The Substrate Problem
A frontier offensive-AI model and a falling estimate of what breaks financial cryptography are correlated, system-wide risks — filed as IT, not stability.
The claim
The thing that makes a risk macroprudential is not that it is large. It is that it is correlated — that many institutions fail in the same way at the same time because they share an exposure. A maturity mismatch at one bank is that bank’s problem; the same mismatch across a funding market, snapping shut on the same morning, is a system’s problem. Supervision is organised around finding those shared exposures and stress-testing what happens when they crystallise together.
There is a class of shared exposure the framework does not look at this way, because it files it under operational risk and operational risk under IT. The financial system runs on a thin, concentrated layer of common substrate: a handful of core-banking platforms, a few cloud providers, a small set of security-tooling vendors, one public-key infrastructure underneath authentication almost everywhere. A flaw in any of those is a correlated exposure across every institution standing on it, and that correlation is the systemic content. Two developments in 2026 made the point concrete, and both are currently treated as engineering questions rather than stability ones. That treatment is the categorisation error this piece is about.
One disciplining caveat governs everything that follows, and I would rather state it once, plainly, than dress it up. In both cases the threat is, today, better evidenced on paper than in the world: demonstrated in controlled settings, or estimated on the page, but not executed against hardened financial infrastructure at scale. I mark claims as established, plausible, or speculative throughout, because the distance between those three is the analysis. The two cases are also not symmetric, and I will not pretend otherwise — the first is the live, uncertain one everyone is talking about; the second is slower-moving but far more certain in direction. They are weighted accordingly.
Case 1: offensive capability is outrunning the cadence of supervisory testing
In the first week of April 2026, Anthropic published a model it declined to sell. Claude Mythos Preview was presented not as a product but as a capability judged too sensitive for ordinary release: a system that finds previously unknown software vulnerabilities and writes working exploits for them with limited human direction. Rather than ship it through an API, Anthropic restricted it to a vetted consortium of around fifty organisations under a programme called Project Glasswing, and reported that in its first month it had surfaced more than ten thousand high- or critical-severity flaws. For nearly two months not one European bank, regulator or government could use it; on 1 June, after the European Commission flew officials to San Francisco, Anthropic agreed to admit the EU’s cybersecurity agency, ENISA, to the programme. The manner of that admission — a bilateral concession in response to a direct ask, rather than the exercise of any European instrument — is itself part of the argument here, and I will come back to it.
The precise capability claim matters, because the overclaimed version invites dismissal and the defensible version does not. What is established: the UK’s AI Security Institute, evaluating the model independently, found it the first to complete a thirty-two-step simulated intrusion — reconnaissance through to full network takeover — that AISI estimates at around twenty expert-hours, and found it able to discover and exploit vulnerabilities autonomously in controlled settings. What AISI states with equal clarity, and what bounds the claim: those environments were small, weakly defended, and lacked the active defenders, segmentation and endpoint tooling of a real enterprise network. The defensible statement is therefore narrow. A model has shown benchmark-tier offensive capability against soft targets. It has not been shown to defeat a hardened, actively defended bank at scale. Everything systemic downstream is conditional on that benchmark-to-production gap closing, which is plausible, not established.
Set against this is the one long-run resilience series the field has.

Mandiant’s global median dwell time — the days an intruder sits undetected inside a network after breaking in — has fallen from 416 in 2011 to the low teens. It is worth being exact about what that shows, because it is easy to misread. Dwell time is measured after a breach succeeds; it captures how fast defenders notice an adversary already inside. Autonomous vulnerability discovery acts before the breach, compressing the work of finding and weaponising a flaw, which raises the probability and frequency of initial compromise. Those are different phases of an attack, and a model that writes a zero-day in minutes changes nothing about dwell time once an attacker is in. So the series says nothing about attacker-side compression. What it does show is narrower and still useful: defence has a measurable cadence, won over a decade against human adversaries at human speed. The open question is whether the pre-intrusion phase is about to move on a timescale that cadence was never set against.
