Security vendors across sectors must successfully demonstrate quantum-safe capabilities to comply with new policy mandates and win over customers in critical industries (government, banking, defense, etc.). This means that vendors must prepare to get up-to-date with the latest certification versions and ensure that systems are flexible enough to adapt to evolving standards and hybrid implementations.
It’s October, and another Cybersecurity Awareness Month has arrived. While the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) spend this time educating the public on online safety, it’s also a time for security vendors to reflect on the latest trends shaping their industry.
One of the biggest trends is the progression in Post-Quantum Cryptography (PQC) algorithm standardization. PQC helps protect devices and network infrastructure from attack-capable quantum computers, which will be a threat within 10 to 20 years. While this may sound some ways off, there is real concern of “harvest now, decrypt later.”
While strategies defending against this threat vary, what is inescapable is the growing number of government mandates advocating for PQC migration over the next few years, with the U.S. National Institute of Standards and Technology (NIST) announcing the deprecation of classical algorithms RSA and ECC for federal use by 2030, whether a quantum computer is available or not. This will have a domino effect on other industries, as the status quo moves from classical to hybrid and eventually to PQC.
Organizations are already preparing for the post-quantum world.
According to ABI Research, PQC spending is forecast to nearly double from US$281 million in 2025 to US$530 million by 2028. This rapid increase signals the anticipated maturity of quantum-safe technology standards.
U.S. NIST 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA) came out last August, with more upcoming PQC algorithms in the near future (e.g., Falcon (FN-DSA) + HQC). Despite this progress, there is still some ambiguity in terms of PQC standards development, notably in protocol implementation, and undoubtedly, some algorithms are bound to break. As Standards Developing Organizations (SDOs) continue to iron out the kinks, cybersecurity providers and smart card vendors are cautious about adoption, focused on testing and suitability to individual use cases.
In the interim, what can be done?
This blog unpacks six questions that cybersecurity vendors should be asking about PQC standardization and how they can stay relevant during this disruptive shift.
Key Takeaways:
- PQC compliance is becoming urgent. With NIST deprecating RSA and ECC by 2030, cybersecurity vendors must begin certifying quantum-safe systems now to stay compliant and competitive in government and critical industry contracts.
- Start early with FIPS 140-3 certification. The validation process for PQC algorithms like ML-KEM and ML-DSA is complex and time-consuming. Therefore, vendors should begin quantum-resistant testing, firmware updates, and pre-validation pilots immediately.
- Design crypto-agile hardware and software. Vendors across sectors must support hybrid algorithms and modular updates to adapt quickly as PQC standards evolve.
- Future-proof for regulated industries. Travel, identity, and IoT vendors should prepare for new PQC-ready chipsets and hybrid certificates; government agencies are already testing quantum-safe pilots.
- Partnerships and flexibility are key to staying ahead. Collaborating with PQC Intellectual Property (IP) core developers and building agile, upgradable systems will help vendors deliver trusted, future-ready solutions while full standards are still in flux.
What Does FIPS 140-3 Require for Post-Quantum Cryptography?
Federal Information Processing Standards (FIPS) 140-3 replaces FIPS 140-2 and introduces validation support for PQC algorithms like ML-KEM, ML-DSA, and SLH-DSA. Several security vendors have obtained NIST Cryptographic Algorithm Validation Program (CAVP) certification for these three algorithms: Crypto4A, Entrust, Idemia, Kryptus, Marvell, Securosys, and Utimaco, and others have obtained FIPS 140-3 Level 3 Cryptographic Module Validation Program (CMVP) validation for their Hardware Security Modules (HSMs) (Entrust nShield 5, Marvell LSM2, Thales Luna G7 and K7, and Utimaco’s Atalla). None have yet obtained FIPS 140-3 Level 3 with PQC support combined, although all are currently in process (at the Modules in Progress (MIP) or Implementation Under Test (IUT) stage).
How this impacts security vendors: To manage the certification challenge effectively, vendors should
- Begin early on the certification process; it is long, complex, and time-consuming.
- Communicate clearly the status of quantum readiness and certification efforts.
- Offer pre-validation test environments for PQC algorithms, keeping prospects engaged and demonstrating that your organization is ahead of the curve.
- HSM vendors should issue firmware updates to support PQC in non-FIPS mode, allowing customers to test the algorithms in pilots, and easing future migration.
Some vendors are streamlining the transition with cryptographic asset discovery and inventory management, and others are already providing automated generation of Cryptographic Bills of Materials (CBOMs) that can also include PQC, as covered in Senior Analyst Aisling Dawson’s research.
How Is Common Criteria Influencing Quantum-Safe Hardware Development?
Common Criteria Evaluation Assurance Level (EAL) is an international standard (ISO/IEC 15408) and one of the most well-known for the security evaluation of Information Technology (IT) products and systems, especially in Europe. European cybersecurity bodies like ANSSI, BSI, and NSCIB have begun certifying products at EAL5+ and EAL6 levels with PQC implementations. These efforts are focused primarily on secure elements and controllers, using Protection Profiles that prioritize quantum resistance.
This development affects vendors across the industrial, IoT, payment, and identity spaces where Common Criteria compliance remains a critical requirement. In collaboration with BSI, Infineon became the first company to receive the Common Criteria EAL6 certification for a PQC-ready security controller. This certification will help protect data stored for embedded Subscriber Identity Modules (eSIMs) and smart cards.
