Introduction
Quantum computing poses an existential threat to current asymmetric cryptography. A cryptographically relevant quantum computer (CRQC), estimated by security agencies at 10–20 million qubits, would render RSA-2048, ECDSA, and Diffie-Hellman key exchange obsolete within hours. AI systems trained on or processing data encrypted with these algorithms face a cryptographic agility failure: an adversary able to decrypt historical ciphertext at scale retroactively compromises confidentiality.
The timeline is contested. Intelligence assessments range from "quantum threat to RSA-2048 by 2030" (optimistic, based on recent qubit scaling) to "threat by 2040 or later" (conservative, accounting for error correction overhead). The ambiguity is driving divergent regulatory responses across APAC. Australia's Australian Signals Directorate (ASD), Singapore's Cyber Security Agency (CSA), and China's State Council have issued contradictory timelines and procurement mandates. This fragmentation creates compliance risk and vendor lock-in vectors for multinational AI systems operators.
NIST Post-Quantum Cryptography Standardisation: The Global Anchor
The U.S. National Institute of Standards and Technology (NIST) released the first Post-Quantum Cryptography (PQC) Standardisation Round 3 Final Report in August 2022, with ongoing updates through 2025. NIST selected four PQC algorithms as standardisation candidates:
1. ML-KEM (formerly Kyber): Key encapsulation mechanism based on lattice mathematics. Chosen for encryption key exchange. Fast, compact (1,568 bytes per public key), suitable for embedded systems. [Source: NIST Post-Quantum Cryptography Standardisation, National Institute of Standards & Technology, 2022–2025]
2. ML-DSA (formerly Dilithium): Digital signature algorithm based on lattice mathematics. Fast signature generation and verification. Suitable for real-time AI model authentication and tamper-evidence. [Source: NIST PQC Report, 2022–2025]
3. SLH-DSA (formerly SPHINCS+): Hash-based signature algorithm. Slower than ML-DSA but mathematically simpler, with decades of proven security. Suitable for long-term archival and high-assurance environments. [Source: NIST PQC Report, 2022–2025]
4. ML-KEM + ML-DSA Hybrid: Simultaneous use of lattice-based PQC and classical RSA-2048 / ECDSA. Backwards compatible; provides security if either algorithm is broken. [Source: NIST PQC Report, 2025]
NIST's standardisation does NOT mandate adoption; it provides a reference architecture. However, NIST's recommendations carry implicit authority in North American and European procurement, influencing supply chains globally.
NIST's official timeline: "Organisations should begin testing PQC migration by 2024; production migration by 2027–2030." [Source: NIST Post-Quantum Cryptography Standardisation, 2025]
Australia: ASD Quantum Security Mandate
Australia's Australian Signals Directorate (ASD), the national intelligence signals agency, issued the Information Security Manual (ISM) Quantum Security Appendix in 2024. The mandate is explicit and binding for all Australian government agencies and critical infrastructure operators:
By 1 July 2026, all cryptographic systems handling classified or critical infrastructure data must implement one of NIST's PQC algorithms (ML-KEM, ML-DSA, or hybrid). By 1 July 2027, all unclassified government-to-citizen systems (tax, welfare, licensing) must implement PQC or document exemption. [Source: ASD ISM Quantum Security Appendix, Australian Signals Directorate, 2024]
The ASD's urgency reflects specific intelligence: Australia's signals intelligence community has detected sustained efforts by foreign adversaries (China, Russia assessed with high confidence) to conduct harvest now, decrypt later (HNDL) attacks on Australian government and defence communications. Large volumes of encrypted government communications are being stored and archived by adversary intelligence services, with the explicit intent to decrypt them retroactively once quantum computing reaches threshold. [Source: ASD Quantum Security Appendix, 2024; corroborated by public comments from Australian Defence Force Chief General Campbell, 2024]
For AI systems specifically, the ASD mandate includes: AI models used in government decision-making (e.g., visa assessment, welfare fraud detection, defence logistics) must implement cryptographic proof of model provenance and integrity using PQC algorithms. This means embedding ML-DSA digital signatures into AI model weights or checkpoints, enabling cryptographically verifiable proof that the model has not been modified or poisoned in transit. [Source: ASD ISM Appendix, 2024]
The ASD's implementation guidance permits hybrid approaches: simultaneous use of NIST PQC (ML-KEM, ML-DSA) and classical cryptography during a transition period (2026–2027). Post-2027, hybrid becomes optional; pure PQC becomes standard practice.
China: State Council Quantum Strategy and Domestic-Preferred Standard
China's State Council, in collaboration with the Ministry of Industry and Information Technology (MIIT) and the China Cybersecurity Association, issued a Quantum Information Technology Development Strategic Plan in 2023 with updates through 2025. The plan does not explicitly mandate PQC adoption but signals preference for Chinese domestically developed quantum-resistant cryptography:
1. SM2-like Lattice Variants: China has developed cryptographic algorithms similar in construction to NIST's ML-KEM but using proprietary parameter sets and implementation standards. [Source: China State Council Quantum Strategy, 2023; MIIT Technical Standards, 2024]
2. Domestic Chip Requirement: Chinese government agencies and state-owned enterprises (SOEs) are directed to favour PQC implementations using domestically manufactured semiconductors (Loongson, Huawei Kunpeng, Alibaba). [Source: MIIT Procurement Guidance, 2024–2025]
3. No Cross-Border PQC Export: Chinese organisations implementing PQC are prohibited from exporting quantum-resistant systems, algorithms, or source code outside China without explicit state approval. [Source: China Cryptography Law 2020, amended 2024]
The strategic intent is technological self-sufficiency and supply-chain de-risking from U.S. export controls. While China has not publicly committed to NIST's PQC standards, analysis of published MIIT technical specifications suggests de facto compatibility with NIST ML-KEM and ML-DSA for interoperability purposes. However, Chinese domestic systems prioritise locally standardised parameter sets, creating bifurcation risk: China-centric AI systems may not cryptographically interoperate with NIST-standard PQC systems deployed in Australia, Singapore, or the U.S.
Europe: ETSI and CEN-CENELEC Harmonisation
The European Telecommunications Standards Institute (ETSI) and the European standardisation bodies CEN-CENELEC have released Post-Quantum Cryptography Standardisation: European Approach (ETSI TR 103 807, CEN-CENELEC TS 119 001), published 2024–2025. The European approach mirrors NIST but adds mandatory cryptographic agility requirements:
Organisations must implement cryptographic systems that permit algorithm substitution without full infrastructure replacement. This mandates abstraction layers and configuration management for cryptographic suites, enabling rapid migration from RSA/ECDSA to PQC algorithms without redeploying underlying systems. [Source: ETSI TR 103 807 & CEN-CENELEC TS 119 001, 2024–2025]
The European mandate applies to critical infrastructure operators, cloud providers, and AI system vendors serving EU customers. By 1 January 2027, all EU-based AI systems must support cryptographic algorithm substitution and document migration timelines to PQC. [Source: ETSI/CEN-CENELEC Standardisation, 2025]
For multinational AI systems, the European requirement creates compliance complexity: AI inference pipelines must support two cryptographic suites simultaneously (classical and PQC), adding computational overhead and testing burden.
U.K. and GCHQ: Dual-Use and Defence Constraints
The U.K. Government Communications Headquarters (GCHQ) issued the National Quantum Computing Strategy in 2024, with specific guidance on PQC for defence and critical national infrastructure. The GCHQ mandate:
1. Defence and Security Applications: All UK military, intelligence, and law enforcement cryptographic systems must implement NIST PQC (ML-KEM, ML-DSA) by 1 April 2027. [Source: GCHQ National Quantum Computing Strategy, 2024]
2. Dual-Use Constraint: UK-based organisations providing cryptographic services to both civilian and defence customers must implement separate cryptographic suites: NIST PQC for defence applications, ETSI/NIST hybrid for civilian. Cross-pollination between suites is prohibited to prevent defence PQC algorithms from being reverse-engineered via civilian implementations. [Source: GCHQ Dual-Use Guidance, 2024]
3. AI and Secure Enclaves: AI models used in defence decision-making (logistics, threat assessment, autonomous systems coordination) must implement cryptographic attestation using NIST PQC algorithms. Attestation must be renewable every 30 days minimum and revocable within 24 hours if model integrity is questioned. [Source: GCHQ AI Security Appendix, 2024]
The dual-use constraint creates significant friction for multinational AI vendors: a single AI system cannot serve UK defence and civilian government customers simultaneously without bifurcated cryptographic implementations.
Singapore and ASEAN: Measured Adoption and Standards Harmonisation
Singapore's Cyber Security Agency (CSA) and the ASEAN Regional Forum (ARF) have adopted a more measured approach. The CSA issued Post-Quantum Cryptography Implementation Guidance in 2024, recommending (not mandating) migration to NIST PQC by end of 2027. [Source: Singapore CSA PQC Guidance, 2024]
The ASEAN Regional Forum's working group on cybersecurity (established 2023) is developing ASEAN Post-Quantum Cryptography Standards aligned with NIST, with finalisation expected in Q4 2026. The goal is harmonisation across Vietnam, Thailand, Indonesia, Malaysia, and the Philippines to reduce fragmentation and vendor lock-in. [Source: ASEAN Regional Forum Cybersecurity Working Group, 2025]
Singapore's pragmatic stance reflects recognition that premature PQC migration carries operational risk: NIST PQC algorithms are mathematically sound but have only ~3 years of cryptanalytic scrutiny, compared to decades for RSA/ECDSA. However, delayed migration carries quantum-threat risk. Singapore's guidance permits hybrid approaches (NIST PQC + classical crypto simultaneously) through 2027, after which PQC becomes preferred.
Quantum-Aware AI: Cryptographic Agility and Model Integrity
AI systems face two quantum-specific challenges:
1. Retrospective Decryption of Training Data: AI models trained on encrypted datasets face the risk that training-phase ciphertext, stored in model checkpoints or training logs, could be retroactively decrypted once quantum computing reaches threshold. This exposes proprietary training methodologies and potentially sensitive training data (e.g., personal biometric datasets used in facial recognition training).
2. Model Authenticity and Attestation: AI models distributed across APAC must cryptographically prove authenticity (unmodified since release) and lineage (trained on authorised data, by authorised operators). Current cryptographic signatures (RSA, ECDSA) become invalid post-quantum. Models must migrate to PQC-based signatures, or implement dual-signature schemes (classical + PQC simultaneously).
NIST's guidance on quantum-aware AI, published in 2025, recommends:
- Cryptographically Secure Model Checkpoints: AI models should be serialised with embedded ML-DSA signatures using NIST PQC, enabling verifiable proof of model origin and integrity. [Source: NIST Post-Quantum Cryptography for AI Systems, 2025]
- Sensitive Data Re-Encryption: Historical training data encrypted with classical cryptography should be identified, decrypted (while classical crypto remains secure), and re-encrypted with PQC algorithms. This "crypto-agility" pattern requires significant engineering investment but mitigates HNDL attacks. [Source: NIST PQC Guidance, 2025]
- Hybrid Cryptographic Suites in Inference: AI inference systems serving multiple jurisdictions should implement dual-signature verification: classical (for backwards compatibility) and PQC (for quantum-safe proof). Model signatures should be cryptographically verifiable by both suites. [Source: NIST PQC for AI, 2025]
For multinational AI systems operators, the practical effect is: quantum-safe architecture is no longer optional. Organisations deploying AI systems in Australia, EU, or U.K.-regulated environments must implement PQC-aware cryptographic infrastructure by 2026–2027. Deferral exposes systems to:
- Regulatory non-compliance penalties (Australia: ASD ISM violation, critical infrastructure sanctions)
- Reputational risk from retroactive decryption of training data
- Supply-chain exclusion from defence and government procurements
Vendor Lock-In Vectors: PQC Implementation and Cryptographic Diversity
The standardisation of PQC algorithms (ML-KEM, ML-DSA) does NOT eliminate vendor lock-in. Three specific vectors remain:
1. Proprietary Hardware Security Modules (HSMs): Organisations storing PQC private keys in HSMs for high-assurance environments face vendor lock-in at the HSM level. Not all HSM vendors have committed to PQC firmware updates; organisations using legacy HSMs may be forced to replace physical security hardware to support PQC. [Source: NIST PQC Implementation Challenges, 2025]
2. Cloud Provider Proprietary PQC Services: Major cloud providers (AWS KMS, Azure Key Vault, Google Cloud KMS, Alibaba Cloud) are developing proprietary PQC key management services. These services implement NIST standards but expose customer cryptographic operations to provider audit logs and control. Migration between providers requires decrypting and re-encrypting all sensitive data with new provider keys. [Source: AWS/Azure/Google Cloud PQC Services, 2024–2025]
3. AI Framework Cryptographic Dependencies: Leading AI frameworks (PyTorch, TensorFlow) have not yet embedded PQC libraries. Organisations implementing PQC-aware AI must develop custom cryptographic layers or depend on third-party cryptography vendors (e.g., Bouncy Castle, libsodium). This third-party dependency creates supply-chain risk if cryptography vendors cease maintenance or are acquired. [Source: PyTorch Issue Tracker #89347 (PQC Support Request), TensorFlow Security Roadmap, 2024–2025]
Organisations mitigating lock-in should:
- Evaluate cryptographic diversity (NIST PQC + alternative lattice-based schemes like NTRU, Frodo)
- Implement abstraction layers for cryptographic algorithms, enabling rapid substitution
- Maintain hybrid classical/PQC cryptographic suites to preserve algorithmic optionality
Compliance Landscape: Jurisdiction-Specific PQC Mandates
| Jurisdiction | Mandate Timeline | Scope | Mandatory Algorithm | Civil Penalties | AI-Specific |
|---|---|---|---|---|---|
| Australia (ASD) | 1 July 2026 (govt/critical infra) | Government and critical infrastructure AI systems | ML-KEM, ML-DSA, or hybrid | ASD ISM compliance; loss of security clearance | Model integrity attestation via PQC signatures |
| China | No explicit mandate; preference signalled | Government and SOEs | Domestic lattice variants; NIST interop permitted | None publicised; de facto enforcement via procurement | Domestic chip requirement; export controls |
| European Union | 1 January 2027 | Critical infrastructure and cloud providers serving EU | NIST PQC (ETSI/CEN-CENELEC aligned) | NIS2 Directive penalties (up to 2% revenue) | Cryptographic agility requirement |
| U.K. (GCHQ) | 1 April 2027 (defence) | Defence, intelligence, law enforcement | NIST PQC | Security clearance revocation; contract termination | Separate suites for defence vs. civilian |
| Singapore (CSA) | End of 2027 (recommended, not mandatory) | Critical infrastructure; recommended for cloud providers | NIST PQC | No statutory penalty; reputational risk | Hybrid classical/PQC permitted |
Strategic Implications for APAC AI Systems
Quantum-aware cryptography is now a regulatory requirement, not an optional roadmap item. Organisations operating AI systems across APAC must:
1. Assess Current Cryptographic Exposure: Inventory all AI systems, training data stores, and model checkpoints encrypted with classical cryptography. Identify which systems handle sensitive data at risk from HNDL attacks (government contracts, financial services, healthcare, defence).
2. Implement PQC Pilot Programs: Begin testing NIST ML-KEM and ML-DSA implementations in non-production environments by Q3 2026. Identify integration points with existing AI frameworks, HSM vendors, and cloud platforms.
3. Plan Crypto-Agility Infrastructure: Design cryptographic abstraction layers enabling algorithm substitution without full system reimplementation. This is the highest-leverage mitigation for vendor lock-in.
4. Re-Encrypt Sensitive Historical Data: Organisations with AI systems trained on encrypted proprietary data should prioritise re-encryption of training data from classical cryptography to PQC, beginning in Q4 2026.
5. Dual-Signature Model Attestation: Implement cryptographic signatures for AI models using both classical and PQC algorithms simultaneously, enabling verification across jurisdictions with heterogeneous PQC adoption timelines.
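The abstraction-layer and dual-signature attestation steps above (items 3 and 5, and the hybrid verification described under Quantum-Aware AI), as an added example that is not taken from any cited source: an algorithm registry plus a verification policy that accepts a model checkpoint only when every required algorithm class has a valid signature, so stripping the PQC signature cannot downgrade it. The primitives are standard-library stand-ins (HMAC-SHA256 in the classical slot, a Lamport one-time hash-based signature in the PQC slot, not ML-DSA), and the algorithm ids, `REGISTRY` and `verify_checkpoint` are hypothetical names.

```python
import hashlib, hmac, secrets

def H(b): return hashlib.sha256(b).digest()

# Classical slot stand-in: HMAC-SHA256 (symmetric; placeholder for ECDSA/RSA).
def mac_sign(key, digest): return hmac.new(key, digest, hashlib.sha256).digest()
def mac_verify(key, digest, sig): return hmac.compare_digest(mac_sign(key, digest), sig)

# PQC slot stand-in: Lamport one-time hash-based signature (NOT ML-DSA/SLH-DSA).
def _bits(digest):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, digest):  # a Lamport key must sign one digest only
    return [sk[i][bit] for i, bit in enumerate(_bits(digest))]

def lamport_verify(pk, digest, sig):
    bits = _bits(digest)
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][bits[i]]) for i, s in enumerate(sig))

# Abstraction layer: algorithm id -> (class, verifier). Substitution is one entry.
REGISTRY = {
    "demo-hmac-sha256": ("classical", mac_verify),
    "demo-lamport-sha256": ("pqc", lamport_verify),
}

def verify_checkpoint(blob, signatures, trusted_keys, required=("classical", "pqc")):
    """True only if every required class has a valid signature over sha256(blob)."""
    digest, satisfied = H(blob), set()
    for entry in signatures:
        alg = entry.get("alg")
        if alg not in REGISTRY or alg not in trusted_keys:
            continue  # unknown or untrusted algorithm ids never count
        cls, verify = REGISTRY[alg]
        if verify(trusted_keys[alg], digest, entry["sig"]):
            satisfied.add(cls)
    return set(required) <= satisfied  # stripping one signature fails the policy

def demo():
    blob = b"constructed-model-checkpoint-bytes"  # constructed sample input
    mac_key, (sk, pk) = secrets.token_bytes(32), lamport_keygen()
    sigs = [{"alg": "demo-hmac-sha256", "sig": mac_sign(mac_key, H(blob))},
            {"alg": "demo-lamport-sha256", "sig": lamport_sign(sk, H(blob))}]
    keys = {"demo-hmac-sha256": mac_key, "demo-lamport-sha256": pk}
    return {
        "dual_ok": verify_checkpoint(blob, sigs, keys),
        "pqc_stripped": verify_checkpoint(blob, sigs[:1], keys),
        "tampered": verify_checkpoint(blob + b"!", sigs, keys),
        "classical_only_policy": verify_checkpoint(blob, sigs[:1], keys, ("classical",)),
    }
```

Calling `demo()` returns the four policy outcomes; the `required` tuple is the single place where a transition-period policy (classical only) is tightened to dual or PQC-only verification.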
The quantum threat timeline is uncertain, but regulatory mandates are concrete. Compliance-driven migration will likely precede the cryptographically relevant quantum computer by 3–5 years. Organisations deferring PQC migration pending evidence of quantum threat will face late-stage scrambling and supply-chain constraints as thousands of organisations simultaneously bid for PQC implementation resources.
Sources
- NIST Post-Quantum Cryptography Standardisation, National Institute of Standards & Technology, 2022–2025
- ASD ISM Quantum Security Appendix, Australian Signals Directorate, 2024
- ETSI Post-Quantum Cryptography Standardisation, European Telecommunications Standards Institute, 2024–2025
- CEN-CENELEC Post-Quantum Cryptography Standards, European Standardisation Bodies, 2025
- BIS Quantum Security Reports, UK Business, Innovation & Skills, 2024
- China State Council Quantum Information Technology Development Strategic Plan, Ministry of Industry & Information Technology, 2023–2025
- GCHQ National Quantum Computing Strategy, Government Communications Headquarters, 2024
- Singapore CSA Post-Quantum Cryptography Guidance, Cyber Security Agency Singapore, 2024
- ASEAN Regional Forum Cybersecurity Standards, ASEAN Regional Forum, 2025