The first thing to understand about post-quantum cryptography is that the deadline is not the day quantum computers break RSA. The deadline already passed for any data that needed to stay confidential for a decade. Adversaries do not need a working cryptographically relevant quantum computer today to compromise your encrypted traffic — they need a hard drive and patience. Capture the ciphertext now, store it cheaply, decrypt it when the math becomes possible. The technical name is "harvest now, decrypt later." The strategic implication is that any sensitive data your business encrypted with classical algorithms in 2026, and transmitted across any network where an adversary could intercept it, is on a countdown that began the moment it left your environment [NIST].
That is the reframing the cybersecurity industry has spent the last twenty-four months absorbing. NIST finalized the first three post-quantum cryptography (PQC) standards in August 2024 — FIPS 203, FIPS 204, and FIPS 205. NSA's Commercial National Security Algorithm Suite 2.0 mandates PQC for new national security systems starting in 2027. CISA, working jointly with NSA and NIST, has published a migration playbook. Cloudflare, Google, and Apple have already deployed hybrid post-quantum key exchange to billions of users. The migration is not theoretical. It is in production at the bottom of the internet stack. The remaining question for most businesses is not whether to move — it is how to move without breaking everything that depends on the cryptography they are replacing.
This guide explains the standards, the threat model that justifies the timeline, and the practical steps a business needs to take in 2026 to begin a credible PQC migration. It is written for IT and security leaders who need to translate the abstract "quantum threat" into a budget, a roadmap, and a defensible posture for the next audit cycle.
✓ Key Takeaways
- The "harvest now, decrypt later" (HNDL) threat means data encrypted today is already exposed if its confidentiality lifetime extends past the arrival of cryptographically relevant quantum computers — currently projected between 2033 and 2037.
- NIST finalized three PQC standards in August 2024: FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as a hash-based signature backup. FIPS 206 (FN-DSA, based on FALCON) is expected later in 2026.
- NIST's transition plan (NIST IR 8547) deprecates RSA-2048 and ECC P-256 by 2030 and removes all quantum-vulnerable algorithms from NIST standards by 2035. NSA's CNSA 2.0 mandates PQC for new national security systems by 2027.
- The credible enterprise migration takes 5–15 years and starts with a cryptographic inventory — not a vendor purchase. CISA, NSA, and NIST jointly publish the six-step quantum-readiness playbook that frames the work.
- Real-world deployment is already underway: Cloudflare, Google Chrome, and Apple iMessage have shipped hybrid post-quantum protocols to production. The lesson for SMB and mid-market organizations is that the standards are operational, not experimental.
Why the Quantum Threat Is a 2026 Problem, Not a 2035 Problem
The intuitive reaction to quantum risk is to treat it as an event that happens on a specific future date — "Q-Day," the day a quantum computer factors a 2048-bit RSA key. That framing is misleading, and it leads businesses to defer migration that should already be underway. The actual risk model is temporal and asymmetric. Three forces are moving in parallel, and only two of them are still under your control.
The first force is the quantum hardware itself. The Global Risk Institute's most recent expert survey places the central probability distribution for Q-Day in the 2033–2037 range [Global Risk Institute]. More importantly, three peer-reviewed papers published between May 2025 and March 2026 dramatically reduced the estimated quantum resources needed to break RSA-2048 — from earlier estimates near 20 million physical qubits to under one million, with some newer architectures projecting figures closer to 100,000 [Quantum Insider]. Every revision in the literature has shortened the timeline. There is no published research moving it in the other direction.
The second force is the data lifetime mismatch. Most businesses encrypt data with cryptographic primitives chosen for protection windows of one to five years — TLS sessions, VPN tunnels, signed firmware updates, archived backups, financial records. But a meaningful fraction of business data has a confidentiality lifetime far longer than that: medical records, intellectual property, M&A correspondence, customer PII subject to evolving privacy regulation, government and defense contracts, source code, board minutes, attorney-client communications. Analysis of HNDL exposure suggests that 98–100% of healthcare records and 95–100% of government-classified data encrypted today are candidates for retroactive decryption if intercepted [Quantum Insider]. If you encrypt a fifteen-year medical record in 2026 with RSA-2048 key exchange and an adversary captures the ciphertext, the data's protection ends when the math does — not when your retention policy says it does.
