“As a deeply digitised society, Estonia must lead in adopting quantum-safe technologies.”
Cybernetica has been awarded three strategic procurements by the Estonian government to lead the nation's transition of e-governance systems to post-quantum cryptography (PQC).
As quantum computing technology advances, traditional cryptographic systems, including RSA and elliptic curve cryptography (ECC), face unprecedented vulnerabilities. Estonia's core digital technologies currently depend on traditional cryptography vulnerable to quantum computers, including eID solutions (ID-card, Mobile-ID, and Smart-ID), public key infrastructure, the X-Road data exchange platform, public e-services, and even the Internet voting system. This threatens both national security and public trust in digital services. "Presently, the systems are secured and there’s enough time to begin transition to PQC, since no quantum computers exist, yet. However, it is impossible to know precisely when one is going to be manufactured, there are only predictions. Which is why it is important to begin transitioning as early as possible," said Dan Bogdanov, Cybernetica’s Chief Scientific Officer. "Cybernetica has been very invested in researching PQC since 2017 and we have a very clear picture of the transitioning process."
Recent developments emphasise the urgency of this transition. A 2025 study by Google researcher Craig Gidney suggests that breaking 2048-bit RSA encryption could require as few as one million qubits – a milestone that may be closer than previously anticipated. Given the need to protect documents with decades-long confidentiality requirements, the transition to quantum-resistant cryptography must begin as soon as possible.
Cybernetica's procurement wins encompass three projects that form a comprehensive approach to quantum-proofing Estonia's digital state.
1. National post-quantum roadmap
Cybernetica will develop Estonia's national roadmap for transitioning to post-quantum cryptography. This strategic framework will guide government agencies and public sector organisations through the complex process of upgrading their cryptographic infrastructure. "The research community might re-evaluate these results in the near futuure, however, it is clear that there has been a remarkable development of quantum Computers and quantum algorithms. Given the fact that we have to protect documents that must remain confidential for decades, the transition to PQC cannot be postponed to an unknown period of time," Bogdanov explained.
The roadmap development process consists of three phases: conducting a cryptographic inventory of existing systems, creating detailed transition plans with clear timelines and priorities, and implementing these plans across Estonia's digital infrastructure. According to the company’s CTO Arne Ansper, building on Cybernetica's experience from the X-Road hash function migration fifteen years ago – when MD5 and SHA-1 were replaced with SHA-512 – this initiative tackles a far more complex and multifaceted challenge.
It is worth mentioning that several global organisations have compiled migration guidelines and best practices, including ETSI, Post Quantum Cryptography Coalition, and the British National Cyber Security Centre.
2. Quantum-proofing the Population Register
The Population Register (Rahvastikuregister) is an important part of Estonia's e-governance infrastructure. Cybernetica will assess its quantum-related risks, evaluate the system's readiness for PQC implementation, and provide clear guidelines for maintaining and enhancing security. This work includes mapping the register's architecture, analysing data flows, examining cryptographic components in the context of quantum threats, and evaluating the applicability and expected impact of PQC solutions.
The goal is to ensure that the Population Register remains secure against quantum computing threats while maintaining system reliability and interoperability with other e-government components. This project serves as a model for securing other critical national databases and services.
3. Lifecycle research of cryptographic algorithms
Cybernetica will update and modernise the comprehensive 2021 report "Cryptographic Algorithms and Their Support in Libraries and Information Systems," which was previously updated in 2023. The new version will expand its scope to include the latest developments in PQC adoption across various protocols, standards, and applications. It will incorporate findings from the national PQC roadmap and Population Register projects, providing an essential resource for public sector organizations, policymakers, e-service developers, and users.
This research aligns with the Ministry of Defence's cryptographic assessment capability program to avoid duplication and ensure coordinated national efforts.
The quantum-safe future of Estonian e-governance
Estonia's core digital technologies currently depend on traditional cryptography vulnerable to quantum computers, including eID solutions (ID-card, Mobile-ID, and Smart-ID), public key infrastructure, the X-Road data exchange platform, public e-services, and even the Internet voting system. These three projects will provide the foundation for protecting these critical systems.
The European Union's NIS Cooperation Group has established 2030 as the deadline for high-risk use cases to transition to quantum-resistant cryptography, with medium-risk cases following by 2035. Similarly, the U.S. National Security Agency requires quantum-resistant algorithms in all new products and services starting in 2027. Cybernetica's work positions Estonia to meet or exceed these international benchmarks.
"As a deeply digitised society, Estonia must lead in adopting quantum-safe technologies," said Arne Ansper. "These three projects will create a comprehensive approach to secure Estonia’s digital infrastructure for the quantum era. For complex systems like the ID card, mobile phone based digital signatures and Internet voting, new technology and even new research will be needed. Cybernetica is committed to ensuring that e-governments that rely on our systems remain trustworthy, secure, and resilient against tomorrow's threats."
To learn more about Cybernetica's stance on PQC and what we can do for you, take a look at our whitepaper!