Post-Quantum Cryptography Is Coming to eSIM Infrastructure

Quantum computing has a PR problem. It’s either framed as a near-mythical breakthrough or dismissed as a decade-away abstraction.

Both framings miss the actual risk, which is already here, and which directly touches eSIM infrastructure.

Thales, one of the heavyweights in eSIM provisioning and SIM manufacturing, recently published a detailed technical position on this. It deserves more attention than it’s getting.

Because their argument isn’t speculative. It’s operational.

Harvest Now, Decrypt Later

The attack vector Thales flags is called “Harvest Now, Decrypt Later” (HNDL).

The premise is straightforward: adversaries intercept and store encrypted data today, wait for quantum computers powerful enough to crack current encryption (most estimates put that 10–15 years out), then retroactively decrypt everything they’ve collected.

For most industries, this is a problem that can be managed gradually.

For eSIM infrastructure, it’s different. It’s immediate.

The Profile Package Download — the digital transmission that moves your mobile identity from an SM-DP+ server to a device — is the attack surface.

If that transmission is intercepted today and cracked later, the consequences aren’t just historical.

Attackers could obtain master keys that allow them to impersonate you on the network and access your historical communications. The breach isn’t contained to one moment in time.

It unravels backwards.

What Thales Is Actually Shipping

Thales isn’t theorizing.

Their latest Remote SIM Provisioning (RSP) update introduces Hybrid Post-Quantum Cryptography to the secure tunnel used for internet data transmission.

“Hybrid” is the operative word. It layers next-generation quantum-safe mathematics on top of today’s existing standards, rather than replacing them outright.

They’ve also significantly increased key lengths, raising the computational cost of any brute-force attack.

The immediate practical effect is clear: once device OEMs update the LPA (Local Profile Assistant) software to support PQC compliance, any profile download from a Thales platform gains quantum-resistant protection.

Importantly, this doesn’t require hardware replacement.

That’s not a trivial distinction.

Given that IoT devices using eSIM often operate in the field for 15+ years — smart meters, industrial sensors, connected vehicles — the ability to push cryptographic upgrades without physical intervention matters enormously.

The Gap That Remains

Thales is clear-eyed about what this doesn’t solve.

Securing the internet transport layer neutralizes HNDL attacks on the network side, but doesn’t address more sophisticated threats operating at the device level — malicious software with access to the device itself.

Closing that gap requires end-to-end cryptographic protection.

And that requires industry-wide alignment.

Thales is currently leading a multi-stakeholder effort to revise the GSMA SGP.22 standard — the core specification governing consumer eSIM provisioning — to incorporate full PQC requirements.

This is the long game.

Getting RSP platform providers, OEM manufacturers, and eSIM makers aligned before quantum capability catches up.

Where Alertify Stands — and What the Industry Needs to Watch

Thales isn’t alone in recognizing the quantum threat, but they are moving faster than most on implementation.

NIST finalized its first set of post-quantum cryptographic standards in 2024, giving the industry a clear technical foundation. Companies like IBM and Google are already experimenting with quantum-safe infrastructure.

The question now is adoption velocity.

Compared to other infrastructure-level eSIM players — Kigen, IDEMIA, Giesecke+Devrient — Thales is staking an early position on PQC as a competitive differentiator, not just a compliance checkbox.

That’s a meaningful signal.

In a market where provisioning platforms increasingly compete on trust and enterprise-grade security, not just throughput or pricing, being early here carries real weight.

For travel eSIM providers, this layer of the stack remains largely invisible.

They rely on SM-DP+ infrastructure operated by players like Thales or their carrier partners. Their security posture, in a quantum-threat scenario, is largely inherited.

That’s not a weakness.

It’s how the ecosystem is structured.

But it does mean something important.

As quantum-safe provisioning becomes an enterprise expectation, the players closest to infrastructure will define trust.

The travel eSIM space is still maturing on that front.

Which makes this the right moment to start paying attention.

Conclusion

The real shift here isn’t quantum computing.

It’s that telecom is being forced to think long-term.

Not in data packages. Not in pricing models.

But in decades.

Because the uncomfortable truth is simple: the data being transmitted today may still matter when today’s encryption no longer holds.

And when that moment comes, the market won’t reward the cheapest.

It will reward those who were prepared.

Driven by wanderlust and a passion for tech, Sandra is the creative force behind Alertify. Love for exploration and discovery is what sparked the idea for Alertify, a product that likely combines Sandra’s technological expertise with the desire to simplify or enhance travel experiences in some way.