WFE Urges Regulators to Balance Quantum Risks With Immediate Cyber Threats

The World Federation of platforms has warned regulators to avoid over-prioritising quantum computing risks at the expense of more immediate operational challenges, highlighting a growing gap between regulatory expectations and industry assessments of preparedness.

In a new assessment led by its Global Cybersecurity Working Group, the WFE said platforms and central counterparties broadly recognise the long-term risks posed by quantum computing, but view threats linked to generative artificial intelligence and cyber resilience as far more urgent.

The findings come as public authorities and international standards bodies increasingly call on financial institutions to begin ahead preparation for post-quantum cryptography, amid concerns that today’s encryption could be compromised by future advances in computing power.

Regulators Push ahead Action on Post-Quantum Cryptography

Across major jurisdictions, regulators and policy groups have begun issuing guidance urging coordinated migration to post-quantum cryptography (PQC). This push is driven by two main concerns: the long lead times required to upgrade cryptographic systems, and the so-called “harvest now, decrypt later” threat.

Under this scenario, attackers may steal encrypted data today and store it until more powerful technologies become available to break the encryption in the future. For regulators, the prospect raises concerns about long-term data confidentiality and systemic risk.

The WFE acknowledged these concerns but cautioned that the industry’s capacity to act is constrained by uncertainty around timelines and standards.

Most WFE members estimate a window of between five and more than ten years before cryptographically relevant quantum computers (CRQCs) emerge, broadly in line with guidance published by the US National Institute of Standards and Technology.

As a result, firms are calibrating their preparations to what they view as a long-term risk, rather than an imminent operational threat.

Takeaway

AI and Cyber Resilience Dominate Immediate Risk Priorities

The WFE’s preliminary survey on quantum computing preparedness found that competing risks are consuming the bulk of organisational attention and investment.

In particular, generative AI-related threats are viewed as far more immediate. These include risks linked to fraud, market manipulation, social engineering and the automation of cyberattacks.

Cyber resilience more broadly also continues to rank at the top of industry risk assessments, reflecting concerns around operational outages, third-party dependencies and systemic cyber incidents.

This assessment is consistent with the WFE’s 2025 Annual Survey of Risks, where AI and cyber resilience were ranked as the highest risks by members for the second consecutive year.

Against that backdrop, many firms are hesitant to divert significant resources to quantum computing preparedness while standards continue to evolve and the practical threat remains distant.

The WFE said resourcing decisions should reflect proportionality, warning that over-emphasis on long-term risks could undermine efforts to manage threats that are already material.

Takeaway

Industry Lays Groundwork Without Overcommitting Resources

While quantum computing is not viewed as imminent, the WFE stressed that its members are not ignoring the issue.

Many platforms and CCPs have already begun preparatory work designed to support future migration, without committing disproportionate resources too ahead.

Steps already underway include active monitoring of regulatory guidance, vendor developments and progress in NIST standardisation. Several firms are incorporating quantum computing discussions into internal risk committees and cyber governance forums.

Some members have also carried out preliminary quantum risk assessments and are beginning to include quantum-secure encryption criteria in procurement and vendor evaluation processes.

Others are considering projects to map existing cryptographic assets, widely viewn as a necessary first step in any future transition roadmap.

At an industry level, the WFE is working with members to develop a best-practice guide on quantum transition, alongside a structured roadmap tailored to market infrastructures.

Takeaway

Call for Proportionate Regulatory Expectations

The WFE said the divergence between regulatory urgency and industry timelines risks creating misaligned expectations.

Nandini Sukumar, chief executive officer of the World Federation of platforms, said regulators need to recognise the practical constraints facing market infrastructures.

“While Quantum Computing readiness is undoubtedly significant, the migration to post-quantum cryptography remains a long-term undertaking, and the practical groundwork – planning, asset mapping, and vendor coordination – should be paced appropriately,” Sukumar said.

She added that near-term threats should remain the priority. “Whilst platforms recognise that Quantum Computing is a meaningful risk, regulators must understand that preparation should not deflect from more imminent risks related to AI and Cyber Resilience.”

The WFE’s message echoes broader industry concerns that regulatory focus can sometimes outpace technological readiness, particularly in areas where standards are still evolving.

Market participants argue that a coordinated, staged approach is more effective than mandates that assume rapid migration is feasible.

Takeaway

Balancing Long-Term and Near-Term Cyber Strategy

The debate around quantum computing preparedness highlights a broader challenge for financial market infrastructures: balancing long-term technological risks with immediate operational resilience.

platforms and CCPs operate critical systems where outages or breaches can have systemic consequences, making prioritisation a key element of cyber strategy.

As AI tools become more sophisticated and accessible, many firms believe the near-term risk landscape is evolving quicker than the quantum threat.

The WFE said it supports continued collaboration between regulators and industry to ensure preparedness efforts are realistic, coordinated and effective.

Over time, as standards mature and timelines become clearer, quantum computing is expected to move higher up the priority list. Until then, the federation argues, proportionality should guide supervisory expectations.

Takeaway

For now, the WFE’s message is clear: quantum computing demands attention, but not at the cost of neglecting AI-driven risks and cyber resilience challenges that are already testing the financial system.