Only 5% of organizations say they have a defined quantum computing strategy, according to a 2025 ISACA poll of more than 2,600 global professionals. The encryption that those organizations rely on has a federal expiration date.
The question is whether anyone will be ready when it arrives.
What the standards actually require
In August 2024, NIST finalized its principal set of encryption algorithms designed to withstand quantum-computer-based cyberattacks. The three standards — FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA for hash-based signatures) — were the product of an eight-year standardization process that began in 2016. They replace algorithms such as RSA and elliptic-curve cryptography, which a sufficiently capable quantum computer could break using Shor's algorithm. NIST is encouraging computer system administrators to begin transitioning to the new standards as soon as possible.
But the agency did not stop at encouragement. NIST IR 8547, published in November 2024, establishes a 2030 deprecation deadline for algorithms at the 112-bit security level (RSA-2048, P-256) and a 2035 disallowance deadline for all quantum-vulnerable public-key algorithms, including RSA-3072 and P-384. The distinction matters. Deprecated means no new deployments permitted after 2030; disallowed means full prohibition in NIST standards and FIPS guidelines from 2035. For any organization in the federal supply chain, that translates into contract and audit risk.
The NSA's timeline for national security systems is even more compressed. By the end of 2031, the NSA expects full enforcement of CNSA 2.0 across all NSS cryptographic implementations. Software and firmware signing must exclusively use CNSA 2.0 algorithms by 2030.
The gap between awareness and action
Enterprise readiness has not kept pace with government timelines. ISACA's 2025 poll found that 62% of technology professionals worry quantum computing will break current encryption, but only 5% of organizations have made it a high-priority issue, and just 5% have a defined quantum computing strategy or roadmap. 41% of organizations said they do not plan to address quantum computing, and 37% have not discussed it internally.
A May 2025 survey by DigiCert found a similar pattern: while 69% of organizations recognize the risk quantum computing poses to current encryption standards, only 5% have implemented quantum-safe encryption. The sectors that have started moving are those with the most to lose. Banking and telecommunications were leading, with 45% to 47% of respondents in those sectors saying they have budgeted and planned for post-quantum cryptography in the near term, according to a Capgemini Research Institute study cited in a peer-reviewed analysis of enterprise quantum readiness.
Health care, financial services, and government handle data that must remain confidential for decades, making them the highest-priority targets for "harvest now, decrypt later" attacks — operations in which adversaries collect encrypted data today with the expectation that it will be decrypted once quantum hardware matures. As Rodrigo Madanes, EY's global next frontier technology and AI leader, put it, the most urgent quantum story for enterprises is not about buying quantum computing. It is about preparing for the day when someone else's quantum computer can break current encryption.
Why the timeline keeps compressing
The reason this migration is on anyone's calendar at all is that the hardware threat keeps getting closer. Google $GOOGL announced in early 2026 a 2029 target to complete its own migration to post-quantum cryptography, one of the most specific commitments from a major technology company. The choice of year was not arbitrary. In May 2025, Google researchers published a preprint showing that 2048-bit RSA could theoretically be broken by a quantum computer with about one million noisy qubits — a 20-fold reduction from the team's previous estimate.
Google controls its own browser, mobile operating system, and cloud platform. That 2029 target is almost certainly achievable for Google, and almost certainly unachievable for most of the organizations that need to hear the message. A peer-reviewed analysis published in the journal Computers estimated realistic migration timelines at five to seven years for small enterprises, eight to 12 years for medium enterprises, and 12 to 15 years or more for large enterprises.
The U.K.'s National Cyber Security Centre published a phased roadmap in 2025: identify cryptographic services that need upgrades, build a migration plan by 2028, execute high-priority upgrades from 2028 to 2031, and complete migration for all systems by 2035. Canada released a similar roadmap with a 2035 end date. Australia's Signals Directorate mandates that traditional asymmetric cryptography must not be used beyond the end of 2030. Those timelines assume organizations start now.
For context, the SHA-1 to SHA-2 migration took 12 years, and that transition was simpler. PQC migration requires larger parameter sizes, hybrid cryptographic schemes, and ecosystem coordination that have no historical precedent.
What companies should do first
The practical starting point is a cryptographic inventory: finding every instance of RSA, elliptic-curve, and Diffie-Hellman cryptography across an organization's systems, applications, and vendor dependencies. This process is non-trivial, since some legacy applications might not even have up-to-date documentation.
Companies do not need to replace everything at once. NIST IR 8547 supports hybrid cryptographic solutions — combining a classical algorithm and a post-quantum algorithm so the system remains secure unless both are broken. Google Chrome enabled a hybrid post-quantum key encapsulation mechanism by default in April 2024, and the Signal messaging app implemented a post-quantum protocol in September 2023. These are early movers, not edge cases.
NIST cryptographic standards are widely used across government and industry; federal agencies are required to use them, and many governments and international standards organizations adopt them. When NIST says RSA is disallowed after 2035, that decision propagates through procurement rules, compliance frameworks, and industry standards. Waiting for a quantum computer to break encryption before acting misunderstands the problem. The risk doesn't start when quantum computers arrive — it starts the moment encrypted data is collected.
The Federal Reserve published a research note in September 2025 examining harvest-now-decrypt-later risks to distributed ledger networks, concluding that even if a cryptocurrency network successfully deploys post-quantum cryptography mitigations, the data privacy of previously recorded transactions remains vulnerable because the data was collectible before the migration. The same logic applies to any organization protecting long-lived sensitive information. The migration to post-quantum cryptography is not a future project. It is a present-tense compliance obligation, a security imperative, and a logistical problem that most organizations have not yet begun to scope.
