
Post-Quantum Cryptography Is Accelerating - Automotive Readiness Is Not


Insights from SBD Automotive’s industry-wide survey into crypto-agility and post-quantum cryptography adoption.


A few years ago, post-quantum cryptography in automotive cybersecurity felt like a future consideration:


“When quantum computers become relevant, what will we need to change?”


Today, the question is more urgent:


“Are the vehicles being designed now capable of surviving the cryptographic transition already beginning?”


That shift matters.

 

Google has now set a 2029 timeline for its own post-quantum cryptography migration, citing progress in quantum hardware, error correction and factoring resource estimates. Its announcement also makes clear that the risk is not limited to encryption. Digital signatures, authentication services and long-lived trust models are also in scope, all of which sit at the heart of modern connected vehicle security.


For automotive, this is not a distant technology story. It is a product lifecycle issue.


Vehicles launched in the late 2020s will still be operating well into the 2030s and beyond. They will rely on OTA updates, connected services, diagnostics, cloud authentication, vehicle identity, digital keys and supplier-provided software stacks. Many of these systems depend on cryptography that was never designed for a post-quantum world.


That is why SBD Automotive examined industry readiness for crypto-agility and PQC adoption through its latest automotive cybersecurity technology adoption questionnaire. The results show an industry that understands the risk, but remains divided on when and where to act.


Report 201 - Innovation Guide HY1 2025

 

PQC has moved from research topic to roadmap item

The timing of the post-quantum transition has changed.


NIST finalized its first three post-quantum cryptography standards in 2024: ML-KEM for general encryption, and ML-DSA and SLH-DSA for digital signatures. This removes one of the industry’s most common reasons for delaying action.


Until recently, many OEMs and suppliers could argue that PQC planning was premature. Algorithms were still moving through standardization. Toolchains were immature. Hardware support was unclear. Business cases were difficult to quantify. That argument is now weaker.


The standards are available. Major technology companies are moving. Google’s 2029 migration target gives the market a clear signal that the transition is entering an execution phase, not remaining in research.


For automotive, this creates a difficult timing problem. Vehicle development cycles are long, and a cryptographic decision made today can become a platform limitation for a decade.


Automotive is aware of the risk, but still waiting for clearer triggers

The survey results show a clear divide between “act now” and “wait and see.”

Some leading OEMs are already prioritizing PQC, particularly where long-term software update integrity, vehicle-to-cloud communications and connected services are involved. These organizations recognize that hardware launched today may not support future PQC requirements unless crypto-agility is designed in from the beginning.


Across the broader industry, however, adoption remains cautious. Many organizations still treat PQC as a 2030+ topic, with practical deployment pushed into future platform refreshes. In many cases, the challenge is not awareness. It is the absence of a near-term trigger strong enough to compete with cost pressure, software-defined vehicle delivery, regulatory compliance and supplier integration challenges.


That is understandable. It is also risky.


The automotive industry has seen this pattern before: technologies with difficult ROI, unclear ownership or long-term benefits are often postponed until they become unavoidable. PQC may follow the same path — but with less room for late correction.

 

Off-board communications are leading. In-vehicle domains are lagging

One of the clearest findings from the questionnaire is that PQC readiness is not uniform across the vehicle architecture.


Connected services and off-board communications are the most advanced. TLS, mTLS, backend APIs, cloud services and certificate-based authentication already benefit from more mature crypto-agility mechanisms. OEMs can test hybrid approaches, update server-side infrastructure and manage deployment risk more incrementally.


In other words, off-board communications provide the most realistic first step for automotive PQC adoption.


The picture changes inside the vehicle.

Secure boot, diagnostics and in-vehicle communication introduce much harder constraints: boot-time performance, memory footprint, ECU capability, HSM support, supplier dependencies, validation cycles and safety-related timing requirements. These are not simply software library decisions.


For secure boot, PQC signatures may be desirable, but not always feasible with today’s hardware in systems that require fast startup and predictable execution. For diagnostics, many organizations are still working through classical asymmetric authentication maturity before moving toward quantum-resistant approaches. For in-vehicle communication, basic challenges around key rotation, secure storage and message authentication still limit progress in many architectures.


This creates a sequencing challenge. OEMs cannot wait for every domain to be PQC-ready before beginning the transition. But they also cannot assume that lessons from cloud and connectivity will transfer directly into embedded vehicle systems.

 

Crypto-agility is the real near-term capability

The most immediate priority for automotive is not universal PQC deployment.

It is crypto-agility.


