Meridian

Technology

Banks Have Started Replacing Their Crypto. The Hard Part Is What Comes Next.

Why post-quantum migration looks easy on paper, and why the real cost is everywhere the decades-old code already lives.

By Priya ChenNovember 18, 20253 min read

Updated July 6, 2026

AI-generated 16:9 cover image for "Banks Have Started Replacing Their Crypto. The Hard Part Is What Comes Next.", covering cryptography, security, quantum, technology on The Meridian Hub.
Higgsfield Nano Banana Pro / The Meridian Hub generated cover

The standards bodies finished the work years ago. What is starting now is the long, expensive job of replacing the cryptography embedded in everything from VPN appliances to chip firmware.

Several large banks have begun piloting hybrid classical-post-quantum TLS for interbank traffic. The pilots are not at scale yet. But they are running, and that alone is a meaningful shift.

The bottleneck for broader adoption is, as always, the long tail of devices and libraries that have to be updated, recompiled, or in some cases retired.

Related reading: Two Foundries Just Eased the Constraint Behind Every AI Accelerator Shortage and Quantum Networking Just Quietly Reached Its First Real Customers.

The hard part about replacing cryptography isn't just the technology, it's the logistics. It’s like trying to replace all the light bulbs in a skyscraper without turning off power to any floor. You need new bulbs (code), but you also need ladders and spare parts, and someone has to climb each ladder at night.

Financial services moves first

The banks are taking the lead because they have the budget for it. But every device needs an update, which means a lot of work for IT teams. It’s not just about getting new software; it's also about making sure everything still works after you install it. The real challenge is figuring out how to do this without disrupting daily operations.

The operating question

When we talk about replacing cryptography, the first thing to look at isn’t the big announcement but the small details. It’s like checking if a new bridge can hold cars before opening it to traffic. Is there enough support for the changes? Do vendors have the parts in stock? Are users ready for the switch?

For companies and institutions in the Gulf, the practical impact usually appears in three places: planning assumptions, counterparties, and timing. When managers start pricing uncertainty into budgets, that’s a sign something is changing. If a vendor becomes harder to read or a regulator tightens rules, it affects how you do business. And if renewals stop following the old calendar, that means someone has to adjust their plans.

The system needs to prove itself after pilots end. That's when we can measure real impact. We need to see what data is collected and shared, because ownership tells us whether changes are real or just talk. Support, training, and fallback paths also matter; they separate surface-level movement from practical change.

For instance, does the new crypto reduce workloads or just move them elsewhere? If it affects customers directly, that’s a big deal. The proof is in how well it handles daily use after the pilot ends.

The next update should focus on evidence over adjectives. Useful signals include signed documents, changed service terms, revised guidance, delivery dates, pricing changes, customer notices, staffing moves, budget allocations, or repeated behavior over several weeks. Without these details, the story remains early-stage rather than settled.

In tech, durable change usually shows up through repeated behavior and clearer incentives over time. Until those signs appear, it’s best to be cautious and evidence-led. The real value is in asking better follow-up questions: check the claim, identify who owns it, watch for evidence, and keep conclusions open until facts are visible.

The hard part about replacing cryptography isn’t just getting new tools; it’s making sure everyone can use them without breaking anything. It’s a marathon, not a sprint, with lots of small steps along the way.

The daily digest

One email each morning, all the day’s reporting.