LIVE NEWSROOM · --:-- · May 31, 2026
A LIBRARY FOR SECURITY RESEARCHERS

Quantum Computing’s Hard Deadlines: Enterprise Security Is Not Ready


NIST's post-quantum cryptography (PQC — cryptographic algorithms designed to resist attacks from quantum computers) standards have been final since August 2024, federal migration deadlines are locked in, and Google warned in March 2026 that a cryptographically relevant quantum computer capable of breaking RSA-2048 encryption could arrive as early as 2029. Yet only 13% of organizations have moved post-quantum cryptography into production, 60% have not begun a meaningful migration, and large enterprises face a transition timeline spanning eight to fifteen years — one that began ticking before most security teams noticed.

// 01 Post-Quantum Cryptography: What the New Standards Require

NIST (National Institute of Standards and Technology, the U.S. federal body that sets cryptographic standards adopted globally) finalized three post-quantum cryptography standards on August 13, 2024, ending an eight-year competition to replace the public-key algorithms that secure virtually all encrypted internet traffic today.

FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) replaces RSA (Rivest-Shamir-Adleman, the dominant public-key encryption algorithm underpinning HTTPS and most PKI) and ECDH (Elliptic Curve Diffie-Hellman, the protocol most TLS connections use to negotiate session keys). ML-KEM operates on mathematical problems involving lattices — geometric structures in high-dimensional space — that no known quantum algorithm can solve efficiently.

FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm) replaces RSA-PSS, ECDSA, and EdDSA for digital signatures — the cryptographic proofs that authenticate software updates, code-signing certificates, and document integrity. NSA's CNSA 2.0 (Commercial National Security Algorithm Suite 2.0 — the U.S. government's approved algorithm list for classified and national security systems) mandates ML-DSA-87, the highest-security parameter set, for all national security system acquisitions beginning January 1, 2027.

FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) provides an alternative signature algorithm built entirely on hash functions, offering algorithm diversity in case a future mathematical weakness in lattice problems is discovered.

These are not optional security enhancements. They are the replacement cryptographic foundation for all authenticated and encrypted communications once classical algorithms are deprecated.

// 02 The Regulatory Deadline Cascade

Federal deadlines are already in effect or arriving within the next 18 months:

  • September 21, 2026: NIST moves all remaining FIPS 140-2 certificates to Historical status. Only FIPS 140-3 (the Federal Information Processing Standard for cryptographic modules — hardware and software that store and manage encryption keys) validated implementations will be accepted for new U.S. federal procurement.
  • January 1, 2027: All new National Security System acquisitions must support CNSA 2.0 algorithms under NSA mandate. This applies to VPNs, routers, operating systems, and communications hardware sold to defense contractors and federal agencies.
  • 2030: NIST IR 8547 formally deprecates RSA-2048 and ECC P-256. No new systems may deploy these algorithms from this point forward. Organizations that have not begun migration by 2030 will face active compliance violations in federal and regulated environments.
  • 2035: All quantum-vulnerable algorithms — RSA at any key length, ECDH, ECDSA — are fully prohibited from NIST standards and FIPS guidelines.

A May 2026 estimate places the total global cost of post-quantum cryptography migration at approximately $15 billion — a figure that increases the longer organizations delay, as emergency remediation under deadline pressure is consistently more expensive than planned migration.

// 03 Harvest Now, Decrypt Later: The Active Threat

The most urgent threat is not a future compromise. It is one occurring today.

"Harvest Now, Decrypt Later" (HNDL) describes a nation-state attack strategy in which adversaries intercept and archive encrypted communications now, with the intention of decrypting them once a sufficiently powerful quantum computer becomes operational. CISA (Cybersecurity and Infrastructure Security Agency), the NSA, the UK NCSC (National Cyber Security Centre), ENISA (European Union Agency for Cybersecurity), and the ACSC (Australian Cyber Security Centre) have all formally confirmed HNDL collection as an active, ongoing operation by multiple nation-state threat actors.

The NSA stated as early as 2021 that adversaries are bulk-collecting encrypted network traffic. No indicators of compromise appear during collection — the attacker stores ciphertext (the encrypted output, unreadable without the corresponding private key) and waits. With Q-Day (the industry term for when a quantum computer can break current public-key cryptography at scale) now estimated between 2029 and 2033 by multiple assessments, data protected today by RSA-2048 or ECC may be readable as plaintext within a decade.

Harvest Now, Decrypt Later — HNDL confirmed active by NSA, CISA, NCSC, ENISA, ACSC

Industries most exposed to HNDL collection include defense contractors, pharmaceutical R&D firms, financial institutions, energy infrastructure operators, and any organization holding data whose sensitivity extends a decade or longer. If a document is classified, proprietary, or personally sensitive today, it should be considered a current HNDL target.

// 04 Who Is Affected

Every organization using TLS (Transport Layer Security — the protocol that secures HTTPS web traffic and API calls), PKI (Public Key Infrastructure — the certificate hierarchy authenticating websites, software, and identities), or SSH (Secure Shell — the remote administration protocol for servers and network devices) is exposed. In practice, this means every enterprise network operating today.

The urgency is not uniform. Organizations facing the most immediate deadlines include:

  • Defense contractors and federal agencies: NSA CNSA 2.0 requirements apply directly. Failure to support compliant algorithms in new National Security System acquisitions beginning January 1, 2027, affects procurement eligibility and contract compliance.
  • Healthcare organizations: Patient records, genomic data, and clinical trial results carry 20–30-year sensitivity windows that extend well beyond even the most conservative Q-Day estimates. Any data collected before migration is complete is subject to HNDL exposure.
  • Financial institutions: Transaction histories, authentication credentials, and proprietary trading algorithms represent high-value HNDL targets for foreign intelligence services with long time horizons.
  • Critical infrastructure operators: ICS (Industrial Control Systems) and OT (Operational Technology — the hardware and software managing physical processes in energy, water, and manufacturing facilities) devices frequently use hardcoded cryptographic implementations that require physical hardware replacement rather than software patching.

// 05 What You Should Do Right Now

  • Begin your cryptographic inventory immediately. CISA's quantum-readiness guidance recommends starting with a discovery phase to map every cryptographic algorithm in use across your environment. For large enterprises, this phase alone takes 12–24 months. Organizations that have not started do not yet know the full scope of what needs to change.
  • Prioritize long-lived data and external-facing services first. Any data requiring confidentiality for ten or more years is a current HNDL target today. Migrate external authentication and key-exchange protocols — TLS termination, SSH host keys, VPN tunnels — first, as these represent the primary collection surface for nation-state HNDL operations.
  • Verify cryptographic module vendor roadmaps. Confirm that your HSMs (Hardware Security Modules — physical devices that store and process cryptographic keys in tamper-resistant hardware) are on a path to FIPS 140-3 validation. After September 21, 2026, FIPS 140-2 modules will not satisfy federal procurement requirements and may trigger audit findings in regulated industries.
  • Enable hybrid key exchange in TLS test environments. Most modern TLS libraries now support hybrid mode — running ML-KEM alongside classical ECDH simultaneously, protecting against both classical and quantum attacks during the transition. Enable hybrid key exchange in staging environments now to surface compatibility issues before production mandates arrive.
  • Review vendor commitments for CNSA 2.0 support. Network equipment — VPNs, firewalls, routers — sold for National Security System use must support CNSA 2.0 by January 1, 2027. If vendors have not committed to a firmware update roadmap, begin evaluating replacements in the current procurement cycle rather than the next.
  • Coordinate with your certificate authority on PQC issuance timelines. Code-signing certificates, TLS certificates, and internal PKI roots will require re-issuance under post-quantum algorithms. Long-validity certificates issued before NIST's August 2024 standards publication carry the highest risk profile and should be prioritized for early renewal.
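As an added illustration of the discovery step for one item on the list above, SSH host keys (this is not code from the article or from CISA), the sketch below reads `ssh-keyscan`-style lines, measures the RSA modulus size from the key blob itself, and sorts each key into the 2030 or 2035 bucket from the deadline list. The host names and key blobs are constructed dummies; placing RSA keys shorter than 2048 bits in the 2030 bucket, and Ed25519 in the 2035 bucket, are assumptions.

```python
import base64
import struct

DEP_2030, BAN_2035 = "deprecated 2030", "prohibited 2035"  # the article's two dates

def read_field(blob, off):  # one length-prefixed SSH wire-format field
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def classify_host_key(line):  # line format: 'host keytype base64blob'
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    inner, off = read_field(blob, 0)
    if inner != keytype.encode():
        raise ValueError("declared key type does not match blob")
    if keytype == "ssh-rsa":
        _e, off = read_field(blob, off)
        n, _ = read_field(blob, off)
        bits = int.from_bytes(n, "big").bit_length()  # measured; <2048 joins 2030 (assumption)
        return host, f"RSA-{bits}", DEP_2030 if bits <= 2048 else BAN_2035
    if keytype.startswith("ecdsa-sha2-"):
        curve = keytype.rsplit("-", 1)[1]
        return host, f"ECDSA {curve}", DEP_2030 if curve == "nistp256" else BAN_2035
    if keytype == "ssh-ed25519":
        return host, "Ed25519", BAN_2035
    return host, keytype, "unclassified: review manually"

def inventory(lines):
    return [classify_host_key(l) for l in lines if l.strip() and not l.startswith("#")]

# Constructed sample input: dummy values in the right wire format, not real keys.
def field(data):
    return struct.pack(">I", len(data)) + data
def mpint(value):
    return field(value.to_bytes(value.bit_length() // 8 + 1, "big"))
def sample_line(host, keytype, *fields):
    blob = base64.b64encode(field(keytype.encode()) + b"".join(fields)).decode()
    return f"{host} {keytype} {blob}"
SAMPLE_SCAN = [
    sample_line("vpn.example.test", "ssh-rsa", mpint(65537), mpint((1 << 2047) | 1)),
    sample_line("git.example.test", "ssh-rsa", mpint(65537), mpint((1 << 4095) | 1)),
    sample_line("bastion.example.test", "ecdsa-sha2-nistp256", field(b"nistp256"), field(bytes(65))),
    sample_line("build.example.test", "ssh-ed25519", field(bytes(32))),
]

if __name__ == "__main__":
    print(*inventory(SAMPLE_SCAN), sep="\n")
```

Reading the size from the modulus rather than from a label keeps the inventory accurate when asset records are out of date; every key type it classifies is quantum-vulnerable, so the output only orders the work by deadline.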

// 06 Background: Understanding the Risk

The vulnerability in modern encryption stems from the mathematical problems underpinning public-key cryptography. RSA relies on the difficulty of integer factorization — multiplying two large prime numbers is trivial, but reversing that operation to find the original primes from their product is computationally infeasible on classical hardware. ECC relies on the discrete logarithm problem over elliptic curves — a related hard mathematical problem. In 1994, mathematician Peter Shor proved that a sufficiently powerful quantum computer could solve both problems in polynomial time (dramatically faster than any classical approach) using what is now called Shor's algorithm, breaking both RSA and ECC entirely.

For three decades, implementing Shor's algorithm at the scale needed to attack RSA-2048 required hardware estimated at 20 million physical qubits — a number so large it placed the threat firmly in theoretical territory. That assumption collapsed in March 2026, when three independent research papers demonstrated that the qubit count required to break RSA-2048 has fallen to fewer than one million physical qubits — and potentially as few as 100,000 under newer architectural designs. Google, responding to this research, moved its Q-Day estimate to 2029 — significantly earlier than the mid-2030s timeline that had shaped most enterprise planning.

The Global Risk Institute's Quantum Threat Timeline Report maintains a more conservative central estimate of 2033–2037, but even this range leaves only seven to eleven years — and large enterprise post-quantum cryptography migrations typically require eight to fifteen years from initial discovery through full deployment. Organizations that have not yet begun discovery do not have the time margin the mid-2030s estimate implies.

The migration is also not a pure software update. Post-quantum algorithms produce larger keys and signatures, increasing bandwidth, storage, and computational overhead. Some embedded devices — IoT sensors, medical equipment, legacy industrial controllers — cannot be patched at all and require physical replacement. Any organization that has not inventoried its cryptographic dependencies cannot yet assess how much of its infrastructure falls into this category.

// 07 Conclusion

Post-quantum cryptography migration is now a deadline problem, not a research problem. The standards exist, the regulatory timelines are public and approaching, and the collection phase of the primary near-term threat — Harvest Now, Decrypt Later — is already underway. Security teams that begin cryptographic inventories this year will face a difficult but manageable transition; those that wait for Q-Day to arrive will inherit a compliance and intelligence crisis simultaneously. Start the inventory, pressure vendors for CNSA 2.0 commitments, and treat post-quantum cryptography as critical infrastructure work beginning this quarter — not next year's planning cycle.

For any query contact us at contact@cipherssecurity.com

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
