The cybersecurity protecting your company relies on public-key cryptography. This technology protects key sharing, digital signatures, and logins on nearly every system you use. It works because it is built on mathematical problems that current computers can’t solve. But a strong enough quantum computer could solve these problems quickly. While these quantum computers don’t exist yet, attackers are already planning ahead: they are saving encrypted data today – including banking, medical, government, and business secrets – and plan to decrypt it as soon as quantum computers are good enough. This is called ‘Harvest Now, Decrypt Later’ (HNDL). Because of this, your data could be at risk right now.
Key Takeaways
- Your data is already a target. Attackers are harvesting data protected by public-key cryptography now, waiting for quantum computers to crack it later. If your data has a long shelf life, it’s at risk today.
- The regulatory clock is ticking. Australia, the EU, the UK, and the US have all set targets for implementing solutions. If you operate across borders, you need to meet the earliest one that applies to you.
- Start now or fall behind. Cryptographic migration takes years, not months. Organisations that wait until 2030 will already be too late.
The threat is specific and everywhere
Not all encryption is unsafe. Symmetric encryption, like AES-256 that secures stored data, is generally safe from quantum computers. The risk is to public-key encryption: systems using RSA, elliptic curve, and Diffie-Hellman for exchanging keys, digital signatures, and proving identity. These methods let your browser check if a website is real, let two systems make a secure link, and support trust using certificates across your entire IT estate.
Public-key cryptography was made to be secure against current computers, and it is. But quantum computers follow different rules. They can solve the underlying mathematical problems much faster. So, the public-key encryption we’ve used for years will eventually break. We just don’t know when.
We know that governments and skilled criminal groups get this. They’re grabbing and saving encrypted data, and keeping it until a strong quantum computer can unlock everything. If your organisation handles any data with a long shelf life – patient records, defence intelligence, financial data, trade secrets, legal documents – that data is already a target.
This is real. A 2025 study by ISACA says 56% of cybersecurity experts worry about HNDL, yet 41% of businesses aren’t planning to deal with quantum computing yet [1]. Cybersecurity experts have warned about this for years. Now, governments are taking it seriously and setting firm deadlines to act.
The deadlines are real
Global regulators are requiring a change to encryption that resists quantum computers, called post-quantum cryptography (PQC). They have strict deadlines that must be followed.
- United States: From January 2027, all new National Security Systems must use quantum-safe encryption. Full migration across government systems is required by 2035 [2].
- United Kingdom: The National Cyber Security Centre (NCSC) has set a 2035 target for complete PQC migration, with three phases: discovery by 2028, high-priority upgrades by 2031, and full transition by 2035 [3].
- European Union: Deadlines of 2030 and 2035 apply, depending on the application and sector [4].
- Australia: The Australian Signals Directorate (ASD) has set a 2030 target for ceasing use of traditional asymmetric cryptography entirely [5].
If your organisation operates across borders, you’ll need to meet the earliest deadline that applies to you. And if you supply services to government or regulated sectors, your customers will increasingly require documented evidence of your PQC roadmap.
The standards exist and deployment is underway
This problem can be fixed. In August 2024, NIST finished its first set of post-quantum cryptography standards, including ML-KEM, ML-DSA, and SLH-DSA [6]. And implementation has started. By late October 2025, over half of web traffic on Cloudflare used post-quantum key agreement [4]. Big cloud companies like AWS, Google Cloud, and Microsoft Azure said they will offer services with PQC, planning to fully use it by 2026 [7].
In financial services, JPMorgan Chase and BNY Mellon have already completed pilot programmes for quantum-resistant key exchange on their trading platforms [7]. Hardware security modules with PQC support are reaching the market, and hybrid cryptographic deployments – running classical and quantum-resistant encryption in parallel – are becoming the standard transitional approach.
The technology is ready. The question is whether your organisation is.
Why starting in 2030 will already be too late
Many leaders don’t realise that changing your public-key cryptography is not a quick software update. For big organisations, it means finding every place cryptography is used – all systems, protocols, vendors, and devices. Then, you must rank them by data importance and lifespan, agree quantum-resistant plans with suppliers, test hybrid setups, and make changes smoothly.
For large or legacy-heavy organisations, this can take years. Industry analysts recommend budgeting 2–5% of annual IT security spend over a four-year migration window [7]. ISACA warns that organisations waiting until quantum computers reach their full potential to begin planning will already be too late [1]. Bain & Company has issued similar warnings, noting that the transition will unfold gradually and that early preparation is essential [8].
Five things to do this year
You don’t need a quantum computer to start preparing for one. Here’s where to begin:
Map your cryptographic landscape. Carry out a full inventory of where and how your organisation uses public-key cryptography – protocols, certificates, key exchange mechanisms, digital signatures, third-party integrations. You can’t migrate what you haven’t identified.
Identify your most exposed data. Prioritise anything with a long shelf life or high sensitivity. Patient records, intellectual property, classified information, financial data – these are the assets most vulnerable to HNDL attacks.
Audit your vendors. Your quantum readiness is only as strong as your least-prepared supplier. Start requiring documented PQC migration roadmaps as part of your contractual obligations with critical vendors.
Pilot hybrid deployments. You don’t need to rip and replace overnight. Hybrid approaches (running quantum-resistant and classical encryption side by side) let you transition gradually whilst maintaining compatibility. NIST [9], the NCSC [3], and the ASD [5] all endorse this approach as a practical first step.
Build internal literacy. Your security team needs to understand PQC, not just your CISO. Free resources from NIST [9], IBM Quantum Experience, and Amazon Braket can help upskill existing staff without significant cost.
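The first two steps above, as an added example that is not from the original post: it classifies each inventory entry by the algorithm families the article names and queues the quantum-vulnerable or unidentified ones by data shelf life. The inventory entries, the `Asset` fields and the key-exchange tie-break are assumptions made for illustration.

```python
from dataclasses import dataclass

PQC = ("MLKEM", "MLDSA", "SLHDSA")   # NIST standards named in the article
CLASSICAL = ("RSA", "ECDSA", "ECDH", "X25519", "ED25519", "DH", "DSA")
SYMMETRIC = ("AES256",)              # the article treats AES-256 as generally safe

@dataclass
class Asset:
    name: str
    algorithm: str          # as recorded in the inventory
    use: str                # "key-exchange", "signature" or "storage"
    shelf_life_years: int   # how long the protected data must stay secret

def classify(algorithm: str) -> str:
    """Return 'pqc', 'hybrid', 'vulnerable', 'symmetric' or 'unknown'."""
    norm = algorithm.upper().replace("-", "").replace("_", "")
    has_pqc = any(t in norm for t in PQC)
    # Remove PQC names first so 'DSA' inside 'MLDSA' is not read as classical DSA.
    for t in PQC:
        norm = norm.replace(t, "")
    has_classical = any(t in norm for t in CLASSICAL)
    if has_pqc:
        return "hybrid" if has_classical else "pqc"
    if has_classical:
        return "vulnerable"
    # Anything unrecognised stays 'unknown' so it is reviewed, not assumed safe.
    return "symmetric" if any(t in norm for t in SYMMETRIC) else "unknown"

def migration_queue(assets):
    """Vulnerable and unknown assets, longest-lived data first."""
    todo = [a for a in assets if classify(a.algorithm) in ("vulnerable", "unknown")]
    # Assumption: at equal shelf life, key exchange outranks signatures,
    # because traffic recorded today can be decrypted later.
    return sorted(todo, key=lambda a: (a.shelf_life_years, a.use == "key-exchange"),
                  reverse=True)

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("patient-records-api", "ECDHE-P256", "key-exchange", 25),
    Asset("public-website", "X25519MLKEM768", "key-exchange", 1),
    Asset("code-signing", "RSA-3072", "signature", 10),
    Asset("backup-vault", "AES-256-GCM", "storage", 25),
    Asset("legacy-vpn", "vendor-proprietary", "key-exchange", 5),
    Asset("firmware-signing", "ML-DSA-65", "signature", 15),
]

if __name__ == "__main__":
    for a in migration_queue(INVENTORY):
        print(f"{a.shelf_life_years:>3}y  {classify(a.algorithm):<10}  {a.name}")
```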
The window is open, for now
Quantum computing will bring extraordinary opportunities for the organisations prepared to use it. But the cybersecurity threat it poses is more immediate than the competitive advantage – and it demands action now, not when fault-tolerant quantum machines arrive.
Your encryption has an expiry date. You may not know the exact day, but you know it’s coming. The organisations that act now will be protected. Those that don’t will be explaining to their boards, their regulators, and their customers why they waited.
This post draws from my soon-to-be-published full enterprise briefing, Quantum Computing for Enterprise: Current State, Real-World Applications & Strategic Outlook.
References
[1] ISACA, “Post-Quantum Cryptography: A Call to Action”, 2025, https://www.isaca.org/resources/news-and-trends/industry-news/2025/post-quantum-cryptography-a-call-to-action
[2] NSA, “Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) FAQ”, Updated December 2024, https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF
[3] UK National Cyber Security Centre, “Timelines for Migration to Post-Quantum Cryptography”, 2025, https://www.ncsc.gov.uk/guidance/pqc-migration-timelines
[4] Cloudflare, “State of the Post-Quantum Internet in 2025”, November 2025, https://blog.cloudflare.com/pq-2025/
[5] Australian Signals Directorate, “Planning for Post-Quantum Cryptography”, 2025, https://www.cyber.gov.au/business-government/secure-design/planning-for-post-quantum-cryptography
[6] NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards”, August 2024, https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
[7] PQC Readiness Strategy, “Post-Quantum Cryptography Readiness Strategy for Today”, 2025, https://medium.com/@oracle_43885/post-quantum-cryptography-readiness-strategy-for-today-fdf5732b7cae
[8] Bain & Company, “Technology Report 2025: Quantum Computing Moves from Theoretical to Inevitable”, 2025, https://www.bain.com/insights/quantum-computing-moves-from-theoretical-to-inevitable-technology-report-2025/
[9] NIST, “Post-Quantum Cryptography Project”, Ongoing, https://csrc.nist.gov/projects/post-quantum-cryptography
