Thales demonstrates the post-quantum transition of 5G networks without replacing SIM

Thales has just demonstrated the remote update of post-quantum cryptographic algorithms on 5G SIM and eSIM cards already deployed, without interruption of service or equipment replacement. This mechanism addresses the central issue of the post-quantum transition for telecom operators. For CISOs and network architects, the key parameter is not (yet) the quantum threat itself, but the transition window that opens today on existing 5G infrastructures.

5G networks support use cases that, if compromised, could have devastating effects on critical infrastructures: emergency services, industrial networks, national communications. However, the asymmetric encryption methods currently deployed on these networks – RSA, ECDH – rely on mathematical problems that quantum algorithms such as Shor’s will be able to solve at scale, with an estimated timeline of less than fifteen years for cryptographically significant systems according to the US NIST. The question posed to telecom operators is not whether their infrastructures will have to migrate to post-quantum cryptography, but at what pace and cost this migration can occur without destabilizing production networks.

Cryptographic agility: responding to future threats

The mechanism Thales demonstrated is based on the concept of cryptographic agility: the ability of a device to substitute its security algorithms without hardware modification. Applied to 5G SIM and eSIM cards, this principle allows operators to deploy cryptographic updates across their active fleet according to the same model as a software update, remotely and centrally, without intervention on the terminal. For network architects, this changes the security lifecycle management model: cryptography ceases to be a fixed hardware property and becomes a parameter that can be managed over time.

The scope of this mechanism extends beyond the quantum threat. Cryptographic agility allows operators to adjust their protections as standards evolve, including in response to vulnerabilities discovered in algorithms currently in production. NIST finalized its first post-quantum cryptography standards in 2024, including CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures. The ability to deploy these algorithms on an existing fleet without hardware replacement mechanically reduces the time between the publication of a standard and its effective deployment on the network, a key parameter for companies managing long-lived infrastructures.

Thales positions this demonstration within its commitment to international standardization processes, notably at NIST. “The success of this demonstration proves that quantum-resistant security is no longer a futuristic concept: networks can start preparing for it today. By enabling remote updates, we help operators protect their clients and critical services without interruption,” said Eva Rudin, Vice President of Mobile Connectivity Solutions at Thales. This involvement in defining standards gives Thales an anticipatory position on future regulatory requirements, reducing the risk of divergence between deployed algorithms and current standards.

Update instead of replacement

For telecom operators, Thales’ demonstration shifts the issue of post-quantum migration from hardware replacement to software update management. An operator managing tens of millions of active SIM cards no longer needs to plan a physical fleet renewal cycle to meet post-quantum requirements. It can deploy the new algorithms through remote updates on a schedule aligned with regulatory constraints and network operation cycles. This change of model has direct budgetary implications, as the marginal cost of a cryptographic update on an existing fleet is structurally lower than that of large-scale hardware replacement.

For CIOs of organizations whose critical communications pass through private 5G networks or public networks – industry, healthcare, defense, energy – this demonstration raises an immediate governance question. Do framework contracts with telecom operators include cryptographic update clauses? Are the SIMs and eSIMs deployed on industrial IoT equipment and professional mobile terminals eligible for this type of remote update? The answers to these questions determine organizations’ ability to maintain compliance levels without engaging in costly hardware renewal cycles.

Thales, a standards-defining actor

Thales’ demonstration also establishes an industrial precedent for separating the hardware lifecycle from the cryptographic security lifecycle. If this decoupling becomes widespread across the 5G ecosystem, it changes the criteria for evaluating network equipment. The useful life of a SIM or eSIM will no longer be limited by the obsolescence of its cryptographic algorithms but by its hardware characteristics. For infrastructure architects, this parameter directly factors into TCO calculations for network deployment projects over a five to ten-year horizon.

Thales’ internal research on post-quantum cryptography, conducted by dedicated teams within the group and subject to NIST standardization processes, positions the company as a standards-defining actor. For companies evaluating their network security providers, this distinction is significant, as a provider involved in standard definition anticipates future requirements with a precision that third-party technology integrators cannot achieve.