The questionnaire suggests that crypto-agility mechanisms exist in parts of the industry, but implementation remains inconsistent. This matters because PQC migration will not be a single algorithm swap. It will involve changes to key sizes, signature schemes, certificate chains, libraries, communication protocols, backend services, HSM capabilities, provisioning processes and supplier requirements.


That is a broader challenge than most programs currently budget for.

Google’s PQC messaging highlights encryption and digital signatures as distinct migration challenges. Store-now-decrypt-later attacks create a present-day confidentiality concern, while digital signatures require transition before a cryptographically relevant quantum computer becomes available.


Automotive has both problems.


Connected vehicle data may face long-term confidentiality exposure. At the same time, OTA updates, vehicle identity, diagnostics access, certificates and firmware authenticity depend heavily on signatures and trust chains. Some of those trust decisions are deeply embedded into vehicle platforms and supplier components.


This is why crypto-agility should be treated as an architectural capability, not a cybersecurity feature.


The question is not whether an OEM can deploy ML-KEM or ML-DSA in a lab. The question is whether the OEM can replace vulnerable primitives across a live vehicle ecosystem without redesigning the platform.



 

Hardware readiness could become the bottleneck

A recurring theme from the survey is that software-only confidence can be misleading.

Some OEMs believe they can manage PQC adoption through software updates when required. In some domains, that may be true. In others, it may not.


Efficient PQC libraries, hardware acceleration, secure element support, HSM readiness, certificate handling and memory availability will all shape what is practically deployable. This is especially important for long-lived vehicle platforms and resource-constrained ECUs.


The lesson is not to panic about immediate quantum attacks. It is to avoid building platforms that cannot migrate when the risk becomes operational.

 

Quantum progress is becoming harder to ignore

The post-quantum discussion is also being shaped by broader quantum computing progress.

Google’s Quantum Echoes announcement is a useful example. It does not mean current cryptography has been broken, but it does show quantum computing moving toward verifiable, application-oriented breakthroughs. Google reported that its Willow chip ran the Quantum Echoes algorithm 13,000 times faster than the best classical algorithm on one of the world’s fastest supercomputers.


This matters because perception drives roadmaps.


As boards, regulators, insurers, infrastructure providers and technology partners begin treating quantum readiness as a practical planning issue, automotive cyber teams will be asked a simple question:


“Where are we exposed, and how quickly can we migrate?”


Many organizations will not like the answer unless they start preparing now.

 

What this means for OEM and Tier-1 leaders

For vehicle platforms launching in the late 2020s, the likely reality is uncomfortable:

Secure connectivity may be in place. OTA may be operational. Diagnostics may be improving. Crypto-agility may exist in selected domains. But PQC readiness will remain patchy, dependent on architecture, supplier capability and hardware choices being made today.


On paper, these platforms may look cybersecurity-mature. In practice, their long-term resilience will depend on whether cryptographic transition was designed into the architecture early enough.

 

A few practical implications stand out:


  • Benchmarking matters. OEMs need an industry view to understand whether they are genuinely ahead or behind.


  • Supplier roadmaps matter. PQC adoption will depend on HSM vendors, silicon providers, Tier-1s, diagnostic toolchains, PKI providers and backend platform teams.


  • Domain prioritization matters. Connected services and off-board communications are likely to move first. Secure boot, diagnostics and in-vehicle communication need separate feasibility analysis.


  • Crypto-agility matters most. The industry does not need every ECU to become post-quantum tomorrow. It does need the ability to migrate without a platform redesign.

 

That is why SBD Automotive continues to invest in pre-competitive cybersecurity research: to help OEMs and suppliers move beyond intuition, benchmark against the wider market and make better security investment decisions before those decisions become urgent.


A closing question for the industry

If Google is targeting 2029 for PQC migration, and vehicles launching today will still be active long after that, how much longer can automotive treat post-quantum readiness as a future platform issue?


The answer will not be the same for every OEM, domain or supplier ecosystem. But one thing is becoming clear: organizations that wait for certainty may have the least flexibility when the transition accelerates.


Post-quantum cryptography is moving faster than many expected. Automotive readiness is not.

The risk is not that every vehicle needs PQC tomorrow. The risk is that vehicles being designed today may not be able to migrate when tomorrow arrives.


Nikolaos Pettas, SBD Automotive Cyber Security Consultant

How SBD can help

If you are an OEM, Tier-1, silicon provider or cybersecurity leader assessing crypto-agility, PQC adoption or long-term vehicle platform resilience, SBD Automotive can help benchmark your position against the wider industry and identify where action is needed most. To explore how these trends impact your strategy, architecture and supplier roadmap, get in touch with SBD Automotive for a deeper discussion. Email info@sbdautomotive.com 

