Quantum security is the practice of protecting data and systems against the threat posed by quantum computers, which will eventually be capable of breaking the public-key cryptographic algorithms, specifically RSA, elliptic-curve cryptography, and Diffie-Hellman, that protect most of the world’s encrypted communications today. Most organizations treat it as a future concern. That framing is the single most dangerous assumption in enterprise cybersecurity today.
Nation-states, state-sponsored actors, and sophisticated adversaries are already harvesting encrypted data. Harvest Now, Decrypt Later (HNDL) is the strategy where adversaries exfiltrate and archive encrypted data today, then wait for quantum hardware to decrypt it later. They do not need a quantum computer now. They only need one eventually. NIST, the NSA, and CISA have each issued formal warnings that HNDL represents a present and ongoing threat, not a future one.
If your organization holds data that must remain confidential past 2030, that data is already a target. The question is not whether adversaries are collecting it. The question is whether your organization will be ready to protect it before they can read it. That urgency is grounded in what the research community has published over the past twelve months.
Why the Timeline Has Collapsed
For years, the consensus placed a cryptographically relevant quantum computer (CRQC) at least 15 to 20 years away. A landmark result published in late March 2026 has sharply revised that picture, and every security leader making budget and architecture decisions in 2026 needs to understand what changed.
In collaboration with the Ethereum Foundation and Stanford University, Google Quantum AI published a whitepaper showing that the 256-bit elliptic curve discrete logarithm problem on secp256k1, the curve securing Bitcoin and Ethereum signatures, can be solved with fewer than half a million physical qubits on a superconducting architecture. The estimated runtime is approximately 9 minutes, under projected fault-tolerant hardware parameters that do not yet exist at this scale.
This represents approximately a 20-fold reduction compared to the prior best physical qubit estimate for ECDLP-256 from Litinski (2023), which used a silicon-photonics-inspired active-volume architecture. That estimate found that one key could be computed every 9.7 minutes using 6,000 modules with 576 physical data qubits each, approximately 3.46 million physical qubits in total. Every efficiency gain in the subsequent result came from algorithmic optimization alone, with no change in hardware assumptions.
Three aspects of this result deserve particular attention from security planners:
- Curve scope: The paper studied secp256k1 specifically. NIST enterprise curves such as P-256 (secp256r1) and P-384 were not directly analyzed, but face the same class of quantum attack. Shor’s algorithm applies to all elliptic curve variants, and attack costs scale primarily with bit-size rather than specific curve parameters, making comparable resource estimates applicable to enterprise-standard curves.
- Algorithm scope: The migration priority this establishes is public-key cryptography exclusively: RSA, ECC, and Diffie-Hellman. Symmetric algorithms such as AES-256 are not vulnerable to Shor’s algorithm. Grover’s algorithm halves the effective key length, leaving AES-256 with approximately 128 bits of quantum security, which remains computationally infeasible to attack. Organizations do not need to migrate their symmetric encryption.
- What drove the reduction: Every efficiency gain came from algorithmic improvements alone, using standard hardware assumptions. No hardware breakthrough was required. The resource bar continues to fall even without better machines, driven purely by how researchers learn to use the machines that already exist.
This paper did not arrive in isolation. It was one of several significant research outputs in the May 2025 to March 2026 window, collectively reducing the estimated resource requirements to break widely deployed cryptography by approximately ten- to twenty-fold within a single research cycle. The trend is consistent and accelerating. What this means operationally is that the data your organization is protecting right now carries more exposure than it did a year ago, and the case for immediate action is stronger than it has ever been.
What HNDL Means for Your Data Right Now
The mechanics of HNDL are straightforward, and that simplicity is part of what makes retrospective defense impossible. Adversaries exfiltrate encrypted data using classical techniques available today, store it at low cost, and wait for quantum hardware to mature.
The sectors carrying the highest HNDL exposure are those holding data with long confidentiality requirements. Healthcare sits at the top: patient records carry lifelong sensitivity and are held for decades. Legal organizations hold attorney-client communications with indefinite privilege horizons. Financial institutions manage long-term investment strategies, merger and acquisition communications, and sovereign debt records that retain strategic value for years.
Defense and government organizations hold classified communications and critical infrastructure data that nation-states specifically target for long-range intelligence value. Technology companies hold proprietary algorithms and unreleased research with multi-year competitive significance.
A medical record encrypted today and exfiltrated this year could be fully readable in the early 2030s. There is no incident notification when that happens. No regulatory trigger fires. No breach alert appears on the dashboard. The data is simply gone, quietly, years before anyone realizes it.
This is not a theoretical risk profile. It is the operational reality that underpins every regulatory deadline and every standards decision described in the next section. The question organizations now face is not whether to migrate, but whether they will have enough time to do it properly before those deadlines arrive.
The Standards Are Ready. The Deadlines Are Real
The good news is that the cryptographic foundation for migration already exists. After an eight-year global evaluation process, NIST finalized three Post-Quantum Cryptography (PQC) standards on August 13, 2024. These three algorithms cover the two most critical use cases in enterprise security: protecting data in transit and verifying the authenticity of digital communications.
| Standard | Algorithm | Purpose |
|---|---|---|
| FIPS 203 | ML-KEM | Key encapsulation, replaces RSA and ECDH in key exchange |
| FIPS 204 | ML-DSA | Digital signatures, replaces ECDSA and RSA-PSS |
| FIPS 205 | SLH-DSA | Stateless hash-based digital signature scheme; complements ML-DSA with distinct security foundations |
On March 11, 2025, NIST selected HQC as a fifth algorithm under NIST IR 8545, a code-based key encapsulation mechanism that provides algorithmic diversity as a backup to ML-KEM in the event that lattice-based approaches are ever compromised. NIST plans to issue a draft standard for HQC approximately one year after selection, with finalization targeted for 2027. FIPS 206, based on the FN-DSA (FALCON) signature scheme, is awaiting approval for its Initial Public Draft release. Finalization is targeted for late 2026 or early 2027.
These are hard deadlines with real consequences, not recommendations that can be deferred. Beginning January 1, 2027, NSA CNSA 2.0 requires that new National Security System acquisitions support CNSA 2.0-approved quantum-resistant algorithms, with exclusive-use dates varying by system category from 2030 through 2033.
NIST IR 8547, currently in Initial Public Draft form, proposes that quantum-vulnerable public-key algorithms, including RSA-2048 and ECC P-256, be deprecated after 2030 and fully disallowed after 2035 in NIST standards and FIPS guidelines, a timeline that government agencies and industry bodies are widely using as a concrete planning target.
The standards are ready, and the regulatory clock is running. What stands between most organizations and compliance with these deadlines is not a lack of available algorithms; it is operational readiness.
The Hidden Obstacle: Cryptographic Debt
Before organizations can migrate, they must understand what cryptography they are currently running. Most cannot answer that question accurately, and that gap is the single biggest obstacle to meeting the timelines described above.
Encryption, signing, and authentication mechanisms are embedded across legacy applications, firmware, hardware security modules, cloud service defaults, SaaS platform APIs, and custom code built over the years with little centralized visibility. This accumulated cryptographic debt is the most commonly cited barrier to PQC migration. It was found that only 38% of organizations globally are actively preparing for the post-quantum transition. By the time quantum attacks become visibly immediate, the data collection is already complete.
Building crypto-agility, the ability to swap cryptographic algorithms without full system re-platforming, is the core architectural response to this problem. NIST’s Cybersecurity White Paper 39 (CSWP 39), finalized December 19, 2025, defines crypto-agility as a key practice that should be adopted at all levels, from algorithms to enterprise architectures, and provides a maturity model for implementation. The goal is to redesign cryptographic infrastructure so that future algorithm transitions are planned operational procedures rather than emergency responses.
Understanding the scope and depth of your cryptographic debt is what determines how realistic your migration timeline actually is. That is precisely where the work has to begin.
Where to Start
Security leaders in 2026 have a clear set of starting points. The sequencing matters as much as the actions themselves, and organizations that start in the right order move significantly faster than those that do not.
- Cryptographic inventory. Map every application, API, hardware security module, firmware component, and third-party integration that relies on cryptographic primitives. No migration plan is credible without this baseline, and it is increasingly a prerequisite for federal procurement and regulatory compliance audits aligned with NIST’s migration guidance.
- Data classification by confidentiality horizon. Any data requiring confidentiality beyond 2030 is the first-tier migration priority. Begin there, not with the easiest systems to migrate.
- Vendor audit. Survey cloud providers, SaaS platforms, and technology suppliers on their PQC transition timelines. Quantum-safe requirements are increasingly standard in federal procurement for National Security Systems and are spreading into commercial supply chains. Note that the CA/Browser Forum’s 2029 mandate for 47-day maximum certificate validity creates a compounding deadline: organizations without certificate lifecycle management (CLM) automation will face both PQC migration and accelerated certificate renewal demands simultaneously. Encryption Consulting’s CertSecure Manager addresses both within a single platform.
- Crypto-agility in new systems. Every system procured or architected in 2026 without algorithmic replaceability is technical debt from day one. Build the capability to swap algorithms as a design requirement, not an afterthought.
- Pilot FIPS 203, 204, and 205. Run contained implementations in realistic environments. Measure performance impact, particularly for hybrid TLS deployments, where NIST’s NCCoE testing documented meaningful throughput considerations that informed production planning.
- Board-level governance. Quantum readiness requires executive sponsorship and a dedicated budget. The CISA, NSA, and NIST joint factsheet on quantum readiness, published in August 2023, remains a useful background reference, though organizations beginning this work today should treat Executive Order 14412, Securing the Nation Against Advanced Cryptographic Attacks, signed June 22, 2026, as the current primary planning framework for the post-quantum transition. The order requires federal agencies to migrate all High Value Assets (HVAs) and high-impact systems to post-quantum cryptography for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. These requirements apply to civilian federal information systems; National Security Systems are governed separately through the Committee on National Security Systems. The order also directs covered federal contractors to comply with NIST FIPS incorporating PQC algorithms by December 31, 2030, and requires Sector Risk Management Agencies to assist critical infrastructure owners and operators in developing their own PQC migration plans.
Each of these steps is executable today. The organizations that will meet the 2027 and 2030 deadlines without disruption are the ones that are already working through this list. The ones that wait will find that migration timelines do not compress on demand.
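The first two steps in the list (inventory, then classification by confidentiality horizon) can be combined into a single triage pass. The sketch below is an added example, not code from Encryption Consulting or any tool named on this page. The record fields, tier numbers and sample systems are assumptions. The replacement mapping follows the standards table earlier in the article.

```python
from dataclasses import dataclass

HORIZON_YEAR = 2030  # page's cut-off: data confidential beyond 2030 goes first

# Quantum-vulnerable public-key uses and the FIPS replacement from the table above.
REPLACEMENT = {
    ("RSA", "key-exchange"): "ML-KEM (FIPS 203)",
    ("ECDH", "key-exchange"): "ML-KEM (FIPS 203)",
    ("DH", "key-exchange"): "ML-KEM (FIPS 203)",
    ("RSA", "signature"): "ML-DSA (FIPS 204)",
    ("ECDSA", "signature"): "ML-DSA (FIPS 204)",
}

@dataclass
class Asset:
    name: str
    algorithm: str           # "RSA", "ECDH", "DH", "ECDSA", "AES", ...
    use: str                 # "key-exchange", "signature" or "symmetric"
    key_bits: int
    confidential_until: int  # last year the protected data must stay secret

def triage(asset):
    """Return (tier, action) for one inventory record; lower tier = sooner."""
    if asset.use == "symmetric":
        # Shor does not apply; Grover halves the effective key length.
        return 3, f"not Shor-vulnerable, about {asset.key_bits // 2}-bit quantum security"
    target = REPLACEMENT.get((asset.algorithm, asset.use))
    if target is None:
        return 0, "unidentified cryptography, inspect manually"
    # Harvested ciphertext is exposed through its key exchange, so HNDL
    # priority goes to key-exchange assets guarding long-lived data.
    if asset.use == "key-exchange" and asset.confidential_until > HORIZON_YEAR:
        return 1, f"migrate first to {target}"
    return 2, f"migrate to {target}"

def plan(assets):
    """Order the inventory by tier, then by longest confidentiality horizon."""
    ranked = sorted(assets, key=lambda a: (triage(a)[0], -a.confidential_until))
    return [(triage(a)[0], a.name, triage(a)[1]) for a in ranked]

# Constructed sample inventory (hypothetical systems, not from the page).
INVENTORY = [
    Asset("backup-vault", "AES", "symmetric", 256, 2045),
    Asset("firmware-signing", "ECDSA", "signature", 256, 2026),
    Asset("patient-records-gateway", "ECDH", "key-exchange", 256, 2060),
    Asset("vpn-concentrator", "RSA", "key-exchange", 2048, 2028),
    Asset("legacy-billing-app", "unidentified", "key-exchange", 0, 2035),
]

if __name__ == "__main__":
    for tier, name, action in plan(INVENTORY):
        print(f"tier {tier}  {name:26} {action}")
```

Records that cannot be identified sort ahead of everything else, because an unknown primitive blocks a credible migration plan until someone inspects it.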
The Cost of Waiting
A wait-and-see posture is structurally incompatible with the HNDL threat, and the math is not forgiving.
When quantum attacks eventually become practical, the data collected in prior years becomes immediately readable. By the time quantum decryption becomes practical in the early 2030s, the collection phase of the breach may already be years behind you, with no opportunity for notification, containment, or remediation.
Large enterprise migration timelines, commonly estimated at 12 to 15 or more years, reflect genuine organizational and technical complexity: cryptographic debt must be inventoried, infrastructure must be redesigned for agility, hybrid deployments must be piloted and validated, and governance frameworks must be updated across procurement, legal, and vendor management functions. Each phase requires time that cannot be recovered after the fact.
Organizations beginning structured migration in 2026 have that runway. Those that defer to 2028 or 2029 will face incomplete transitions against concrete deadlines, beginning with CNSA 2.0’s January 2027 acquisition requirement for National Security Systems and the proposed 2030 deprecation of RSA-2048 and ECC P-256 in NIST standards. For organizations operating within federal supply chains, the January 2027 CNSA 2.0 procurement gate is already a contract eligibility factor, not a future consideration.
The standards exist. The planning frameworks are in place. The adversaries have already made their decision about when to act. The only variable still within your organization’s control is when you begin.
How Encryption Consulting Can Help
Encryption Consulting guides organizations through every stage of the post-quantum migration, from the first cryptographic inventory to full production deployment through our PQC Advisory Services.
We begin with a Cryptographic Discovery and Inventory, scanning your entire environment to identify certificates, keys, algorithms, and protocols across endpoints, applications, APIs, and infrastructure. This builds the baseline every credible migration plan requires.
From there, we conduct a PQC Assessment to evaluate your exposure to quantum threats, identify RSA- and ECC-dependent systems, and deliver a prioritized report of vulnerable assets with risk severity ratings aligned to NIST migration guidance.
With that clarity, we develop a PQC Strategy and Roadmap, a phased migration plan aligned to your risk appetite, regulatory requirements, and long-term security goals, with cryptographic agility built in so your systems can adapt as standards evolve.
We then support Vendor Evaluation and Pilot Testing, helping you select the right tools, run proof-of-concept tests, and validate interoperability before any full-scale rollout.
Finally, we manage Full Implementation, deploying hybrid classical and quantum-safe models, rolling out PQC across your PKI and infrastructure, and establishing monitoring for long-term cryptographic health.
CBOM Secure
Encryption Consulting’s CBOM Secure tool plays a central role in helping organizations move from awareness to action. Rather than working through spreadsheets, manual OpenSSL outputs, or fragmented configuration files, CBOM Secure gives a clear, centralized view of cryptographic usage across your entire environment. It identifies which algorithms are in use, which systems require changes for post-quantum readiness, and whether current configurations meet your security policy requirements.
CBOM Secure accelerates the transition from discovery to action by automating crypto inventories, checking TLS configurations, validating algorithms, and aligning policies, so teams can move forward without guesswork.
The earlier your teams start, the more manageable the long-term work becomes.
Conclusion
The HNDL threat does not wait for internal consensus. Adversaries collecting encrypted data today need only patience and storage. The breach, in the sense that matters most, may already be in progress. What makes 2026 significant is that the gap between “quantum is coming” and “quantum is approaching operational capability” has closed substantially in the past twelve months. Google’s March 2026 whitepaper reduced the estimated qubit requirement to break ECC by approximately 20-fold through algorithmic work alone, and NIST’s post-quantum standards are finalized and in production use.
The path forward is clear: inventory your cryptography, classify data by confidentiality horizon, audit your vendors, build crypto-agility into every new system, and secure executive sponsorship before external deadlines drive the decision. The standards exist. The planning frameworks are in place. Encryption Consulting is ready to help you build the roadmap and execute the migration at the pace your organization requires.
