Global Standards, Regional Variants: Designing for PQC Across Jurisdictions
As quantum computing accelerates, organizations can no longer treat cryptographic migration as a distant technical task. Dr Richard Searle of Fortanix explains how confidential computing and a software-first model enable enterprises to adopt post-quantum cryptography (PQC) rapidly while maintaining control, compliance, and agility. He describes how Fortanix integrates standardized PQC algorithms within trusted execution environments to protect data in use, at rest, and in motion, providing a verifiable layer of defense against quantum-era threats. Richard clarifies that crypto agility, not a one-off migration, is the real target, enabling algorithm rotation and policy enforcement as new standards evolve. He also outlines how global companies must account for regional algorithm preferences, such as those emerging in Europe and Asia, without fragmenting global operations. Through examples from finance and technology sectors, he highlights how auditability, attestation, and workload geolocation now define compliance readiness across DORA, GDPR, and CNSA 2.0 frameworks. The discussion reinforces that migration is as much about policy, inventory, and evidence as it is about cryptography itself. The lesson is direct: begin the transition now, build measurable posture, and design architectures that can adapt before regulators and attackers dictate the timeline.
What You’ll Learn:
How confidential computing underpins a secure execution base for PQC migration.
Why crypto agility, not one-off migration, defines long-term resilience.
How to manage regional algorithm differences while maintaining global compatibility.
How attestation, geolocation, and immutable logs turn compliance into proof of control.
The role of inventory management and performance assessment in sequencing PQC rollout.
How to balance human approval with machine-based cryptographic execution through APIs.
Why finance and technology are leading sectors in post-quantum adoption.
Why starting now lowers cost, builds capability, and prevents a rushed, regulator-driven scramble.
Dr Richard Searle is the Chief AI Officer at Fortanix, a global leader in confidential computing and data security. He leads Fortanix’s strategy at the intersection of cryptography, AI security, and post-quantum readiness, helping enterprises protect data across hybrid multi-cloud environments. With a background in systems engineering and safety-critical design, Richard brings more than two decades of experience in building secure, compliant, and resilient systems for both private and public sectors. Before becoming Chief AI Officer, Richard served as Fortanix’s Vice President of Confidential Computing and played a pivotal role in advancing the company’s confidential computing platform, which secures data in use through trusted execution environments. He has also served as the Chair of the End-User Advisory Council and General Members’ Representative to the Governing Board of the Confidential Computing Consortium under the Linux Foundation.
A Doctor of Business Administration from Henley Business School, University of Reading, Richard continues to contribute to research in AI and defense security. He serves as Principal Investigator for Fortanix within the U.S. NIST AI Safety Institute Consortium (AISIC) and the UK Integrated Quantum Network (IQN) Hub. Known for his clarity and discipline in security architecture, Richard focuses on helping global enterprises design for crypto agility, regulatory assurance, and quantum-safe innovation.
Your Roadmap to Quantum Resilience
[03:14] Step 1: Establish a Confidential Computing Base
Quantum resilience begins with protecting what matters most, which is “data in use.” Richard explains how trusted execution environments create an invisible shield around sensitive workloads, keeping information safe even while it is being processed. Fortanix’s software-first foundation allows this protection to extend across cloud and on-premises systems, without the delays of hardware dependencies. Establishing this base gives enterprises the confidence to deploy new algorithms, test PQC performance, and maintain control wherever their data flows.
Key Question: Which of your workloads process the most sensitive data and need in-use protection today?
[05:45] Step 2: Design for Crypto Agility from Day One
Every organization entering the quantum era must prepare for change. Richard highlights the need to design systems that can adapt by rotating algorithms, refreshing keys, and updating parameters through policy rather than rebuilds. This mindset transforms cryptography from a fixed asset into a flexible service that evolves alongside emerging standards. By embedding agility from the start, enterprises can move with the pace of regulation and innovation instead of reacting to it.
Key Question: How easily can your teams change algorithms when new standards arrive?
[09:10] Step 3: Plan for Regional Algorithm Variants
Global operations demand awareness of regional differences in cryptographic policy. While NIST drives the global baseline, Europe and Asia are advancing their own approaches, such as Classic McEliece and FrodoKEM, to strengthen local sovereignty. Fortanix addresses this diversity through a single control plane that can manage multiple algorithms while maintaining unified governance. Organizations that prepare for regional variance today will stay compliant and operationally aligned as new mandates emerge.
Key Question: Are your policies ready to accommodate regional algorithm choices without breaking global consistency?
[16:15] Step 4: Turn Compliance into Evidence
Compliance becomes a source of trust when it can be proven. Richard shows how attestation and workload geolocation enable enterprises to demonstrate exactly where and how data was processed. Immutable logs and signed records create a transparent audit trail, satisfying frameworks like GDPR, DORA, and CNSA 2.0. This approach shifts compliance from a reporting exercise to a living proof of security discipline and accountability.
Key Question: Can you present verifiable proof of control, location, and authorization for sensitive workloads?
[19:22] Step 5: Inventory, Evaluate Performance, and Sequence by Exposure
A strong migration plan begins with visibility. Richard outlines how teams can build an accurate inventory of keys, certificates, and machine identities, then analyze which are most exposed or critical to business continuity. Fortanix’s data security platform supports this assessment, enabling phased implementation that balances performance with risk. By starting with the systems that face customers and regulators, organizations gain both resilience and credibility in their transition to PQC.
Key Question: Which high-exposure services in your organization should move first toward PQC?
[21:01] Step 6: Govern with Humans, Execute with Machine Identities
As automation expands, clarity of control becomes vital. Richard describes how Fortanix maintains human oversight through quorum approvals while allowing machine identities to perform cryptographic operations within defined boundaries. This structure preserves accountability and enables scale, empowering secure automation for code signing, data exchange, and AI workflows. True governance lies in this balance: human intent directing machine execution through policy and precision.
Key Question: Where can you introduce automation that enhances control rather than replacing it?
Episode Resources
Richard Searle on LinkedIn
Fortanix Website
Johannes Lintzen on LinkedIn
PQShield Website