
Quantum Readiness: Why 2026 Will Be the Year of Encryption Audits

  • Writer: Giuliana Bruni
  • 4 days ago

Quantum readiness is no longer an abstract or academic concern. Most organisations are already aware that today’s cryptography has a shelf life, and that post-quantum transition is coming. Still, in many organisations, quantum risk sits in the category of “we’ll cross that bridge when we get there”, despite the fact that the bridge itself requires years of preparation.


This sense of deferred inevitability has been explored repeatedly in recent reflections on cryptography’s lifecycle: algorithms do not fail suddenly, they age quietly, often remaining in production long after their original assumptions no longer hold.


This is why 2026 matters. Not because quantum attacks suddenly become practical, but because governments have moved from signalling intent to setting transition structures. The European Commission’s coordinated roadmap for post-quantum cryptography makes it explicit that the early phase is discovery and inventory, with Member States expected to begin concrete transition activities by 2026. That phase assumes organisations already know their cryptographic dependencies, or are actively building that knowledge now.


The same logic appears in the UK and the US. The UK National Cyber Security Centre frames the post-quantum transition as a multi-stage process starting with discovery and planning, long before any algorithm replacement is expected. In the US, NIST has already finalised its first post-quantum cryptography standards and published guidance on how organisations should approach migration. You cannot plan a transition if you do not know what you are transitioning from.


Many organisations acknowledge the problem, but lack a starting point. They do not know which teams own cryptographic decisions, which dependencies introduce encryption indirectly, or which systems will be hardest to change. Encryption is still treated as an implementation detail. That is why the default response becomes postponement. 

This “invisible encryption” problem is particularly acute in environments where cryptography arrives indirectly through open source libraries or long-lived components, a dynamic examined in “What Happens When Encryption Expires”.


In reality, postponement increases risk. Not because quantum computers will suddenly break everything tomorrow, but because discovery takes time, coordination takes time, and budgeting follows visibility. By the time “we’ll deal with it later” turns into “we need answers now”, organisations often find themselves constrained by legacy products, supplier contracts, and undocumented dependencies.


This is where encryption audits come in, as the only credible entry point. An encryption audit establishes facts: which algorithms are used, where they are implemented, how they enter the codebase, and whether any are already considered weak or problematic. It turns quantum readiness from a vague future concern into a governed, manageable programme.


This shift is already visible in how organisations are approaching tooling. Rather than waiting for full post-quantum migrations, teams are investing in cryptographic detection and inventory capabilities that can surface where and how encryption is actually used. The joint work SCANOSS is doing with IBM on cryptographic intelligence reflects this direction: prioritising detection and classification before any migration decisions are made, particularly for cryptography introduced via open source.


Seen this way, 2026 is not a deadline. It is the point at which organisations that delayed discovery will feel the cost of that delay, while those that invested early will still have room to choose, prioritise, and adapt. The clock is ticking not because of panic, but because complexity does not disappear just because it is postponed.


As explored in “A Personal Reflection on Obsolete Algorithms and the Coming Age of Exposure”, transparency in this context is operational. Auditability becomes the mechanism through which trust is maintained as cryptography evolves.


Quantum readiness, then, is not about fear. It is about recognising that the bridge cannot be crossed at speed — and that the only mistake left is waiting until you are already standing at its edge.

 
