Daily Research Notes

Agentic artificial intelligence is used to construct our daily research notes, which serve as a daily directional briefing for our team discussions. We are working to improve citation mechanisms and linking to articles.

Defence and Space Quantum Security 10 min read

CNSA 2.0 Rollout Timeline: A Supplier's Perspective

The 2025 milestone dates in the CNSA 2.0 transition timeline are not future planning items. For any defence supplier with an active national security system programme contract, those dates are now in the past. Suppliers reading this in mid-2026 who have not yet started on their applicable product categories are behind the NSA's published schedule.

Industry-Specific Quantum Risk 12 min read

Financial Institution PQC Readiness: The Five Pillars

Financial institutions face a more complex PQC readiness problem than most sectors. The combination of live regulatory obligations, unusually long data retention requirements, and high adversarial interest in financial records produces a risk profile where the standard enterprise migration timeline is insufficient. The pillar framework below gives CISO, CTO, and CRO audiences a structured tool for assessing programme status and communicating it to boards.

HNDL Risks 9 min read

The Mosca Inequality Calculator: A Walkthrough for CISOs

CISOs are asked to justify PQC migration investment against uncertain timelines, crowded security budgets, and a board that wants to understand the risk without understanding lattice cryptography. The Mosca inequality is the most concise argument that exists for starting now. Three variables. One calculation. If the sum of two exceeds the third, the organisation is already behind.

Defence and Space Quantum Security 9 min read

Defence Supplier PQC Compliance: CMMC Readiness

CMMC has been a moving target for years. The final rule (32 CFR Part 170) was published in October 2024 and became effective December 2024. Most contractors are still focused on achieving compliance with all 110 practices under NIST SP 800-171 Rev 3 at Level 2. Post-quantum cryptography is not on most CMMC compliance roadmaps. That is a defensible near-term prioritisation. But PQC migration is a long-lead-time programme, and the compliance window is narrowing.

Defence and Space Quantum Security 10 min read

CNSA 2.0 Suite Implementation: A Detailed Walkthrough

The CNSA 2.0 preferred dates for software and firmware signing (2025) and network equipment (2026) have either passed or are current. This article covers the implementation problem: how to deploy ML-KEM-1024 and ML-DSA-87 correctly across the range of protocol contexts in an NSS-connected system, where FIPS 140-3 validation requirements gate deployment, and what sequencing gets organisations to compliance without rework.

PQC Migration and Algorithm Selection 9 min read

FIPS 203 and 205 Implementation: C and Rust Library Maturity

Selecting ML-KEM or SLH-DSA as your post-quantum algorithm is the easy part. This article maps which C and Rust libraries implement the final FIPS 203 and 205 specifications, their FIPS 140-3 validation status, and how to apply a five-criterion selection framework for your deployment context.

Steven Vaile
PQC Migration and Algorithm Selection 10 min read

PQC Migration Strategy Roadmap for Cybersecurity Leaders

In most organisations where PQC has reached the CISO's desk, the problem is the same: they have a list of exposures and no structure for acting on it. This article provides the programme architecture: the five-phase model, dependency structure, governance outputs, and what the board needs to see.

Steven Vaile
Industry-Specific Quantum Risk 11 min read

Critical National Infrastructure: A Quantum Security Sector Protection Roadmap

The distinctive concern for CNI operators is not data confidentiality alone. It is operational continuity. A compromised authentication channel in an energy SCADA system does not produce a data breach notification; it produces a substation failure. This roadmap addresses the sector-specific constraints, regulatory frameworks, and migration sequencing that apply to CNI operators across energy, transport, water, and financial market infrastructure.

Supply Chain Quantum Security 10 min read

PQC Supply Chain Risk: Evaluating Vendor Quantum Readiness

An organisation's post-quantum cryptography migration plan is only as strong as its most cryptographically exposed supplier. When your own TLS endpoints are protected but your cloud ERP vendor still terminates connections with RSA-2048 key exchange, the harvest-now-decrypt-later risk for data in transit through that vendor is not mitigated by your own migration. This guide provides a structured five-question framework for evaluating vendor quantum readiness.

Compliance and Regulation 9 min read

NIS2 and Quantum Risk: Closing the Gap in Your Cyber Resilience Plan

NIS2 does not specify algorithms. What it does require, under Article 21(2)(h), is that entities implement the use of cryptography and, where appropriate, encryption as part of their cybersecurity risk management measures. The gap most compliance programmes have is treating that requirement as satisfied by existing TLS and VPN deployments, without assessing whether those deployments remain adequate against a cryptographically relevant quantum computer.