How this impacts security vendors: Vendors should align certification plans with PQC-friendly Protection Profiles. Failing to account for PQC in secure hardware designs now could risk regulatory friction in key markets later.
How Are Trusted Platform Modules Integrating PQC?
The Trusted Platform Module (TPM) is a de facto standard used in PCs and servers, and increasingly in the IoT as edge computing deployments are on the rise. TPM 2.0 version 1.85 adds support for ML-KEM and ML-DSA, bringing PQC to the root of trust in computing and embedded systems. That includes secure boot, firmware signing, and attestation.
With TPMs widely deployed across enterprise IT, data centers, and industrial settings, this update is integral to broader PQC migration.
How this impacts security vendors: TPM hardware providers must ensure they update TPM firmware and support tools to handle PQC. Customers managing long-lifecycle devices (e.g., hospitals, manufacturers, etc.) will demand this functionality soon, and vendors that offer early, PQC-ready TPM modules will have a strong first-mover advantage.
How Is ISO Addressing PQC for Smart Cards and Identity Systems?
The ISO/IEC JTC 1/SC 17 committee is evaluating how smart cards and ID systems can support PQC. Crypto-agility and hybrid schemes are on the table, but no final standard exists yet.
While the smart card market may not be immediately impacted by PQC, ABI Research Director Phil Sealy reminds us that most payment cards operate on a 4 to 5-year expiration. This aligns well with when quantum-capable computers are expected to be readily available, so it’s vital to take steps toward PQC standardization immediately.
This urgency is compounded by the additional challenges in implementing PQC in constrained hardware, with smart cards often lacking the memory capacity and processing speeds required in mainstream PQC implementations. As adaptations will need to be made, it is especially critical that smart card vendors engage with this development process in a timely manner.
Thales is already pioneering this space, launching the first quantum-resistant smart card (MultiApp 5.2 Premium PQC) in Europe in October 2025.
How this impacts security vendors: Smart card manufacturers will be wary of fully committing to any PQC standards, as the market is still in flux. Crypto-agile architectures, modular firmware, and hybrid signature support will position products for fast adaptation once standards are finalized.
Do Vendors Need to Future-Proof Their Chipsets and Certificates for Travel Security?
The short answer is yes. Current ePassport security algorithms, such as RSA and ECC, will soon be deprecated. In response, the International Civil Aviation Organization’s (ICAO) New Technologies Working Group (NTWG) is reviewing how to update ePassports and other travel documents for PQC. This includes support for hybrid signatures, new chipset requirements, and interoperability with legacy systems. Vendors can’t wait for full clarity, as governments and border agencies are already requesting roadmaps and testing pilots.
Agility is essential, and implementations must support future changes as guidance crystallizes. Additionally, cryptographic sovereignty is a key concern within PQC development, and vendors seeking to supply travel documents must maintain flexibility to accommodate regional variations.
How this impacts security vendors: Support for hybrid certificates and upgradable chips is critical. Vendors should run Proofs of Concept (PoCs) with early adopters and engage in standardization work to chronicle success stories and influence outcomes, continuously exploring different avenues for partnership and collaboration.
How Can Security Vendors Stay Competitive While Waiting for PQC Standards Evolution?
PQC certification queues are long, but the market isn’t waiting. Vendors like Crypto4A already offer production firmware with ML-KEM and ML-DSA support. Similarly, Palo Alto Networks upgraded its PA-5500 series Next-Generation Firewall (NGFW) with a 256-core ASIC to handle PQC workloads. Entrust is planning for flexible classical and PQC hardware acceleration for its HSMs.
Complex PQC solutions will demand improved compute, memory, and flexibility. Customers expect early support for Transport Layer Security (TLS), Virtual Private Networks (VPNs), and Internet Protocol Security (IPsec), even if they’re not quite ready to deploy fully. Many customers invest in devices and systems that last more than a decade, making future-proofed security an attractive feature.
How this impacts security vendors: Start with software updates and give customers testing tools. Partner with PQC IP core vendors to adapt faster, as these organizations possess excellent PQC expertise, which they tailor for specific use cases and applications. Moreover, building crypto-agile systems will appease customers who need to quickly swap algorithms as standards evolve.
Final Thoughts
The cybersecurity industry is under immense regulatory pressure, particularly in sectors like energy, government ID, banking, and healthcare. Technology providers of HSMs, Public Key Infrastructure (PKI), smart cards, and networking equipment are being compelled to support PQC now, even if stabilized and certified compliance is years away.
Getting ahead of PQC support will build trust with customers early on and solidify positioning in this fledgling market. Trust building requires security vendors to understand intricate enterprise environments, encompassing device types, applications, and region/industry-specific algorithm preferences.
Beyond ensuring crypto-agility, ABI Research foresees the need for network security vendors to complement hardware portfolios with comprehensive software offerings that tailor hardware for certain PQC algorithms. As with all security threats, defense is only as robust as the weakest link in the chain, requiring engagement across the stack to protect customers fully. Collaboration will continue to be the name of the game for even the largest cybersecurity vendors on the quest to protect from Cryptographically-Relevant Quantum Computers (CRQCs).
Does your company need guidance on its post-quantum transition? Contact us today to learn how our Digital Security analyst team is helping clients prepare for PQC.
