The Charter of Trust is a non-profit alliance of global companies that are thought leaders and pioneer practitioners in cybersecurity and digital trust.

The transition to post-quantum cryptography is not a future problem — it is a present one. The threat of adversaries harvesting encrypted data today for decryption once quantum computing matures means that organizations with long-lived data and systems are already exposed. Waiting for cryptographically relevant quantum computers to arrive before acting is not a viable risk management strategy.



Exposure is not uniform across sectors. Financial services, government and defense, operational technology, and healthcare face the sharpest quantum risk, driven by decades-long data retention obligations, slow system replacement cycles, and the societal consequences of cryptographic failure. For these sectors, PQC readiness has moved from best practice to strategic imperative.



Globally, the direction of travel is clear. The United States, European Union, United Kingdom, Singapore, and Australia have each established structured PQC transition frameworks, with mandatory deadlines converging around the late 2020s and 2030. Organizations operating across jurisdictions should expect compounding compliance requirements and align migration plans accordingly.



At the same time, the geopolitical dimension of PQC standardization is becoming increasingly salient. The emergence of a “splinternet” infrastructure, characterized by regionally fragmented digital ecosystems, suggests that cryptographic standards diverge along political and strategic lines. As a result, organizations must not only manage technical migration but also navigate a politically charged landscape in which interoperability, regulatory alignment, and long-term cryptographic agility become critical strategic considerations.



This paper offers a comparative overview of regional PQC transition frameworks and identifies the business and systemic risks associated with quantum-vulnerable cryptography, providing insights for organizations preparing for the transition to post-quantum cryptography. Overall, PQC migration is a strategic transformation, not a technical patch. Cryptographic inventory, governance structures, crypto-agility, and supply chain engagement are as central to success as algorithm selection — and organizations that treat PQC readiness as an architectural and organizational challenge will be best positioned as quantum risks continue to mature.

On February 13, the Charter of Trust hosted its annual Thematic Dinner on the sidelines of the Munich Security Conference. This year’s discussion focused on "Rethinking Cyber Trust: Building Resilience in the Age of AI".

Leading transatlantic voices from government, military, industry, law enforcement, and cybersecurity came together for a critical discussion on the evolving threat landscape. Key themes emerged:
o the urgent need for harmonized regulation,
o the reality that it takes networks to defend networks,
o and the recognition that energy infrastructure represents our next major cyber risk frontier as AI drives exponential growth in energy consumption.

A powerful reminder that there is no security without cybersecurity, and no cybersecurity without active cyber defense. The path forward requires accelerated standards development, stronger public-private information sharing, and moving from reactive postures to coordinated defense strategies.

We are grateful for the engaged dialogue and look forward to continued collaboration as we work together to build cyber resilience in the age of AI.

Artificial Intelligence (AI) is rapidly becoming a cornerstone of economic competitiveness, public service delivery, and national security. At the same time, it introduces new systemic risks to cybersecurity, privacy, and societal trust. This paper, developed under the Charter of Trust’s Principle 3 “Security by Default”, addresses this dual challenge: securing AI systems throughout their lifecycle while responsibly leveraging AI to strengthen cybersecurity.

Aligned with the Charter of Trust’s overarching goals—to protect data, prevent harm to people and infrastructure, and establish a reliable foundation for trust in a digital world—the paper outlines how Security by Default can operationalize Trustworthy AI. It positions security not as a reactive compliance exercise, but as an inherent, continuously enforced design principle that enables innovation while safeguarding resilience, transparency, and accountability.

Against a backdrop of increasing geopolitical competition, fragmented regulatory regimes, and accelerating AI adoption, the paper highlights the strategic importance of trust as a differentiator for organizations and societies alike. It examines key governance, technical, and regulatory risks surrounding AI, and underscores the need for coherent governance models that integrate cybersecurity, privacy, and ethical considerations from design through deployment and operation.

Building on the Charter of Trust’s prior work, the paper provides a high-level framework for embedding Security by Default across the AI lifecycle, aligned with emerging global regulations such as the European Union (EU) AI Act. It also demonstrates how AI, when securely designed and governed, can serve as a powerful enabler of cybersecurity—enhancing threat detection, incident response, and risk management.
Ultimately, the paper reinforces the Charter of Trust’s conviction that trust, security, and innovation must advance together. By embedding Security by Default and Trustworthy AI principles at the core of AI development and use, organizations can strengthen digital trust, improve resilience, and contribute to a safer and more reliable digital future.

Please download the full report below.