FINMA sets post-quantum crypto expectations for the Swiss financial sector — Aufsichtsmitteilung 05/2026 flags 'harvest now, decrypt later' and a missing migration roadmap
FINMA published Aufsichtsmitteilung (supervisory communication) 05/2026 on 9 July 2026, presenting the results of a November 2025–January 2026 survey of 60 Swiss financial institutions on cryptographically-relevant quantum computing (CRQC) risk. Its core finding: institutions are aware of the threat but "meist fehlt aber eine klare Roadmap und eine ausreichend vorausschauende Planung für die Migration zu quantensicherer Verschlüsselung" — most lack a clear roadmap and sufficiently forward-looking planning for the migration to quantum-safe encryption (FINMA, 2026-07-09). FINMA explicitly names "harvest now, decrypt later" — capture-and-store-for-future-decryption of today's encrypted traffic and data — as the operative near-term threat model, and sets, under existing operational-risk-and-resilience supervisory expectations rather than a new binding circular, that institutions should produce a PQC migration strategy and roadmap, run an institution-specific risk analysis, "die Erstellung eines kryptographischen Inventars" (build a cryptographic inventory), adopt crypto-agility, and extend the planning to outsourced service providers. No mandatory deadline accompanies the communication (swissinfo.ch, 2026-07-10).
Why this belongs in the strategic view: it is the home financial-sector regulator setting a direction of travel that a Swiss/EU public-sector or CI reader will encounter next as a compliance expectation, and it reframes post-quantum readiness as a near-term data-protection issue, not a distant cryptographic curiosity — because the "harvest now, decrypt later" risk accrues from today's captured traffic regardless of when a CRQC actually arrives.
Die Institute sind sich der Cyberrisiken von kryptografisch relevanten Quantum Computern bewusst. Meist fehlt aber eine klare Roadmap und eine ausreichend vorausschauende Planung für die Migration zu quantensicherer Verschlüsselung.
Dazu gehört eine klare Strategie und Roadmap für die Migration zu quantensicheren Verschlüsselungen, eine institutsspezifische Risikoanalyse, die Erstellung eines kryptographischen Inventars, der Schutz kritischer Daten vor 'harvest now, decrypt later' Angriffen.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.