Post-Quantum Cryptography (PQC) readiness is increasingly constrained not by algorithm availability, but by cryptographic visibility, dependency complexity, and fragmented governance. This paper presents an anonymised case study of a large European critical service provider that initiated PQC readiness through a discovery-first strategy, using tool-supported cryptographic inventorying to establish an evidence-based baseline prior to migration planning. The discovery phase revealed systemic challenges, including distributed cryptographic ownership, uneven evidence quality across legacy and modern environments, and high dependency on third-party cryptographic roadmaps. To operationalise these findings, the organisation introduced a structured exposure register that enabled prioritisation based on asset criticality, confidentiality longevity, and migration feasibility. We argue that PQC discovery should be understood as a governance capability that stabilises organisational knowledge and converts cryptographic uncertainty into measurable accountability, supporting risk-based decision making and ecosystem coordination. The results contribute actionable lessons for institutions pursuing crypto-agility and resilience under post-quantum "harvest now, decrypt later" threat models.
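As an added illustration, not code from the paper or from the organisation it studies, the following Python sketch shows what a structured exposure register of the kind described above can look like: each entry is scored on asset criticality, confidentiality longevity and migration feasibility, with a Mosca-style "harvest now, decrypt later" check against an assumed horizon, and entries with unresolved ownership or weak evidence are flagged as governance gaps. The horizon, the criticality scale and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
# Assumed CRQC horizon in years (constructed; the paper states no figure).
CRQC_HORIZON_YEARS = 10.0

@dataclass
class Entry:
    asset: str
    algorithm: str                # classical primitive currently in use
    criticality: int              # 1 (low) .. 5 (high), assumed scale
    confidentiality_years: float  # how long the protected data must stay secret
    migration_years: float        # estimated time needed to migrate this asset
    owner: str                    # responsible team, "unknown" if unresolved
    evidence: str                 # "tool", "manual" or "vendor-roadmap"

def hndl_exposed(e: Entry, horizon: float = CRQC_HORIZON_YEARS) -> bool:
    # Mosca-style test: secrecy lifetime plus migration time beyond the horizon
    # means traffic harvested today can be decrypted before it stops mattering.
    return e.confidentiality_years + e.migration_years > horizon

def priority_score(e: Entry, horizon: float = CRQC_HORIZON_YEARS) -> float:
    # Higher means act sooner: criticality scaled by the years the
    # secrecy-plus-migration window overshoots the horizon (0 if it does not).
    overshoot = max(0.0, e.confidentiality_years + e.migration_years - horizon)
    return e.criticality * (1.0 + overshoot)

def rank_register(entries, horizon: float = CRQC_HORIZON_YEARS) -> list:
    return sorted(entries, key=lambda e: priority_score(e, horizon), reverse=True)

def governance_gaps(entries) -> dict:
    # Entries whose ownership or evidence cannot yet support a migration decision.
    gaps = {}
    for e in entries:
        reasons = []
        if e.owner == "unknown":
            reasons.append("unresolved owner")
        if e.evidence == "vendor-roadmap":
            reasons.append("depends on third-party roadmap")
        elif e.evidence == "manual":
            reasons.append("no tool-supported evidence")
        if reasons:
            gaps[e.asset] = reasons
    return gaps

# Constructed sample register; not data from the case study.
REGISTER = [
    Entry("customer-archive", "RSA-2048 key transport", 5, 15, 3, "platform-crypto", "tool"),
    Entry("public-website", "ECDHE P-256", 2, 0.5, 1, "web-team", "tool"),
    Entry("vendor-hsm-firmware", "RSA-3072 signatures", 4, 2, 6, "unknown", "vendor-roadmap"),
    Entry("legacy-batch-transfer", "3DES", 3, 8, 5, "mainframe-ops", "manual"),
]
```

Calling `rank_register(REGISTER)` orders the long-lived, high-criticality archive first even though its migration is short, while `governance_gaps(REGISTER)` surfaces the entries that need an owner or better evidence before they can be planned at all.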