On 18 June 2026, Taiwan’s Financial Supervisory Commission (FSC) announced its Post-Quantum Cryptography Migration Reference Guide for the Financial Industry, providing financial institutions with a phased framework for addressing cybersecurity risks arising from advances in quantum computing.
The Guide forms part of the FSC’s wider Financial Operational Resilience on Cybersecurity Ecosystem Blueprint, under which post-quantum cryptography migration was identified as a priority for Taiwan’s financial sector.
Quantum-related financial risks
Current public-key cryptographic systems support identity authentication, digital signatures, transaction verification, secure communications and data protection across the financial industry. Future quantum computers may weaken those systems and expose institutions to two principal risks:
- Harvest Now, Decrypt Later: encrypted information is collected today for decryption once sufficiently capable quantum technology becomes available; and
- Trust Now, Forge Later: digital signatures or certificates considered secure today may eventually be forged.
These threats could affect transaction integrity, confidential information, institutional connectivity and operational resilience.
Seven migration priorities
The FSC recommends that financial institutions:
- elevate quantum-related cryptographic risk to board and enterprise-risk level and establish a cross-functional migration team;
- create and maintain a Cryptographic Bill of Materials, linking cryptographic assets to business functions and external dependencies;
- develop crypto-agility so algorithms, certificates and security parameters can be replaced without major system redesign;
- coordinate migration across financial infrastructure providers, counterparties and other interconnected institutions;
- prioritise systems through quantum-risk and migration-complexity assessments;
- incorporate PQC readiness into procurement, outsourcing, vendor due diligence and contractual requirements; and
- establish testing, transition, rollback, monitoring and audit-documentation arrangements.
The FSC also identifies manual certificate management, weak cipher suites and hard-coded cryptographic keys as practices requiring early remediation.
Proposed implementation timetable
The Guide recommends a staged migration:
- 2026–2027: governance, cryptographic inventories and foundational crypto-agility;
- 2027–2029: pilot programmes, infrastructure upgrades and joint testing; and
- through 2035: migration of high-risk and critical systems, followed by broader implementation.
The timetable draws on international work undertaken by bodies including the United States National Institute of Standards and Technology, the G7 and the Financial Services Information Sharing and Analysis Center.
Implications for financial institutions
The Guide is presently a preparedness framework rather than a standalone mandatory technical standard. It nevertheless establishes a clear regulatory expectation that financial institutions should begin assessing quantum-related risks before existing cryptographic systems become vulnerable.
Boards and senior management should therefore consider PQC migration within cybersecurity governance, outsourcing oversight and operational-resilience planning. Institutions should also review whether existing technology contracts require vendors to support future algorithm changes, hybrid cryptographic solutions and migration testing.
A failure to maintain an accurate inventory of cryptographic dependencies may become a material obstacle to migration, particularly where institutions rely on legacy systems, cloud providers, outsourced infrastructure or interconnected payment and settlement networks.
Our observations
The FSC’s approach recognises that post-quantum migration is not a one-time technology replacement exercise. It is a multi-year governance, risk and supply-chain programme requiring coordination across the financial ecosystem.
Financial institutions should begin with the systems protecting long-lived confidential data, critical transactions and digital authentication. Early preparation will reduce the risk of rushed implementation, service interruption and dependence on vendors that are unable to support post-quantum standards.
Source: Taiwan Financial Supervisory Commission, Post-Quantum Cryptography Migration Reference Guide for the Financial Industry, announced on 18 June 2026.




