> **Source: [研报客](https://pc.yanbaoke.cn)**

# 2026 Global State of Post-Quantum and Cryptographic Security Trends Summary

## Core Content

The 2026 Global State of Post-Quantum and Cryptographic Security Trends report highlights the growing urgency for organizations to prepare for the post-quantum (PQ) threat and enhance their cryptographic security management. With quantum computing advancing rapidly, traditional encryption methods like RSA and ECC may soon be broken, creating a critical need for quantum-safe encryption (PQC). The report is based on a survey of 4,149 senior IT, security, and risk leaders across six regions: the United States, United Kingdom/Ireland, Canada, DACH (Germany, Austria, Switzerland), Indonesia, and Singapore.

## Key Findings

- **PQ Threat Perception**:
  - 75% of respondents believe the PQ threat is imminent, with 51% expecting it within 5 years and 24% within 5–10 years.
  - Only 12% think it will never happen.
  - 50% of respondents believe a successful quantum attack would have a serious impact on their organizations and industries.
- **PQ Preparedness**:
  - 38% of global respondents are actively preparing for PQ, a 3% decline from last year.
  - 29% have evaluated the potential impact of PQ, while 31% have not even considered it.
  - The DACH region leads with 45% actively preparing for PQ, overtaking the U.S. (40%) in readiness.
- **Government Guidance**:
  - The U.S. has strong guidance from NSA, NIST, and CISA, with the NSA targeting quantum-safe systems by 2033.
  - NIST aims to deprecate classical asymmetric algorithms by 2030 and fully disallow them by 2035.
  - The EU requires a quantum threat analysis by 2026, migration of high-risk use cases by 2030, and all use cases by 2035.
  - The UK’s NCSC recommends a full cryptographic inventory and PQC migration plan by 2028, with critical systems migrated by 2031.
- **Crypto-Agility Challenges**:
  - Only 26% of organizations have a fully implemented crypto-agility strategy, while 31% have a partially implemented one.
  - 44% are building a PQC strategy, and 32% are compiling an inventory or ensuring crypto-agility.
  - The inability to improve visibility into cryptographic assets is the top challenge, cited by 41% of respondents.
- **Cryptographic Inventory and Management**:
  - Only 43% of organizations have full visibility into their cryptographic estate.
  - 43% have full visibility into certificates, and 40% into keys and secrets.
  - 68% of respondents find managing cryptographic assets extremely or very difficult.
  - Common concerns include insufficient staff (45%), lack of skilled personnel (42%), fragmented systems (41%), and unclear ownership (36%).
- **PKI and HSM Trends**:
  - PKI remains central to identity and access management, especially in Zero Trust environments.
  - The top PKI use cases are:
    - Private networks and VPNs (52%)
    - SSL certificates for public-facing websites (50%)
    - Document/message signing (45%)
  - Use of PKI in private cloud applications and mobile device authentication has declined significantly.
  - HSMs are increasingly used to secure PKI, with 63% of organizations using them for this purpose (up from 51% last year).
  - The top HSM use cases are database encryption (49%) and encryption/tokenization solutions (49%).
  - Online roots and offline roots are the primary areas for HSM deployment to secure PKI.
- **Security Certifications**:
  - Common Criteria EAL Level 4+ is the most important certification for PKI infrastructure, cited by 54% of respondents.
  - FIPS 140-2 Level 3 is the second most important, but its importance has dropped from 55% to 32%.
- **New Challenges and Concerns**:
  - Budget and in-house expertise have become top concerns, with 39% and 38% of respondents citing these as significant issues, respectively.
  - The concern over insufficient scale and technology to support new algorithms has decreased from 38% to 31%.
  - Concerns over the security of new algorithms have also decreased, from 40% to 32%, likely due to increased trust in NIST PQC standards.
- **Migration Strategies**:
  - 71% of respondents are testing or implementing PQC.
  - 35% plan to implement a pure PQC approach, while 36% will use a hybrid model combining PQC with traditional cryptography.
  - NIST’s draft standard (NIST IR 8547) supports a hybrid migration approach to ease the transition.
- **Compliance and Governance**:
  - Only 36% of organizations rate government policy and public-private coordination on PQ readiness as more than adequate.
  - Few organizations have well-defined compliance programs for cryptographic security.
  - 48% report having steps in place to secure data for more than 10 years, highlighting a gap in long-term data protection.

## Conclusion

The report underscores that cryptographic security is at a critical juncture, with the need for quantum resistance becoming more pressing. Visibility, governance, and crypto-agility are essential to managing the transition to PQC and mitigating risks. While progress is being made, many organizations still lack the resources, expertise, and strategic frameworks needed to fully prepare for the quantum threat. The CA/Browser Forum’s new rules for shorter certificate lifecycles (down to 47 days by 2029) further complicate the landscape, emphasizing the need for automation and real-time monitoring. The shift toward cloud-enabled and PQ-ready platforms is a key trend, as organizations seek to meet evolving operational and compliance demands.