NIST PQC Standards · Quantum Risk · Migration Readiness

YOUR ENCRYPTION HAS AN EXPIRY DATE.

Post-quantum cryptography readiness assessment for financial institutions protecting long-lived sensitive data and critical infrastructure from the advancing — and accelerating — threat of quantum computing.

Aligned with: NIST PQC · Crypto Inventory · Migration Roadmap

  • NIST PQC: Standards aligned
  • Crypto Inventory: Asset mapping
  • Quantum Exposure: Risk scoring
  • Crypto-Agility: Architecture review
  • Migration Roadmap: Phased planning

The challenge

Harvest now, decrypt later. It is already happening.

Adversaries are collecting encrypted data today — planning to decrypt it when quantum computers become capable. Data encrypted in 2025 may be readable by 2032. The window to act is narrowing.

The threat is not future — the data collection is present

Nation-state adversaries are already executing harvest-now-decrypt-later attacks — collecting encrypted data at scale today with the explicit intention of decrypting it once quantum capability matures. For financial institutions holding long-lived sensitive data — contracts, client records, transaction histories — the exposure window extends further than most risk assessments acknowledge.

NIST has published the standards. Regulators are beginning to ask.

NIST published its first post-quantum cryptography standards in 2024 — FIPS 203, 204, and 205 — establishing the migration target for quantum-resistant cryptography. Financial regulators including the ECB, DORA oversight bodies, and national supervisory authorities are beginning to include PQC readiness in supervisory dialogue. Most institutions cannot yet answer the basic question regulators will ask.

Engagement models

Two assessment tracks. One migration standard.

EONTA delivers PQC readiness assurance through two structured tracks — exposure assessment and migration planning — each calibrated to your data sensitivity profile and regulatory timeline.

Cryptographic Inventory · Quantum Exposure

Quantum Exposure Assessment

Complete inventory of your cryptographic assets — algorithms, key lengths, certificate authorities, protocol configurations, and third-party dependencies — scored by quantum exposure and prioritised by data sensitivity and longevity.

  • Cryptographic asset discovery and inventory
  • Algorithm and key length vulnerability assessment
  • Certificate and PKI infrastructure review
  • Third-party and vendor cryptographic dependency mapping
  • Data longevity and sensitivity exposure scoring

Inventory-led — not theoretical advisory

Third-party dependency exposure mapped as standard

NIST vulnerability classification applied throughout

"Where is our quantum-vulnerable cryptography — and what data does it protect?"

NIST PQC · Migration Roadmap

PQC Migration Roadmap

Prioritised, phased migration plan from quantum-vulnerable cryptography to NIST PQC standard algorithms — sequenced by exposure severity, data sensitivity, and operational risk, with third-party dependency remediation integrated throughout.

  • NIST FIPS 203/204/205 migration target mapping
  • Phased migration sequence by exposure priority
  • Crypto-agility architecture evaluation
  • Vendor and third-party remediation roadmap
  • Governance framework and oversight structure

NIST PQC standards — FIPS 203, 204, 205 aligned

Regulatory timeline incorporated throughout

Crypto-agility assessment included as standard

"Do we have a documented, prioritised plan to migrate to post-quantum cryptography before our exposure window closes?"

Core capabilities

What we inventory and assess.

Each capability starts with your actual cryptographic environment — not theoretical models — and produces actionable evidence of where your exposure is and how to address it.

Cryptographic Asset Inventory

Complete discovery and cataloguing of all cryptographic assets across your environment — algorithms, key lengths, certificate infrastructure, protocols, and API-level cryptographic usage.

Quantum Exposure Assessment

Systematic scoring of cryptographic asset vulnerability to quantum attack — weighted by algorithm type, key length, data sensitivity, and the longevity of data the cryptography currently protects.

Crypto-Agility Evaluation

Assessment of your architectural readiness to migrate cryptographic algorithms without major system re-engineering — the single most important factor in migration cost and timeline.

PQC Migration Roadmap

Prioritised, phased migration plan to NIST PQC standards — sequenced by exposure severity, operational risk, and regulatory timeline, with implementation dependencies mapped throughout.

Third-Party Dependency Review

Mapping and risk assessment of vendor and partner cryptographic dependencies — identifying where your PQC migration depends on third-party remediation timelines outside your direct control.

Cryptography Governance Framework

Assessment of existing cryptographic policy, oversight structure, and key management governance — and the enhancements required to manage PQC migration as an operational programme.

How it works

From cryptographic inventory to migration confidence.

A structured engagement that begins with what is actually in your environment — not assumptions — and produces a migration roadmap your technical and governance teams can execute.

Inventory

Discover and catalogue all cryptographic assets — algorithms, keys, certificates, and protocols — across your systems, APIs, and third-party dependencies.

Assess

Score cryptographic exposure by algorithm vulnerability, data sensitivity, and data longevity. Map third-party dependency risk.

Evaluate

Assess crypto-agility, migration feasibility, and operational risk for each exposure cluster. Apply NIST PQC standard mapping.

Roadmap

Produce a prioritised, phased PQC migration roadmap — sequenced by exposure severity and regulatory timeline, with governance framework recommendations.

Why EONTA

Why inventory-led PQC assurance matters.

Inventory-Led — Not Theoretical Advisory

PQC readiness cannot be assessed theoretically. EONTA starts with a complete inventory of your actual cryptographic environment — what algorithms you are using, what data they protect, and how long that data needs to remain confidential. Theoretical frameworks applied without this foundation produce recommendations that cannot be executed.

Third-Party Dependency Exposure Mapped Throughout

Your PQC migration is only as fast as your slowest vendor. EONTA maps third-party cryptographic dependencies as a standard component of every engagement — because your migration roadmap must account for the remediation timelines of the providers whose cryptographic implementations you depend on.

