2026-06-18

Added · Updated

Post-Quantum Cryptography Migration Reference Guide for the Financial Industry to Strengthen Preparedness for Quantum-Related Risks

The Financial Supervisory Commission (FSC) has released the Post-Quantum Cryptography (PQC) Migration Reference Guide for the Financial Industry to help financial institutions address cybersecurity risks from quantum computing and strengthen preparedness for quantum-related risks. This Guide provides key considerations and recommendations across areas such as governance, cryptographic asset inventory, crypto-agility, ecosystem collaboration, risk prioritization, supply chain management, and testing, enabling a risk-based and phased migration. It outlines seven strategic directions for PQC migration and suggests a phased implementation timeline, with initial governance and inventory work in 2026–2027, pilot testing and infrastructure upgrades in 2027–2029, and high-risk system migration through 2035.

Financial Supervisory Commission Taiwan logo

Taiwan

Financial Supervisory Commission Taiwan

Click to view thumbnail

:::

Bulletin Board

:::

HOME

Bulletin Board

Press Release

Press Release

_

FACEBOOK

Line

Twitter

Print Friendly

Previous

FSC releases Post-Quantum Cryptography Migration Reference Guide for the Financial Industry to guide financial institutions in strengthening preparedness for quantum-related risks

2026-06-18

To help financial institutions address the cybersecurity risks associated with the development of quantum computing technology, the Financial Supervisory Commission (FSC) has released the Post-Quantum Cryptography (PQC) Migration Reference Guide for the Financial Industry (hereinafter, “the Guide”). The Guide is intended to serve as a reference for financial institutions in planning and preparing for PQC migration. It provides key considerations and recommendations across such areas as governance mechanisms, cryptographic asset inventory, crypto-agility, ecosystem collaboration, risk prioritization, supply chain management, and testing and transition, enabling financial institutions to proceed with migration preparedness in a risk-based and phased manner.

At the end of 2025, the FSC released the Financial Operational Resilience on Cybersecurity Ecosystem Blueprint (FORCE-B). In this document, PQC migration was identified as one of the financial sector’s key initiatives. Given that financial services rely heavily on mechanisms such as identity authentication, transaction signing, interinstitutional connectivity, and data protection, continued advancements in quantum computing may pose risks to the security of existing public-key cryptographic systems. Such developments could give rise to threats such as “Harvest Now, Decrypt Later (HNDL),” where encrypted data is intercepted today and could be decrypted once quantum computing becomes sufficiently advanced, and “Trust Now, Forge Later (TNFL),” where currently trusted digital signatures or certificates could be forged in the future, potentially affecting transaction security, data confidentiality and integrity, and the stability of financial institution operations. It is therefore essential for financial institutions to initiate early planning and preparedness.

