Quantum Security & PQC

FINMA Quantum Guidance Puts a Mid-2027 Date on Swiss PQC Roadmaps

July 9, 2026 — The Swiss Financial Market Supervisory Authority (FINMA) published FINMA Guidance 05/2026 on quantum computing, an eight-page supervisory communication that pairs the results of a sector survey with recommendations for the migration to quantum-safe cryptography. The central recommendation: supervised institutions should have a post-quantum cryptography (PQC) roadmap in place by mid-2027 at the latest.

The FINMA quantum guidance draws on a survey of 60 licensed banks, insurance companies, managers of collective assets, and financial market infrastructures that FINMA conducted between November 2025 and January 2026. The regulator’s summary: Swiss institutions are aware of the cyber risks posed by cryptographically relevant quantum computers (CRQCs), but most lack a clear roadmap and sufficiently forward-looking planning for the move to quantum-safe encryption.

FINMA frames the subject within existing law. Switzerland’s technology-neutral, principles-based requirements for governance and risk management already cover the risks arising from powerful quantum computers, it argues, and many institutions would need to develop their risk management further to stay compliant with the requirements on operational risk and resilience. The bottom line for the sector: quantum readiness in Switzerland now comes with a date attached. FINMA recommends a board-adopted PQC strategy and roadmap by mid-2027 at the latest, and says it will give the topic greater prominence in its ongoing supervisory activities.

A Sector That Sees the Risk and Hasn’t Moved

The awareness numbers are unambiguous. Sixty-nine percent of surveyed institutions expect the cyber risks of quantum computing to become relevant for them within seven years (17% within three years, 52% within four to seven). About two-thirds expect that, within 10 years at the latest, a quantum computer will be able to crack RSA 2048-bit encryption in under 24 hours. Respondents ranked data security as the area of greatest quantum risk, followed by incomplete migration, missing expertise, harvest now, decrypt later (HNDL) attacks, and interoperability with legacy systems.

The action numbers tell a different story. Of the institutions surveyed, 72% said they had neither planned nor implemented any measures relating to quantum-safe encryption. Twenty-eight percent have taken a strategic decision at the executive-board or board-of-directors level, and 20% also run an active project. A specific quantum-safe roadmap exists at 8% of respondents, and those few typically assume four to five years until critical data and processes are protected. Around half of the institutions plan to draw up a roadmap within the next one to three years. The remaining 43% have not yet decided whether to draw one up.

Two migration prerequisites enjoy near-consensus. Seventy-three percent rate crypto-agility, the ability of IT systems to swap encryption algorithms quickly and flexibly, as important or very important, and 76% see high or very high value in an inventory of the cryptographic methods in use. Sixty percent are already in contact with their software suppliers about the transition or plan to be.

On the opportunity side, the surveyed institutions expect the largest business value from quantum computing in risk and portfolio analysis, transaction monitoring, algorithmic trading, and random-number generation, while judging most applications in their sector to be at the research or early-development stage. Almost two-thirds do not expect to use quantum computing applications themselves for another eight years or more.

Five Recommendations Inside the FINMA Quantum Guidance

FINMA’s recommendations cover five areas and are limited by design to the transition to quantum-safe algorithms; a footnote points to NIST’s finalized PQC standards, FIPS 203, 204, and 205. The recommendations do not address quantum key distribution (QKD) or risks arising from quantum computing applications.

On strategy, FINMA recommends that migration work rest on a strategy adopted by the board of directors, from which an implementation plan with milestones and priorities is derived, including target dates both for complete migration and for migrating critical business processes. The PQC roadmap should be drawn up by mid-2027 at the latest and may form part of an existing strategy, such as one covering cyber risks.

The risk-analysis recommendation asks institutions to examine every business process for the encryption, signature, and authentication technologies it uses. The scope covers all ICT systems, applications, and infrastructure, including newer technologies such as distributed ledger systems (with a citation to Article 973d of the Swiss Code of Obligations), whether operated in-house, outsourced, or consumed as a service. The expected output is a comprehensive, continuously updated cryptographic inventory spanning data in transit and at rest, digital signatures, key management, and authentication mechanisms, with quantum-vulnerable algorithms (RSA, ECDSA, EdDSA, DH, and EC-DH, in FINMA’s list) flagged for risk-proportionate migration plans.

For critical data, FINMA recommends identifying information that needs long-term guarantees of confidentiality, integrity, or non-repudiation, factoring in HNDL, and protecting long-lived data with PQC algorithms first. Citing a joint statement by European cybersecurity agencies, the regulator recommends hybrid schemes, a classical algorithm combined with a PQC algorithm, for the short to medium term, and acknowledges that hybrid deployment brings added complexity and implementation risk.

Crypto-agility gets its own section. FINMA assumes that algorithms considered secure today, PQC included, may need replacing in the future, and recommends making the ability to exchange cryptographic algorithms without major architectural change a requirement for ICT systems and applications that are procured or developed.