The third force is the migration timeline itself. Cryptographic transitions in real enterprise environments historically take five to ten years. NIST's own transition guidance describes the realistic horizon as five to fifteen years, depending on the size and diversity of the cryptographic estate [NIST IR 8547]. The migration is not a software upgrade. It is a multi-year effort to find every algorithm in every protocol on every device in every product in every supply chain — and to replace each one without breaking interoperability with everyone else doing the same thing. Organizations that wait until the quantum threat is operational will not have time to migrate before exposure.
2033–2037
central Q-Day probability window per the Global Risk Institute expert survey
2030 / 2035
NIST deprecation milestones for RSA-2048 and full removal of vulnerable algorithms
5–15 yrs
realistic enterprise PQC migration window per NIST IR 8547
Sources: NIST IR 8547; Global Risk Institute 2024 Quantum Threat Timeline; The Quantum Insider.
The harvest-now-decrypt-later model: ciphertext captured today sits in adversary storage waiting for the math to catch up. The countdown started the day the data was transmitted.
The 2024 NIST Standards: What Actually Got Standardized
The eight-year NIST PQC standardization process concluded on August 13, 2024, with three finalized FIPS standards. A fourth is expected in 2026. Understanding what each one does — and where each one belongs in your stack — is the foundation for every later step of the migration.
FIPS 203 — ML-KEM (Key Encapsulation Mechanism)
Formerly known as CRYSTALS-Kyber, ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is the algorithm that replaces RSA and elliptic-curve Diffie-Hellman for the most common cryptographic operation on the internet: agreeing on a shared symmetric key over a public channel. It is the algorithm you see in TLS handshakes, IPsec/IKE, SSH, and any other protocol that uses public-key cryptography to set up symmetric session encryption. NIST defines three parameter sets — ML-KEM-512, ML-KEM-768, and ML-KEM-1024 — corresponding to increasing security levels. Cloudflare's default hybrid TLS deployment uses X25519+ML-KEM-768 [Cloudflare].
FIPS 204 — ML-DSA (Digital Signature Algorithm)
Formerly known as CRYSTALS-Dilithium, ML-DSA is the lattice-based digital signature algorithm that replaces RSA and ECDSA signatures for most use cases — TLS certificates, code signing, firmware signing, JWT tokens, document signing, software update authentication. It is expected to become the default general-purpose post-quantum signature algorithm. Like ML-KEM, ML-DSA is fast, but its signatures and public keys are significantly larger than ECDSA's, which has implications for protocols and storage systems sensitive to bandwidth.
FIPS 205 — SLH-DSA (Stateless Hash-Based Signatures)
Formerly known as SPHINCS+, SLH-DSA is a hash-based signature scheme included intentionally as a backup. Its security relies on hash function assumptions rather than lattice problems, so if a future cryptanalytic breakthrough undermines the lattice family, SLH-DSA remains intact. The trade-off is significant: SLH-DSA signatures are much larger and slower than ML-DSA. Most enterprises will not use SLH-DSA as their primary signature algorithm, but it belongs in the toolkit for high-assurance use cases where algorithm diversity matters — long-lived root signatures, code signing for safety-critical systems, and any context where a thirty-year guarantee is more important than performance [NIST].
FIPS 206 — FN-DSA (FALCON-Based Signatures, Expected 2026)
The fourth standard, based on the FALCON algorithm, is expected to publish later in 2026. FN-DSA produces smaller signatures than ML-DSA, making it attractive for bandwidth-constrained environments — IoT devices, embedded systems, low-power radios, large certificate chains. It introduces additional implementation complexity (FALCON requires careful floating-point handling), which is part of why it standardized after ML-DSA.
