Quantum security in education and research: awareness is there, action is needed

In the spring of 2026, SURF presented a short questionnaire to more than 50 security professionals from vocational colleges, universities of applied sciences, universities and research institutions. The key questions were: to what extent is the topic of quantum security on people’s minds, what makes it difficult to get started, and what would help to take further steps? In this article, you can read the main findings.

Awareness of quantum security is limited within organisations

The survey reveals that, in most organisations, knowledge of quantum technology and cybersecurity is still limited to a small group of specialists. For nearly a third of respondents, the topic is scarcely known within their own organisation – not even at management or board level. This makes it difficult to prioritise internally something that still feels abstract.

Impact of quantum technology unclear

That sense of abstraction is understandable. Quantum technology is a complex subject, and the timeline is uncertain. Some respondents compare it to the Y2K problem: everyone knows something is coming, but no one knows exactly when it will materialise or what the actual impact will be on current encryption standards.

‘Store-now, decrypt-later’: why quantum is already a risk

Yet there is a key difference from a future risk: ‘store-now, decrypt-later’ is already happening today. Encrypted data and data traffic using current encryption standards can already be intercepted and stored, to be decrypted later – as soon as quantum computing makes this possible.

This is something to consider right now, particularly for data that must remain confidential for the long term, such as research data, personal data or intellectual property. In addition to this immediate risk, there is the future risk that quantum computing will become widely available as a means of attack. The question is not whether you should do something, but whether you are preparing in time for quantum security and post-quantum cryptography.

Dependence on suppliers in post-quantum cryptography

Another risk mentioned by several respondents is dependence on external suppliers. Many organisations have little insight into what their cloud providers and software partners are doing in the field of quantum security and post-quantum cryptography – and how to engage in dialogue about this as an organisation.

Some respondents raise a more fundamental question: if encryption will soon no longer offer the protection we expect from it, shouldn’t we also rethink how we handle data?

Quantum security: looking for a starting point

Of the respondents, 69% indicate that their own institution is not currently actively engaged in quantum security. The main reason is not unfamiliarity with the risk, but competition with other obligations: the Cyber Security Act (Cbw) and the future of the SURFaudit Information Security Assessment Framework are currently demanding a great deal of attention. Quantum comes on top of that, and that makes prioritisation difficult.

Institutions are not yet taking concrete steps towards post-quantum cryptography

Of the institutions that are indeed exploring the issue, activity is limited in almost all cases to monitoring developments. Concrete steps – an impact analysis, coordination with suppliers, or a pilot – are still rare.

The will to move forward is there, but the starting point is missing. Where do you begin, how do you create internal urgency, and how do you prioritise this alongside everything else already on the agenda? These are the questions that keep coming up.

Anticipating incidents

For most cybersecurity risks, an incident is a painful but effective wake-up call. Following a ransomware attack, budgets are released, processes are tightened and policies are reviewed. That logic – reacting after an incident – is often reflected in how the sector approaches security.

With quantum, it works differently. The moment a quantum incident becomes apparent is not the start of the problem – it is the end of the preparation time. The data that is then decrypted was intercepted years ago. The encryption that is then cracked should have been replaced long ago.

Quantum security: a different way of thinking

A transition to post-quantum cryptography takes time: time to map systems, consult suppliers, test solutions and carry out migrations. That time is no longer available once an incident occurs.

Quantum therefore calls for a different way of thinking about risk and urgency. Not reacting, but anticipating. Not waiting for the trigger, but starting preparations before that trigger occurs.

This is what institutions expect from SURF regarding quantum security

75% of respondents indicate that they would benefit most from clarification: when is action realistically necessary, for which systems and data, and on what timeline? In addition, they are asking for a concrete step-by-step plan tailored to the sector, examples of what other institutions are already doing, and sector-wide coordination.

How SURF will help institutions with quantum security

SURF is taking these findings as a starting point. In the coming period, we will be working on clarifying the timeline and urgency, in collaboration with parties who can provide more substantive input on these matters. We will bring together institutions that are already taking their first steps, so that experiences can be shared. And we will use the findings of this survey as a basis for our further development of this theme.

Would you like to contribute your ideas or share your experiences in the field of quantum security? Please send an email to sec@surf.nl.

The original article can be found on the website of the Security Expertise Centre (the article is in Dutch).