What Will Break and What Will Remain?

PQC risk becomes practical when vulnerable cryptography appears inside real systems such as TLS, VPNs, certificates, PKI, code signing, and identity infrastructure.

  • Not everything breaks at once
  • Dependencies matter
  • Inventory comes before action
30-Second Scan
Will everything break at once?
No. PQC is a migration problem, not a sudden universal failure.
What needs attention?
Systems that rely on vulnerable public-key cryptography, such as TLS, VPNs, PKI, certificates, signatures, and identity.
What remains usable?
Many systems remain usable, but their cryptographic dependencies may need review or upgrade.
What is the practical next step?
Build visibility: find where cryptography is used before deciding what to change.
Main teaching visual

System Impact, Not Everything Breaking

Post-quantum migration is about finding where vulnerable cryptography sits inside real systems.

Group 1

Needs attention

  • TLS key exchange
  • VPNs
  • PKI
  • certificates
  • digital signatures
  • code signing
  • identity

These often depend directly on public-key cryptography that will need a migration path.

Group 2

May need vendor or configuration changes

  • cloud services
  • network appliances
  • SaaS
  • APIs
  • HSM/KMS
  • managed certificate services

The system may remain usable, but support depends on configuration, vendor roadmap, or platform capability.

Group 3

Mostly remains usable

  • applications
  • databases
  • backups
  • file stores
  • business workflows

They may not be replaced because of PQC, but the cryptography protecting them still needs review.

Group 4

Not directly affected

  • business logic
  • UI
  • reporting
  • non-cryptographic process steps

These parts do not become quantum-risk items by themselves, but they may rely on affected infrastructure.

PQC migration is not about everything breaking at once. It is about finding where vulnerable cryptography sits inside real systems.

Short Answer

In one view

Post-quantum risk does not mean that every system suddenly stops working.

Not everything breaks at once

The practical issue is that many real systems depend on public-key cryptography for trust, identity, key exchange, certificates, and signatures.

Some of those cryptographic mechanisms will need replacement, upgrade, configuration changes, or vendor support.

Dependencies need review

Other parts of the system may remain usable, but still depend on cryptographic libraries, certificates, protocols, or supplier roadmaps.

Start with visibility

The first step is not to replace everything. The first step is to understand what depends on what.

Core Explanation

01

Cryptography is hidden inside systems

Most people do not manage cryptography directly.

They manage systems that use cryptography.

This is why PQC readiness is partly a visibility problem.

  • websites
  • VPNs
  • APIs
  • identity platforms
  • cloud services
  • network appliances
  • software update systems
  • document-signing workflows
  • backups and archives
02

Some systems need direct attention

Systems that use vulnerable public-key cryptography for key exchange, identity, or signatures need attention.

These systems may need new algorithms, hybrid transition support, vendor updates, testing, or replacement planning.

  • TLS and HTTPS configurations
  • VPN platforms
  • PKI and certificate infrastructure
  • code-signing systems
  • software update mechanisms
  • identity federation and SSO
  • device and firmware trust chains
03

Some systems are affected indirectly

A system may not “do cryptography” as its main purpose, but it may depend on cryptography through libraries, certificates, APIs, cloud services, managed platforms, supplier products, hardware modules, or embedded firmware.

This indirect dependency is why inventory work matters.

04

Some parts remain usable, but still need review

Post-quantum migration does not mean every database, application, backup, or device must be thrown away.

Many systems remain useful.

The review question is: Which cryptographic dependency inside this system must change, and who controls that change?

Why It Matters

This page is the bridge from basic concepts to practical readiness.

01

After learning which algorithm families are at risk, the next question is system impact.

A company needs to know whether vulnerable cryptography is used in customer-facing services, employee remote access, internal APIs, identity systems, supplier platforms, software signing, product firmware, long-term archives, and regulated or long-lifecycle systems.

02

Without that visibility, migration planning becomes guesswork.

Practical Example

Situation

Will our customer portal break?

A company asks: “Will our customer portal break?”

The honest answer is: probably not suddenly.

But the portal may depend on:

  • TLS certificates
  • public-key key exchange
  • certificate authorities
  • application libraries
  • a cloud load balancer
  • an identity provider
  • a managed hosting platform
  • vendor-controlled security settings

Practical outcome

So the better question is: Which cryptographic dependencies protect the portal, and which of them will need a migration path?

That answer may involve several teams and suppliers, not only the web team.
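
The portal question above can be worked as a small dependency walk. This is an added example, not part of the original page: the component names, owners, and algorithm choices in the inventory are constructed for illustration, and the function name is hypothetical. It follows the portal's dependencies, reports each quantum-vulnerable public-key mechanism under the team or supplier that controls it, and lists dependencies that have no inventory entry yet.

```python
from collections import defaultdict

# Public-key families breakable by Shor's algorithm. Symmetric ciphers and
# hashes (AES, SHA-2) are deliberately absent from this set.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}

# Constructed inventory: component -> (owner, [(purpose, algorithm)], [depends on])
INVENTORY = {
    "customer-portal": ("web team", [],
        ["cloud-load-balancer", "identity-provider", "app-tls-library",
         "portal-database", "managed-hosting-platform"]),
    "cloud-load-balancer": ("cloud vendor",
        [("TLS key exchange", "ECDH"), ("bulk encryption", "AES-256-GCM")],
        ["tls-certificate"]),
    "tls-certificate": ("PKI team", [("server authentication", "RSA-2048")],
        ["certificate-authority"]),
    "certificate-authority": ("external CA", [("certificate signing", "RSA-4096")], []),
    "identity-provider": ("SaaS vendor", [("SSO token signing", "ECDSA")],
        ["tls-certificate"]),
    "app-tls-library": ("web team", [("outbound API key exchange", "X25519")], []),
    "portal-database": ("data team", [("encryption at rest", "AES-256")], []),
}

def migration_items(root, inventory=INVENTORY):
    """Return ({owner: [(component, purpose, algorithm)]}, [uninventoried names])."""
    by_owner, gaps = defaultdict(list), []
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:            # a shared dependency is reported once
            continue
        seen.add(name)
        if name not in inventory:   # visibility gap: record it, do not guess
            gaps.append(name)
            continue
        owner, mechanisms, deps = inventory[name]
        for purpose, algorithm in mechanisms:
            if algorithm.split("-")[0] in QUANTUM_VULNERABLE:
                by_owner[owner].append((name, purpose, algorithm))
        stack.extend(deps)
    return {o: sorted(i) for o, i in by_owner.items()}, sorted(gaps)

if __name__ == "__main__":
    items, gaps = migration_items("customer-portal")
    for owner in sorted(items):
        for component, purpose, algorithm in items[owner]:
            print(f"{owner:13} {component:22} {purpose:27} {algorithm}")
    print("not yet inventoried:", ", ".join(gaps))
```

The database does not appear in the output because its only mechanism is symmetric, while the hosting platform appears as a gap rather than as "safe", which is the distinction between "mostly remains usable" and "not yet reviewed".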

Careful Analogy

Teaching analogy

PQC migration can feel a little like a broad infrastructure transition. Like Y2K, it affects many hidden dependencies across systems.

Unlike Y2K, there is no precise calendar date when everything changes at once. The analogy is useful for understanding scope, not for predicting timing.

Common Misunderstanding

“On Q-Day, everything encrypted will suddenly break.”

Some public-key cryptographic mechanisms will need migration, and many real systems depend on them. But impact depends on where cryptography is used, how systems are configured, which vendors control them, and how long the protected data must remain confidential.

What to Remember

One-Sentence Summary

PQC impact is a system-dependency problem, not a simple “everything breaks” event.

Three Key Points

  • TLS, VPNs, PKI, certificates, signatures, code signing, and identity systems need attention.
  • Many business systems remain usable but may depend on cryptography that needs review.
  • Inventory and discovery are the practical bridge between algorithm risk and action.