| Classical Algorithm | Primary Use | PQC Replacement | Standard |
|---|---|---|---|
| RSA-2048 / RSA-3072 | Key exchange, encryption | ML-KEM-768 / ML-KEM-1024 | FIPS 203 |
| ECDH (P-256, P-384) | TLS / IPsec key exchange | ML-KEM-768 / ML-KEM-1024 | FIPS 203 |
| RSA signatures | Certificates, document signing | ML-DSA-65 / ML-DSA-87 | FIPS 204 |
| ECDSA (P-256, P-384) | Code signing, TLS certs, JWT | ML-DSA-65 / ML-DSA-87 | FIPS 204 |
| Long-lived root signatures | CA roots, firmware integrity | SLH-DSA | FIPS 205 |
| Bandwidth-constrained signatures | IoT, embedded, low-power | FN-DSA (expected 2026) | FIPS 206 |
| AES-128 / AES-256 | Symmetric encryption | AES-256 (Grover-resistant) | No change — already quantum-resistant |
| SHA-256 / SHA-384 | Hashing | SHA-384 / SHA-512 | No change — increase output size |
Two important non-changes are worth highlighting. AES with 256-bit keys remains secure against known quantum attacks, including Grover's algorithm, which effectively halves symmetric security. AES-256 retains 128 bits of post-quantum security and is considered quantum-resistant for the foreseeable future. Similarly, modern hash functions like SHA-384 and SHA-512 retain sufficient security margins. The "quantum threat" is overwhelmingly a public-key cryptography problem, not a symmetric encryption problem — though both deserve inventory and review.
Where Quantum-Vulnerable Cryptography Hides in Your Business
The reason PQC migration takes years is not the algorithms themselves. It is the surface area. Every modern business runs hundreds — often thousands — of distinct cryptographic implementations, most of them embedded inside other software or hardware and invisible to ordinary operations. Building the inventory is the work. The categories below are where to look first.
The network perimeter. Every TLS endpoint, every VPN concentrator, every IPsec tunnel, every reverse proxy, every API gateway, every load balancer terminates one or more cryptographic protocols that rely on RSA or elliptic-curve key exchange. Managed firewall and network security platforms are typically the first place to inventory because they handle the highest volume of long-haul traffic — and they are where hybrid TLS gets deployed first because the change is local to the appliance.
Public-key infrastructure. Internal certificate authorities, code-signing pipelines, S/MIME deployments, document-signing systems, and the trust roots underneath them all rely on RSA or ECDSA. Replacing a CA hierarchy is a multi-year project on its own and is one of the most consequential decisions in any PQC migration. Code signing in particular is sensitive: signatures on firmware or software updates need to remain verifiable for the entire deployed lifetime of the device or product, which can easily exceed the quantum migration window.
Email security. S/MIME, DKIM, and TLS for SMTP all use public-key cryptography that will need to migrate. Email security platforms sit at the boundary between internal cryptography and external interoperability — which is why the migration here will move slowly and require careful vendor coordination.
Identity and authentication. SAML signatures, OIDC/JWT signing keys, SSH host and user keys, hardware security modules, smart cards, and FIDO2/WebAuthn credentials all use classical signature algorithms. WebAuthn in particular is on a clear migration path, but the inventory of every SSH key, every JWT signing key, every SAML certificate across an enterprise is rarely centralized.
Application-layer encryption. Databases that encrypt fields at rest, applications that wrap RSA or ECDSA libraries for custom workflows, SaaS integrations that use public-key authentication with API providers, payment systems, blockchain or DLT integrations, and any custom code that touches OpenSSL, Bouncy Castle, or equivalent crypto libraries.
Embedded systems and IoT. Firmware, secure boot chains, OT/ICS controllers, medical devices, building automation, telematics. These are the hardest to migrate because the cryptography is often baked into silicon and the device lifetime can run decades. They are also where FN-DSA's smaller signatures will matter most.
What Industry Leaders Have Already Shipped
The most reassuring evidence that PQC is operational, not theoretical, is that the largest internet infrastructure operators have already deployed it at scale. Watching what they did — and how — gives smaller organizations a credible template.
