4 months. No disruption. No application changes.

Banco Sabadell proved something most financial institutions are still questioning:
You can validate post-quantum TLS in a real banking environment, without introducing operational risk.

In partnership with QuSecure and Accenture, the bank tested quantum-safe TLS on customer-facing infrastructure in just four months.

As a result, the U.S. Securities and Exchange Commission cited the pilot as a benchmark for industry-wide adoption.

Read the full QuSecure Banco Sabadell Case Study 2026

Why This Matters Now

Today, security and network leaders are not questioning whether post-quantum cryptography is coming. Instead, they are focused on how to move forward safely.

At the same time, several constraints are in play:

• Limited visibility into where cryptography is used

• No tolerance for downtime

• Ongoing coordination challenges across teams

Meanwhile, regulatory expectations continue to evolve, and cryptographic risk continues to grow.

Because of this, the core issue is clear.

How do you move forward without introducing risk to critical systems? Banco Sabadell approached this question directly.

The Challenge

In financial services, encryption touches nearly every part of the environment.

This includes:

• customer-facing applications

• authentication and session layers

• transactions and payment systems

• third-party integrations

As a result, any change to cryptography carries real implications. Teams must consider application dependencies, operational coordination, and system stability.

For this reason, many organizations delay action.

However, Banco Sabadell chose a different path. They focused on one key question: Can post-quantum TLS be validated safely before committing to broader change?

What Banco Sabadell Did

To answer that question, the team narrowed their scope.

They focused on a single, high-impact system: Their customer-facing web portal.

Next, they replicated production infrastructure in a controlled lab environment. This allowed them to test post-quantum TLS under realistic conditions using QuProtect R3™.

Approach

First, they applied protection at the network layer.
No application changes were required.

Then, they updated encryption to quantum-safe algorithms, including at the time NIST candidates such as Kyber.

At the same time, they enabled crypto agility. This allowed administrators to change algorithms quickly using a graphical interface.

In parallel, they tested multiple TLS configurations. This helped them understand performance tradeoffs.

Finally, they measured real-world behavior. Performance, stability, and system response were all evaluated.

What They Proved

As the pilot progressed, several outcomes became clear.

• You can move quickly
  The full pilot was completed in four months.
  This fits within a standard enterprise planning cycle.
• You can avoid disruption
  There was no impact to customer-facing systems.
  Operational stability was maintained throughout.
• You do not need application changes
  No rewrites or redeployments were required.
  This reduces dependency on engineering teams.
• It works in real environments
  Testing was conducted on infrastructure that mirrors production.
  This provides confidence beyond theoretical models.
• Performance remains stable
  Testing confirmed minimal impact on application communications.
  Customer experience was preserved.

As a result, the U.S. Securities and Exchange Commission (SEC) cited the pilot as a benchmark for how financial institutions can move forward. Learn more here. 

Why This Changes the Decision

Given these results, the path forward becomes clearer.

First, organizations do not need to wait for complete visibility. A controlled pilot allows teams to learn while progressing.

Second, production systems do not need to be put at risk. Validation can occur in a replicated environment.

Third, large-scale coordination is not required to begin. Security and network teams can lead early efforts.

Finally, a multi-year commitment is not necessary to get started. A pilot creates a practical entry point.

What This Means for Financial Institutions

Based on this approach, there is a clear way to move forward.

Start with a pilot in a controlled environment.
Then focus on critical systems such as customer-facing infrastructure.
At the same time, begin building crypto agility.
This ensures the ability to adapt as standards evolve.

In addition, early validation creates measurable progress. This becomes important as regulatory expectations increase.

Read the full QuSecure Banco Sabadell Case Study 2026