This guide is general advisory content for board-level governance. It is not legal, financial, or regulatory advice. Specific compliance obligations vary by jurisdiction; consult qualified legal counsel and your audit committee for binding interpretation.

Getting quantum risk onto the board agenda is not the hard part. Most boards will hear "governments are retiring current encryption standards by 2030" and accept that it warrants attention. The hard part is giving the board something they can actually govern. A risk statement without a measurement, a cost without a migration plan, a compliance obligation without a timeframe: none of these produces a decision. This article gives CISOs the framework to translate a technically complex threat into the five questions a board can answer and the governance structure that keeps it moving.

Why quantum risk belongs on the board agenda now

Three external signals have moved quantum risk from a research topic to an execution programme. The CISO's job is to put all three in front of the board clearly.

NIST published four final post-quantum cryptographic standards in August and October 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), and FIPS 206 (FN-DSA). The publication date matters for the board conversation because it marks the end of the "waiting for the standard" phase. Before August 2024, a CISO could reasonably tell the board that the standards were not yet finalised and the migration target was unclear. That framing is no longer available. The algorithms are published, the migration targets are known, and the programme can begin.

NIST IR 8547 (November 2024) sets the formal deprecation calendar: RSA, ECDH, ECDSA, DSA, and finite-field Diffie-Hellman deprecated in new deployments by 2030, full legacy retirement by 2035. This is the external technical baseline against which the organisation's current cryptographic posture is measured. For a board risk register, it provides the deadline structure that makes the risk quantifiable: systems that continue using deprecated algorithms after 2030 will sit outside the NIST baseline.

NSA CNSA 2.0 (September 2022) mandates full retirement of RSA and ECC from US National Security Systems by 2033. For the board of any organisation that is a defence contractor, intelligence community partner, or supplier to NSS, this is a contractual and compliance deadline. For organisations without NSS relationships, it is the strongest public evidence of the US government's embedded Q-Day planning assumption. Governments do not set hard cryptographic retirement deadlines a decade in advance unless they believe the threat is plausible within that window.

US-listed public companies face a fourth obligation. The SEC cyber disclosure rule (effective December 2023) requires disclosure of material cybersecurity incidents within four business days of determining materiality, and description of cybersecurity risk management processes and governance in annual 10-K reports. A board that has not documented its quantum risk posture faces disclosure risk if a quantum-related incident occurs or if the governance gap is identified in an audit. The rule does not specifically name quantum risk, but the risk management disclosure obligation under 17 CFR 229.106 covers material cyber risks including forward-looking technology threats. [INFERRED, this risk disclosure argument is legally grounded but has not been tested in quantum-specific enforcement as of the knowledge cutoff for this article.]

How to frame quantum risk for a board audience

The language that works at board level is infrastructure end-of-life risk. Not "post-quantum cryptographic migration," not "cryptographically relevant quantum computer." Boards continuously make decisions about asset depreciation, technology refresh cycles, and the risk of running systems beyond their supported lifecycle. This framing is immediately tractable.

The statement that works: "Our current encryption algorithms have a published deprecation schedule from the body that sets the US cryptographic baseline. Migrating complex enterprise systems to the replacement algorithms takes five to seven years. We need to begin a structured programme now or we will not complete migration before the deprecation dates take effect."

The correct risk register entry is not "quantum attack on our systems." It is "cryptographic posture insufficient for the post-CRQC environment, with migration programme not yet initiated." The distinction matters. "Quantum attack on our systems" sounds like a science fiction film. "Migration programme not yet initiated against a known deprecation schedule" sounds like a governance failure, which is exactly what it is.

The NACD Cyber Risk Director's Handbook, in its 2023 edition, frames board oversight of cyber risk as requiring three things: understanding of the risk landscape relevant to the organisation, alignment of security strategy with business strategy, and adequate time, expertise, and access to management. Quantum risk fits within this framework. It is a long-horizon cyber risk requiring board-level prioritisation of a multi-year programme. The board does not need to understand lattice cryptography. It needs to understand why the programme cannot wait until 2029.

The governance framework: what needs board approval

ISO 27001:2022 Clause 8.3 requires that the information security management system includes a risk treatment plan and that the plan is approved by appropriate authority. A post-quantum migration programme is a multi-year information security initiative. It requires documented risk treatment, budget approval in cycles, and assigned ownership. That is a board-level decision, not a CISO-level one.

The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) provides a governance model for emerging technology risk that is instructive for quantum risk governance even though it concerns AI rather than cryptography. The AI RMF's Govern function establishes that risk management policies must address the full lifecycle of the technology risk, that senior leadership must define risk tolerance and accountability, and that risk management activities must be documented and repeatable. Apply the same governance requirements to quantum risk programme management. The structural parallel holds.

For NIS2-covered entities, the supervisory assessment under Article 32 (essential entities) evaluates whether risk management measures including cryptographic controls are documented and proportionate to the risk. A quantum risk item in the board risk register, supported by a documented migration programme and a Cryptographic Bill of Materials, is the evidence posture that demonstrates compliance with NIS2 Article 21(1)'s "appropriate and proportionate" standard. The supervisory question is whether the risk has been assessed and a proportionate response is underway. Documentation of that assessment is the board's governance contribution. For the full NIS2 compliance gap analysis, see NIS2 and post-quantum cryptography: the gap in your cyber resilience plan.

What the CISO needs to bring to the board

A board presentation on quantum risk covers five questions in sequence. Each question has a corresponding CISO deliverable. The sequencing matters: it tracks the board's natural reasoning from external threat to organisational exposure to regulatory obligation.

Question 1: What is the external threat and timeline? The CISO deliverable is a one-page summary: the CRQC probability distribution from GRI 2024, the NIST IR 8547 deprecation dates, and the NSA CNSA 2.0 2033 mandate as the planning anchor. Frame it in probability and timeline terms the board uses for other technology risks.

Question 2: What is our current exposure? This requires the Cryptographic Bill of Materials (CBOM). Without a CBOM, the CISO cannot answer this question. A board presentation without a CBOM is a risk statement without a risk measurement. If the CBOM has not been initiated, the first ask from the board is approval and resourcing to complete it, not approval of a full migration programme.

Question 3: What is the harvest-now-decrypt-later risk to our data specifically? The deliverable is a data classification summary: which data categories we hold, their confidentiality lifetimes, and whether the systems protecting them have a migration path. For a bank, insurance company, or healthcare organisation, this conversation is immediate. For a business whose data has no meaningful value beyond three years, it is shorter.

Question 4: What does the migration programme look like and what does it cost? The deliverable is a phased roadmap with resource requirements, dependencies, and decision points. Complex migrations run five to seven years. The board needs to see the phasing, not just the total cost. Phase 1 (inventory and high-risk hybrid deployment) has a different cost profile to Phase 3 (embedded device and legacy system retirement).

Question 5: What are our regulatory and contractual obligations? The deliverable is a regulatory exposure summary. NIS2 Article 21 for EU essential and important entities. DORA Article 9(2) for EU financial entities (the DORA obligations are covered in detail at DORA and post-quantum cryptography: what financial services ICT risk managers must know). CNSA 2.0 for US NSS contractors. Data protection regulatory obligations apply by jurisdiction: UK businesses operate under UK GDPR (a retained instrument under the Data Protection Act 2018); EU businesses operate under EU GDPR (Regulation (EU) 2016/679). Both instruments require "appropriate technical measures" under Article 32 for organisations holding personal data. Sector-specific frameworks apply as relevant. [ASSUMED, verify current HHS healthcare quantum risk guidance status before including healthcare-specific obligations; as of the knowledge cutoff, HHS guidance was in development.]

Boards respond to sector comparables. The CISO should be prepared to benchmark the organisation's posture against peers: what are regulators asking, what has the sector body published, what are large comparable organisations doing? In financial services, the DORA implementing regulation and ECB supervisory expectations create a visible baseline. In defence, CNSA 2.0 is the peer standard. The comparison does not require naming specific competitors; it requires characterising where the sector is moving.

The migration programme ask is not a one-time board approval. It is a multi-year programme requiring annual progress reporting, budget approval in cycles, and escalation authority for material scope changes. The CISO should propose a governance cadence at the initial presentation: board-level quantum risk review at least annually, audit committee oversight of the programme quarterly. This is standard programme governance for any multi-year technology initiative. The board is familiar with the model.

Board-level metrics and risk quantification

Boards assess progress through metrics, not technical briefings. The metric set for quantum risk should include both lagging and leading indicators.

Lagging indicators: percentage of cryptographic inventory completed; percentage of high-priority systems with hybrid key exchange deployed; number of systems still running deprecated algorithms after each migration phase.

Leading indicators: supplier PQC roadmap coverage (what percentage of critical suppliers have confirmed PQC migration timelines); number of systems identified as requiring migration in the next 12 months; estimated cost and resource to complete Phase 1. These allow the board to track whether the programme is on schedule without requiring any cryptographic knowledge.
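The lagging and leading indicators above are only as good as the CBOM they are computed from. As an added example (not code from the article, and not any vendor's tooling), the following script derives the indicators from a small, constructed CBOM. The `CbomEntry` record layout, the sample rows, and the counting rules are assumptions: a high-priority system counts as covered when its key exchange is hybrid (classical plus PQC) or PQC-only, and a system "still runs deprecated algorithms" when any slot relies solely on an algorithm on the NIST IR 8547 list (the classifier also treats EdDSA names as quantum-vulnerable, which IR 8547 lists alongside ECDSA).

```python
"""Board-level quantum-risk metrics computed from a Cryptographic Bill of Materials (CBOM).

Added example, not from the article. The CBOM rows below are constructed sample data.
Algorithm classification follows the NIST IR 8547 deprecation list cited in the article
(RSA, ECDH, ECDSA, DSA, finite-field DH; IR 8547 also lists EdDSA) and the FIPS 203-206
PQC families (ML-KEM, ML-DSA, SLH-DSA, FN-DSA).
"""
from __future__ import annotations

from dataclasses import dataclass

# Algorithm-name prefixes as they typically appear in a CBOM, mapped to a class.
_PREFIXES = {
    "ML-KEM": "pq", "ML-DSA": "pq", "SLH-DSA": "pq", "FN-DSA": "pq",
    "RSA": "vulnerable", "ECDH": "vulnerable", "X25519": "vulnerable", "X448": "vulnerable",
    "ECDSA": "vulnerable", "ED25519": "vulnerable", "ED448": "vulnerable",
    "DSA": "vulnerable", "FFDH": "vulnerable", "DH": "vulnerable",
}


def classify(alg: str) -> str:
    """Return 'pq', 'vulnerable' or 'unknown' for one CBOM algorithm name."""
    name = alg.upper()
    for prefix, cls in _PREFIXES.items():
        if name.startswith(prefix):
            return cls
    return "unknown"


def slot_status(algs: tuple[str, ...]) -> str:
    """Status of one slot (key exchange or signatures): 'hybrid' = classical plus PQC,
    'pq' = PQC only, 'classical' = quantum-vulnerable only, 'none' = slot not used."""
    kinds = {classify(a) for a in algs}
    if "pq" in kinds and "vulnerable" in kinds:
        return "hybrid"
    if "pq" in kinds:
        return "pq"
    if "vulnerable" in kinds:
        return "classical"
    return "none"


@dataclass(frozen=True)
class CbomEntry:                        # assumed record layout, not a standard CBOM schema
    system: str
    priority: str                       # "high" | "medium" | "low"
    inventory_complete: bool
    key_exchange: tuple[str, ...]       # e.g. ("X25519", "ML-KEM-768") for a hybrid KEX
    signatures: tuple[str, ...]
    migration_due_months: int | None    # planned migration window; None = unscheduled
    supplier_pqc_roadmap: bool | None   # None = in-house system, no supplier to ask

    def runs_deprecated(self) -> bool:
        """True if any slot still relies solely on a quantum-vulnerable algorithm."""
        return "classical" in (slot_status(self.key_exchange), slot_status(self.signatures))


# Constructed sample CBOM (six systems); values are illustrative only.
SAMPLE_CBOM = [
    CbomEntry("customer-portal-tls", "high", True, ("X25519", "ML-KEM-768"), ("ECDSA-P256",), 18, None),
    CbomEntry("core-banking-hsm", "high", True, ("RSA-2048",), ("RSA-2048",), 6, True),
    CbomEntry("vpn-gateway", "high", True, ("ECDH-P256", "ML-KEM-1024"), ("ML-DSA-65",), None, True),
    CbomEntry("archive-backup", "medium", False, ("FFDH-2048",), ("DSA",), None, False),
    CbomEntry("iot-fleet-firmware", "low", True, (), ("ECDSA-P256",), 30, False),
    CbomEntry("internal-wiki", "low", True, ("X25519",), ("Ed25519",), 9, None),
]


def lagging_indicators(cbom: list[CbomEntry]) -> dict:
    """The three lagging indicators named in the article, as board-ready numbers."""
    inventoried = sum(e.inventory_complete for e in cbom)
    high = [e for e in cbom if e.priority == "high"]
    covered = sum(slot_status(e.key_exchange) in ("hybrid", "pq") for e in high)
    return {
        "inventory_complete_pct": round(100 * inventoried / len(cbom), 1),
        "high_priority_pqc_kex_pct": round(100 * covered / len(high), 1) if high else 0.0,
        "systems_on_deprecated_algorithms": sorted(e.system for e in cbom if e.runs_deprecated()),
    }


def leading_indicators(cbom: list[CbomEntry], horizon_months: int = 12) -> dict:
    """Supplier roadmap coverage, systems due within the horizon, and the scheduling gap."""
    with_supplier = [e for e in cbom if e.supplier_pqc_roadmap is not None]
    confirmed = sum(e.supplier_pqc_roadmap for e in with_supplier)
    due = [e.system for e in cbom
           if e.migration_due_months is not None and e.migration_due_months <= horizon_months]
    # Systems on deprecated algorithms with no migration date are the gap a board will ask about.
    unscheduled = [e.system for e in cbom if e.migration_due_months is None and e.runs_deprecated()]
    return {
        "supplier_roadmap_coverage_pct": round(100 * confirmed / len(with_supplier), 1) if with_supplier else 0.0,
        "systems_due_within_horizon": sorted(due),
        "deprecated_but_unscheduled": sorted(unscheduled),
    }


if __name__ == "__main__":
    print(lagging_indicators(SAMPLE_CBOM))
    print(leading_indicators(SAMPLE_CBOM))
```

On the sample data this reports 83.3% of the inventory complete, two of the three high-priority systems with a PQC key exchange in place, five systems still running a deprecated algorithm somewhere (signatures lag key exchange, which is typical), 50% supplier roadmap coverage, two systems due within 12 months, and one deprecated system with no migration date. The last figure is the one worth putting in front of the audit committee.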

For risk quantification, the relevant approach is a modified expected loss model: probability of CRQC by target year, multiplied by the value of exposed data, multiplied by recovery cost and regulatory exposure. The most quantifiable ceiling for EU organisations is the GDPR Article 83(5) maximum fine: 4% of global annual turnover or €20 million, whichever is higher, for violations of basic processing principles including security. An organisation whose long-lived personal data is decrypted post-Q-Day because the migration programme was not initiated faces a regulatory exposure that can be expressed in board-comprehensible financial terms.

The insurance dimension is changing. Cyber insurers are beginning to ask about quantum risk posture in renewal processes. [ASSUMED, verify specific insurer underwriting requirements as of May 2026; the direction of travel is clear but standardised underwriting requirements may have evolved since the knowledge cutoff for this article.] The CISO should anticipate the question from the insurance broker and have a documented migration plan ready. Absence of a migration plan is becoming a risk factor for long-lived sensitive data exposures. The programme documentation that satisfies the board also satisfies the insurer.

For the CNSA 2.0 compliance audit framework and the practical mechanics of demonstrating cryptographic posture against regulatory requirements, see our analysis at the CNSA 2.0 compliance audit framework checklist. For the broader EU regulatory stack covering both NIS2 and AI Act obligations for critical infrastructure operators, see the EU AI Act and quantum security for critical infrastructure.

Governance checklist for CISOs

  • Is quantum risk documented in the corporate risk register with a risk owner and treatment plan?
  • Has a Cryptographic Bill of Materials (CBOM) been initiated or completed?
  • Is there a documented migration programme with phasing, ownership, and budget approval?
  • Has the board been briefed on the programme and its rationale?
  • Are we tracking critical suppliers' post-quantum cryptography migration roadmaps?
  • Do our cyber insurance terms recognise PQC migration status as relevant to coverage?
  • Are we monitoring regulatory developments (NIST IR 8547, NIS2, CNSA 2.0, DORA) for updates that affect programme timelines or obligations?

Sources