The World Federation of Exchanges (“WFE”), the global industry association for exchange groups and CCPs, has warned of a substantial gap between regulatory expectations and industry expectations around quantum computing risk preparedness.
Major public authorities, standards bodies, and cross-border policy groups have begun issuing guidance, calling for early preparation and coordinated migration to post-quantum cryptography (PQC). This is driven by two core concerns:
- Long lead times required to upgrade cryptographic systems; and
- The “harvest now, decrypt later” threat where attackers steal encrypted data today to unlock it in future once more powerful technologies become available to break the encryption.
The WFE Global Cybersecurity Working Group recently conducted a preliminary survey on the Quantum Computing Preparedness, the results of which highlight the importance of other competing priorities. In particular, Generative AI risks are viewed as far more urgent and immediate, consuming most organisational attention and investment. Quantum Computing is seen as a longer-term threat, with many firms hesitant to commit too many resources until clearer timelines or stable standards emerge.
Most WFE members estimate a 5–10+ year window before cryptographically relevant quantum computers (CRQCs) emerge, in line with NIST FAQs. Consequently, resourcing remains proportionate to a long-term risk, not an imminent one, and shouldn’t be prioritised at the expense of more immediate operational concerns such as AI-driven threats and Cyber Resiliency. This is consistent with the WFE’s 2025 Annual Survey of Risks where AI and Cyber Resilience risks continued to be ranked highest by members, as they have consistently for two years.
Although members do not consider Quantum Computing risk to be imminent, they have already begun laying the necessary groundwork for future preparedness, including:
- Actively monitoring regulatory guidance, vendor progress, and developments in NIST standardisation. Several are incorporating Quantum Computing discussions into risk committees and cyber governance forums.
- Preliminary quantum risk assessments.
- Including quantum-safe encryption criteria in procurement and vendor evaluation cycles.
- Considering projects to map existing cryptographic assets, as the first step in any migration roadmap.
- Working with the WFE to develop a best-practice guide on quantum transition, and a structured roadmap for market infrastructures.
Nandini Sukumar, CEO of the World Federation of Exchanges, said, “While Quantum Computing readiness is undoubtedly important, the migration to post-quantum cryptography remains a long-term undertaking, and the practical groundwork - planning, asset mapping, and vendor coordination - should be paced appropriately. Whilst exchanges recognise that Quantum Computing is a meaningful risk, regulators must understand that preparation should not deflect from more imminent risks related to AI and Cyber Resilience.”
Read the full paper here.
