
Bank of Israel Tells Banks: Map Your Cryptographic Exposure and Submit Quantum Preparedness Plans Within a Year

12 January 2025 — The Bank of Israel’s Banking Supervision Department issued Directive Letter 202501, titled “Banking System Preparedness for Cyber Risks Arising from Quantum Computing Capabilities,” on January 7, 2025. The letter requires all banking corporations and licensed service providers to assess their quantum risk exposure and submit a formal preparedness plan to the Head of the Technology, Innovation, and Cyber Division within one year.

The directive is anchored in Proper Conduct of Banking Business Directive 364, which governs information technology risk management, information security, and cyber defense across Israel’s banking sector. It frames quantum computing as a cybersecurity risk that requires proactive management, specifically citing the threat of adversaries collecting encrypted data today for future decryption (the Harvest Now, Decrypt Later model).

The required preparedness plan must include a mapping of computing and communication infrastructure, identification of data and systems vulnerable to quantum-enabled cryptanalysis, an assessment of potential damage from compromise, and a response plan. The plan must be discussed by the board of directors and management before submission to the regulator.

This makes the Bank of Israel one of the first financial regulators in the world to issue a binding directive, as opposed to advisory guidance, specifically requiring quantum readiness planning from supervised institutions.

My Analysis

Financial regulators globally have been publishing reports and advisories about quantum risk for the past year. The MAS in Singapore issued an advisory in early 2024. FS-ISAC published a migration roadmap. The G7 Cyber Expert Group published a warning. Most of these are guidance documents: useful, influential, but not enforceable. The Bank of Israel is issuing a directive under its supervisory authority, with a one-year deadline and a named submission target.

That difference has real consequences in the banking world. When a supervisor asks for a plan that the board must discuss and formally approve, it enters the governance record. It becomes an auditable commitment. A bank that fails to submit isn’t merely falling behind on best practice; it’s failing a supervisory requirement. The conversation at board level shifts from “should we start thinking about this?” to “we have a regulatory obligation with a deadline.”

The one-year submission window (approximately January 2026) places Israel’s banking sector ahead of most financial regulators on the global timeline. CNSA 2.0 sets January 2027 for new National Security Systems (NSS) acquisitions, though that’s a defense-focused timeline rather than a financial-sector one. Israel is requiring a planning deliverable from its banking sector before the major economies have finalized their own financial-sector requirements.

The directive also integrates quantum preparedness into the bank’s existing cyber risk framework rather than treating it as a standalone project. The required cryptographic mapping must be “completed as part of the banking corporation’s preparation to meet the requirements of Directive 364.” From a practical standpoint, this means quantum risk assessment becomes part of regular supervisory examinations, not a one-off exercise.

What I’d watch for: whether the Bank of Israel follows this directive with more prescriptive guidance on PQC algorithm selection, migration timelines, or hybrid requirements. The current directive is framework-level: it requires the plan but doesn’t specify the solution. That’s appropriate for early 2025, when the PQC product ecosystem is still maturing. But as NIST-validated implementations become available and FIPS 140-3 PQC modules enter production, expect the supervisory expectations to sharpen.

For CISOs in multinational banks with Israeli operations: this directive applies to you. The one-year clock is running.


Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.