There is a specific supervisory exposure here, though it is narrower than earlier versions of this argument implied, and worth scoping precisely. The Digital Operational Resilience Act’s threat-led penetration testing regime, built on TIBER-EU, is intelligence-led and largely tests the post-compromise contest: given a foothold, can the institution’s defenders detect lateral movement, privilege escalation and exfiltration. A faster initial breach vector does not, by itself, degrade that — the red team can simply begin from the assumed breach, and the blue-team detection it certifies stays comparable. So the honest version is not that AI breaks threat-led testing. It is twofold and smaller. First, AISI’s own ranges show these models executing the whole chain autonomously, including the lateral movement and escalation that TLPT exists to test, which raises the question of whether a red team that lacks frontier tooling is exercising the blue team against the speed and breadth the real adversary now brings. Second, and this is the durable point, an EU red team operating below the offensive frontier — because the most capable tooling is access-restricted — tests against a weaker adversary than the one that exists, and certifies detection against that weaker adversary. That is a calibration concern about the realism of the exercise, not a claim that the instrument is broken; it is one supporting strand, not the load-bearing one.
What actually carries the case is the trend, and here the evaluator is explicit. AISI found a second model, from a different developer, reaching the same tier weeks after the first, and concluded the capability is emerging as a byproduct of general improvements in autonomy, reasoning and coding — with further increases expected “in quick succession.” That is the systemic content: not one fenced tool, but a frontier that is moving, broadening across developers, and only contingently access-restricted.
The scope of the claim has to be drawn carefully, because the obvious rebuttal is correct as far as it goes. Most of a European bank’s defensive patching is inherited: global vendors fix a flaw once and push it everywhere, and several of those vendors — Microsoft, Google, AWS, CrowdStrike, Cisco — sit inside the Glasswing consortium. A better red-team tool does not let a bank rewrite a vendor’s source code; it cannot fix what only the vendor can fix. So the margin that matters is not patch distribution, where Europe is largely fine. It is the residual window between a frontier-grade flaw being exploitable and the vendor’s fix arriving — the interval in which detection, containment and response, not patching, are the only defence. That residual window is exactly where first-party capability and testing realism decide the outcome. The claim is not that Europe cannot defend itself. It is that the supervisory exercise certifying it can detect a frontier intrusion may be calibrated, through restricted access to the best offensive tooling, to an adversary slower and narrower than the one that now exists.

The access picture sits behind this, and it should be stated as documented participation rather than absolute exclusion. Per Wall Street Journal and Bloomberg reporting: the consortium is mainly US-based; the NSA had access through earlier arrangements; Anthropic’s proposal to widen the group from around fifty to around a hundred and twenty organisations was blocked by the Trump administration, citing misuse risk and concern that broader access would dilute the federal government’s own use. Euro-area finance ministers met in Brussels on 4 May to discuss the lack of European access; the negotiations that followed ran for weeks without result, until the Commission sent officials to San Francisco and, on 1 June, Anthropic agreed to admit ENISA. That outcome is worth reading carefully rather than as simple closure. Europe obtained access to a capability that can be used against its own infrastructure not through any instrument it holds — the AI Act regulates deployment inside the Union and cannot compel an American firm to grant access to a model that sits outside it — but through a bilateral concession secured by travelling to ask for one. A single agency inside a testing consortium is also not a supervisory regime with standing access. So the asymmetry was real and it was contingent: it lasted under two months, then bent to a flight and a request, which says both that the fence was never structural and that Europe’s leverage ran through diplomacy rather than through the regulatory apparatus meant to govern operational resilience.
That reading was overtaken within weeks: in mid-June the US, citing national-security authorities, issued an export-control directive suspending all foreign-national access to Mythos and Fable (its guardrailed public release), forcing Anthropic to disable both for every customer, ENISA’s new access included — Anthropic disputes the basis and says it is working to restore service. Inside six weeks European access went from withheld, to granted by concession, to suspended by a US national-security order that no European instrument could reach or reverse.
The hinge: transient or structural?