The FSC indicated that the Guide focuses on sector-specific application scenarios, interinstitutional dependencies, and the high-availability operational requirements of the financial industry. Toward these ends, it outlines seven strategic directions for PQC migration, as follows: 1. PQC policy and governance—integrating the risks of cryptography into overall enterprise risk management: PQC migration will be a long-term, multi-year, cross-departmental undertaking. Financial institutions should elevate quantum-related risks to the board level and consider this a strategic enterprise risk management issue. They should also establish a cross-functional PQC migration task force led by their chief information security officer (CISO), chief information officer (CIO), or equivalent executive, with clearly defined roles and responsibilities. 2. Inventory of cryptographic applications–establishing a Cryptographic Bill of Materials (CBOM): A cryptographic inventory should consist of a maintainable asset list linked to business use cases and external dependencies. A phased approach is recommended. It can start by addressing risks and priorities and be gradually expanded. Data quality must remain a core emphasis. Practical approaches could include establishing baseline inventories, adopting use-case-driven analysis, developing maintainable CBOMs, implementing layered inventory methodologies, and institutionalizing inventory processes, as well as leveraging AI and other automation tools. 3. Enhancing crypto-agility and eliminating cryptographic anti-patterns: In light of the evolving nature of PQC standards and products, migration strategies should not focus solely on one-time algorithm replacement. Instead, financial institutions should enhance crypto-agility to enable efficient and routine updates of algorithms and parameters. Cryptographic mechanisms should be modularized and supported by automated certificate management. Priority should also be given to addressing cryptographic anti-patterns, such as manual TLS certificate management, use of weak cipher suites, and hard-coded keys or certificates. 4. Establishing ecosystem collaboration and common risk profiles: Given the highly interconnected nature of the financial ecosystem, the Guide promotes cross-institutional alignment via a four-stage approach. Hub organizations (e.g., financial infrastructure entities) are expected to take a leading role by formulating ecosystem-level migration roadmaps and coordinating collaboration mechanisms. Key institutions may provide common inventory frameworks and risk profiles as reference baselines for adoption across the industry. 5. Risk-based prioritization of migration: Priorities for migration should be determined through a twin assessment framework addressing both “quantum risk scoring” and “migration timeline scoring.” These scores should be used to categorize systems by risk level and migration complexity, enabling prioritization and resource allocation. Constraints such as ecosystem-wide timelines should also be incorporated to develop executable, phased, verifiable, and continuously updatable migration roadmaps. 6.Enhancing procurement and supply chain management requirements: Financial institutions should incorporate PQC readiness and crypto-agility into their procurement, outsourcing, and contract management frameworks. Recommended practices include initiating PQC readiness assessments of key vendors; updating procurement, technical specification, and acceptance requirements; revising contractual provisions (e.g., responsibilities and service levels); establishing early remediation mechanisms for critical components; implementing joint validation processes; and using supply chain information to inform migration prioritization. 7. Establishing testing, transition, and operational resilience mechanisms: The secure deployment and stable operation of PQC or hybrid solutions will depend on effective testing governance, transition strategies, rollback planning, and observability. Such processes should be institutionalized to ensure repeatable, auditable evidence chains. This will reduce the risk of service disruption, interoperability failures, or exception handling during migration. Implementation may include structured approaches to testing governance, transition and rollback planning, monitoring and observability, and audit-ready documentation.

Regarding the implementation timeline, the Guide draws on migration roadmaps proposed by international organizations such as the National Institute of Standards and Technology(NIST), the G7, and FS-ISAC, as well as trends in the development of international standards. In it, a suggested phased approach is outlined:  Short-term (2026–2027): establish governance frameworks, inventory methodologies, cryptographic asset inventories, and foundational crypto-agility capabilities;  Medium-term (2027–2029): advance pilot testing, infrastructure upgrades, and joint testing mechanisms;  Medium- to long-term (through 2035): prioritize migration of high-risk and critical systems, and progressively expand migration scenarios.

The FSC noted that the current focus is on encouraging financial institutions and key suppliers to initiate early-stage planning and preparedness. Going forward, efforts will concentrate on three main areas: ecosystem alignment, supply chain governance, and pilot implementation and validation. This will include the formulation of ecosystem-level migration plans by hub organizations, the establishment or integration of common supply chain assessment and tracking mechanisms, and the promotion of pilot programs and experience sharing.

The FSC will continue to review and refine the implementation timeline and the contents of the Guide in response to technological developments, evolving standards, and industry practices. Through pilot testing, knowledge sharing, and ecosystem collaboration, the FSC aims to consolidate a common understanding and approach to PQC migration for the financial industry, enabling alignment with international trends and ensuring a smooth transition at the ecosystem level.

Contact: Information Services Department Tel: +886 2 8968 0806 For any further questions, please contact us through FSC MAIL

Update: 2026-06-30

:::

Privacy and Security Policy

Open Government Declaration

18F., No.7, Sec. 2, Xianmin Blvd., Banqiao Dist., New Taipei City 220232, Taiwan(R.O.C.)

Financial Supervisory Commission, R.O.C. Copyright © 2021

Representative Office in New York : 1 E.42 Street, 13F, New York, NY 10017, U.S.A. TEL:(1-212) 317-7326

Representative Office in London : 46-48 Grosvenor Gardens London SW1W 0EB, UK TEL:(44-20)7628-1501

Tel:886-2-8968-0899;Fax:886-2-8969-1215

Update Date:2026-06-30

Visitor: 12841741

Top