Quantum-safe Digital Infrastructures: Challenges and Solutions for Governance

As quantum computers grow in capability, the cryptographic systems protecting most of the world’s digital infrastructure face a fundamental threat. The “harvest now, decrypt later” attack - collecting encrypted data today to decrypt it once a sufficiently powerful quantum computer exists - means the threat is already operational for long-lived sensitive data, even before quantum computers are powerful enough.

This course equips policy makers, managers, and governance professionals to understand the quantum threat and lead their organisations through the transition to quantum-safe digital infrastructure. Complementary to the technical course - together they form a comprehensive view of the quantum-safe transition challenge.

What you’ll learn

• What Shor’s algorithm does and why it threatens RSA, elliptic curve cryptography, and Diffie-Hellman key exchange - explained without requiring cryptographic expertise
• The harvest now, decrypt later threat: why sensitive data with long confidentiality lifetimes is at risk now, not just when quantum computers become powerful
• NIST post-quantum cryptography standardisation: what standards were finalised in 2024, what they replace, and why their adoption is urgent
• Quantum risk assessment: how to audit your organisation’s cryptographic dependencies, identify sensitive data with long lifetimes, and prioritise migration
• Governance frameworks for quantum-safe transition: policies, decision-making structures, procurement requirements, and board-level reporting
• The regulatory landscape: EU, US, UK, and other governmental guidance on quantum-safe requirements and timelines
• How to develop and communicate a quantum-safe roadmap to leadership and boards in clear, non-technical language
• How to engage effectively with technical teams and external vendors on quantum-safe implementations, asking the right questions
• International standards bodies and their roles: NIST, ETSI, ISO, and what compliance with their guidance means practically

Course structure

The course runs at four to five hours per week. It is explicitly designed for governance professionals without deep technical backgrounds - analogies and concrete examples replace cryptographic mathematics throughout.

The opening module establishes the threat without requiring technical knowledge. You understand why quantum computers threaten encryption through the concept of computational hardness and what Shor’s algorithm changes about it.

The risk assessment module covers how to audit your organisation’s cryptographic footprint: which systems use public-key cryptography, which data has long confidentiality requirements, and how to prioritise migration accordingly.

The governance frameworks module covers organisational structures and policy language: what a quantum-safe policy looks like, how to embed quantum risk into enterprise risk management, and what procurement clauses to add.

The regulatory landscape module reviews current and emerging government guidance from NIST, ENISA, and national bodies. You understand what compliance means and how to demonstrate it.

The final module focuses on communication and leadership: making the case for quantum-safe investment, managing the transition programme, and building the internal capability to sustain the migration.

Who is this for?

• CISOs and IT governance leaders building a quantum-safe strategy
• Policy professionals in government agencies, regulators, or standards bodies
• Risk and compliance officers assessing quantum threats to data security
• Board members and senior executives who need to understand the quantum threat without getting lost in cryptography
• Legal professionals advising on data protection and compliance obligations

Prerequisites

No technical background in cryptography, quantum physics, or information security is required. The course provides all necessary technical context through accessible explanations. Familiarity with organisational risk management (enterprise risk frameworks, policy development) is helpful. Some exposure to information security governance concepts (ISO 27001, GDPR, NIS2) is useful but not required.

Hands-on practice

The course uses scenario-based exercises rather than technical problem sets. You will:

• Work through a quantum risk assessment for a fictional financial services organisation
• Develop a prioritisation framework for quantum-safe migration across a multi-system technology landscape
• Review and critique draft quantum-safe policy language for completeness and clarity
• Prepare a board-level briefing document on quantum risk and recommended actions
• Analyse a case study of a government agency’s quantum-safe transition programme

Discussion forums allow you to apply course concepts to your own organisational context with peer feedback.

Why take this course?

The quantum threat to encryption is real, has a credible timeline, and is already causing governments and major organisations to act. NIST published its first post-quantum cryptography standards in 2024. The EU’s NIS2 directive addresses quantum risk. Major financial services regulators are beginning to issue guidance.

Organisations that wait until the threat is imminent before beginning their migration will face a far more costly and risky process than those who plan now. This course provides the governance knowledge to act proactively - and the Delft University pedigree gives its content credibility in conversations with technical teams, regulators, and leadership. The companion technical course covers cryptographic and infrastructure details for teams that need them.