That question — passing condition or standing feature — is where the macroprudential weight of Case 1 turns, and I do not think it is currently answerable. The evidence points both ways.

The case that the frontier keeps tilting starts with compute. Frontier training compute has grown roughly four-to-five-fold a year since 2010; my fit to Epoch AI’s frontier-model series returns 4.6×. Extended to 2030, that reaches about 10²⁹ floating-point operations — close to where Epoch’s own analysis puts the ceiling of what electricity can deliver, power binding ahead of chips and data. So one reading is an established trend running into a plausible physical ceiling: the offensive frontier plateaus, and the asymmetry is transient.
The counter-case is not weak. DeepSeek-V3 reached near-frontier capability at perhaps a tenth of the compute of its contemporaries, for a reported final-training-run cost of around $5.6 million — a figure that excludes prior research and ablations and has been widely misreported as total project cost. If algorithmic efficiency keeps improving — Epoch estimates roughly a halving of the compute needed for fixed capability every nine months — a power ceiling on training need not cap capability, because capability can be bought with cleverness instead of electricity. The qualification cuts back toward transience: efficiency has its own diminishing returns, and a power limit is physical in a way ingenuity is not. Neither side is settled.
And DeepSeek is Chinese, which dissolves the clean “fenced by Washington” story rather than complicating it. If frontier-adjacent offensive capability can be reached for single-digit millions outside the US, the consortium’s control is contingent and probably temporary, which is the reason I will not call the asymmetry structural. The fencing is real now; efficiency diffusion is why it may not last; the implication is multipolar rather than US-favouring. That contradiction is better made the argument than hidden: Case 1 is acute and quite possibly transient, and should be sized as such.
One corroboration keeps the near-term reading alive. AISI evaluated OpenAI’s GPT-5.5 on the same battery and placed it in the same tier — the second model to complete the thirty-two-step intrusion, marginally ahead on some narrow metrics. Two labs reaching the same capability independently is harder to contain than one. The same caveat governs throughout: these are benchmark environments without active defenders, so what is established is benchmark-tier capability while the operational threat stays speculative. The gap between the two is the room in which red-team standards and model-assisted defence have time to adapt, slowly but not at zero.
Case 2: the loss is created at capture, not at decryption
The quantum threat is mostly hype, and for most of its advertised uses the skepticism is earned. The physicist Sabine Hossenfelder has put the sharp version: across finance, logistics, chemistry and materials, quantum computing has consistently failed to convert a theoretical advantage into a practical one, and the lone clear exception is codebreaking. For a financial-stability reader that is the load-bearing simplification — it sets aside the portfolio-optimisation claims that rarely survive their implementation costs and isolates the one capability with a systemic payoff: breaking the public-key cryptography that protects stored data and underpins authentication.
That capability splits into two channels, and collapsing them — or waving the threat away as “just privacy” — misses half of it. Google’s March 2026 post setting its own migration deadline draws the line precisely: the threat to encryption is present today through harvest-now-decrypt-later, while the threat to digital signatures and authentication is a future one that must be fixed before a cryptographically relevant machine exists.
The first channel is confidentiality.

An adversary who captures encrypted traffic or an archive today can store it and read it whenever a capable machine arrives; for data whose confidentiality must outlast that arrival, the loss is booked at capture, not decryption. This is the one place a time-separation genuinely does analytical work that concentration alone does not — the exposure and its crystallisation are split across an interval no one can date. A risk officer will rightly push back, and the answer concedes before it holds: not everything is harvested, storage and targeting cost money, and much traffic already uses forward secrecy and short-lived keys. So the channel is real but selective — the marginal exposure concentrates in high-value, long-horizon, poorly-rotated stores: custody records, certain pension and mortgage books, sovereign archives. That is narrower than “the loss is fully booked,” and it is the defensible claim.
