Malicious actors are currently collecting massive volumes of encrypted information with the expectation of decrypting it when quantum computers reach sufficient computing power. The data stolen tomorrow using quantum algorithms is, in reality, the data being transmitted today.
“Spanish organizations must understand that preparing for post-quantum cryptography is not a future project, but an operational resilience program that starts now. Those who begin building their cryptographic inventory, identifying their critical assets, and conducting controlled tests will have an advantage at both a regulatory and reputational level,” notes Eutimio Fernández, Regional Sales Manager for Iberia at Thales Cybersecurity Products.
Regulatory framework and action plans
In 2024, the European Commission published its Recommendation on the coordinated transition to post-quantum cryptography (algorithms and protocols designed to withstand attacks from quantum computers), urging Member States to begin migrations immediately and prioritize critical infrastructure before 2030. Spain also has its Quantum Technologies Strategy 2025-2030, which reinforces the urgency of addressing quantum cybersecurity as a priority. In parallel, the European cybersecurity regulatory framework—with NIS2, DORA for the financial sector, and the National Security Scheme in the public sector—is raising the bar for cryptographic management.
“The most advanced companies are already moving from strategy to execution with plans that include an initial cryptographic inventory, interoperability analysis, selection of pilot projects, and the building of auditable evidence. It's not about completing the cryptographic base migration this year, but about considering where to start, what to prioritize, and which systems to test,”continues the head of Thales Cybersecurity Products. These action plans include identifying where encryption is used, what data it protects, and which assets have long confidentiality horizons; in terms of interoperability, documenting dependencies with cloud providers, SaaS platforms, payment networks, or partners that will affect the pace of migration; selecting one or two starting points to test hybrid algorithms (vulnerable and non-vulnerable) without disrupting operations, such as an internal PKI route, a critical TLS flow, or a code signing process; and generating a package of evidence from day one that can be presented to regulators, boards of directors, and auditors as proof of structured progress.
Model for financial services and complex environments
In heterogeneous and complex environments such as finance, Thales Cybersecurity proposes a two-track migration model: Critical data, identities, and applications: based on Thales Cybersecurity's Luna HSMs, which provide a governed foundation for introducing hybrid and post-quantum cryptography into key management flows, PKI, TLS, and code signing, preserving key custody during the transition. Data in transit on critical paths: Thales Cybersecurity's High Speed Encryptors (HSEs) protect sensitive network traffic between sites, data centers, cloud environments, and disaster recovery connections without waiting for the entire application and vendor chain to be ready. This reduces exposure to Harvest Now, Decrypt Later attacks while application migration progresses. Thales Cybersecurity Products solutions are available in Spain through Exclusive Networks, a leading cybersecurity distributor that leverages a partner network including systems integrators, managed service providers (MSPs), and regional specialists to accelerate the adoption of security solutions with enablement, technical training, and support services. Thales has also published "The Quantum-Safe Financial Enterprise," a practical guide for financial institutions that details how to establish a cryptographic ledger system, prioritize assets according to their risk level, and generate auditable evidence aligned with regulatory expectations. The guide is available free of charge here.
