In October 2021, Germany’s Federal Office for Information Security published a 70-page guide called Quantum-safe cryptography — fundamentals, current developments and recommendations. It was thorough. It covered quantum computing hardware, post-quantum algorithm families, protocol adaptation strategies, quantum key distribution limitations, and a full chapter of migration recommendations. The BSI president wrote the foreword. The citations were impeccable.
It was, in other words, the perfect shop manual.
Four years later, BSI and KPMG sent a survey to over 150 German companies asking what they’d actually done about post-quantum migration. They got 28 responses. Both the response rate and the answers were, in BSI’s own words, “worrying.”
The manual was on the shelf. The engine was developing a knock. Nobody was listening.
The Shop Manual Problem
The BSI guide wasn’t wrong. Its QKD skepticism aged beautifully — the joint position paper BSI published with ANSSI, the Dutch NCSA, and the Swedish Armed Forces in January 2024 said essentially the same thing with more European co-signatories. Its emphasis on hybrid mode was directionally correct. Its framework for thinking about migration timelines — Mosca’s theorem, where you add the shelf life of your data to the time migration will take and compare it to when quantum computers arrive — remains the clearest articulation of why the math demands urgency.
Some things broke. SIKE, listed as a viable alternate candidate, was destroyed by a classical attack in 2022. Rainbow, listed as a signature finalist, also fell. FrodoKEM, one of BSI’s two headline recommendations for key agreement, was never standardized by NIST — though BSI still recommends it in TR-02102-1 as of January 2025, insisting the decision was about efficiency, not security. And the BSI president who signed the foreword was fired in 2022 over his connections to a cybersecurity association with alleged Russian intelligence ties.
But the big miss wasn’t any specific algorithm or personnel scandal. The big miss was a theory of change.
The implicit model was: publish authoritative guidance → organizations read it → organizations act on it. The survey results prove this pipeline is broken at step one. And not because the guidance is bad. Because a shop manual, no matter how precise, doesn’t make you a mechanic.
Trophies
SOC 2. ISO 27001. PCI-DSS. These are trophy ceremonies. You train for the audit, you pass, you frame the certificate, you go back to whatever you were doing before. Nobody’s confused about this. The compliance industry exists because organizations need to demonstrate security posture to third parties, and demonstrations require artifacts. The artifact becomes the goal.
PQC migration is headed for the same shelf.
The buyer wants to get the trophy and retire. That’s not a character flaw — it’s how organizations allocate attention across hundreds of competing priorities. You check the box because boxes exist to be checked. But the checkbox approach to cryptographic migration has a specific failure mode: it assumes cryptographic posture is a state you can achieve and then preserve through inertia. You migrate. You’re done. Trophy on the shelf.
Except the landscape shifts under you continuously. Libraries update and re-introduce classical defaults. Certificates rotate with old parameters. New endpoints deploy without the configurations you carefully specified. Vendor support for PQC changes quarter to quarter — a platform’s cryptographic library might support ML-KEM while the actual product built on it doesn’t negotiate it. Microsoft’s SymCrypt library is a real example: it supports post-quantum key encapsulation, but SQL Server doesn’t use it.
The trophy expires the day you win it.
The Romantic and the Classical
Robert Pirsig’s Zen and the Art of Motorcycle Maintenance is built around a split. On one side: the romantic, who wants the machine to simply go. On the other: the classical mechanic, who understands why it goes. Pirsig’s argument was that quality lives in neither camp. It lives in the ongoing relationship between the rider and the machine. The caring about it. The sustained attention.
The trophy buyer is the romantic rider. “I bought a Honda because Hondas are reliable. I’m done thinking about this.” And they’re not wrong that Hondas are reliable. They’re wrong that reliability is a permanent state rather than an ongoing condition.
BSI’s 70 pages are the classical manual. Technically precise. Necessary. And gathering dust.
What’s missing is the practice Pirsig actually wrote about — the person who hears the engine differently on a cold morning and thinks: that’s new. What changed? Not the trophy. Not the manual. The attention.