The second channel is integrity and availability, and the obvious version of it is wrong. It is tempting to say a quantum computer could forge clearing instructions and inject fraudulent payments. It could not, at least not that way: core interbank messaging and real-time gross settlement rely heavily on symmetric message authentication, which Shor’s algorithm does not break and which a larger key handles. Mass-forging a TARGET2 instruction is not the threat. The exposure is one layer down, in the asymmetric public-key infrastructure that authenticates endpoints, establishes secure channels, issues the certificates counterparties trust, and signs the software updates institutions install. That PKI is pervasive across financial infrastructure — it is what the sector’s own post-quantum migration guides catalogue first — and it is what a cryptographically relevant machine breaks.
The realistic systemic event is not silent, prolonged impersonation; it is more likely a forced halt. Once a certificate hierarchy is known to be breakable, the rational response is to revoke trust in the compromised roots, at which point connections fail closed: secure channels drop, handshakes are refused, and institutions fall back to out-of-band verification and manual settlement. How far that propagates depends on which trust anchors are shared across how much critical infrastructure — existing revocation procedures, segmented trust and out-of-band fallbacks are precisely the controls that would bound it — so the plausible range runs from messy-but-contained disruption to something much wider, rather than an automatic continent-scale outage. But the direction is a denial of service on the trust layer rather than a quiet looting of the system, which is the more credible worry: a system that has lost confidence in its own certificates stops rather than continues corrupted. The integrity exposure lives in the narrower, nastier windows around that halt — the period before the break is recognised, and the migration itself, in which a maliciously signed software update or a forged endpoint certificate could be accepted as genuine before trust is rebuilt on quantum-safe foundations. Either way the point holds against the “just privacy” dismissal: this is an attack on the availability and integrity of market infrastructure, not a data-protection matter, and it is why the migration cannot wait for the machine, even though, unlike harvesting, this channel only opens once the machine exists.
The hardware reality is the counterweight to any sense of imminence.


The estimated physical-qubit cost of factoring a 2048-bit RSA integer has fallen roughly a thousandfold in thirteen years, to under a million in Craig Gidney’s 2025 analysis — and the whole fall is algorithmic and error-correction progress at fixed hardware assumptions, not hardware improving. Yet demonstrated hardware is nowhere close, and the gap is not the one the headlines imply. Industry quotes qubit count, on which Quantinuum’s ninety-four logical qubits look within reach of the fourteen hundred required. But those ninety-four are error-detected — a distance-two code that spots an error and discards the run rather than correcting it and continuing — while the attack needs roughly fourteen hundred error-corrected qubits at code distance near twenty-five, holding integrity through a week of computation. On count and code distance together, every demonstration sits in one corner and the region the attack requires is empty.
The two windows are not the same width. The quantum gap — distance-two detection against distance-twenty-five sustained correction — is wide, plausibly many years. The cyber gap is narrow: the capability exists now, and only operational generalisation is in question. A supervisor faces a fast near-term exposure in Case 1 and a slow but directionally one-sided one in Case 2 — directional not in the sense that Q-Day has a knowable date, which it does not, but that the case for migrating strengthens monotonically as resource estimates fall and embedded dependencies stay hard to inventory. They call for different instruments.
What makes the slow exposure pressing despite the wide window is the migration, not the machine.

Past cryptographic migrations took nine to thirteen years from first warning to broad completion — and those were comparatively easy, near-drop-in replacements for algorithms already known broken. SHA-1’s full federal removal lands in 2030, twenty-four years after the first warning. Post-quantum migration is harder on every axis: larger keys, protocol changes, hardware dependencies, and the unglamorous problem of finding where cryptography is embedded at all. Measured from the 2024 NIST standards, the EU roadmap allows six years to its 2030 high-risk deadline and eleven to full transition in 2035, against a historical base rate north of a decade for an easier task. The honest qualification is that history is a guide, not a forecast: post-quantum migration is also better coordinated, more standardised and more policy-salient than those earlier episodes, which could compress it — or the embedded-cryptography problem could prove worse than any precedent. The base rate frames the risk; it does not settle it.