Compliance and Regulation 10 min read

DORA Implementation Guide: A Step-by-Step Plan for Financial Services CTOs

The Digital Operational Resilience Act entered into application on 17 January 2025. Unlike GDPR, there was no two-year run-up between publication and enforcement. The obligations became live on a single date, and they apply directly across all EU member states without national transposition. This guide maps the five implementation steps CTOs and CISOs at EU financial entities need to work through, with specific article references and cryptographic resilience obligations included.

PQC Migration and Algorithm Selection 10 min read

Key Encapsulation Mechanisms Explained for Security Architects

Most post-quantum cryptography literature describes ML-KEM as "the NIST post-quantum key exchange." That framing is close enough for a headline, and wrong enough to cause real implementation errors. ML-KEM is not a key exchange protocol in the sense that ECDH is. It is a key encapsulation mechanism, a formal cryptographic primitive with a different API, a different security model, and different composition properties.

Steven Vaile
PQC Migration and Algorithm Selection 9 min read

Post-Quantum TLS: What Changes and What Stays the Same

Post-quantum TLS migration changes two things: the key exchange algorithm and, eventually, the certificate signature algorithm. The record layer, the handshake state machine, session resumption, and OCSP stapling are structurally unchanged. An engineer who understands what is not changing is in a much better position to sequence the migration.

Steven Vaile
Defence and Space Quantum Security 9 min read

CNSA 2.0 for Defence Contractors: Which Obligations Apply to Your Programmes

The common problem in defence contractor CNSA 2.0 planning is not a lack of awareness that the requirement exists. It is the gap between knowing it exists and knowing which specific programmes it applies to, which milestones are immediately operative, and how CNSA 2.0 interacts with CMMC certification.

Steven Vaile
HNDL Risk 9 min read

The Data Lifetime Problem: When Encryption Decisions Outlast the Threat Model

Every encryption decision is made against the threat model that exists at that moment. The data it protects may need to remain confidential for a decade beyond that point. This article applies the Mosca inequality to classify existing encryption decisions as immediate, deferred, or irreversible, with worked examples across NHS records, ICS firmware, and enterprise email archives.

Steven Vaile
Governance 9 min read

Quantum Security Governance: Building a Board-Level Framework

Quantum risk briefings are now common at board level. Governance is not. This article sets out a five-element framework using NIST CSF 2.0 as the governance architecture, covering named accountability, CBOM as the Map deliverable, board-level metrics, escalation protocols, and regulatory obligations under NIS2, ISO 27001, and SEC 17 CFR 229.106.

Steven Vaile
HNDL Risks 10 min read

HNDL in Financial Services: Regulatory and Operational Implications

Financial services institutions hold the data categories with the longest regulatory retention periods, are documented targets of nation-state cyber operations, and already operate under ICT risk management frameworks carrying technology-currency obligations on cryptography. The interaction of these three factors means HNDL is not a future consideration for this sector.

Steven Vaile
Compliance 11 min read

CNSA 2.0 Compliance Guide: What US Defence Contractors Must Do

The NSA's preferred schedule had 2025 as the target year for software and firmware signing. That date has passed. This article works through each CNSA 2.0 requirement as a compliance guide: what the mandate actually requires, where contractors stand in 2026, and how to sequence the work from cryptographic inventory through to RMF documentation.

Steven Vaile
Risk Assessment 9 min read

How to Calculate Your Organisation's HNDL Exposure

Harvest-now-decrypt-later exposure is calculable, not qualitative. An organisation that knows its network topology, data retention requirements, and current key exchange algorithms can produce a scored HNDL exposure assessment for any system in its estate. This article explains the I x L x A calculation methodology, works through three concrete examples, and shows how the score drives migration priority sequencing.

Steven Vaile
Strategy 10 min read

The PQC Readiness Checklist Every CISO Should Run Through

Post-quantum cryptography readiness has a specific structure. Six areas must all advance for a migration to succeed: cryptographic discovery, algorithm selection, programme management, hybrid deployment, governance, and supply chain coverage. This 16-item checklist provides the self-assessment instrument every CISO needs before the 2028 Phase 1 deadline.

Steven Vaile
Compliance 9 min read

NCSC PQC Migration Guidance: The UK Position Explained

On 20 March 2025 the NCSC published its first dedicated PQC migration timeline, setting milestones at 2028, 2031, and 2035. For operators of essential services under the UK NIS Regulations 2018, those dates define the technical baseline competent authorities will use. This article explains what each phase requires, how it connects to UK legal obligations, and why 2028 is the milestone that demands attention now.

Steven Vaile
Compliance 11 min read

How DORA Shapes Quantum Security Preparedness in Financial Services

DORA's ICT risk management obligations are live. This article maps the specific Articles 6 and 9 obligations and their RTS implementations to post-quantum cryptography requirements, and provides a five-component programme linking each deliverable to the DORA Article it satisfies.