Cloudflare expects the majority of traffic flowing through its network to be protected by post-quantum cryptography on both halves of every connection by the end of 2026. By early 2024, about 1.8% of all TLS 1.3 connections to Cloudflare's servers were already secured with hybrid post-quantum key exchange; in 2025 and 2026 the company has been progressively enabling post-quantum tunnels between its edge and origin servers across its customer base [Cloudflare]. The deployment pattern is the same across vendors: hybrid mode first — combining a classical algorithm (typically X25519) with a post-quantum algorithm (ML-KEM-768) — so that a flaw in either component does not compromise the connection.
Google enabled hybrid X25519+Kyber key exchange in Chrome for a subset of users in 2023 and has expanded that footprint since. Apple announced in February 2024 that iMessage would adopt PQ3 — a custom protocol that adds ML-KEM to its key agreement and periodically rekeys to limit the value of any single captured session — before the end of that year. The pattern across all three deployments is the same: ship hybrid, ship gradually, and start with the protocols where the largest fraction of long-lived data crosses the wire.
"Encrypted data remains at risk because of the 'harvest now, decrypt later' threat in which adversaries collect encrypted data now with the goal of decrypting it once quantum technology matures."
— NIST, Transition to Post-Quantum Cryptography Standards (NIST IR 8547)
The 6-Step Enterprise PQC Migration Playbook
CISA, NSA, and NIST jointly publish a quantum-readiness migration playbook that has become the de facto standard sequence for enterprise PQC adoption [CISA]. The structure below follows that guidance, with practical notes drawn from real-world deployments.
Build the Cryptographic Inventory
Identify every place quantum-vulnerable cryptography is in use across the environment: TLS endpoints, certificates, code-signing keys, VPNs, email crypto, identity systems, embedded firmware, application libraries, third-party integrations. CISA recommends automated discovery tools to keep the inventory current. The inventory is the single artifact every later step depends on — and it is the work most often skipped.
Map Data Sensitivity and Lifetime
For each data category, document its confidentiality lifetime: how long must this remain undecryptable to be safe? Pair that with the protocol that protects it. Anywhere lifetime exceeds the estimated arrival of cryptographically relevant quantum computers, the migration priority rises. Healthcare, legal, M&A, intellectual property, regulatory archives, and long-tenor financial data are typical HNDL exposure categories.
Establish Crypto Agility
Treat the cryptographic layer as a swappable component rather than a hard-coded dependency. Centralize algorithm choices through abstractions like cryptographic service providers, named cipher suites, or policy-driven libraries. NIST has published a crypto-agility maturity model aligned to CSF 2.0 to help organizations measure progress. The goal is to make the next algorithm change — and there will be more — orders of magnitude cheaper than this one.
Engage Vendors and Supply Chain
For any cryptography you do not implement yourself — and for most businesses, that is the overwhelming majority — your migration depends on vendor migration. Request a written PQC roadmap from every vendor in your cryptographic supply chain: firewalls, VPNs, email security, identity providers, HSMs, CAs, SaaS platforms, embedded device manufacturers. Make PQC readiness a procurement criterion in new contracts.
Pilot Hybrid PQC in Controlled Surfaces
Start with internal TLS connections, internal VPN tunnels, and non-customer-facing code signing pipelines. Use hybrid mode (classical + PQC together) so a flaw in either does not break security. Measure the operational impact: handshake latency, certificate size, key storage. The pilot teaches your team the migration mechanics before they apply to customer traffic.
Plan the Deprecation Timeline
Anchor the program to NIST's deprecation milestones: RSA-2048 and ECC P-256 deprecated by 2030, all quantum-vulnerable algorithms removed from NIST standards by 2035. Federal agencies and contractors should align to NSA CNSA 2.0's 2027 mandate for new national security systems. For private-sector organizations without federal exposure, the same dates set a defensible audit baseline.
Cryptographic infrastructure — HSMs, network appliances, and identity systems — is where most of the PQC migration work physically happens. Inventory precedes replacement.
⚠ Compliance Deadlines Worth Calendaring
NSA CNSA 2.0 mandates PQC for new national security systems by 2027. NIST IR 8547 deprecates RSA-2048 and ECC P-256 by 2030, with all quantum-vulnerable algorithms removed from NIST standards by 2035. Regulated industries — healthcare, defense, financial services, critical infrastructure — should expect equivalent timelines to flow through sector regulators well before the federal endpoint. Organizations subject to HIPAA or CMMC obligations should treat PQC inventory as a near-term compliance artifact, not a future one.
