The mathematics protecting nearly every digital transaction on the planet was designed for a world without quantum computers. According to many experts, that luxury is ending—and the corporate response has barely begun.
For decades, online security has rested on a single assumption: that certain arithmetic problems are so difficult that no computer could solve them in any practical timeframe. Cracking the encryption on a bank account or a classified government memo would take longer than the age of the universe on today’s best machines. Quantum computers do not change the mathematics. They change what is practical.
A new synthesis of published roadmaps from eight leading quantum computing companies—IBM, Google, Microsoft, IonQ, Quantinuum, QuEra, Alice & Bob and PsiQuantum—shows a striking convergence: every major player is targeting machines capable of cracking today’s encryption codes within the next decade. A September 2025 paper published on arXiv sharpened the picture further, reporting substantially lower estimates for the computing resources required to break RSA-2048, the encryption standard securing the majority of internet traffic. The question of whether quantum computers will eventually break modern encryption has shifted from ‘if’ to ‘when,’ and the most credible answer is sooner than most organizations are planning for.
Quick Facts
- Eight major players—IBM, Google, Microsoft, IonQ, Quantinuum, QuEra, Alice & Bob and PsiQuantum—have all published roadmaps targeting fault-tolerant quantum computers between 2028 and 2033.
- A September 2025 paper on arXiv substantially lowered the estimated number of physical qubits needed to break RSA-2048, the encryption standard protecting most internet traffic, under newer computing architectures.
- The harvest now, decrypt later threat is active: nation-state adversaries are already capturing and storing encrypted data, waiting for quantum computers capable of decrypting it.
- The U.S. National Institute of Standards and Technology published its first three post-quantum cryptography standards in August 2024, giving companies a concrete migration target for the first time.
- Cryptographic migrations historically take 10 to 20 years—meaning organizations that wait for the threat to become undeniable will likely be too late.
One Finish Line, Many Different Vehicles
The eight companies charted here are not building the same machine. IBM and Google use superconducting circuits cooled to near absolute zero. IonQ and Quantinuum trap individual charged atoms—ions—and manipulate them with laser pulses. QuEra uses neutral atoms arranged with optical tweezers, a kind of laser-based pincer. Alice & Bob is developing ‘cat qubits,’ a superconducting variant engineered to suppress one category of errors at the hardware level. Microsoft has placed its highest-stakes bet on topological qubits, a fundamentally different approach based on exotic quantum particles called Majorana zero modes, which the company claims could eliminate entire categories of errors that plague competitors—though independent replication of its 2025 results remains an open scientific question.
What unites these divergent approaches is a shared destination and a tightening timeline. IBM’s published roadmap targets what it calls ‘quantum-centric supercomputing’ by 2029—modular quantum processors integrated with classical computing infrastructure—with practical fault-tolerant operations by 2033. Google, whose Willow chip demonstrated below-threshold error correction in 2024, is targeting a commercially useful fault-tolerant machine by the late 2020s. Quantinuum, a joint venture between Honeywell and Cambridge Quantum, published an accelerated roadmap in 2024 setting a 2030 target for universal fault-tolerant quantum computing. QuEra, a spinout of Harvard University, claimed in 2024 demonstrations of up to 48 error-corrected logical qubits—a category of qubit quality, not just count—and has outlined a path to 1,000 logical qubits by 2029.
The arXiv paper cited above, produced by a team of quantum computing and cryptography researchers, significantly revised downward the estimated number of physical qubits required to break RSA-2048 under newer computational architectures. Where earlier estimates placed the requirement at roughly 20 million physical qubits, newer approaches suggest the number could be dramatically lower. That finding, if it withstands peer review, would materially compress the timeline between current quantum hardware and the ability to crack encryption that protects banking, government communications and corporate infrastructure.
‘The question of whether a cryptographically relevant quantum computer will arrive is increasingly being treated as a timing question, not an open one,’ said Doug Adams of Vanderbilt University’s Institute of National Security, speaking at the Vanderbilt Quantum Forum in April 2026. ‘They’re capturing the data and they’re waiting. They’re very patient.’
The PQC Threat Exists Regardless of Timeline
The most counterintuitive aspect of the quantum threat is that it does not require a powerful quantum computer to exist today. The attack strategy known as ‘harvest now, decrypt later’ works on a simple premise: adversaries—nation-state intelligence agencies being the primary concern—collect and store encrypted data now, at scale, and wait. Storage costs have fallen to the point where retaining vast archives of intercepted communications is economically feasible. There is no urgency to decrypt it immediately. They hold it until the hardware catches up.
The implication is that organizations handling information that must remain confidential into the 2030s may already be compromised—not at some future date, but today. A 2025 Federal Reserve study illustrated one concrete version of the risk: Bitcoin’s entire transaction history is publicly available and permanently recorded on the blockchain, secured by cryptographic signatures that quantum computers are expected to threaten. No future algorithm can retroactively protect data that has already been collected.
The sectors most exposed are those that hold long-lived sensitive information, including defense contractors, financial institutions managing decade-long positions and strategies, healthcare organizations with patient records required to remain confidential for decades, and utilities and infrastructure operators whose control systems run on hardware with multi-decade update cycles. For any organization in these categories, the planning clock is not running from the day a fault-tolerant quantum computer is publicly announced. It has already started.
Deploying Defense Can Take a Decade
The good news is that the technical solution exists, is largely standardized, and is already being deployed at scale by technology companies. In August 2024, the National Institute of Standards and Technology published the first three finalized post-quantum cryptography, or PQC, standards—algorithms designed to run on ordinary computers but resistant to the attack methods quantum computers enable. The standards, known as ML-KEM, ML-DSA and SLH-DSA, are intended to replace the RSA, elliptic curve and Diffie-Hellman systems that currently protect most digital communications.
Deployment at the technology frontier is already underway. Apple integrated post-quantum encryption into iMessage in early 2024 via its PQ3 protocol. Cloudflare reported in April 2026 that more than 65% of human traffic through its network was already protected using post-quantum methods, with full migration targeted by 2029. Google has set the same 2029 internal deadline. The NSA has mandated quantum-resistant algorithms for national security systems, with full quantum resistance required by 2035.
For most other organizations, that level of deployment is a distant aspiration. The central problem is not the technology—it is the migration. Cryptographic transitions are among the most complex, slow-moving operations in enterprise technology. The industry migration from SHA-1 to SHA-2 took well over a decade. Moving from 1,024-bit to 2,048-bit RSA required years of coordinated industry effort. Post-quantum migration is considered more complex than either: it touches every system that encrypts data, authenticates users, signs software updates or establishes secure connections—which is to say, nearly every enterprise system in existence.
The practical starting point for any organization is what security professionals call a cryptographic inventory: a systematic catalog of where and how cryptography is used across all systems. Without knowing what algorithms protect which data, and how long that data requires confidentiality, any migration plan is guesswork. For large enterprises, that inventory alone is a multi-month project. The migration itself typically spans five to ten years.
What to Do—and What to Be Realistic About
The honest caveat in any discussion of quantum computing timelines is that the field has a consistent history of optimism. Every major roadmap has slipped. The engineering challenges involved in building fault-tolerant quantum computers—maintaining quantum states, correcting errors, scaling qubit counts while holding quality constant—have proven harder than anticipated at each stage of development. Microsoft’s Majorana-based approach, if successful, could compress timelines significantly; if it stalls at current demonstrations, the company’s timeline slips with it. The arXiv paper lowering qubit estimates for breaking RSA-2048 is a significant development, but it awaits full peer review and independent replication.
None of that uncertainty is an argument for inaction. The asymmetry of the risk—where data collected today could be decrypted by a machine that does not yet exist—means that prudent organizations should plan around a 2030 horizon as a threat window, not a comfort zone. The migration to post-quantum cryptography is a long project best started early, not a one-time event that can be deferred until the threat is undeniable.
Two defensive approaches exist. Post-quantum cryptography, the primary path for most organizations, replaces vulnerable mathematical foundations with algorithms quantum computers cannot efficiently attack. Quantum key distribution, or QKD, takes a different approach by using the laws of physics themselves to make eavesdropping detectable, rather than merely mathematically difficult. QKD is practically limited to point-to-point fiber connections of roughly 100 kilometers and requires specialized hardware, making it relevant primarily for highly sensitive applications—national security agencies, financial settlement infrastructure, critical utilities—rather than general enterprise deployment.
What companies should do now
- Conduct a cryptographic inventory. Catalog every system that uses encryption, digital signatures or authentication. Identify the algorithm, the data it protects and how long that data requires confidentiality. Without this baseline, prioritization is impossible.
- Treat 2030 as your planning horizon, not a deadline. Organizations protecting data with decade-long confidentiality requirements are already exposed to harvest-now, decrypt-later attacks. Planning for a 2030 threat window provides the minimum lead time for a credible migration.
- Prioritize hybrid deployments. During transition, deploy systems that combine classical and post-quantum algorithms simultaneously—meaning both must be broken to compromise security. NIST and major vendors support this approach.
- Build cryptographic agility into new systems. Any system built today should be designed so its cryptographic algorithms can be updated without replacing the entire system. This dramatically reduces future migration costs.
- Update procurement standards immediately. New vendor contracts and technology purchases should specify post-quantum readiness as a requirement. Systems bought today will be in production during the threat window.
- Do not confuse encryption of stored data with full protection. Symmetric encryption, such as the AES-256 standard used for stored data, faces a lesser quantum threat and can be addressed by doubling key lengths. The harder problem is ‘in-transit’ encryption using RSA, elliptic curve or Diffie-Hellman systems, which require full replacement.
- Follow NIST’s published standards. ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) are finalized. A fourth standard, FN-DSA, is in final review. Implementations are available from IBM, Microsoft, PQShield and others.
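A minimal sketch of the cryptographic inventory step from the list above, added here as an illustration and not taken from NIST or any vendor named in the article. It classifies each recorded algorithm by quantum risk and ranks systems so that quantum-vulnerable ones protecting data past the 2030 planning horizon come first. The record layout, the algorithm label spellings and the priority scheme are assumptions, and the sample inventory is constructed.

```python
import re
THREAT_HORIZON = 2030  # planning horizon the article recommends
PQ = re.compile(r"ML-?KEM|ML-?DSA|SLH-?DSA")  # FIPS 203 / 204 / 205 names
CLASSICAL = re.compile(r"(?<![A-Z])(?:RSA|ECDSA|ECDHE?|X25519|ED25519|DSA|DHE?)(?![A-Z])")
SYMMETRIC = re.compile(r"AES-?(\d+)")

def classify(algorithm):
    """Map an algorithm label (assumed free-text, as found in configs) to a risk class."""
    name = algorithm.upper()
    has_pq = bool(PQ.search(name))
    # Strip PQ names first so the 'DSA' inside ML-DSA is not read as classical DSA.
    has_classical = bool(CLASSICAL.search(PQ.sub("", name)))
    if has_pq and has_classical:
        return "hybrid"  # both parts must be broken to compromise the session
    if has_pq:
        return "post-quantum"
    if has_classical:
        return "quantum-vulnerable"
    m = SYMMETRIC.search(name)
    if m:
        return "symmetric-ok" if int(m.group(1)) >= 256 else "symmetric-short-key"
    return "unknown"

ACTIONS = {  # hypothetical priority scheme: lower number = more urgent
    "quantum-vulnerable": (1, "replace with PQC or hybrid"),
    "unknown": (2, "identify algorithm"),
    "symmetric-short-key": (3, "move to 256-bit keys"),
}

def prioritize(inventory):
    """Return (priority, system, finding) tuples, most urgent first."""
    ranked = []
    for system, algorithm, confidential_until in inventory:
        risk = classify(algorithm)
        prio, finding = ACTIONS.get(risk, (4, "no action: " + risk))
        if risk == "quantum-vulnerable" and (confidential_until or 0) >= THREAT_HORIZON:
            prio, finding = 0, "harvest-now-decrypt-later exposure"
        ranked.append((prio, system, finding))
    return sorted(ranked)

# Constructed sample: (system, algorithm, year confidentiality must last until)
SAMPLE = [
    ("web-frontend", "X25519MLKEM768", 2027),
    ("patient-records-vpn", "ECDHE-P256", 2045),
    ("backup-archive", "AES-128-GCM", 2040),
    ("firmware-signing", "RSA-2048", None),
    ("legacy-hsm", "vendor-proprietary", 2035),
]
print(*prioritize(SAMPLE), sep="\n")
```

Entries classified as unknown rank above short symmetric keys because, as the article notes, prioritization is impossible until the algorithm is identified.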
The transition from current encryption standards to post-quantum alternatives will likely be the largest coordinated shift in digital security infrastructure since the commercialization of the internet. The roadmaps published by quantum computing companies—and the academic research tightening the timeline—make one conclusion difficult to escape: the organizations that treat this as a future problem are already behind.



