SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
Ireland
MHP survey finds firms racing to prepare for Q-Day
Data Protection Digital Transformation Encryption

MHP survey finds firms racing to prepare for Q-Day

Fri, 8th May 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

MHP Consulting UK has published survey findings showing that most large companies in Germany and the US are working on post-quantum cryptography, as the window for replacing current encryption before quantum computers can break it narrows.

The survey of 1,060 IT experts at companies with at least 500 employees found that 86.6 per cent of organisations in Germany and 87.3 per cent in the US are taking action on post-quantum cryptography, from planning and pilot projects to full migration. A smaller group reported that they had already moved critical systems to quantum-resistant encryption, with 14.3 per cent in Germany and 15.4 per cent in the US saying the work was complete.

The research reflects growing concern over what the industry calls Q-Day, the point at which quantum computers can defeat widely used encryption methods. It also highlights the "store now, decrypt later" risk, where data stolen today could be held and read once quantum systems become powerful enough.

Many respondents believe that point is not far away. In Germany, 45.3 per cent expect Q-Day within the next five years, while 39 per cent place it within 10 years. In the US, 55.2 per cent expect it within five years and 33.5 per cent within 10.

That timetable matters because migration is expected to take time. More than half of German respondents, 53.4 per cent, said a technical move to post-quantum cryptography would take between two and five years, while 27.5 per cent said it would take five to 10 years. In the US, 51.8 per cent said two to five years and 21.8 per cent said five to 10.

For companies that have not started or are still at the planning stage, those estimates suggest some may struggle to finish before existing encryption becomes vulnerable. Almost all participating companies also said they hold significant amounts of sensitive data that must remain secure for at least 10 years.

Different approaches

Although overall activity levels were similar in both countries, the findings showed differences in how companies are organising the work. One example was how they track cryptographic assets across their IT estates.

Among German businesses, 41.7 per cent said they rely on manual lists of critical systems, while 32.7 per cent use automated inventories. In the US, 30.1 per cent said they still use manual methods and 50.8 per cent said they use automated inventories.

That gap suggests US organisations are further ahead in an operational area that can shape the speed of migration. Without a clear record of where encryption is used, companies may find it harder to replace vulnerable methods across legacy systems, products and internal networks.

Legacy burden

The survey identified complex legacy systems as the main factor slowing implementation. It was cited by 33.8 per cent of respondents in Germany and 35 per cent in the US, making it the most common barrier in both markets.

Other obstacles differed. In Germany, 19.6 per cent pointed to a lack of budget or resources. In the US, 21.5 per cent said a shortage of internal cryptography expertise was a key problem.

By contrast, lack of awareness ranked relatively low. It was cited by 13.8 per cent of respondents in Germany and 11.3 per cent in the US, suggesting that most large organisations now recognise the issue even if they are not equally prepared to act.

Dr Jan Wehinger, partner at MHP, said the results show companies can no longer treat quantum risk as remote. "This development cannot be halted, which makes it all more important to focus even more on the subject of PQC. The impact of quantum computing on cybersecurity is real and not some distant future scenario," he said.

The findings point to a strategic problem for businesses with long data retention needs, especially in sectors that handle intellectual property, personal data or industrial secrets. If hostile actors can collect encrypted information now and unlock it later, delays in migration could expose data long before systems are formally upgraded.

That is one reason the work goes beyond software updates. Moving to post-quantum cryptography can require companies to identify where encryption is embedded, test replacements, update hardware and software, and ensure compatibility across suppliers and internal systems.

Christian Zgardea, partner at MHP, linked the problem directly to older infrastructure. "Those who manage to bring their legacy systems under control can also make the transition to PQC in a timely manner - but they shouldn't lose any more time," he said. "There is nothing to lose. Even aside from the issue of PQC, it is worth keeping your own systems under control at all times and preventing things getting out of hand."

Related stories
HPE unveils AI security tools & quantum-ready updates
Entrust & IBM Consulting team up on quantum-safe security
Dell launches PowerMaxOS 10.4 with faster, safer storage
Cyber security chiefs split on quantum threat urgency
Survey finds organisations struggle to secure unstructured data
Top stories
UK consumers urged to secure passwords & digital assets
Infoblox completes Axur buy to boost digital risk protection
Cognizant launches Secure AI Services for enterprises
Acceldata & ServiceNow tie data quality to AI workflows
Why trust is the bottleneck for AI-driven operations