UK, Ireland lag on quantum-safe crypto as certs shrink

Entrust has published research that points to slow preparation in the UK and Ireland for post-quantum cryptography, with many security teams reporting difficulty managing keys and certificates as certificate lifetimes shorten.

The study, carried out by the Ponemon Institute, surveyed more than 4,000 IT and security professionals worldwide. It included 573 respondents in the UK and Ireland. The findings focus on readiness for post-quantum cryptography and on operational pressure from shorter digital certificate validity periods.

Two-thirds of UK and Ireland respondents, or 68%, said their organisations had not started preparing for the post-quantum threat. The study puts the global average at 60%.

Quantum timelines

Half of UK and Ireland cybersecurity practitioners surveyed, or 50%, said they believe a quantum computer capable of breaking RSA and ECC encryption will emerge within five years. A larger group, 78%, said they expect this within the next decade.

The report also references the National Cyber Security Centre roadmap on post-quantum cryptography. It sets milestones to complete high-priority migrations by 2031. It also sets a further milestone to finalise the transition for all systems, services and products by 2035.

Respondents said a successful quantum attack would have high consequences for long-lived data. The most cited concern was exposure of long-term sensitive data such as health records and trade secrets, at 63%. The second concern was loss of access to encrypted critical infrastructure, at 52%.

"The fact that 68% of UK&I respondents report that their organizations are not preparing to transition to post-quantum cryptography is a sign that the cryptographic landscape is changing faster than most organizations can keep up," said Greg Wetmore, Vice President of Product Development, Entrust. "The clock is ticking, and the solutions are available now so enterprises can't afford to delay action. It's not a question of 'Will quantum computers disrupt us?' but 'How quickly can we adapt our infrastructure to withstand what's coming?'"

Certificate pressure

The research highlights a second deadline linked to the shrinking lifetime of public trust certificates. It cites a CA/Browser Forum mandate that moves certificate validity windows from 398 days to 200 days, then to 100 days, and then to 47 days by 2029.

Shorter validity periods increase the frequency of certificate renewals for organisations that run public-facing web services. Teams often manage certificates across multiple environments and suppliers. Failures in renewal processes can lead to service outages when certificates expire.

The study suggests that many organisations still lack visibility into where certificates and keys sit across their estates. It also points to difficulty in keeping an accurate inventory of cryptographic assets and their expiry dates.

In the UK and Ireland sample, 92% of respondents described the management of cryptographic assets as difficult, very difficult, or extremely difficult. The report says this is the highest rate of difficulty across the countries surveyed.

Budget barriers

UK and Ireland respondents also flagged constraints around investment. Budgetary concerns emerged as the most cited blocker to quantum preparation, at 42%. The report states that this was higher than the global average of 39%.

Operational fragmentation also featured. In the UK and Ireland, 49% of respondents said isolated and fragmented systems make credential management difficult. A further 49% cited a lack of clear understanding of requirements.

The survey asked respondents to rate the adequacy of government policy and public-private coordination on quantum readiness. UK and Ireland respondents gave the lowest average score among the regions included in the study, at 4.86 out of 10. The report compares this with 5.72 in Singapore, 5.42 in Canada and 4.98 in the US.

"The gap between awareness of the quantum threat and action is widening. Teams around the world are struggling with the same foundational challenges: limited visibility into their keys and certificates, scarce expertise, and operational constraints that make it difficult to transition at the pace required," said Mike Baxter.

"The path forward starts with building cryptographic visibility and automation. Then it becomes about implementing quantum safe cryptographic infrastructure with PQ-ready HSMs and PQ-ready PKI, which are the fundamental building blocks organizations require to address the quantum threat. With these tools in place, organisations can begin implementing PQC to safeguard their organisations before quantum computers make traditional encryption obsolete," said Baxter.

Entrust sells hardware security modules, public key infrastructure products and certificate lifecycle management tools. The company positions these areas as relevant to both post-quantum planning and the move to shorter certificate lifetimes.

The survey covered respondents in the United States, Canada, the United Kingdom and Ireland, DACH, Indonesia, and Singapore. It included participants from financial services, healthcare, manufacturing, technology and the public sector.

The report's findings suggest UK and Ireland organisations face a combination of low post-quantum programme starts, persistent cryptographic asset management issues and funding constraints, while certificate validity windows continue to narrow over the coming years.