Steven Vaile
Technical 10 min read

ETSI Quantum Safe Cryptography Standards: A Guide for European Organisations

For organisations operating in the EU, ETSI standards are not an alternative to NIST — they are the regulatory translation layer. This article maps the three primary ETSI quantum-safe cryptography documents, explains where each fits in the European regulatory structure, and addresses the naming problem that continues to cause confusion.

Steven Vaile
Strategy 9 min read

The CISO's Case for Quantum Security Investment in 2026

The board case for PQC investment changed materially in August 2024 when NIST published final standards and opened the deprecation clock. This article gives CISOs the framing, the financial exposure proxies, and the specific investment ask needed to move quantum security from the risk register to the project list.

Steven Vaile
Strategy 9 min read

Long-Lived Data and Quantum Risk: What to Protect First

Not all data needs migrating at the same urgency. This article applies the Mosca inequality to specific data categories with specific confidentiality lifetimes and migration complexity estimates, so organisations can tell their board which data is exposed, why, and in what order to act.

Steven Vaile
Compliance 10 min read

What the EU Cyber Resilience Act Means for Quantum-Vulnerable Products

The EU Cyber Resilience Act's main conformity obligations apply from December 2027. For manufacturers whose products use quantum-vulnerable cryptography, that date is closer than it sounds. This article maps the essential requirements, which product categories are most exposed, and what to do before the conformity deadline.

Steven Vaile
Compliance 9 min read

Why Your GDPR Data Retention Schedule Needs a Post-Quantum Review

The obligation to protect personal data with measures 'appropriate to the risk' under UK GDPR Article 32 includes the current threat model. That model now includes harvest-now-decrypt-later attacks. The compliance exposure attaches today, not at Q-Day. This article explains what DPOs and CISOs need to do.

Steven Vaile
Migration 8 min read

How to Build a Cryptographic Asset Register for Your Organisation

The most common reason PQC migration programmes stall at planning is the absence of a reliable answer to one question: what cryptographic assets do we actually have? A Cryptographic Bill of Materials (CBOM) solves that. This article describes how to build one, from discovery through to maintained programme tracking.

Steven Vaile
Compliance and Regulation 11 min read

PQC Compliance Readiness: A Gap Analysis Framework for Security Teams

Multi-framework PQC compliance is the problem most organisations face in 2026. NIST IR 8547, CNSA 2.0, DORA, and NIS2 share a technical foundation but differ in scope, parameter requirements, and timeline. This article provides a structured gap analysis methodology for organisations operating across multiple frameworks simultaneously.

Steven Vaile
HNDL Risk 9 min read

HNDL Risk Assessment Framework for Enterprise Security Teams

The Harvest Now, Decrypt Later attack is not a theoretical concern for 2033. The interception is happening now. This article sets out a five-component operational framework for assessing HNDL risk against your data estate, producing a prioritised migration register, a transmission exposure map, and a remediation roadmap.

Steven Vaile
Compliance and Regulation 9 min read

Quantum Risk on the Board Agenda: A Practical Guide for CISOs

Getting quantum risk onto the board agenda is not the hard part. Most boards will hear "governments are retiring current encryption standards by 2030" and accept that it warrants attention. The hard part is giving the board something they can actually govern. A risk statement without a measurement, a cost without a migration plan, a compliance obligation without a timeframe — none of these produces a decision.

Steven Vaile
PQC Migration 9 min read

ML-KEM Key Sizes and Performance: What Enterprise Architects Need to Know Before Deployment

FIPS 203 defines three parameter sets for ML-KEM. The choice between them carries real implications for performance, security margin, and integration architecture. This article works through what each set provides, where the actual performance cost sits (not where architects typically assume it sits), and which set belongs in which deployment context.

Steven Vaile
Compliance and Regulation 8 min read

NIS2 and Post-Quantum Cryptography: The Gap in Your Cyber Resilience Plan

Most NIS2 implementation programmes treat cryptography as a checklist item: TLS version current, certificates valid, data encrypted at rest, multi-factor authentication deployed. That checklist addresses your present state. It says nothing about whether the cryptographic controls protecting your most sensitive data will still be adequate in 2033, when the threat environment changes in a fundamental way.

Steven Vaile
HNDL Risk 9 min read

Which Data Is Most at Risk from HNDL Attacks Today

Not all encrypted data is equally exposed to Harvest Now, Decrypt Later attacks. A retail transaction from last Tuesday carries effectively no HNDL risk. A genomic database record from the same day may carry HNDL risk for the lifetime of the person it describes. This article provides a structured framework for identifying which data categories in your organisation warrant immediate action.