The final recommendation reaches outside the institution. PQC migration creates dependencies on outsourcing partners and external interfaces, those providers must migrate too, and the change is best planned into regular release cycles. Responsibility for outsourced functions stays with the outsourcing institution; the reference FINMA gives is Circular 2018/3 on outsourcing. Crypto-agility should be a prerequisite for all new outsourcing arrangements in the software and data sectors, the regulator writes, and should be incorporated into existing arrangements at the earliest opportunity.

An outlook section closes the document: CRQCs do not yet exist, technological progress has gained momentum, and such machines can be expected in the coming years.

My Analysis

I read the guidance the morning it dropped. Geneva is one of my home bases, FINMA supervises a good share of my professional neighborhood, and I have spent years arguing that the deadlines are already set: regulators, insurers, investors, and clients are the quantum clock now, whatever anyone believes about Q-Day. Switzerland has added its entry to the list.

A Deadline Without a Single New Rule

Start with the instrument. A FINMA Aufsichtsmitteilung, or supervisory guidance, is formally non-binding: it creates no new law, and this one doesn’t pretend to. Its legal argument fits in one paragraph: Swiss financial market law imposes technology-neutral, principles-based requirements for governance and risk management; those requirements already cover the risks from powerful quantum computers; and, based on its supervisory activities, FINMA concludes that many institutions need to develop their risk management further to stay compliant. Translated from supervisory prose: some of you are falling behind on rules that already apply to you.

The word “recommends” appears throughout the document. Anyone who has sat across the table from a prudential supervisor knows how to read it, and the closing line removes residual doubt: FINMA will give the topic greater prominence in its ongoing supervisory activities. In Swiss practice that means the questions arrive in supervisory reviews and regulatory audits, and the wait-and-monitor answer that 70% of institutions gave in the survey becomes a much harder one to defend. FINMA reached for the same instrument in December 2024 to set expectations on AI governance, and institutions that watched how that guidance hardened into supervisory practice will recognize the sequence. That is how supervisory expectations harden in Switzerland: no consultation period, no legislative vote, not a single new rule.

The Sector’s Own Numbers Don’t Close

FINMA is too polite to spell out the tension in its own data, so I will. More than two-thirds of Swiss institutions expect quantum cyber risk at their door within seven years. Two-thirds expect RSA-2048 to fall within 10. And 72% have taken no concrete step, while 43% haven’t even decided whether to produce a plan.

Run the arithmetic on the sector’s stated expectations. The survey closed in January 2026, so the 10-year ceiling points to late 2035. Half the sector intends to produce its roadmap between 2027 and 2029. The 8% that already have roadmaps assume four to five years to get critical data and processes protected. String those together for a typical institution (and note the duration figure comes from the best-prepared cohort, so treat it as a floor): planning starts in 2027, execution runs to 2032 or 2033, and that covers the critical tier only, with the rest of the estate to follow. Measured against the sector’s own expectations, the margin on critical assets is a year or two. On full estates it is negative.

The four-to-five-year assumption deserves scrutiny of its own. It covers critical data and processes only, and even so it sits at the compressed end of published estimates. A December 2025 peer-reviewed enterprise migration study I analyzed in February puts full-scope migrations at 5–7 years for small enterprises, 8–12 for medium ones, and 12–15+ for large ones. Swiss universal banks and insurers are not small enterprises. The institutions furthest ahead in this survey may still be planning on optimistic numbers.

And the just-in-time framing fails on its own terms for any data with a long confidentiality life. HNDL means ciphertext harvested in 2026 stays exposed no matter when the migration completes; finishing critical-tier work in 2033 protects nothing exfiltrated in the seven years before it. My own working estimate for RSA-2048 sits around 2030, earlier than the sector’s median, but the gap between our estimates is almost beside the point. The exposure window opened years ago.

One aggregate observation, because I spend half my writing life pushing back on quantum denialism and the other half on quantum panic: this survey shows neither. The published distribution ends at 15 years with every answer inside it (whether that reflects the questionnaire’s options or real conviction, denialism is nowhere in FINMA’s data), and the same survey finds almost two-thirds expecting to wait eight-plus years before using quantum computers themselves. Sober about the applications, serious about the threat. The Swiss sector holds the position I keep arguing for; what it lacks is the follow-through, and follow-through is what FINMA has now asked to inspect.

HNDL Cuts Deeper in Switzerland

Swiss finance sells confidentiality with a long shelf life. Private banking and wealth management relationships run for decades and across generations, professional secrecy carries criminal sanctions under Article 47 of the Banking Act, and an international clientele chose this jurisdiction partly for its discretion. A file harvested from a Swiss institution today and decrypted in 2033 breaks promises made in a different century. When FINMA calls the HNDL risk “already very real,” the phrase lands harder in Zurich and Geneva than it would in a market where data ages out of sensitivity within a few years.

Non-repudiation for electronic signatures sits on the same list of long-term guarantees to analyze, and it deserves more attention than one clause suggests. That is the signature-side twin of HNDL, the problem I have been calling Trust Now, Forge Later since 2018: a document signed today with a quantum-vulnerable algorithm must remain provably authentic long after that algorithm falls, or the archive of record becomes an archive of deniability. Archival timestamping buys time here, but only if it is applied before the signing algorithm breaks.

