As The Quantum Security Clock Ticks Down, Here’s a Post-Quantum Cryptography Guide For Business Leaders

Adversaries may already be collecting your encrypted data. The math protecting it won’t hold forever — and the window to act is narrower than most executives realize. Here’s a post-quantum cryptography guide to help.

Every time a company closes a deal, files a patent, transfers funds, or sends a strategic plan over email, that information is shielded by a mathematical lock. Crack the math, and the lock opens. For decades, cracking that math was considered impossible in any practical timeframe. Quantum computers are changing that calculation — and the threat isn’t waiting for the technology to fully arrive.

The question facing corporate boards, chief information security officers, and technology executives is no longer whether to prepare for quantum-enabled attacks. It’s whether they’ve already waited too long.

The good news is that standards are published, tools exist, and major technology companies are already deploying them. The bad news, however, is that cryptographic overhauls historically take a decade or more to complete, and the window is closing.

Why Quantum Computers Are Different

A conventional computer processes information as bits — each one a 0 or a 1. A quantum computer uses quantum bits, or qubits, which can exist as 0 and 1 simultaneously — a property called superposition. Three hundred qubits can theoretically represent more states at once than there are atoms in the observable universe.

That isn’t just a speed advantage. It’s a different kind of machine suited to specific mathematical problems — including, critically, the problems that underpin most of the world’s encryption.

The relevant algorithm was identified 30 years ago. In 1994, mathematician Peter Shor demonstrated that a sufficiently powerful quantum computer could factor very large numbers exponentially faster than classical machines. That single insight puts at risk RSA, elliptic curve cryptography, and Diffie-Hellman key exchange — three systems that collectively secure the majority of internet traffic, banking transactions, VPNs, software updates, and digital signatures in use today.

Current quantum machines aren’t there yet. IBM, Google, IonQ, and others operate devices with qubit counts ranging from dozens to more than a thousand. But raw qubit count isn’t the critical measure — fault-tolerant qubits are, and those require substantial error-correction overhead that today’s machines can’t yet provide reliably. The honest assessment is that these systems are powerful enough to take seriously, not yet powerful enough to break production encryption.

That gap is narrowing faster than expected. Three research papers published within a 12-month period through early 2026 sharply revised downward the estimated computing resources required to break standard encryption. Estimates for attacking RSA-2048 dropped from around 20 million physical qubits to potentially fewer than 100,000 under newer architectural approaches. The field has stopped debating whether a cryptographically relevant quantum computer will arrive. It’s debating when.

The Threat That’s Already Here

The most urgent problem for most organizations has nothing to do with what quantum computers can do today. It has to do with what adversaries can do right now.

The strategy is called “harvest now, decrypt later” (HNDL). Nation-state intelligence agencies and well-resourced criminal operations are collecting and storing encrypted data today — intercepting internet traffic, capturing secure communications, archiving whatever they can access — and waiting for quantum computing to mature. Storage costs have fallen far enough that retaining large volumes of intercepted data is economically viable for sophisticated actors.

Suspected data-harvesting operations have already surfaced. Keyfactor, a cybersecurity firm, has documented incidents consistent with this tactic: in 2016, Canadian internet traffic bound for South Korea was found to have been rerouted through China; a similar redirection of European mobile phone traffic was reported in 2019. Whether those incidents were HNDL operations can’t be confirmed, but the pattern fits.

A Federal Reserve study published in 2025 called the threat “present and ongoing” — not theoretical. Its analysis focused on Bitcoin’s permanent, public transaction ledger, whose digital signatures quantum computers are expected to threaten. No future algorithm upgrade can retroactively protect data that already exists in the open. The same logic applies to any sensitive information currently in transit or in storage.

The implication is concrete and immediate. Any organization handling information that must remain confidential into the 2030s — trade secrets, strategic plans, patient records, legal communications, proprietary algorithms — may already be exposed. Not at some future date. Today.

The Defense: Post-Quantum Cryptography

The primary response is post-quantum cryptography, or PQC. The name is slightly confusing because these algorithms run on ordinary classical computers. What makes them “post-quantum” is that they rely on mathematical problems that quantum computers are not known to solve efficiently. The security guarantee shifts from “too hard for today’s computers” to “appears too hard for any computer, classical or quantum.”

In 2016, the National Institute of Standards and Technology launched a global competition to identify and standardize such algorithms. After eight years and 82 initial submissions, NIST published its first three finalized standards in August 2024. A draft transition roadmap published by NIST in November 2024 (NIST IR 8547) sets a hard deadline of 2035 for federal systems to complete migration, with high-risk systems required to move much earlier.

The three finalized standards:

  • ML-KEM (FIPS 203) — Based on the CRYSTALS-Kyber algorithm, this replaces Diffie-Hellman and RSA key exchange in protocols like TLS and VPNs — the handshake that secures most web and corporate network traffic.
  • ML-DSA (FIPS 204) — Based on CRYSTALS-Dilithium, this replaces RSA and elliptic curve signatures for authenticating software updates, financial transactions, and digital identities.
  • SLH-DSA (FIPS 205) — Based on SPHINCS+, this provides a backup signature scheme using hash functions rather than lattice math — a deliberate hedge in case the lattice-based approach is later found vulnerable.

A fourth standard, FN-DSA (based on FALCON), is in final development as FIPS 206. A fifth algorithm, HQC, was selected for standardization by NIST in March 2025.

The standards come with real-world trade-offs. A post-quantum public key runs to roughly 1,184 bytes, compared to 32 bytes for an equivalent elliptic curve key — nearly 37 times larger. For software systems, that’s manageable. For embedded hardware with limited memory, it creates engineering challenges. Computational performance on modern hardware is generally comparable to existing algorithms, which limits disruption for most software upgrades.

Early enterprise deployment is already underway at scale. Apple integrated post-quantum encryption into iMessage in early 2024. Cloudflare reported in April 2026 that more than 65% of human internet traffic passing through its network is already protected by post-quantum methods, with full migration targeted by 2029. Google has set the same internal deadline. The NSA has mandated quantum-resistant algorithms for U.S. national security systems under CNSA 2.0, with full quantum resistance targeted by 2035.

Who Needs to Act, and How Urgently

Urgency varies by two factors: how long your data needs to remain confidential, and how sophisticated your likely adversaries are.

Government agencies and defense contractors face the most immediate exposure — classified communications collected today could potentially be decrypted within a decade. Financial institutions holding long-term strategies, merger plans, or proprietary trading systems face similar timelines. Healthcare organizations protecting patient records that must remain confidential for decades are also in the higher-priority tier.

Critical infrastructure — energy, water, telecommunications, transportation — presents a particular challenge. These sectors operate hardware with long replacement cycles and long data lifetimes. Updating them takes years, which is precisely why they need to start earlier.

The UK’s National Cyber Security Centre, which published updated migration guidance in June 2025, noted that PQC migration “will typically involve activity that spans multiple leadership cycles in most large organisations” and cautioned that “the total financial cost of PQC migration could be significant.” The NCSC expects cryptographic hardware roots of trust — hardware security modules and secure boot solutions — built to the new NIST standards to become widely available through 2025 and 2026, with hardware acceleration for PQC calculations improving in 2026 and 2027.

For organizations with shorter data sensitivity horizons, the calculus is different but the complexity is not lower. According to NIST’s own transition guidance, past cryptographic migrations have taken 10 to 20 years to complete at scale. The migration from the SHA-1 hashing standard to SHA-2 took more than a decade of coordinated industry effort. Post-quantum migration is generally considered more complex than any prior transition — because it isn’t a parameter adjustment. It’s a full replacement of the underlying mathematical systems.

Organizations that wait for the quantum threat to become publicly undeniable before acting may find they have already missed the practical window.

Key Deadlines at a Glance

Regulatory pressure is already materializing. Here are the mandated and expected milestones that should anchor any organization’s planning calendar — drawn from NIST IR 8547, NSA’s CNSA 2.0 framework, and Wiley’s February 2026 analysis of federal PQC transition plans:

  • Now: NIST urges all organizations to begin applying the three published standards immediately. In January 2026, as required by Executive Order 14306, CISA released its first list of product categories for which federal agencies should acquire only PQC-capable products.
  • 2027: The NSA requires all new national security systems to use quantum-safe algorithms under CNSA 2.0.
  • 2029: Google and Cloudflare have set internal deadlines to complete full PQC migration across their infrastructure.
  • 2030: NSA’s CNSA 2.0 requires full application migration for national security systems. Pre-shared and symmetric keys must be phased out for Department of War systems.
  • 2031: NIST will deprecate quantum-vulnerable algorithms with 112-bit security strength for federal civilian networks.
  • 2035: All quantum-vulnerable algorithms are disallowed for federal systems. NSA requires complete infrastructure migration for all national security systems.

What Organizations Should Do Now

The starting point is a cryptographic inventory — a systematic catalog of where cryptography is deployed across the organization. That means TLS/SSL connections, VPNs, encrypted databases, digital signatures, authentication systems, and embedded devices. The inventory identifies which algorithms are in use, what data they protect, and how long that data requires confidentiality.

Without this baseline, prioritization is guesswork. With it, organizations can apply a simple risk framework: data that becomes public within five years carries lower risk than information requiring 20-year confidentiality. Systems protecting long-lived sensitive data from sophisticated adversaries are candidates for earlier migration.
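The inventory and risk framework described above, as an added example that is not part of the article: a small Go classifier that takes a public key lifted from a certificate or key store (`cert.PublicKey` after `x509.ParseCertificate`), reports the algorithm and its classical security strength, and ranks the entry against the 2031 and 2035 NIST milestones using how long its data must stay confidential. The priority thresholds are this example's own mapping of those milestones, and the sample keys are generated in-line.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"time"
)

// rsaStrength gives the NIST SP 800-57 classical security strength for standard
// RSA modulus sizes; non-standard sizes map to 0 and should be reviewed by hand.
var rsaStrength = map[int]int{1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

// Priority applies the article's data-lifetime rule against the NIST IR 8547
// milestones: confidentiality needed past 2035 (vulnerable algorithms disallowed)
// is high, past 2031 (112-bit strength deprecated) medium, otherwise low.
// This mapping is the example's own reading of the milestones, not NIST text.
func Priority(horizonYears int, now time.Time) string {
	switch end := now.Year() + horizonYears; {
	case end > 2035:
		return "high"
	case end > 2031:
		return "medium"
	}
	return "low"
}

// Assess labels one inventory row: a public key (e.g. cert.PublicKey after
// x509.ParseCertificate) and the years its data must stay confidential. Every RSA
// and ECC key falls to Shor's algorithm; the strength reported is classical only.
func Assess(pub any, horizonYears int, now time.Time) (alg string, bits int, prio string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		alg, bits = fmt.Sprintf("RSA-%d", k.N.BitLen()), rsaStrength[k.N.BitLen()]
	case *ecdsa.PublicKey:
		alg, bits = "ECDSA "+k.Curve.Params().Name, k.Curve.Params().BitSize/2
	default:
		return "unknown: review manually", 0, "high" // fail closed on unrecognised key types
	}
	return alg, bits, Priority(horizonYears, now)
}

func main() {
	now := time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println(Assess(&rsaKey.PublicKey, 20, now)) // constructed: 20-year trade-secret archive
	fmt.Println(Assess(&ecKey.PublicKey, 3, now))   // constructed: 3-year public web certificate
}
```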

NIST’s guidance on “cryptographic agility” recommends building into all new deployments, from the start, the ability to update algorithms without replacing entire systems. The key architectural decisions that follow the inventory:

  • Direct migration: Which systems can move immediately to the NIST-standardized post-quantum algorithms with manageable engineering effort? Most software-based systems running modern hardware are candidates.
  • Hybrid deployment: Which should run classical and post-quantum algorithms in parallel during the transition, so that both must be broken simultaneously to compromise security? This is the recommended approach for systems that can’t be fully migrated quickly.
  • Quantum key distribution: Which particularly sensitive systems — financial settlement infrastructure, national security communications, critical utilities — might justify physics-based key distribution that makes eavesdropping physically detectable, not merely mathematically difficult?
  • New procurement: All new technology purchases should specify post-quantum readiness as a baseline requirement. Systems built with cryptographic agility now will require shorter, cheaper migrations when regulatory deadlines arrive.
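The hybrid deployment option described above, as an added example that is not the article's or any vendor's code: a hybrid X25519 plus ML-KEM-768 key exchange built on Go 1.24's standard-library `crypto/ecdh` and `crypto/mlkem`, with both shared secrets combined so that an attacker must break both to recover the session key. The SHA-256 combiner is an assumption standing in for a real protocol's key schedule; the secret ordering follows the TLS X25519MLKEM768 share.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must unwraps (value, error) pairs so the exchange below reads linearly.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// HybridKey hashes both shared secrets together, so an attacker who breaks only
// X25519 (quantum) or only ML-KEM (a lattice break) learns nothing about the key.
// Order matches TLS's X25519MLKEM768 share; SHA-256 stands in for a protocol KDF.
func HybridKey(kemSecret, ecdhSecret []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, kemSecret...), ecdhSecret...))
	return sum[:]
}

// Exchange runs one hybrid handshake in-process and returns the key each side
// derived; both values must match for the exchange to have succeeded.
func Exchange() (clientKey, serverKey []byte) {
	// Client: X25519 key pair plus ML-KEM-768 decapsulation key; sends both public parts.
	cECDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	cKEM := must(mlkem.GenerateKey768())
	x25519Pub, kemPub := cECDH.PublicKey().Bytes(), cKEM.EncapsulationKey().Bytes() // 32 + 1184 bytes
	// Server: rebuild both public values, encapsulate to ML-KEM, finish its X25519 half.
	ek := must(mlkem.NewEncapsulationKey768(kemPub))
	kemSecretS, kemCiphertext := ek.Encapsulate()
	sECDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	ecdhSecretS := must(sECDH.ECDH(must(ecdh.X25519().NewPublicKey(x25519Pub))))
	serverKey = HybridKey(kemSecretS, ecdhSecretS)
	// Client: decapsulate the ciphertext and complete X25519 with the server's public share.
	kemSecretC := must(cKEM.Decapsulate(kemCiphertext))
	ecdhSecretC := must(cECDH.ECDH(sECDH.PublicKey()))
	return HybridKey(kemSecretC, ecdhSecretC), serverKey
}

func main() {
	c, s := Exchange()
	fmt.Printf("client %x\nserver %x\n", c, s)
}
```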

The quantum computing revolution is not a hypothetical. It is a technology transition underway now, funded by billions of dollars from governments and corporations on every continent, accelerating faster than most early estimates projected. The mathematics protecting digital business was designed for a world in which certain computational problems were practically unsolvable. Quantum computers do not change the mathematics. They change what’s practical.

For most organizations, the right first move is not a multimillion-dollar infrastructure project. It is a cryptographic inventory — knowing what you have, where it lives, and how long it needs to stay secret. That knowledge is the prerequisite to everything that follows. And the organizations that complete it soonest will have the most options when the options start to narrow.