That a builder of quantum computers is migrating early is the revealed-preference tell, handled carefully. In March 2026 Google set its own internal post-quantum deadline at 2029, ahead of the EU’s high-risk target, citing hardware progress, error-correction advances and the falling factoring estimates. This is not a prediction that a cryptographically relevant machine is near; Google makes none, and neither will I. It is evidence of how much margin a sophisticated actor wants between its defences and a threat it cannot date — conservative private timing under deep uncertainty, not a forecast of Q-Day.
Why the frameworks miss both
The apparatus that should hold these exists and is, on paper, substantial. DORA governs operational resilience and incident reporting; the TIBER-EU regime tests it; the ESRB runs a systemic-cyber framework and a pan-European coordination arrangement for systemic cyber incidents; and the coordinated post-quantum roadmap sets 2026, 2030 and 2035 milestones. Most importantly for the argument here, DORA’s central third-party pillar is already a concentration instrument: the European Supervisory Authorities published their first list of designated Critical ICT Third-Party Providers in November 2025 — nineteen of them, hyperscale cloud, core-banking platforms, data-centre operators — and took direct oversight powers over each, with designation turning explicitly on systemic impact, concentration of reliance, and substitutability. So the framework can see provider concentration, and a piece claiming otherwise would be arguing against its own evidence. But CTPP designation operates at the level of the provider — whether a given critical supplier is systemically important and runs its own house well. It is not built to capture what happens to that provider’s clients together, nor to see the cryptographic layer at all. The gap is not that the framework is blind to concentration. It is narrower, and it lies in two places the CTPP regime does not reach.
The first is the difference between provider concentration and correlated lag — and getting the mechanism right means being precise about where lag actually lives, because not all shared dependencies have it. When a flaw is in a hyperscaler’s managed platform — its hypervisor, a managed database — the provider patches it on the back end and the fix propagates across every client at once, with no client-side action and no window to exploit. That layer concentrates risk but does not lag. The correlated-lag exposure lives in a different layer: distributed software and security agents that each client must deploy itself, and on-premise packages that must be patched one estate at a time. There the same flaw sits exposed across every institution running the dependency, on a correlated clock, during the window before each deploys the fix. The shape of the danger is not hypothetical: the July 2024 CrowdStrike incident, in which a single faulty update to a near-ubiquitous endpoint agent grounded airlines, hospitals and banks within the same hours, was a correlated-failure event through exactly this channel — a shared software dependency, deployed everywhere, failing synchronously. CTPP oversight supervises whether the provider behind such an agent runs its own house well. It does not measure the synchronous exposure of all that agent’s financial-sector clients in the window a frontier-grade flaw is live, because that exposure is a property of the system’s topology rather than the provider’s governance, and it falls between the provider-facing CTPP lens and the firm-facing supervision of each client, seen whole by neither. The second gap is that none of this apparatus has remit over the cryptographic substrate. CTPP criticality is about ICT-service continuity, not about which signature schemes underpin which certificate hierarchies, nor about sequencing a migration so that shared trust anchors do not all reach their deadline unmigrated together. The post-quantum roadmap sets dates but does not own cross-institutional cryptographic concentration. So the formulation is not that no one is looking — it is that provider concentration is supervised, while correlated lag in the distributed-software layer and cryptographic concentration, the two properties that actually synchronise a failure, are currently owned by no single mandate.

That is what makes this macroprudential rather than a pile of firm-level IT problems, and it is a coordination-and-visibility failure across mandates rather than a total blind spot. Firm-by-firm supervision does not, on its own, reliably reveal a system-wide exposure: each institution inventories its own dependencies, tests against its own scenarios, and migrates its own cryptography on its own schedule, and the property that matters — concentration plus correlated lag across the whole estate — is the one no single filing contains. The framework already knows this shape from funding markets. It has built half the apparatus to see it in the substrate, in the CTPP regime, and not yet the half that would catch the synchronous failure.
