This is the longer read behind “Japan’s cryptography problem starts before quantum.”

IBM’s 2025 Quantum-Safe Readiness Index (published by the IBM Institute for Business Value) puts the global average organisation at 25 out of 100 on quantum-safe preparedness. That figure is alarming on its own. Japan FSI almost certainly scores below that average, and there are specific structural reasons why. Understanding those reasons is a prerequisite to any credible PQC advisory engagement in this market.

The baseline is worse than vendors assume

The typical large Japan FSI organisation has been managing PKI through NEC, Fujitsu, or Hitachi since the late 1990s. Certificate issuance was often handled as a project deliverable: a certificate was provisioned when a system was stood up, documented in a project binder, and then largely forgotten. The project team moved on. The certificate stayed, silently running, until it either expired, was replaced during a subsequent infrastructure refresh, or created an incident.

The result is that most large Japan FSI organisations have certificate estates they cannot fully describe. They know the certificates they provisioned in recent years under whatever certificate management tooling they currently run. They do not know with confidence what is running in the legacy environments: on-premises data centres, mainframe-adjacent systems, internal PKI islands built by different departments at different points over two decades.

Only 12% of organisations globally were running PQC pilots as of the HID PKI market study in 2026. In Japan FSI, the organisations doing PQC pilot work are measurable in single digits. The majority have not yet completed a CBOM, the cryptographic inventory that is the necessary precondition to any migration plan.

What CBOM discovery actually requires

A Cryptographic Bill of Materials is not a configuration export. You cannot run a script against your certificate authority and call it done. A real CBOM covers:

For an organisation with 20 years of PKI debt, producing this inventory is a six-to-twelve month engagement before any migration work begins. This is not a software sale. It is a professional services engagement that requires people who understand both cryptographic infrastructure and the specific way Japanese enterprise IT was built and maintained.

The incumbents’ conflicted position

NEC, Fujitsu, and Hitachi are the primary PKI infrastructure operators for most large Japan FSI environments. They issued most of the certificates. They built most of the internal CAs. They maintain the HSMs. Their institutional knowledge of these environments is, in many cases, irreplaceable.

They also have a significant commercial incentive to control the PQC migration narrative in their accounts. A CBOM that fully documents the complexity of the legacy environment is, simultaneously, an audit of the quality of their historical work and a procurement document that opens the migration opportunity to competitive tender. This is not a claim that these companies will deliberately obscure the picture. It is an observation that their incentives are not aligned with maximum transparency in the CBOM discovery process.

Independent CBOM advisory, engaging a party with no relationship to the incumbent PKI operator, is the correct procurement approach for any Japan FSI organisation that wants a genuine picture of its cryptographic estate.

The 47-day mandate: a collision in progress

The CA/Browser Forum’s reduction of maximum TLS certificate validity to 47 days, mandatory by 2029, is on a collision course with PQC migration for Japan FSI.

Here is why. PQC migration requires identifying which certificates use quantum-vulnerable algorithms (primarily RSA and ECDSA) and replacing them with PQC-compatible equivalents. Many of these certificates are in legacy systems where the renewal process is manual and the business impact of a certificate expiry incident is significant. The correct sequencing is: complete the CBOM, build automated certificate lifecycle management for the estate, then begin algorithm migration.

The 47-day mandate forces the automation of certificate renewal at scale before most organisations have completed their CBOM. Organisations that rush to deploy certificate automation without fully understanding their estate will provision automated renewal for the certificates they know about and continue to miss the ones they don’t. Those missed certificates will fail under the new validity regime, generating incidents that consume the same security operations capacity needed for PQC migration work.
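The CBOM discovery described earlier and the 47-day sequencing problem above, as an added example that is not from the original post or from Keyfactor: a Go scan that takes parsed X.509 certificates and records, per certificate, whether its public key algorithm is quantum-vulnerable and whether its validity window already exceeds the 47-day cap. The `Finding` schema, the `SelfSigned` helper and the hostnames are constructed for the example; anything Go cannot parse (including a PQC key) is flagged for manual review rather than guessed at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one CBOM record for a parsed certificate (hypothetical schema).
type Finding struct {
	Subject           string
	KeyAlgorithm      string
	KeyBits           int
	QuantumVulnerable bool // RSA, ECDSA, DSA and EdDSA all fall to Shor's algorithm
	NeedsReview       bool // key type Go could not identify: inspect by hand
	ValidityDays      int
	Exceeds47Days     bool // must be re-issued more often under the CA/B Forum cap
}

// Classify derives the CBOM record from one parsed certificate.
func Classify(cert *x509.Certificate) Finding {
	f := Finding{Subject: cert.Subject.CommonName, KeyAlgorithm: cert.PublicKeyAlgorithm.String()}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyBits, f.QuantumVulnerable = k.N.BitLen(), true
	case *ecdsa.PublicKey:
		f.KeyBits, f.QuantumVulnerable = k.Curve.Params().BitSize, true
	default: // DSA / Ed25519 are still classical; unknown OIDs need a human
		f.QuantumVulnerable = cert.PublicKeyAlgorithm != x509.UnknownPublicKeyAlgorithm
		f.NeedsReview = !f.QuantumVulnerable
	}
	f.ValidityDays = int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	f.Exceeds47Days = f.ValidityDays > 47
	return f
}

// SelfSigned builds a constructed test certificate with a fixed start date.
func SelfSigned(cn string, priv, pub any, days int) (*x509.Certificate, error) {
	start := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: start, NotAfter: start.Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	legacy, _ := SelfSigned("legacy-batch.example", rsaKey, &rsaKey.PublicKey, 398)
	modern, _ := SelfSigned("api.example", ecKey, &ecKey.PublicKey, 45)
	for _, c := range []*x509.Certificate{legacy, modern} {
		fmt.Printf("%+v\n", Classify(c))
	}
}
```

In a real estate the certificates would come from TLS endpoints, keystores and CA exports rather than being generated in-process; the classification logic is the same.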

The harvest-now-decrypt-later threat is not speculative

The rationale for urgency in PQC migration is not that quantum computers capable of breaking RSA-2048 exist today. They don’t. The rationale is that state-level actors are collecting encrypted traffic now, storing it, and planning to decrypt it when quantum capability matures. If the timeline to cryptographically relevant quantum computers is 5-10 years, which is the current consensus range, traffic being captured today will be decryptable within the window that matters for financial data.

MirrorFace, the Chinese state-aligned threat actor group, has been conducting campaigns against Japanese universities and think tanks since at least June 2024 — documented in joint advisories from Japan’s National Police Agency (NPA) and the Cabinet Secretariat’s NISC. The specific interest in Japanese research institutions, many of which have relationships with Japan FSI through research collaborations and advisory roles, is consistent with long-range intelligence collection rather than immediate exploitation. This is the harvest-now-decrypt-later model in operation. Japan FSI is a target environment, not a hypothetical one.

Keyfactor’s approach: sequencing matters

Keyfactor’s positioning in Japan is correct precisely because it starts with the CBOM and certificate lifecycle management layer rather than leading with PQC algorithm migration. The migration itself is a later-phase problem. The foundation problem (visibility, automation, and organisational process) is the immediate one, and it blocks migration regardless of which PQC algorithm eventually becomes the standard.

The NIST finalisation of PQC standards in 2024 (ML-KEM, ML-DSA, SLH-DSA) removes the “we don’t know what to migrate to” objection. The remaining objections are all about the estate visibility and renewal process foundation. That is where Keyfactor is competing, and it is the right competition to be in.

The G7 roadmap as a regulatory forcing function

The January 2026 G7 PQC financial sector roadmap is the clearest external forcing function on Japan FSI PQC timelines. G7 financial sector commitments are taken seriously by the FSA, which incorporates G7 standards into its own guidance cycle. FSA guidance becomes an expectation in examination conversations. Examination expectations become compliance programmes.

The organisations that have begun CBOM work and established certificate lifecycle management before the FSA’s next guidance update will be ahead of the compliance curve. The organisations that have not will face the familiar Japan FSI pattern of sudden urgency and compressed timelines when the regulatory requirement crystallises. The technology to address this exists now. The gap is the decision to start.
