2025 to analyze the economic, financial, and institutional implications of quantum technologies.

The report was published by the Banque de France, which co-chairs the QTWG alongside the Bank of Canada. The working group also includes the Deutsche Bundesbank, the Bank of England, the Banca d’Italia, the Bank of Japan, the Federal Reserve Board, and the European Central Bank.

The bottom line: this is the most comprehensive institutional treatment of quantum risk and opportunity for finance to date, and its significance lies less in any single finding than in the fact that all eight G7 central banks have now collectively acknowledged the quantum threat to the financial system, endorsed the urgency of post-quantum cryptographic migration, and begun mapping the broader implications of quantum technologies for financial markets, payments, and central banking operations.

The QTWG report follows the G7 Cyber Expert Group’s PQC migration roadmap published in January 2026, but serves a different purpose. Where the CEG roadmap focused specifically on coordinating the transition to post-quantum cryptography across the financial sector (with a 2030–2035 migration window), the QTWG report takes a wider lens, examining not just cryptographic security but also quantum computing applications in finance, quantum sensing implications, and the system-level dependencies that quantum adoption could introduce.

The report is explicitly non-prescriptive. It does not set regulatory expectations or recommend specific courses of action. Instead, it provides what the working group calls a “shared analytical framework” for understanding quantum-related risks, opportunities, and trade-offs. Banque de France Deputy Governor Agnès Bénassy-Quéré framed the effort as part of central banks’ mandate to anticipate transformations affecting the financial system.

The Security Assessment: Measured but Unambiguous

The report’s treatment of quantum security threats occupies the first of its two major sections and covers ground that will be familiar to readers who have followed the G7 CEG roadmap or the broader PQC standardization discussion. But the framing carries weight precisely because it comes from the central banking community rather than cybersecurity specialists alone.

On the CRQC timeline, the report states that expert assessments suggest “a non-negligible probability that a cryptographically relevant quantum computer could emerge over the coming decade.” No specific year is offered, and the document explicitly avoids speculative timeline assertions. It acknowledges “substantial uncertainty regarding scientific progress, engineering constraints, scalability challenges and potential advances in quantum algorithm design and optimisation,” while noting that these risks “are no longer purely theoretical, particularly when considering the combined effects of hardware progress and algorithmic improvements.”

The Harvest Now, Decrypt Later (HNDL) threat is given prominent treatment. The report observes that financial data often must remain confidential for decades, creating exposure to scenarios in which encrypted data intercepted today is decrypted once quantum capabilities mature. This temporal dimension, the report argues, means that the threat is already active regardless of when a CRQC actually arrives.

On PQC migration, the report echoes the CEG roadmap’s core message: this is “not a simple substitution exercise.” The transition requires inventorying cryptographic dependencies, testing compatibility with existing systems, and coordinating updates with external counterparties and service providers. Extended transition phases where legacy and quantum-safe systems must coexist will increase complexity and coordination challenges across the financial sector.

The report also examines complementary approaches to PQC, including Quantum Key Distribution (QKD) and Distributed Symmetric Key Exchange (DSKE), but treats these as context-specific complements rather than alternatives. QKD is described as conceptually distinct in its security model but constrained by distance, cost, and scalability. DSKE introduces governance and third-party dependency considerations. The working group’s position is clear: PQC remains the primary pathway, with other approaches potentially layered in for specific high-assurance use cases.

Beyond Cryptography: What the Report Gets Right

The most interesting dimension of the QTWG report is what it covers beyond the now-familiar PQC migration discussion. Three areas merit attention.

The Authentication and Integrity Dimension

The report explicitly addresses the threat to digital signatures, not just encryption. If signature schemes currently in use become vulnerable, this could enable the forgery of signatures or impersonation of trusted entities. The document calls out tokenized assets, digital identity frameworks, and distributed ledger systems as particularly dependent on cryptographic authentication. This is the Trust Now, Forge Later (TNFL) problem, and it is significant to see G7 central banks acknowledging it alongside the more commonly discussed HNDL scenario. While the encryption threat gets most of the headlines, the authentication threat may prove more disruptive for financial infrastructure, where non-repudiation and identity verification are foundational.