What a supervisor should measure differently — and what would prove me wrong
The practical content is not a forecast. It is a sequence, and the order matters, because the obvious objection to everything above is fair: if this is really macroprudential, where is the operational equivalent of a capital buffer or a liquidity coverage ratio — the hard instrument, not another reporting form? The answer is that the instruments exist in adjacent form and the binding constraint on using them is measurement. A liquidity coverage ratio was possible only once liquidity could be measured against a defined stress; the buffer came after the metric, not before. The substrate has no agreed metric yet, which is why the first asks are measurement asks — not as a substitute for hard tools, but as their precondition.
So, in order. First, require threat-led tests to record the realism gap they now carry: a TLPT attestation should state whether the red team had access to frontier-grade offensive tooling comparable to the assessed threat, so a certification of detection is read against a known adversary level rather than an unstated one. Second — the prescriptive one — require the ESRB’s systemic-cyber scenarios to carry an explicit autonomous-capability parameter and, for the quantum channel, a code-distance-progress assumption, with a public justification when either is omitted; operationally this means the scenario-design committee adds two named variables to an existing process rather than inventing a new exercise. Third, extend the CTPP regime’s concentration lens from the provider to the correlated-lag exposure of its clients in the distributed-software layer: cross-institutional dependency inventories and cryptographic inventories, the latter tagged by confidentiality duration and signature dependency, held by the authority whose mandate is the system rather than the firm.
And then the direction hard instruments would take — named so the thesis is not just dashboards, but flagged as direction rather than ready policy, because the trade-offs here are real and partly adverse. Once correlated-lag exposure is measurable, the analogue to a large-exposure limit is an operational concentration limit — a ceiling on how much of a critical function the system routes through a single dependency. The honest objection is that infrastructure is not fungible the way capital is: you cannot tell a bank it has “hit its hyperscaler limit” without telling it to stop, and a naive mandate to run core systems actively across two clouds can worsen resilience by doubling the attack surface and multiplying configuration error. So the feasible version is not forced active multi-provider; it is measured concentration thresholds that trigger heightened oversight and tested exit and fallback capability — closer to a supervisory add-on than a hard cap — and it applies most cleanly to the distributed-software layer where substitutability is real, not to the hyperscale oligopoly where it largely is not. The point of leading with measurement is that which of these is even feasible, and where, cannot be known until the concentration-plus-lag exposure is quantified. A limit set against an unmeasured exposure is arbitrary, and arbitrary limits are how good instruments get discredited.
And the kill criteria, because a piece arguing for supervisory attention should say what would retire the argument — in metrics a supervisor can actually read. The thesis weakens materially if a tracked frontier-model evaluation against hardened, actively defended environments (not benchmark ranges) shows the capability failing to generalise; if the share of tier-one institutions’ critical services concentrated in a handful of designated providers turns out low rather than high once the CTPP registers are mapped against each other; if post-quantum migration progress, measured against the historical nine-to-thirteen-year baseline, runs ahead of rather than behind schedule; or if the empty region in the logical-qubit chart stays empty while access to offensive models diffuses widely. Each is discrete and reportable. If they come back reassuring, the right conclusion is that the framework was adequate and the substrate belonged in the engineering domain after all.
The summary is plain. Two correlated exposures surfaced in 2026 that the resilience framework does not yet hold as stability concerns — one live and uncertain, one slow and directionally one-sided — and both turn systemic through a property the framework half-sees: it supervises provider concentration through the CTPP regime, but not the correlated lag or the cryptographic concentration that would actually synchronise a failure. In Case 1 the supervisor’s window is narrow and may be closing as the capability generalises or diffuses. In Case 2 it is wide, but the migration clock inside it is already short against the historical base rate. The cost of recognising this late is specific and not abstract: a single flaw in a shared dependency detected across the estate in the same week, or trust in a common certificate hierarchy failing closed during a stress window, is exactly the correlated event prudential supervision exists to prevent — and the one the substrate is currently arranged to produce. The instruments to measure it are a scenario parameter and a register away. The instruments to limit it are the ones the framework already owns, pointed at a layer it has not yet pointed them at. What is missing is not the tools but the decision to treat the substrate as load-bearing before the event that proves it was.
