The Quantum Clock Is Ticking

For years, the concept of “Q-Day” has been treated as a distant milestone, one that many organisations assumed would arrive gradually enough to afford ample preparation time. That perception is beginning to change. The pace of progress in quantum computing is no longer linear, and the signals coming from both research and industry suggest that timelines are compressing in ways that many organisations are not fully accounting for.

 

With quantum computing following a trajectory similar to that of Artificial Intelligence (AI) — where capabilities expanded at scale far ahead of most institutional forecasts — organisations relying on conservative timelines may find themselves significantly underprepared.

 

Moving the Goal Posts

One of the clearest indicators of quantum acceleration is the behaviour of major technology providers. Google’s 2029 deadline for quantum-resistant cryptography is frequently misread as a distant horizon. In practice, it signals that major technology providers have concluded that change is not a question of if, but when. The more important signal lies in the research itself, which highlights continued advances in attack methods against widely used cryptographic standards such as RSA and elliptic curve cryptography. These developments demonstrate that progress is not limited to quantum hardware. Improvements in algorithms and attack efficiency are steadily reducing the margin of safety of today’s encryption.

 

There is a cumulative progression at play here, one that introduces a more complex risk profile than many organisations anticipate. Quantum disruption is unlikely to arrive as a single, clearly defined breakthrough. Instead, it will emerge through a series of incremental improvements that collectively erode the effectiveness of existing protections. As these advances continue, systems that were once considered secure may become increasingly vulnerable, particularly where cryptographic implementations are already operating close to minimum recommended standards.

 

Present Concerns

The threat is not confined to future scenarios. The concept of time-capsule attacks has transformed quantum risk into a present-day concern. Attackers can capture encrypted data today with the intention of decrypting it once quantum capabilities mature. This creates a long-term exposure for sensitive information such as intellectual property, financial data and regulated records, all of which may retain value for years or decades. Encryption must therefore be understood as a long-term data lifecycle control, not merely a point-in-time safeguard.

 

Identifying Cryptographic Reliances

Despite this, many organisations lack a clear understanding of where and how encryption is used across their environments. Enterprise infrastructure has evolved into a complex network of applications, cloud services, APIs and third-party integrations, each relying on cryptography in different ways. This complexity has created limited visibility, meaning businesses cannot easily identify their cryptographic dependencies or assess their exposure to quantum risk. The result is a visibility gap that makes it difficult to assess exposure and prioritise remediation.

 

This visibility gap has direct implications for migration readiness. Transitioning to quantum-resistant cryptography requires a coordinated effort spanning technology layers, internal teams and third-party partners. Cryptographic dependencies are deeply embedded in enterprise infrastructure, and changes in one area can have cascading effects across others. For most large organisations, this is a multi-year transformation programme, not a discrete project. 

 

In the UK, the National Cyber Security Centre (NCSC) has set a clear expectation: organisations should complete a full cryptographic discovery exercise and begin building their migration plans by 2028, with high-priority upgrades executed by 2031 and full migration completed by 2035.

 

Time to Act Now

The risk of delay becomes increasingly pronounced in this context. Organisations that postpone preparation in the hope of clearer timelines or more mature standards may find themselves under pressure to act quickly when the need becomes unavoidable. In contrast, those that begin the process now can take a more structured approach, gradually building the capabilities required to adapt. The transition to quantum-resistant cryptography is already a regulatory priority. In August 2024, the US National Institute of Standards and Technology (NIST) finalised its first three post-quantum cryptography standards – ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) – providing organisations with an actionable foundation for migration planning.

 

A practical starting point for most businesses is to focus on understanding their current state. This involves creating a comprehensive inventory of where cryptography is used, identifying systems that protect long-lived sensitive data and evaluating the strength of existing implementations. From there, organisations can begin to prioritise areas of greatest risk and explore approaches that enable gradual transition. Hybrid cryptographic models, combining classical and quantum-resistant methods, are emerging as a practical bridge, enabling organisations to build resilience incrementally without disrupting current operations. Both NIST and the NCSC have endorsed hybrid approaches as part of a structured migration path.

 

Equally important is the need to move beyond the assumption that vendors will manage the transition entirely on behalf of their customers. While vendor support plays a critical role, security ownership cannot be fully delegated. Encryption underpins identities, credentials, communications and system interactions. Without a clear internal strategy that maps dependencies, assigns ownership and defines migration sequencing, gaps are likely to persist precisely where multiple systems and providers intersect.

 

Reducing Risk Through Identity and Access Control

This is where a stronger focus on identity and access control becomes essential. As systems grow more interconnected, understanding who and what has access to sensitive data becomes a key factor in reducing risk. Effective security requires continuous verification of identities, strict control over privileged access and comprehensive auditing of system activity. These principles support the concept of a zero-trust security architecture, which enforces verification and least-privilege access across all users and systems.

 

The evolution of cryptography itself is already underway. NIST’s publication of three finalised quantum-resistant cryptography standards in August 2024, derived from the CRYSTALS-Kyber, CRYSTALS-Dilithium and SPHINCS+ submissions, provides a concrete foundation for organisations beginning their migration. Solutions that incorporate these algorithms alongside existing cryptographic methods offer a practical path forward. Architectures that prioritise crypto-agility are particularly valuable as standards continue to evolve.

 

The Q-Day Opportunity

The broader lesson from recent technological shifts is that preparation must begin before disruption becomes unavoidable. The pace at which AI outpaced enterprise governance and security frameworks offers a direct precedent. Quantum computing presents a similar challenge, but also an opportunity to take a more measured approach. Q-Day is unlikely to arrive as a single defining event, but its consequences will be felt across every system that relies on encryption. 

 

The organisations best positioned to manage that transition are those that act with structure and deliberation now. 

 

Those who delay may face a far more complex and urgent set of challenges, particularly as regulatory expectations increase and the pace of technological change continues to accelerate. Businesses that invest now in understanding their cryptographic landscape, strengthening identity controls and adopting flexible security architectures will be better positioned to navigate the transition and build the cryptographic resilience that the next era of enterprise security will demand.

 

---

 

Dr Adam Everspaugh is cryptography advisor at Keeper Security

 

Main image courtesy of iStockPhoto.com and beingbonny