Quantum computers could break your encryption. Here's what the government's new research says you should do about it

The government has just published a major research report on quantum computing and encryption. It contains a warning that every business owner needs to understand — and a clear recommendation on what to do.

At Prestige Cyber Guard, we keep a close eye on what's coming next in cyber security — not just the threats businesses face today, but the ones that are on the horizon. The Department for Science, Innovation and Technology (DSIT) published a significant piece of independent research this month on Quantum Key Distribution. It's a long, technical document. Here's what it actually means for your business in plain English.

First, the threat you need to understand

Right now, most of the encryption that protects your data — your emails, your financial transactions, your cloud storage, your website's HTTPS connection — relies on mathematical problems that are extremely hard for today's computers to solve.

Quantum computers are different. They don't solve problems the same way classical computers do. And the concern — well-established in the research and security communities — is that a sufficiently powerful quantum computer could break the mathematical foundations of current encryption methods.

This isn't happening tomorrow. But it isn't science fiction either. The government is funding research into this threat right now because the timeline to when it becomes a real-world risk is uncertain — and because some of the most sensitive data being transmitted today could be harvested by adversaries now and decrypted later, once quantum computing matures.

The government calls this the "harvest now, decrypt later" problem. If someone is collecting your encrypted communications today with the intention of reading them in five or ten years when the technology exists to break the encryption, that's a risk that exists right now — even before quantum computers arrive.

What is Quantum Key Distribution?

Quantum Key Distribution (QKD) is one approach to solving this problem. Rather than relying on mathematical hardness, it uses the fundamental laws of quantum physics to distribute encryption keys in a way that makes eavesdropping detectable.

The principle is elegant: if anyone intercepts a quantum communication, the act of interception disturbs the quantum state and alerts both parties. The key exchange can't be silently observed.

Current QKD does not constitute a single technology, but a family of approaches that vary in hardware, protocols, and network architecture and are at varying stages of technical and commercial maturity. Most systems currently in use are point-to-point implementations over fibre or free-space optical links — essentially, they work between two specific locations connected by a dedicated link.

What the government's research found

DSIT commissioned independent researchers to interview 38 experts across the QKD field — technology suppliers, end users, academics, and cyber security professionals. Here's what they found:

QKD is real, but it's early stage. There are only a small number of current end-users of QKD globally outside academia, with these confined to banking and aerospace. For all examples identified, QKD use is limited to research, testbeds, and pilot deployments rather than fully-fledged operational systems.

QKD is not the government's recommended approach right now. This is the most important point for most businesses. At present, the UK National Cyber Security Centre (NCSC) advises post-quantum cryptography (PQC) as the preferred approach. The NCSC does not support the use of QKD for government or military applications at this time.

Most experts expect QKD to complement, not replace, other security. Most interviewees expect QKD to be deployed as an additional security layer alongside PQC and conventional controls.

The future is uncertain but three scenarios are likely. QKD's value proposition and commercial model is still uncertain, though there was a broad consensus that QKD was unlikely to become a dominant or standalone security technology. It may become part of hybrid post-quantum security solutions, remain a niche solution for high-value point-to-point connections, or not be adopted widely at all.

So what should your business actually do?

For the vast majority of UK SMEs, QKD is not something you need to worry about deploying right now. It requires specialist hardware, it's expensive, it's limited in range, and the government's own security centre isn't recommending it yet.

What you do need to understand is the broader picture — and start thinking about post-quantum cryptography (PQC).

PQC is different from QKD. It doesn't require new hardware. It works at the software level and can be implemented within existing networks. It uses new mathematical approaches that are resistant to quantum computing attacks. The US National Institute of Standards and Technology (NIST) finalised its first set of post-quantum cryptographic standards in 2024, and the NCSC is actively guiding UK organisations towards migration planning.

For most businesses, the practical steps are:

Right now — get your basics right. The quantum threat is a future concern. The threats that are costing UK businesses money today are phishing emails, unpatched systems, weak passwords, and misconfigured devices. These are the threats Cyber Essentials is designed to close. If you haven't got the fundamentals in place, that's where to start.

In the next 1–2 years — understand your cryptographic exposure. Start mapping what encryption your business relies on. Your website certificate, your email encryption, your VPN, your cloud provider's security. Not to replace them immediately, but to understand what a migration to post-quantum standards would involve when the time comes.

In the next 3–5 years — plan your migration to PQC. Most major technology providers — Microsoft, Google, AWS — are already building post-quantum capabilities into their platforms. Staying current with your software and cloud providers will go a long way towards managing this transition naturally.

Why this matters even if you're a small business

You might be thinking: this feels like a problem for banks and governments, not for a business my size.

The government's report makes clear that the initial QKD users are in banking and aerospace — high-value targets with sensitive long-term data. But the underlying threat — that current encryption may eventually be breakable — applies to any organisation that transmits sensitive data.

And here's the supply chain angle that matters right now: the organisations you work with, supply to, or buy from are increasingly being asked to demonstrate robust cyber security practices. The shift towards post-quantum readiness will follow the same path that Cyber Essentials has — starting with regulated sectors and large organisations, then cascading into supply chain requirements for their smaller partners.

Being ahead of that curve, understanding the landscape, and being able to speak confidently about your security approach is a genuine commercial differentiator.

The government's three policy recommendations

For businesses and technology providers interested in the detail, DSIT's research makes three policy recommendations:

1. Fund an assurance infrastructure for QKD — standards, testing protocols, and certification processes so that when QKD is deployed, there's a framework to verify it's genuinely secure.

2. Support QKD demonstrators and trials — making demonstration capabilities available to commercial and government users to build real-world understanding.

3. Increase awareness of post-quantum threats — awareness of the post-quantum threat, and the potential implications of using quantum technologies like QKD as part of the solution to address it, appears to vary, and misconceptions about its strengths and weaknesses remain even among those who are reasonably well-informed.

That third recommendation applies directly to businesses. The more informed you are now, the better placed you'll be to make good decisions as this technology matures.

Start with the fundamentals

The quantum computing threat is real and the government is taking it seriously. But for most UK SMEs, the most impactful thing you can do today isn't research into QKD — it's making sure you have the cyber security basics right.

Unpatched systems. Weak passwords. No antivirus. Open firewall ports. These are the vulnerabilities that are costing UK businesses money right now, today. Cyber Essentials closes those doors.

If you'd like to understand where your business stands across all five Cyber Essentials controls — for free, in under a minute — our checker tool is available at the link below. And if you'd like a conversation about what certification involves and how to plan for the longer-term security landscape, we're always happy to help.

Get in touch: 📧 hello@prestigecyberguard.co.uk 🌐 www.prestigecyberguard.co.uk

Source: Quantum Key Distribution Research Report, Department for Science, Innovation and Technology, published June 2026. This blog represents Prestige Cyber Guard's plain-English interpretation of the report findings and does not represent HM Government policy.