Paweł Fiedor — The Macro Prudential View
The views expressed are the author’s own and do not necessarily reflect those of any institution with which the author is or has been affiliated.
Sources: Anthropic, Project Glasswing announcement and Claude Mythos Preview, 7 April 2026 — https://www.anthropic.com/glasswing; UK AI Security Institute, Our evaluation of Claude Mythos Preview’s cyber capabilities, April 2026 — https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities; UK AI Security Institute, Our evaluation of OpenAI’s GPT-5.5 cyber capabilities, April 2026 — https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5-5-cyber-capabilities; Wall Street Journal, White House Opposes Anthropic’s Plan to Expand Access to Mythos Model, 30 April 2026 — https://www.wsj.com/tech/ai/white-house-opposes-anthropics-plan-to-expand-access-to-mythos-model-dc281ab5; Bloomberg, reporting on the reported private-forum access leak, April 2026 — https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users; Bloomberg, Anthropic to Give Mythos Access to EU Cybersecurity Agency ENISA, 1 June 2026 — https://www.bloomberg.com/news/articles/2026-06-01/anthropic-to-give-eu-s-cybersecurity-agency-access-to-mythos; Eurogroup, statement following the meeting of 4 May 2026 — https://www.consilium.europa.eu/en/meetings/eurogroup/2026/05/04/; Mandiant, M-Trends 2025 (global median dwell-time series, 2011–2024) — https://cloud.google.com/security/resources/m-trends; Mandiant, M-Trends 2026 (2025 dwell-time figure) — https://cloud.google.com/security/resources/m-trends; Epoch AI, frontier-models database and Can AI Scaling Continue Through 2030? — https://epoch.ai/data/notable-ai-models and https://epoch.ai/blog/can-ai-scaling-continue-through-2030; International Energy Agency, Energy and AI, April 2025 — https://www.iea.org/reports/energy-and-ai; DeepSeek-AI, DeepSeek-V3 Technical Report, arXiv:2412.19437 — https://arxiv.org/abs/2412.19437; C. Gidney, How to factor 2048-bit RSA integers with less than a million noisy qubits, arXiv:2505.15917 (2025) — https://arxiv.org/abs/2505.15917; C. Gidney and M. Ekerå, How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits, Quantum 5:433 (2021) — https://quantum-journal.org/papers/q-2021-04-15-433/; Quantinuum, Helios system results, March 2026 — https://arxiv.org/abs/2602.22211; Google Quantum AI, Quantum error correction below the surface code threshold (Willow), Nature, December 2024 — https://www.nature.com/articles/s41586-024-08449-y; Harvard/QuEra et al., Logical quantum processor based on reconfigurable atom arrays, Nature, December 2023 — https://www.nature.com/articles/s41586-023-06927-3; NIST, post-quantum cryptography standards FIPS 203/204/205, August 2024 — https://csrc.nist.gov/projects/post-quantum-cryptography; NIS Cooperation Group, Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, 2025 — https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography; Google, A timeline for post-quantum cryptography migration, 25 March 2026 — https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/; European Supervisory Authorities (EBA, EIOPA, ESMA), first designation of Critical ICT Third-Party Service Providers under DORA, 18 November 2025 — https://www.eba.europa.eu/publications-and-media/press-releases/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital; ESRB, systemic-cyber framework and EU-SCICF — https://www.esrb.europa.eu/news/pr/date/2022/html/esrb.pr.220127~f1548f677e.en.html; S. Hossenfelder, video commentary on quantum computing and cryptanalysis, 2025–26 — https://www.youtube.com/watch?v=N-9muK0mv5w&pp=ygUbc2FiaW5lIGhvc3NlbmZlbGRlciBxdWFudHVt & https://www.youtube.com/watch?v=qV7hQEtr3ic&t=2s&pp=ygUbc2FiaW5lIGhvc3NlbmZlbGRlciBxdWFudHVt. Chart data as cited in each figure; dwell-time series from M-Trends as above; logical-qubit and code-distance points from the Gidney, Quantinuum, Google and QuEra sources above.