The Pitfalls Most Migrations Hit
The technical specification of PQC is the smallest part of the migration. The painful parts are organizational, and they recur across every program. Knowing them in advance is half the cost of avoiding them.
Skipping the inventory. The most common failure mode is jumping to vendor selection or product procurement before the cryptographic inventory exists. Without the inventory, every later decision is guesswork. The inventory is unglamorous, time-consuming, and the only artifact that makes the rest of the program rational.
Underestimating signature size. ML-DSA signatures are roughly an order of magnitude larger than ECDSA signatures, and certificate chains carrying them are correspondingly heavier. Protocols, storage formats, embedded devices, and bandwidth-sensitive transports designed around small classical signatures will need rework. The pilot phase exists specifically to surface this.
Forgetting code signing. Code-signing keys often have the longest deployed life of any cryptographic artifact in an organization — firmware signed today may need to verify in 2040. They are also among the easiest items to overlook because the signing operation happens rarely. Treat code signing as a high-priority migration surface even when its day-to-day visibility is low.
Treating crypto agility as a slogan. "We'll just swap algorithms when needed" is the standard answer when crypto agility comes up in vendor reviews. The actual implementation — abstraction layers, policy-driven negotiation, named cipher suites — is software engineering work, and it costs months. Validate, do not assume.
Ignoring the supply chain. Your PQC posture is bounded by the PQC posture of every vendor whose cryptography you depend on. A migration that does not include written vendor roadmaps and PQC procurement clauses is a migration that will stop at the vendor boundary. Cybersecurity consulting engagements can help structure these conversations and translate vendor responses into a defensible risk position.
Mistaking hybrid for finished. Hybrid mode (classical + PQC together) is the recommended deployment for the next several years. It is not the destination. The destination is pure post-quantum, after the standards have shipped, hardware acceleration has matured, and interoperability testing has confirmed the algorithms hold up under load. Programs that treat hybrid deployment as completion will pay for it in the next migration cycle.
What to Do Next
For most businesses reading this in 2026, the right next step is not a vendor purchase. It is an honest internal assessment of where quantum-vulnerable cryptography lives in the environment, which categories of data have a confidentiality lifetime that extends past the projected Q-Day window, and which vendors in the cryptographic supply chain have published PQC roadmaps. That assessment is the foundation of a defensible posture and the budget request that comes after it.
The migration is multi-year, but the first six months matter most. They establish whether the organization treats PQC as a quiet, methodical engineering program — or as a crisis to be managed when the deprecation deadlines arrive in 2030. The first path is dramatically cheaper. The second is the one most organizations are still on.
Start Your Post-Quantum Readiness Assessment
ITECS works with mid-market and enterprise organizations to build cryptographic inventories, evaluate HNDL exposure by data category, structure vendor PQC roadmap conversations, and design hybrid pilot programs in TLS, VPN, and code-signing surfaces. The assessment sets the foundation for a migration that aligns with NIST and NSA deprecation timelines instead of chasing them.
Start Your Cybersecurity Assessment →Sources
- NIST — NIST Releases First 3 Finalized Post-Quantum Encryption Standards (FIPS 203, 204, 205): nist.gov
- NIST IR 8547 — Transition to Post-Quantum Cryptography Standards: nvlpubs.nist.gov
- CISA — Quantum-Readiness: Migration to Post-Quantum Cryptography (Joint CISA / NSA / NIST guidance): cisa.gov
- CISA — Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools: cisa.gov
- The Quantum Insider — What Is "Harvest Now, Decrypt Later" and Why Should You Care?: thequantuminsider.com
- Cloudflare — Defending Against Future Threats: Cloudflare Goes Post-Quantum: blog.cloudflare.com
- Cloudflare SSL/TLS docs — Post-Quantum Cryptography (PQC): developers.cloudflare.com
- Palo Alto Networks Cyberpedia — A Complete Guide to Post-Quantum Cryptography Standards: paloaltonetworks.com