A third detail: the inventory scope names distributed ledger technology, complete with a citation to the ledger-based securities article of the Code of Obligations. Switzerland licenses digital-asset banks and a regulated digital exchange, and the signing keys behind ledger-based securities are among the most quantum-exposed assets in the country. A Swiss cryptographic inventory that skipped them would miss the point of the exercise.

The Sharpest Tooth Is a Contract Clause

Most regulatory treatments handle crypto-agility as an engineering aspiration. FINMA turned it into procurement language: a prerequisite for all new outsourcing arrangements in the software and data sectors, retrofitted into existing arrangements at the earliest opportunity, with responsibility parked immovably on the institution under the outsourcing circular. Of everything in the guidance, I expect this clause to move markets fastest.

Swiss financial institutions buy from a concentrated set of core-banking platforms, cloud providers, and hardware security module suppliers. When institutions across a market this compact start inserting the same contractual requirement, vendor roadmaps move, and the survey shows the demand channel is already open: 60% of respondents are talking to their software suppliers about the transition or planning to. France’s ANSSI is applying the same supply-side pressure through certification; FINMA reaches the identical choke point through outsourcing contracts, which needs no certification body, only procurement teams reading the same eight pages.

Hybrid In, QKD Out, and One Typo

FINMA anchors its hybrid recommendation to the pan-European “Securing Tomorrow, Today” joint statement, first signed by the cybersecurity authorities of 18 EU member states in November 2024 and expanded in a 2025 update to 21 European states. That places Swiss supervision on the BSI and ANSSI side of the hybrid debate, a divide that runs through every jurisdiction I track, and a stricter posture than the NSA’s, which permits hybrid as an interim measure but treats standalone PQC as sufficient. Credit where due: FINMA names the cost, added complexity and implementation risk, instead of selling hybrid as a free lunch.

QKD is handled by omission. FINMA scopes its recommendations to algorithmic migration and sets QKD aside as out of scope, so QKD purchases do not substitute for the strategy, roadmap, and inventory the regulator is asking for. In the country where commercial QKD was pioneered, and whose federal quantum strategy flags the absence of a national QKD network, the scoping choice reads as deliberate. It matches the split I have traced in how national agencies treat QKD: PQC is the answer for the general case, QKD at most a specialty layer.

And one small thing, offered with sympathy. Footnote 1 of the English version cites the NIST standards as ML-EM, ML-DAS, and SLH-DAS. The algorithms are ML-KEM, ML-DSA, and SLH-DSA. A copy-editing slip and nothing more, but a revealing one: this vocabulary is barely two years old, and even the supervisor writing the guidance hasn’t fully absorbed it. Expect the same stumbles in the board papers and vendor contracts these roadmaps will generate, and budget review cycles accordingly.

Mid-2027 Against Everyone Else’s Clock

For calibration: the EU’s coordinated roadmap expected member states to begin their transitions and stand up national plans by the end of 2026, with high-risk use cases migrated by 2030 and as many systems as feasible by 2035. The UK NCSC wants discovery complete and migration plans in place by 2028, high-priority systems migrated by 2031, and everything done by 2035. The G7 Cyber Expert Group sketched critical-system migration in finance for 2030–2032 with full transition by 2035, and CNSA 2.0 gates new US national-security-system acquisitions from January 2027; the full picture, with FINMA now on it, is on my interactive PQC deadlines timeline. The instruments differ (state roadmaps, supervisory guidance, procurement gates), so the dates are not strictly comparable, but the band is unmistakable. FINMA’s mid-2027 roadmap milestone lands ahead of the UK’s 2028 planning deadline and about six months behind the EU’s. Switzerland is neither leading nor lagging; it has simply stopped being silent.

What FINMA did not set is an end date. The roadmaps must contain target dates for critical processes and for complete migration, but institutions choose those dates themselves. As supervisory design this has a certain elegance: boards own the outcome and answer for it under existing governance rules. It also has an obvious failure mode, because self-set dates invite sandbagging. My prediction, and I am happy to be held to it: if the roadmaps FINMA sees in 2027 cluster their completion dates in the late 2030s, the next Swiss instrument on this topic will be a circular with numbers in it, on the same escalation path from guidance to mandate that ANSSI confirmed last month with its 2027 certification cutoff.

For Swiss institutions, the sequencing is dictated by the guidance itself. A roadmap a supervisor will respect needs an inventory behind it, and cryptographic inventories at financial-institution scale take half a year to a year before they are decision-grade. Counting back from mid-2027, discovery starts now. Prioritize the long-lived confidential data and the external interfaces, and put the agility clause into every contract signed from this quarter forward, because procurement is the cheapest lever to pull early. My practical steps guide covers the opening moves, the open-source PQC Migration Framework provides the full method, including a financial-services extension, and my book Quantum Ready is the long-form treatment if the board wants the whole picture.

FINMA ends by promising the topic greater prominence in its supervisory work, which means this survey gets rerun, formally or one supervisory review at a time. When the next set of numbers comes out, the figure to watch is how many of the self-set target dates hold once the inventories come back and the estates turn out, as they always do, to be larger than anyone budgeted for.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.