Quantum Sensing as a Security Variable

The report includes a section on quantum sensing that goes beyond the typical treatment. It acknowledges that quantum sensors could enable new forms of measurement and surveillance that challenge existing assumptions about privacy and interference resistance. The ability to detect weak electromagnetic signals or operate in jamming-resistant environments could have implications for secure communications and data protection. This is a dimension that most financial sector quantum assessments ignore entirely, and the QTWG deserves credit for flagging it. The implications for financial infrastructure are real: timing systems that underpin transaction timestamping and settlement synchronization already depend on precision measurement technologies that quantum sensing could both improve and threaten.

System-Level Implications and Concentration Risk

The report’s section on system-level implications is perhaps its most forward-looking. It warns that if quantum technologies deliver advantages in specific analytical or optimization tasks, this could reinforce existing asymmetries between institutions or concentrate capability around a limited number of technology providers. The working group notes that quantum computing resources will be accessed predominantly through cloud-based platforms, creating shared dependencies and common points of failure. Opacity and explainability challenges compound the problem when quantum techniques combine with advanced optimization or machine learning methods.

This is an underappreciated risk. The financial sector is already experiencing concentration dynamics in cloud computing and AI infrastructure. Quantum computing, with its extreme specialization and capital requirements, could amplify these tendencies significantly. A world where a handful of quantum cloud providers underpin critical financial computations introduces correlated failure modes that existing resilience frameworks were not designed to address.

What the Report Misses

For all its breadth, the QTWG report has notable gaps.

The most conspicuous is the absence of any concrete timeline or milestone framework for the financial sector’s quantum preparedness. The CEG roadmap at least offered a phased structure with approximate dates (awareness by 2027, inventory by 2028, critical system migration by 2030–2032, full transition by 2035). The QTWG report deliberately avoids anything this specific, instead emphasizing that “preparedness is best understood as an ongoing analytical effort rather than a fixed course of action.” This is intellectually defensible but practically insufficient. Financial institutions need actionable timelines, and the G7 central banks are among the few institutions with the authority to set them.

The report also treats quantum computing applications in finance with excessive caution, repeatedly noting that applications “remain largely experimental” and that quantum techniques have “yet to demonstrate production-ready performance.” This is accurate as of today, but the hedging is so thorough that a busy CISO could read the applications section and conclude that quantum computing is a distant academic curiosity with no near-term relevance. The hybrid classical-quantum approaches already being explored by major financial institutions deserve more substantive treatment.

Finally, the report is silent on how the QTWG’s work will intersect with existing regulatory frameworks. DORA, Basel III operational resilience requirements, SEC cybersecurity disclosure rules, and national financial sector regulations are already creating compliance timelines that financial institutions must navigate. Understanding how quantum preparedness fits within these existing frameworks, rather than being treated as a standalone analytical exercise, is the question that financial sector practitioners most urgently need answered. As I have argued before, the debate about when a CRQC will arrive is increasingly beside the point. Regulators, insurers, investors, and counterparties are already setting their own quantum deadlines. The QTWG report acknowledges the need for coordination but stops short of contributing to the ecosystem-driven deadline pressure that is actually driving action.

Two G7 Bodies, One Direction

The publication of this report alongside the CEG’s PQC roadmap from January creates an interesting institutional picture. The G7 now has two separate working groups addressing quantum risk in finance: the CEG (co-chaired by the U.S. Treasury and the Bank of England), which focuses on cybersecurity and PQC migration mechanics, and the QTWG (co-chaired by the Banque de France and the Bank of Canada), which takes a broader view of quantum technologies including applications and systemic effects.

The two bodies complement each other. The CEG provides the operational roadmap; the QTWG provides the analytical framework. The CEG tells financial institutions what to do; the QTWG helps them understand why and what else to watch. For the financial sector, the practical takeaway from both reports converges on the same point: PQC migration is the priority, the timeline is measured in years rather than decades, and the scope of quantum-related risk extends well beyond cryptography.

What I find most significant about the QTWG report is not any single finding but rather the institutional signal it sends. Eight central banks, representing the world’s largest economies, have collectively stated that quantum technologies present material implications for the financial system. They have endorsed the HNDL threat as real and current. They have acknowledged that PQC migration is complex and urgent. And they have begun the harder work of mapping quantum’s broader effects on market structure, concentration risk, and governance.