The security of digital information depends on cryptographic systems that protect the confidentiality, integrity, and authenticity of data. For decades, algorithms such as RSA and elliptic curve cryptography (ECC) have provided that protection. However, these schemes are vulnerable to a type of computing that does not yet exist in operational form but is advancing rapidly: cryptographically relevant quantum computing.
The question is no longer whether that capability will arrive, but when it will do so and whether organizations will be ready. The answer, based on analysis of multiple technical, governmental, and academic sources, is that the transition to post-quantum cryptography (PQC) can no longer be postponed.
Three factors converge to make delay a high-risk decision: the active harvesting of encrypted data by adversaries, a shortened timeline for relevant quantum computation, and the magnitude of a migration that will take years. These are joined by a regulatory environment that is beginning to set concrete deadlines.
The first factor is the threat known as “harvest now, decrypt later.”Ā
A quantum computer is not required for a communication encrypted today to be compromised in the future. It is enough for an adversary to intercept and store the traffic. This method is not theoretical. Intelligence agencies and actors with advanced technical capabilities can record government communications, financial transactions, corporate intellectual property, medical data, and any other type of information traveling under RSA or elliptic curve protection. Once a quantum computer with sufficient resources is available, that stored data can be decrypted.Ā
The age of the material will not be an obstacle: a secret that was supposed to remain protected for twenty or thirty years would be exposed retroactively. The damage is not limited to confidentiality. An attacker could also forge digital signatures on historical documents or on software updates distributed years earlier, in what is known as “harvest now, forge later.” This affects the software supply chain, notarial records, smart contracts, and any system that relies on the integrity of cryptographic signatures generated with current algorithms.Ā
The existence of this attack method means that the moment to migrate is not determined by the arrival date of the quantum computer, but by the length of time data must remain secure. If a document requires confidentiality for ten years and the quantum computer appears in seven, the damage will have occurred even if the migration was planned for eight years from now. Ignoring this time mismatch means accepting the loss of protection of data that is currently considered sensitive information.
The second factor is that the timeline for the appearance of a cryptographically relevant quantum computer has been significantly compressed. Forecasts that placed that milestone in the second half of the century have been replaced by estimates that place it within the next ten years. A reference in this field is Dr. Michele Mosca of the Institute for Quantum Computing, who in 2015 posed a simple question: is the time that data must remain secure greater than the time needed to deploy quantum-resistant cryptography plus the time until quantum computing arrives? If the answer is yes, the migration should already be underway. Mosca estimated a probability of one in seven that a relevant quantum computer will appear in 2026 and 50 percent by 2031. Although these figures do not constitute certainty, they represent a level of risk that no entity handling long-term sensitive data can ignore.
Other studies, collected in analyses of enterprise migration strategies, place the most likely window between 2028 and 2033 for the arrival of fault-tolerant quantum computers. Google, for its part, has set an internal deadline to complete its migration by 2029. The company justified that date based on faster-than-expected advances in quantum hardware and the need to protect its own systems before the breaking capability becomes available.Ā
Recent research indicated that a one-million-qubit system could break RSA-2048 in approximately one week, multiplying by twenty the breaking speed estimated in earlier work. The results suggest that engineering barriers are being overcome more quickly than anticipated.Ā
Meanwhile, the U.S. National Institute of Standards and Technology (NIST) has published its post-quantum transition roadmap, which envisions the progressive withdrawal of RSA and elliptic curve cryptography by 2030 and their total prohibition by 2035. Various specialists consider that even this official schedule could prove late if quantum hardware materializes before the end of the decade.
The third factor is the intrinsic complexity of the change
Replacing cryptographic algorithms in an organization is not limited to installing a patch. It requires identifying every point where cryptography is used, inventorying algorithms and keys, developing or acquiring implementations of the new post-quantum standards, testing them in controlled environments, deploying them in production, and verifying interoperability with all systems, both internal and external.Ā
In a small entity, this process requires locating the use of cryptography in applications, servers, network devices, industrial systems, and cloud services. In a large one, the task multiplies by the number of legacy systems, geographic dispersion, dependence on suppliers, and the need to maintain operations during the transition.Ā
Research on enterprise migration timelines indicates that realistic periods range from five to seven years for small organizations, eight to twelve years for medium ones, and twelve to fifteen yearsāor moreāfor large corporations and critical infrastructure. If a relevant quantum computer appears around 2031, a large company that begins its migration in 2027 will already be late. But if it has not yet started, the delay will be inevitable.Ā
Even organizations that have started must face additional obstacles, such as the need to maintain compatibility with legacy applications, the shortage of personnel specialized in post-quantum cryptography, and uncertainty about the performance of the new algorithms on resource-constrained devices, such as sensors, smart cards, or industrial environments.Ā
The concept of crypto-agility, which consists of designing systems capable of swapping algorithms quickly, is frequently mentioned as a solution. However, achieving that agility requires investments in system architecture, governance, and technical training that also take time. It is not a resource that can be implemented in weeks.
Added to these three factors is the pressure of regulatory frameworks, which are leaving the terrain of recommendations to set concrete requirements. In the United States, presidential directive NSM-10 and OMB memorandum M-23-02 oblige federal agencies to migrate their systems to post-quantum cryptography. NIST published in 2024 the first final standards for quantum-resistant algorithms, including CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for digital signatures, and established the withdrawal schedule for vulnerable algorithms.Ā
The European Union, through the NIS Cooperation Group and the European Commission, has published a coordinated roadmap for member states, urging the completion of the migration for high-risk use cases before the end of 2030.Ā
Australia, through its Australian Cyber Security Centre, has urged organizations to complete the transition before the end of 2030. These deadlines are not symbolic. Entities that provide services to governments or form part of regulated supply chains will have to meet them to maintain their authorizations. Those who ignore them will assume not only a technical risk, but also a legal and commercial risk.
The confluence of these elements makes it impossible to consider the post-quantum migration as a project that can be postponed until the quantum computer is a tangible reality. The harvest-now attack compromises long-term data security from today. The quantum computing timeline has moved forward and margins have narrowed.Ā
The scale of the transition demands years, not months. And regulatory deadlines impose dates that are already defined. In this scenario, inaction is not a prudent option but a decision that consciously assumes a calculable and avoidable risk.
Organizations can take immediate steps without waiting to have all the definitive resources
The first step consists of carrying out a thorough cryptographic inventory: identifying which systems use cryptography, with which algorithms, what key lengths, and what level of criticality for the business. It is not possible to protect what is not known to exist.Ā
The second step is to initiate collaboration with technology providers to confirm the availability of libraries implementing NIST standards and to begin testing in non-critical environments.Ā
The third is to design or adopt an architecture that facilitates crypto-agility, so that the substitution of algorithms in the future does not reproduce the same difficulties. This transition will not be the last; threats will evolve and the capacity for rapid response will determine resilience. Starting now reduces the risk of a rushed migration and limits the window of exposure to harvest attacks. The available evidence does not justify any further waiting.