Athletes know this intuitively. Nobody runs a 4:02 mile and stops training. The 4:02 is data. It tells you where you are. Tomorrow it tells you whether you’re getting faster or slower. The only athletes who stop measuring are the ones who’ve retired.
Two Numbers That Measure Different Things
BSI’s 2021 report used “early 2030s” as its planning assumption for when quantum computers could threaten high-security systems. This was not a prediction. BSI was explicit: this was a risk management benchmark. The question it answered was when should you behave as if quantum computers exist?
By late 2025, BSI’s own quantum computing study (version 2.2) estimates cryptographically relevant quantum computers will arrive by approximately 2040 — with the caveat that disruptive developments could compress that to under a decade. This number answers a fundamentally different question: when will they probably exist?
One is a planning parameter. The other is an engineering estimate. The planning parameter tells you when to have your migration complete. The engineering estimate tells you when you’ll definitely wish you had. These are not the same question, and treating the 2040 number as permission to delay is exactly backward from BSI’s intent. The 2040 estimate makes Mosca’s theorem more urgent, not less, because it sharpens the denominator without changing the numerator — your data’s shelf life and your migration timeline haven’t gotten shorter just because the threat got a date.
But here’s what’s interesting: not everyone is publishing estimates. Some agencies are setting deadlines.
Who Knows What
Australia banned RSA by 2030. The NSA issued CNSA 2.0 with hard cutoff dates for national security systems. The November 2024 joint statement signed by 20 EU member states says to protect the most sensitive use cases from store-now-decrypt-later attacks “as soon as possible, latest by the end of 2030.”
Notice the pattern. The agencies with actual signals intelligence visibility — Five Eyes members with direct access to adversary communications — are setting deadlines. The agencies without it are publishing recommendations.
That asymmetry deserves more attention than it gets. Public threat timelines are constrained by what can be said without revealing collection capabilities. When an intelligence agency sets a hard deadline instead of publishing a risk framework, they’re telling you the answer to a question they can’t publicly discuss. Australia didn’t ban RSA by 2030 because they ran Mosca’s theorem on a whiteboard. They banned it because someone in a classified briefing made it clear that the planning parameter and the engineering estimate were converging faster than the public literature suggests.
BSI, for its institutional role, publishes the public literature. That’s appropriate. But organizations reading BSI’s guidance should understand what they’re reading: the unclassified layer of a threat assessment that has classified layers they will never see. The comfortable distance between “plan as if it’s the 2030s” and “expect it around 2040” may not exist in rooms those organizations are not invited to.
Listening to the Engine
BSI’s 2021 report introduced Mosca’s theorem as the framework for urgency. But calculating y — your migration time — requires knowing what cryptography you’re actually running, across every protocol, library, certificate chain, and endpoint in your organization.
The report said “take inventory” as step one. Four years later, most organizations haven’t. And even the ones that have don’t know whether their inventory is still accurate, because it was a point-in-time snapshot that started degrading the moment it was completed.
The entire BSI framework, from the 2021 guide through the 2024 joint statement through the January 2025 technical guideline update, treats migration as an event. Inventory → plan → execute → done. But cryptographic migration isn’t an event. It’s a condition. The question isn’t did you migrate but are you still migrated — and is the direction right?
What’s missing isn’t better guidance. BSI’s guidance is good. What’s missing is the ongoing act of listening. Not a one-time audit. Not a quarterly compliance exercise. A continuous practice of measuring where you are and whether the trajectory is improving or degrading.
The manual matters. Read it. But then go listen to the machine. A trophy tells you where you were. Only the practice of measurement tells you where you’re going.
Sources
- BSI: Quantum-safe cryptography — fundamentals, current developments and recommendations (December 2021)
- BSI & KPMG: Market Survey on Cryptography and Quantum Computing (2023)
- ANSSI, BSI, NLNCSA, Swedish Armed Forces: Position Paper on Quantum Key Distribution (January 2024)
- BSI et al.: Securing Tomorrow, Today: Transitioning to Post-Quantum Cryptography (November 2024)
- BSI: TR-02102-1: Cryptographic Mechanisms — Recommendations and Key Lengths (Version 2025-01)
- BSI: Status of Quantum Computer Development (Version 2.2, December 2025)