FINMA ·

FINMA issues quantum computing guidance, expecting institutions to plan quantum-safe migration

Swiss financial institutions must build quantum-safe migration into their operational-risk processes — roadmap, cryptographic inventory and crypto-agility — to keep meeting FINMA's resilience requirements

Change
On 9 July 2026 FINMA published Guidance 05/2026 on quantum computing, stating that action is needed in many institutions' risk-management processes to continue meeting operational-risk and resilience requirements, and outlining measures including a migration roadmap to quantum-safe encryption, an institution-specific risk analysis, a cryptographic inventory, protection against 'harvest now, decrypt later' attacks, and a transition to crypto-agility.
Why it matters
FINMA's guidance ties quantum-safe migration to institutions' existing operational-risk and resilience requirements: it considers that numerous institutions must act in their risk-management processes to continue meeting those requirements. The outlined measures — documented migration strategy and roadmap, institution-specific risk analysis, a complete cryptographic inventory, protection of critical data against pre-harvested-ciphertext ('harvest now, decrypt later') attacks, involvement of external service providers, and a transition to crypto-agility — set out how FINMA expects institutions to address the risk. The survey of 60 Swiss financial institutions found awareness of the risk but a widespread lack of forward-looking migration planning.
Implications
  • Chief risk officers and operational-risk teams at Swiss financial institutions must build a documented roadmap for migrating to quantum-safe encryption into their risk-management framework — FINMA considers action necessary here for institutions to continue meeting operational-risk and resilience requirements, so absence of planning is a gap against those requirements.
  • Information-security and cryptography teams at Swiss financial institutions must create a cryptographic inventory and implement protections for critical data against 'harvest now, decrypt later' attacks — data not protected now can be captured for later decryption once cryptographically relevant quantum computers become available.
  • Third-party risk and vendor-management teams at Swiss financial institutions must obtain and assess external service providers' quantum-migration readiness and crypto-agility — unaddressed provider dependencies leave the institution's migration incomplete against FINMA's expectations.
Who is affected
  • Chief risk officers and operational-risk teams at Swiss financial institutions
  • Information-security and cryptography teams at Swiss financial institutions
  • Third-party risk and vendor-management teams at Swiss financial institutions
View on FINMA
Clarify this change

Grounded in this brief and its source — your questions stay private.

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Create a free account to keep clarifying

You asked:

You've used your free guest questions for now. A free account gives you more every month and saves your history — or start a Pro trial for unlimited Clarify and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

Free account: no card, ever. Pro trial: $29/month after 14 days, no card to start, cancel anytime.