Paul Holt, GVP of EMEA at DigiCert discusses why post-quantum readiness now demands executive attention, not just technical planning.
Digital trust is the quiet foundation of our digital economy. Every transaction, certificate and connected device depends on it.
Yet that foundation is shifting and the pace of change is accelerating.
Quantum computing is no longer a distant concept.
Investment across the UK and Europe is turning theory into capability and its potential to undermine today’s cryptographic systems is clear.
The question for business leaders is no longer if quantum will arrive, but whether their organisations will be ready when it does.
Across the region, quantum and security teams are already responding.
They recognise that preparing for the quantum era is not a routine technical upgrade.
It is a strategic investment in resilience, compliance and the continuity of digital trust.
Until recently, many organisations viewed post-quantum cryptography (PQC) as an issue for the future. That perception is changing quickly.
The first quantum-safe algorithms have now been selected by the US National Institute of Standards and Technology (NIST).
The EU Agency for Cybersecurity (ENISA) and the UK’s National Cyber Security Centre (NCSC) are urging organisations to start planning their transitions.
Meanwhile, European regulations such as NIS2 and eIDAS 2.0 are expanding executive accountability for cryptographic control and operational resilience.
At the same time, discovery work is exposing just how complex modern encryption estates have become.
Certificates and keys are often scattered across thousands of systems, from cloud platforms to industrial control environments.
That complexity makes change slow. Every month of delay reduces the time available for controlled testing, phased rollout and partner coordination.
The window for proactive preparation is narrowing and with it the opportunity to lead rather than react.
Europe has already seen what happens when compliance and security planning come too late.
When the General Data Protection Regulation (GDPR) took effect in 2018, many organisations underestimated the effort required to adapt their data-handling processes.
The rush to comply led to expensive consultancy projects, hurried technology fixes and in many cases, large fines.
The same pattern will repeat with PQC if planning is deferred.
Retrofitting cryptographic controls once standards are mandated will be far costlier and riskier.
Teams may need to replace or reissue millions of certificates in compressed timeframes while keeping core services running.
Coordination across vendors and regulators will add further strain.
For many, the financial impact could be several times higher than if preparation had begun early.
The reputational impact of appearing unprepared could be greater still.
Regulatory penalties are only part of the story. The larger danger lies in the security gap that quantum computing will create.
When practical quantum machines arrive, algorithms such as RSA and ECC will no longer provide adequate protection.
Encrypted data stolen today may be decrypted in the future – the “harvest now, decrypt later” risk.
Sensitive information that appears secure in 2025 could be exposed within a decade.
Once quantum attacks become viable, weaknesses will not fail gradually.
They will open across every system relying on vulnerable encryption. For sectors such as finance, energy, healthcare and government, that could mean loss of intellectual property, service disruption and widespread reputational damage.
This is why urgency matters. The threat is not theoretical; it is already forming.
Responsibility for PQC readiness looks different across organisations.
In large enterprises, dedicated quantum or cryptography teams are often leading programmes in partnership with CISOs, CIOs and compliance leaders.
In mid-sized and smaller organisations, security or IT teams are taking the lead, with direct executive oversight.
Whatever the structure, success depends on collaboration.
Security, cryptography, compliance and transformation functions must align priorities, resources and timelines.
The goal is not to replace every system overnight, but to build crypto-agility – the capability to identify, update and replace cryptographic assets efficiently and safely.
Across Europe, forward-looking organisations are focusing on three priorities:
These measures turn an abstract problem into a structured, manageable programme of work.
Quantum readiness is now a test of leadership as much as technology.
It demands foresight, cross-functional coordination and visible support from the top.
Boards and executives should treat PQC as a pillar of enterprise resilience, not a niche technical concern.
They should ensure that discovery work is funded, responsibilities are clear and accountability for progress sits at the highest level.
For quantum and security teams, the priorities are clear:
Organisations that act now will control their own transition timelines.
Those that wait may find them dictated by regulators, customers or attackers.
Quantum computing may still be emerging, but the race to be ready has already begun.
Digital trust still runs downhill – and in this era of accelerated change, it is quantum and security professionals who must keep it flowing.
Paul Holt joined DigiCert from Venafi, where he served as Vice President of Sales, covering both the EMEA and APAC markets.
With decades of experience, Holt has also held senior leadership positions at Anchore and VeriSign, where he led sales strategy in security services.
DigiCert is a global leader in intelligent trust.
We protect the digital world by ensuring the security, privacy and authenticity of every interaction.
Our AI-powered DigiCert ONE platform unifies PKI, DNS and certificate lifecycle management, to secure infrastructure, software, devices, messages, AI content and agents.
This article was originally published in the February edition of Security Journal UK. To read your FREE digital edition, click here.