NIST PQC Standards Applied — Not Future Standards Anticipated

NIST published FIPS 203, 204, and 205 in 2024. These are the current, finalized post-quantum standards. Our migration roadmaps are built to these standards — not to anticipated future publications — providing a migration target that is actionable today.

Who this is for

Built for those accountable for cryptographic risk.

EONTA's PQC readiness services are designed for the governance functions and technical roles directly accountable for cryptographic security, long-term data protection, and emerging technology risk.

Primary stakeholders

  • Chief Information Security Officers
  • Chief Technology Officers
  • IT Security Architects
  • Risk Officers & CROs
  • Internal Audit Functions
  • Board Risk Committees
  • Cryptography & PKI Teams
  • Regulatory Affairs

Common engagement triggers

Regulatory inquiry or supervisory dialogue including PQC

Financial institutions receiving questions about PQC readiness from regulators, supervisors, or correspondent bank counterparties requiring documented evidence of assessment and planning.

Long-lived data sensitivity concern — contracts, records, transactions

Institutions holding data with multi-year confidentiality requirements that falls within the harvest-now-decrypt-later exposure window, requiring priority exposure assessment.

Strategic technology programme — platform migration, cloud adoption, or PKI refresh

Organisations undertaking major infrastructure changes with the opportunity to embed crypto-agility and PQC migration preparation into the architecture from the outset.

Frequently asked

Questions before every PQC engagement.

Honest answer: we don't know precisely — but adversaries are not waiting. The 'harvest now, decrypt later' threat is real today: attackers are collecting encrypted data now with the intent to decrypt it once quantum capability is available. For data with long confidentiality requirements — customer records, transaction histories, sovereign communications — the migration timeline must begin now, regardless of when cryptographically relevant quantum computers arrive.

The primary quantum-vulnerable algorithms are RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman key exchange — the foundations of most current TLS, PKI, and digital signature infrastructure. AES-128 and SHA-256 are weakened but not broken by quantum attacks; AES-256 and SHA-384/512 provide adequate quantum resistance. The focus of PQC migration is asymmetric cryptography.

NIST published its first three PQC standards in August 2024: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, for digital signatures). A fourth standard, FN-DSA (FALCON), is in final processing. These are the standards against which EONTA's cryptographic inventory assessments are aligned. Financial regulators in the EU and UK have begun referencing these standards in guidance.

A cryptographic inventory systematically identifies every cryptographic algorithm, key, certificate, and protocol in use across your systems, applications, and infrastructure. EONTA's inventory methodology combines automated scanning tooling with architecture review and stakeholder interviews — producing a comprehensive asset register that identifies which assets use quantum-vulnerable algorithms and their criticality to business operations.

A scoped cryptographic inventory and readiness assessment for a mid-size financial institution typically requires 4–7 weeks. For institutions with complex infrastructure, large numbers of interconnected systems, or extensive third-party dependencies, timelines extend accordingly. A phased approach — inventory first, migration roadmap second — is common and often more practical.

Deliverables include: a comprehensive cryptographic asset inventory; a quantum vulnerability classification of all identified algorithms and certificates; a migration readiness assessment by system and business criticality; a third-party and supply chain dependency analysis; a prioritised migration roadmap aligned to NIST standards; and a board-ready summary for executive and regulatory audiences.

Both — but institutions that treat it purely as a technology project typically underestimate scope and timeline. The migration requires cryptographic governance (policy, standards, inventory management), vendor and third-party coordination, testing and assurance of migrated systems, and regulatory engagement. EONTA's role is to assure the governance and planning of the migration — the technical implementation is led by your engineering and vendor teams.

The primary quantum-vulnerable algorithms are RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman key exchange — used in TLS, SSH, code signing, certificate infrastructure, and most asymmetric cryptographic operations. Symmetric algorithms (AES-256, SHA-3) are considered quantum-resistant with appropriate key lengths. The NIST PQC standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA) provide standardised replacements for the vulnerable asymmetric algorithms.

NIST published its first three Post-Quantum Cryptography standards in August 2024: FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber), FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, formerly SPHINCS+). These are final, published FIPS standards — not draft proposals. EONTA's migration roadmaps are built to these standards. NIST is expected to publish additional PQC standards in subsequent years, and our framework incorporates crypto-agility to accommodate future updates.

A cryptographic asset inventory and quantum exposure assessment for a defined institutional scope typically concludes in 3–5 weeks. An engagement that also includes migration roadmap development, crypto-agility evaluation, and third-party dependency mapping typically requires 6–9 weeks. Duration depends on the number of systems in scope, the complexity of your cryptographic environment, and the extent of third-party dependency mapping required.

That is precisely why EONTA starts with a discovery-led inventory — not a self-declaration exercise. Most organisations do not have a complete, current picture of their cryptographic environment. Our inventory methodology uses a combination of documentation review, system interrogation, API scanning, and stakeholder interviews to build a comprehensive asset register from which exposure assessment can be conducted.

Standard deliverables include: a complete cryptographic asset inventory; a quantum exposure assessment with risk scoring by asset type; a crypto-agility evaluation with architectural recommendations; a prioritised PQC migration roadmap aligned to NIST standards; a third-party cryptographic dependency risk register; and a board-ready executive summary. We also provide a cryptography governance framework assessment where existing policy and oversight structures are reviewed.

Take the next step

Do you know where your quantum-vulnerable cryptography is — right now?

Most organisations discover their exposure when a regulator or auditor asks. Find out on your terms, before that conversation happens.

All scoping conversations are confidential. EONTA does not share engagement details with third parties.