- Adversaries may already be collecting your encrypted data, waiting for quantum computers to make it readable—an active threat called harvest now, decrypt later (HNDL).
- The window to address this threat is shorter than you think. The first NSA post-quantum cryptography (PQC) compliance deadline is January 1, 2027.
- The hardest part of PQC migration is finding out what cryptography you actually rely on today, which is not easy because the answer is usually spread across teams.
- If your encrypted data needs to stay protected for ten or more years, World Quantum Day (April 14) marks a great time to start focusing on post-quantum ownership, retention, and budget.
A large multinational company once owned Class A network address space. When the time came to sell it, the team faced a choice: re-IP the network, which would have required significant planning, coordination, and budget; or implement Network Address Translation (NAT) routing rules and keep moving.
They chose NAT.
The network functioned normally for years afterward, which made the whole conversation easy to close. When concerns were raised that the sold address space could eventually create downstream conflicts, the response was pragmatic. Addressing it properly would need to be a separate project with its own budget approval in the next cycle. Nobody wanted to spend money on something that was not broken.
About five years later, Microsoft purchased that IP space for Azure. Large portions of the network developed routing conflicts with Azure services. The problem that never made the budget cycle was now on the incident list.
The encryption protecting most organizations’ sensitive data is in a similar position. It works today, which is why it keeps getting deferred.
Why World Quantum Day Matters for Security Leaders
World Quantum Day is April 14 every year, a date chosen because 4.14 approximates the first digits of Planck’s constant. It marks real progress in quantum science and technology, and genuine investment by governments and major technology companies in the race toward fault-tolerant quantum computing.
For security and technology leaders, the more immediate issue is not the exact arrival date of a cryptographically relevant quantum computer. It’s the fact that adversaries don’t need certainty to start collecting encrypted data now.
The threat has a name: harvest now, decrypt later (HNDL). Adversaries capture encrypted data today, store it, and wait. HNDL is not theoretical enough to dismiss and not mature enough to model cleanly. That’s exactly what makes it hard to prioritize. If your encrypted data will still matter in 2031 or 2036, the risk is already on the table, and has been for a while.
The Standards Have Arrived
There’s a common assumption that PQC is a future concern because the computers that would break current encryption don’t yet exist. The standards bodies didn’t wait for that assumption to get resolved.
NIST finalized its first PQC standards in August 2024, after an eight-year evaluation process. [1] These are not draft guidelines. They cover key encapsulation and digital signatures and are deployable now. The NSA’s Commercial National Security Algorithm Suite (CNSA) 2.0 sets mandatory migration timelines for national security systems, with the first compliance deadline for new systems arriving on January 1, 2027. [2] That deadline is less than a year away. The EU, the UK National Cyber Security Centre (NCSC), and Australian regulators have each published their own roadmaps, most converging in 2030 to 2035 as the outer boundary for full migration. [3] Large infrastructure providers are already moving, and compliance timelines are no longer hypothetical. By late 2025, more than half of human-initiated web traffic through Cloudflare was already running on post-quantum key agreement. [4]
What Migration Actually Requires
PQC is not a product you deploy. It’s a migration, and the first step is knowing what you have.
A cryptographic inventory means identifying every system and application relying on asymmetric algorithms a quantum computer can break: RSA, elliptic curve cryptography, Diffie-Hellman key exchange. In a large enterprise this is genuinely messy work. Cryptography is embedded in VPN concentrators, certificate lifecycles, code-signing pipelines, and third-party vendor appliances that may not yet have a clear upgrade path. The answer to “what do we use?” is often not one list but several, pulled from different teams who have never compared notes.
The concept gaining traction is cryptographic agility: designing systems so algorithms can be swapped without rebuilding the architecture. Organizations that build for agility now will adapt as standards evolve. The ones that wait will do what organizations always do when a deadline closes in: compress the project, accept more risk, and pay more to get it done. Prioritizing assets by data retention requirements is the practical starting point. Encrypted data that needs to stay protected for ten or more years carries the most exposure, because that’s the window where decryption becomes feasible.
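The inventory and prioritization steps described above can be sketched as follows. This is an added example, not code from the article: the team lists, system names, and tier ordering are constructed assumptions, and it merges separate per-team lists, flags the asymmetric families the article names, and ranks systems by retention.

```python
import re
from collections import defaultdict

# Asymmetric families the article names as quantum-breakable:
# RSA, elliptic curve cryptography, Diffie-Hellman key exchange.
VULNERABLE = {"rsa", "ecc", "ecdsa", "ecdh", "ecdhe", "dh", "dhe", "x25519", "ed25519"}
LONG_RETENTION_YEARS = 10  # the article's "ten or more years" threshold

# Constructed sample data: three teams' lists that were never reconciled.
# Each row is (system, algorithms as reported, retention in years).
TEAM_LISTS = {
    "infrastructure": [("vpn-gw", "RSA-2048, ECDHE", 3), ("records-archive", "AES-256-GCM", 15)],
    "application": [("records-archive", "ECDH P-256", 12), ("build-signing", "ecdsa p-384", 5)],
    "vendor-mgmt": [("hsm-appliance", "unknown", 20), ("wiki", "AES-128", 1)],
}
# Assumed tier order: long-retention vulnerable, long-retention gaps, other vulnerable.
TIERS = {("vulnerable", True): 1, ("unknown", True): 2, ("vulnerable", False): 3}

def family(algorithm):
    """Reduce 'RSA-2048' or 'ecdsa p-384' to a lower-case family token."""
    tokens = re.findall(r"[a-z0-9]+", algorithm.lower())
    return tokens[0] if tokens else "unknown"

def merge(team_lists):
    """One record per system: union of reported families, longest retention."""
    merged = defaultdict(lambda: {"families": set(), "years": 0})
    for rows in team_lists.values():
        for system, algorithms, years in rows:
            rec = merged[system]
            rec["families"].update(family(a) for a in algorithms.split(","))
            rec["years"] = max(rec["years"], years)
    return merged

def status(families):
    """'vulnerable' wins over 'unknown'; 'none-listed' makes no safety claim."""
    if families & VULNERABLE:
        return "vulnerable"
    return "unknown" if "unknown" in families else "none-listed"

def prioritize(team_lists):
    """Return (tier, system, status, retention_years), most exposed first."""
    rows = []
    for system, rec in merge(team_lists).items():
        state = status(rec["families"])
        tier = TIERS.get((state, rec["years"] >= LONG_RETENTION_YEARS), 4)
        rows.append((tier, -rec["years"], system, state))
    return [(tier, system, state, -neg) for tier, neg, system, state in sorted(rows)]

if __name__ == "__main__":
    for tier, system, state, years in prioritize(TEAM_LISTS):
        print(f"tier {tier}  {system:<16} {state:<12} retention {years}y")
```

In the sample data, the infrastructure list alone shows `records-archive` using only AES; the ECDH dependency appears only once the application team's list is merged in, which moves that system to the top tier.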
Limitations and Tradeoffs
Post-quantum algorithms are not a straight swap. The new standards carry more computational overhead than the cryptography they replace—which means larger key sizes, more bandwidth consumption on encrypted connections, and, in some cases, meaningful latency impact on high-volume systems. Organizations running legacy hardware or appliances without a clear vendor upgrade path will hit friction that a cryptographic inventory alone won’t solve.
The timeline uncertainty cuts both ways. The compliance deadlines from NSA and NIST are real, but the actual arrival of a cryptographically relevant quantum computer remains genuinely uncertain. That uncertainty has been used to justify delay before, and it will be used again. The HNDL threat exists regardless of when quantum computing matures, which is the stronger argument for moving now on long-retention data.
Vendor readiness is also uneven. Cloud providers and major infrastructure vendors are ahead of most enterprise software and appliance vendors. Any organization that has mapped its cryptographic exposure will likely find gaps where the upgrade path depends on a third party that has not yet published a roadmap.
Where to Start
The technical work still has to be executed, but the harder problem early on is organizational: ownership, inventory, and budget.
Most post-quantum migrations stall at the same two points: nobody owns the cryptographic inventory, and the project cannot get budget because nothing is visibly broken yet. Both are solvable before a single algorithm gets replaced.
- Ownership first. Assign someone to pull the inventory, knowing it will require conversations across infrastructure, application, and vendor teams that may never have happened before. The goal at this stage is not a complete picture. It’s a defensible starting point.
- Data retention second. Before the inventory is finished, identify which systems handle data that needs to stay protected for a decade or more. Financial records, health data, legal communications, intellectual property. That subset is the immediate priority and the easiest case to make to leadership, because the HNDL risk is directly proportional to how long the data needs to remain confidential.
- Budget framing third. “Quantum computers don’t exist yet” will kill this project in the next cycle if that is the frame. The case is easier to make when it’s framed the way security projects usually get funded: known risk, defined cost, and a real deadline. January 1, 2027 is a real date. The inventory is the evidence. Those two things together are a fundable project.
The Budget Cycle Problem
The NAT solution worked. For years, nothing was visibly broken. The concern about sold IP space was not dismissed because someone weighed the risk and accepted it. It was dismissed because there was no immediate pain and fixing it properly had a real cost. The standard applied was: does it work today? It did, so nothing moved.
That’s the same standard most organizations are applying to their encryption right now.
World Quantum Day offers the opportunity to ask whether “works today” is still the right bar, and whether this path forward sounds familiar: separate project, next budget cycle, nothing broken yet.
A: It depends on what you are protecting. If your organization handles data that needs to stay confidential for ten or more years, the risk is present now because of an active threat by adversaries called harvest now, decrypt later (HNDL). If you are subject to federal compliance requirements or work with agencies that are, the first NSA deadline for new systems is January 1, 2027. For everyone else, 2030 to 2035 is the regulatory outer boundary, but starting the inventory and assessment now can cost significantly less than compressing the same work under deadline pressure later.
A: Yes. Major cloud providers including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have announced or are deploying post-quantum key agreement, but that covers the connection layer, not necessarily the encryption of data at rest in your applications. Your cloud provider moving to post-quantum Transport Layer Security (TLS) does not mean your data is fully protected. The inventory still needs to account for how data is encrypted within your applications, not just how it travels.
A: That’s a real and common problem. Some appliance and software vendors don’t have published post-quantum roadmaps yet. The practical answer is to document those gaps now and include post-quantum compliance readiness as a requirement in future procurement. Knowing where your exposure is through vendors is part of the inventory, not a reason to delay starting it.
A: Compliance is part of it, but it’s not the whole argument. The harvest now, decrypt later (HNDL) threat is independent of regulatory timelines. An adversary collecting your encrypted data today doesn’t care whether your organization has filed a compliance report. The compliance deadlines create organizational urgency, which is useful, but the underlying risk exists whether or not a regulator is watching.
1. NIST, NIST Releases First 3 Finalized Post-Quantum Encryption Standards, August 2024
2. NSA, Commercial National Security Algorithm Suite 2.0, CNSA 2.0 Timeline, accessed April 2026
3. The Cloudflare Blog, State of the post-quantum Internet in 2025, October 2025
4. Ibid.