Steven Vaile
PQC Migration 9 min read

PQC Migration Timeline: What to Do in 2025, 2026, 2027, and Beyond

The waiting period is over. NIST finalised FIPS 203, 204, and 205 on 13 August 2024. The NCSC published its phased UK migration timeline in March 2025. This article works through what must happen in each phase from 2025 through 2033, identifies the dependencies that make sequencing non-trivial, and closes with a framework for deciding which systems to migrate first.

Steven Vaile
PQC Standards 9 min read

FIPS 203, 204, and 205: An Enterprise Implementation Decision Map

Knowing what each NIST post-quantum standard requires is the first problem. Sequencing them correctly is the second. This article provides the decision logic for which standard to implement first and how to avoid the dependency traps that stall most PQC migration programmes.

Steven Vaile
Membership 7 min read

Expert Membership FAQ

Common questions from prospective QSECDEF expert members: which category applies, what the application process looks like, what happens at each tier outcome, how personal data is handled, and what membership signals.

Steven Vaile
Membership 8 min read

How Expert Membership Works

QSECDEF runs a structured vetting process before listing any organisation in its directory. This post explains the categories, the question sets, the tier outcomes, and what being listed does and does not mean.

Steven Vaile
Quantum Threat Assessment 7 min read

Why 2030 Is Not the Safe Deadline Most Enterprises Think It Is

Most enterprises that have engaged with quantum risk planning have encountered 2030. It appears in NIST's deprecation schedule. It appears in NSA CNSA 2.0. It appears in BSI and ANSSI guidance. From a distance it reads as: do this by 2030. But that is not what it says.

Steven Vaile
PQC Migration 8 min read

How to Start a PQC Migration Programme in Your Organisation

NIST finalised its first post-quantum algorithm standards on 13 August 2024 — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). The algorithm selection phase of the post-quantum transition is, for practical purposes, settled.

Steven Vaile
Quantum Threat 7 min read

Q-Day Timeline Risk Calculator: How Long Does Your Organisation Have?

The question 'will quantum computers break encryption?' has an answer: yes, with a sufficiently large cryptographically relevant quantum computer, the public-key algorithms that protect most sensitive data will fail. The more pressing question is how long your specific organisation has.

Steven Vaile
Quantum Threat 7 min read

Harvest Now Decrypt Later Risk Calculator: Quantify Your HNDL Exposure

Understanding the Harvest Now, Decrypt Later threat is not the same as knowing which of your data is already at risk. Most organisations that have absorbed the HNDL concept have not taken the next step: mapping their specific data categories against sensitivity, longevity, and current encryption strength.

Steven Vaile
Tools 7 min read

PQC Migration Decision Tree: Where Should Your Organisation Start?

PQC migration is not a bounded project with a clear entry point — it is a programme that cuts across every layer of infrastructure, with interdependencies that mean the wrong starting point generates rework, scope conflicts, and wasted budget. The PQC Migration Decision Tree gives you a structured recommendation.

Steven Vaile
Tools 8 min read

PQC Readiness Checklist: 40-Point Assessment for Security Teams

Readiness in the context of PQC migration means something more specific than awareness of the quantum threat. Most organisations that consider themselves PQC-aware have not assessed whether their organisation is actually equipped to migrate — whether the cryptographic inventory is complete, whether vendors have defined upgrade paths.

Steven Vaile
PQC Standards 8 min read

NIST PQC Algorithm Selector: Which Algorithm Is Right for Your Use Case?

NIST finalised three post-quantum cryptographic standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). For a security architect implementing PQC migration, the question is not which standard is best — it is which algorithm is appropriate for this specific use case.

Steven Vaile
Industry 8 min read

OT Cryptographic Asset Prioritisation Matrix: Sequencing Quantum-Safe Migration for Industrial Systems

The conversation about OT quantum security migration tends to start in the same place: an asset with no upgrade path. The OT Cryptographic Asset Prioritisation Matrix is built for this reality — it prioritises the assets that can migrate, flags the assets that cannot, and gives you the constraint data needed to plan replacement procurement for the rest.

Steven Vaile
Sales 7 min read

PQC Opportunity Qualifier: Identify Which Prospects Are Ready to Buy Quantum Security Solutions

Quantum security is an emerging solution category with a large but unevenly distributed market. A pre-sales team without a structured qualification approach wastes discovery time on organisations that are 18 months from a budget decision, while missing organisations that have a compliance mandate, a funded programme, and no vendor relationship.

Steven Vaile
Governance 9 min read

How to Brief Your Board on Quantum Security Risk

Most board quantum security briefings produce awareness, not decisions. The CISO's challenge is translation. This is a practical guide to structuring a briefing that produces a budget approval and a mandate.

Steven Vaile