[Blog] PQC & Cyber Resilience: Protecting Data in the Quantum Era
Posted 05/23/2025 by Mamta Gupta, Senior Director of Security, Datacenter and Comms Segment Marketing; Eric Sivertson, VP of Security Business
Quantum computing has long been discussed as a far-off development in computer science. The claim that widespread accessibility and use is “just five years away” is a common refrain among many practitioners. But with recent advancements in the field—including Microsoft’s Majorana 1, Google’s Willow chip, and IBM's plans to release the largest-ever quantum computer in 2025—we are closer to realizing its potential than ever before.
While exciting, these advancements have significantly condensed the timeline businesses have to prepare for the novel security risks that quantum computing presents. These include quantum-level cyberattacks, sensitive data decryption, compromised data integrity, and more, which are all driven by the increased speed and power of quantum computers.
In our latest LinkedIn Live panel discussion, Lattice security experts explored the implications of quantum computing, the growing necessity of post-quantum cryptography (PQC) to foster cyber resilience, and the role of Lattice low power Field Programmable Gate Arrays (FPGAs) in helping customers safeguard their systems in the quantum era.
Impending Regulatory Mandates
To understand the urgency of adopting PQC, businesses must first understand the regulations that will shape the future of secure system design:
The Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)
CNSA 2.0 is a U.S.-based NSA directive that requires all national security systems to adopt PQC by Jan. 1, 2027.
Per the directive, traditional cryptographic algorithms such as Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) will be phased out and replaced by more powerful algorithms like the Module-Lattice-based Digital Signature Algorithm (ML-DSA), the Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM), and the NIST-standardized eXtended Merkle Signature Scheme (XMSS) and Leighton-Micali Signature (LMS).
The effects of this regulation will ripple out from national security, impacting any organization that develops and sells technological solutions and infrastructure to the U.S. government. To be utilized by these entities, digital solutions will need to be CNSA 2.0 compliant.
The Cyber Resilience Act (CRA)
Poised to take effect in late 2027, this EU regulation requires software and hardware product vendors to track vulnerabilities and maintain cybersecurity throughout the lifecycle of “products with digital elements” (PDEs).
The CRA governs everything from PDE planning to design, development, and continued maintenance to ensure that robust security is enforced at every stage of the value chain. The goal is to shift the responsibility of cybersecurity from customers to vendors, tasking companies with proactive and continued protection of their products and enabling consumers to make informed and safe buying decisions.
This regulation has a wide reach; it applies to PDE manufacturers, importers, and distributors that do business within the European market, impacting any global business that wishes to sell PDE devices in the EU.
As their official enforcements approach, CNSA 2.0 and the CRA are no longer distant concerns. They’re active, looming mandates that impact businesses across industries. If teams haven’t begun preparing for compliance, they may already be behind.
Meeting Mandates with PQC & Cyber Resilience
Now is the time for organizations to adhere to compliance and adopt advanced security solutions to combat the threats of the quantum era.
One such solution is the development and enforcement of post-quantum cryptography (PQC) measures. Traditional cryptography involves converting plain text into ciphertext using an encryption algorithm, preventing any unauthorized data access without the right decryption key. A PQC approach involves a group of newer cryptographic algorithms that cannot be broken by quantum computers due to their significant mathematical complexity, including ML-KEM, LMS, XMSS, and ML-DSA, among others.
An important part of PQC implementation is to maintain crypto agility, or the ability to easily swap out and/or upgrade your cryptographic algorithms. Early integration of PQC algorithms is critical for proactive protection against quantum threats. But, as computing capabilities evolve, businesses may need to experiment with different algorithms, so “locking in” to one option too early can inhibit future efficacy. Maintaining the ability to upgrade to new algorithms and take an agile approach to cryptographic strategy is essential for long-term security and adaptability.
Cyber resilience is not just the namesake of the EU’s impending regulatory mandate; it refers to an organization’s overall ability to detect, respond to, and recover from cyberattacks in real time. It’s a measure of how prepared an organization is to continue business operations in the face of cyber incidents. Ultimately, that’s what PQC measures are designed to support.
Cyber resilience efforts include:
- Real-time attack monitoring to maintain continuous oversight across cyber infrastructure, identify any anomalies as quickly as possible, and address them efficiently.
- Dynamic Root of Trust (RoT) sources that can help generate and protect cryptographic keys and perform cryptographic functions from within a secure and trusted environment.
- Field updatability and fast recovery to ensure continued improvement of and iteration on PQC algorithms, timely responses to security incidents, and the ability to keep pace with developments in the regulatory and threat landscape.
- Continued security after secure boot to maintain protective measures against malware, unauthorized software, and other malicious acts beyond the boot sequence.
By adopting PQC measures, maintaining crypto agility, and strengthening cyber resilience, organizations can better prepare to meet regulatory standards and protect their cyber infrastructure.
The Advantage of Using FPGAs
Organizations need to adopt hardware components that can both support PQC and cyber resilience efforts and integrate effectively into their existing technical infrastructure. Lattice FPGAs offer a range of crucial capabilities for PQC and resilience efforts:
- Post-deployment reconfiguration. Rather than permanently locking in configurations when deployed, Lattice FPGAs maintain a level of flexibility that allows for post-deployment changes and updates. Their reprogrammability is crucial as teams assess quantum threats and PQC algorithms and work to future-proof their protective capabilities amid the field’s rapid progress.
- Baked-in cryptographic capabilities. Lattice FPGAs include hardware Root of Trust (HRoT), secure boot, and reprogrammability capabilities that are crucial to the execution of PQC algorithms and the continued maintenance of cyber-resilient infrastructure.
- Parallel processing. Rather than operating sequentially/serially, FPGAs can process data in a parallel fashion that allows for multiple operations to occur at the same time, enabling these devices to support complex PQC algorithms while consuming less power and taking less time.
FPGAs can support PQC applications across industries, even in those that might be slower to adopt new technologies. For example, Industrial and Automotive businesses can’t rebuild entire production lines or cars on the road every three years. They need devices and solutions that work today and will work 20 years from now. Given this longer-term perspective, they may be more hesitant to jump on PQC solutions—and the infrastructure they require—too soon.
By leveraging FPGAs, organizations can proactively enhance their PQC and cyber resilience strategies, avoiding the limitations of short-lifecycle technology. FPGAs can be deployed to meet current cybersecurity needs and later be updated and reprogrammed in the field to meet future PQC requirements.
Preparing for Post-Quantum Security Environments with Lattice FPGAs
Whether it’s to maintain compliance with CNSA 2.0 and CRA or simply prepare your business for the future of cybersecurity, it's crucial that organizations adopt proactive PQC and cyber-resilient algorithms as soon as they can.
Failing to implement these solutions can lead to serious consequences, including exposure to quantum-level cyberattacks, non-compliance penalties and fines, operational disruptions, reputational damage, increased costs, and missed opportunities for innovation. To safeguard against future quantum threats, organizations must act now to audit their systems, adopt PQC algorithms, and leverage adaptable and secure FPGA solutions.
You can view the entirety of this LinkedIn Live panel discussion here. To learn more about how Lattice can help bolster your PQC readiness, contact our team today.