FINMA guidance warns Swiss financial institutions should prepare for post-quantum cyber risks
Key contacts
On 9 July 2026, FINMA published Guidance 05/2026 on quantum computing, which summarises the results of FINMA's survey of 60 Swiss financial institutions and sets out recommendations for managing quantum-related cyber risks.
Although cryptographically relevant quantum computers do not yet exist, FINMA considers the related risks sufficiently foreseeable to be addressed now. In FINMA's view, existing technology-neutral and principle-based requirements on governance and risk management already cover risks arising from the development of powerful quantum computers.
Background
Quantum computing may create future opportunities for financial institutions, including in risk and portfolio analysis, transaction monitoring, algorithmic trading and the generation of better random numbers. FINMA's guidance, however, focuses on cyber risks arising from potentially vulnerable cryptographic methods, including public-key cryptography, digital signatures, authentication mechanisms and key management systems. FINMA refers to algorithms such as RSA, ECDSA, EdDSA, DH and ECDH.
A further concern is the "harvest now, decrypt later" scenario, where attackers steal encrypted data today to decrypt it in the future once sufficiently powerful quantum computers become available. This is particularly relevant for data for which confidentiality, integrity or non-repudiation must be preserved over a longer period.
FINMA survey: Awareness is high, implementation remains limited
FINMA conducted its survey between November 2025 and January 2026 among 60 authorised banks, insurance undertakings, managers of collective assets and financial market infrastructures.
The results show a clear gap between risk awareness and implementation. Around two thirds of surveyed institutions expect quantum-related cyber risks to become directly relevant for their institution within seven years. Around two thirds expect that by 2036 a quantum computer could have the ability to break RSA-2048 encryption within a 24-hour period.
At the same time, 72% of surveyed institutions have not yet planned or implemented measures for quantum-safe cryptography. As many as 28% have taken a strategic decision at executive management or board level, including 20% that also have an ongoing project, and only 8% already have a concrete roadmap. FINMA's survey also shows that institutions consider crypto-agility, cryptographic inventories and engagement with software providers important for the transition to PQC.
FINMA's recommendations
FINMA's recommendations focus on the migration to quantum-safe algorithms. They do not address quantum key distribution or broader questions arising from the future use of quantum computing applications.
Supervised institutions should adopt a strategy approved by the governing body and derive from it an implementation plan with milestones, priorities and target dates. FINMA specifically recommends preparing a PQC roadmap by mid-2027.
FINMA recommends a risk analysis covering both cryptographic methods currently used and data requiring long-term protection. This should include business processes, ICT systems, applications, infrastructure and new technologies such as distributed ledger technologies, irrespective of whether they are operated internally, outsourced or obtained as a service.
The outcome should be a comprehensive and maintained cryptographic inventory identifying the cryptographic methods used, including encryption in transit, encryption of stored data, digital signatures, key management and authentication mechanisms. It should also indicate whether the algorithms used are vulnerable to quantum attacks, and therefore should be replaced.
Institutions should also identify critical data and assess whether long-term guarantees of confidentiality, integrity or non-repudiation are required. Data requiring long-term protection should be prioritised in the migration to PQC. FINMA notes that hybrid solutions combining classical and PQC algorithms may be relevant, particularly for critical data exposed to "harvest now, decrypt later" risks.
Crypto-agility is another key element of FINMA's guidance. It describes the ability of an ICT system or application to replace cryptographic algorithms flexibly and without fundamental changes to the software architecture. FINMA recommends that crypto-agility be included as a requirement for newly procured or newly developed ICT systems and applications.
Finally, FINMA highlights dependencies on external IT service providers, software vendors and outsourcing partners. Responsibility for outsourced functions remains with the outsourcing institution. FINMA recommends requiring crypto-agility in new software and data outsourcing relationships and incorporating corresponding requirements into existing outsourcing arrangements.
Outlook
FINMA's guidance does not require an immediate full migration to PQC. It does, however, make clear that quantum-related cyber risks are becoming relevant for supervisory purposes. For Swiss financial institutions, the immediate priority is structured preparation: institutions should identify relevant risks, allocate responsibility, assess exposure and start credible planning.
In practice, institutions should review their cyber and operational resilience frameworks, initiate or update their cryptographic inventories, identify data requiring long-term protection and engage with key technology and outsourcing providers. FINMA has announced that it will actively monitor developments in quantum computing and include the topic in its ongoing supervisory activities.
For more information on the regulatory implications of FINMA's guidance and its impact on governance, risk management and outsourcing arrangements, contact your CMS client partner or the CMS Switzerland Banking & Finance team.
The legal or economic context of this content might have changed since its publication.