Your encryption will be obsolete by 2030. Not metaphorically. Literally. The US government has already set the deadline. Quantum computers — machines that process information in fundamentally different ways than today’s computers — are advancing fast enough that the encryption protecting your bank account, your emails, and your business data will become breakable. The question is not whether this happens. It is whether you will be ready when it does.
“91% of businesses do not have a formal roadmap for migrating to quantum-safe algorithms.” — IBM Institute for Business Value, 2025
Post-quantum cryptography (PQC) is the solution. This guide explains what it is, why the timeline is urgent, and what you actually need to do about it — in plain English, without a physics degree required.
What Is Encryption — And Why Will Quantum Break It?
Before understanding the solution, you need to understand the problem. Today’s encryption — the kind protecting HTTPS websites, banking apps, and corporate VPNs — is built on a mathematical assumption: that certain calculations are so hard that no computer could solve them in a practical timeframe. Specifically, factoring enormous numbers into their prime components. A number with 2,048 digits could take a classical computer longer than the age of the universe to crack.
Quantum computers change this. They use quantum mechanical phenomena — superposition and entanglement — to process certain problems exponentially faster. A sufficiently powerful quantum computer running an algorithm called Shor’s Algorithm could factor those same 2,048-digit numbers in hours. Maybe minutes. Current quantum computers are not there yet. But they are improving rapidly — and the threat exists right now in a different form.
The “Harvest Now, Decrypt Later” Threat
This is the part most businesses are not thinking about — and the reason the urgency is real today, not in 2030. Nation-state adversaries and sophisticated criminal groups are already harvesting encrypted data. They intercept and store encrypted traffic — financial records, government communications, medical data, intellectual property — that they cannot read today. Their plan: hold it until quantum computers are powerful enough to decrypt it retroactively. If your company transmitted sensitive data in 2024 and a threat actor stored it, they could potentially decrypt it in 2028 or 2030. The breach already happened. You just do not know it yet. This is why migrating to quantum-safe encryption is not a future problem. It is a now problem.
What Is Post-Quantum Cryptography?
Post-quantum cryptography refers to cryptographic algorithms designed to be secure against both quantum and classical computers. These are not quantum technologies themselves — they run on ordinary hardware. They are new mathematical approaches that quantum computers cannot efficiently attack. In August 2024, the US National Institute of Standards and Technology (NIST) published its first finalized post-quantum cryptographic standards — a landmark moment that has been 8 years in the making. The three primary algorithms are:
| Algorithm | NIST Name | Best For | Status |
|---|---|---|---|
| CRYSTALS-Kyber | ML-KEM | Key exchange, TLS | ✅ Standardised |
| CRYSTALS-Dilithium | ML-DSA | Digital signatures | ✅ Standardised |
| SPHINCS+ | SLH-DSA | Digital signatures (backup) | ✅ Standardised |
The NIST Timeline: When You Must Act
NIST has published clear deadlines that organisations — especially those handling sensitive data — must plan around:
- 2024: First PQC standards published (already happened)
- 2030: Legacy public-key encryption systems deprecated — no longer considered safe
- 2035: Legacy systems disallowed — compliance will require quantum-safe alternatives
“The quantum clock is ticking and businesses are still stuck in prep mode.” — Help Net Security, December 2025
What Should Your Business Actually Do?
You do not need to understand the mathematics of lattice-based cryptography. You need a practical roadmap. Here is one.
Step 1: Take Inventory of Your Cryptographic Assets
You cannot fix what you cannot find. Start by mapping every place your organisation uses encryption — TLS certificates, VPNs, code-signing, email encryption, database encryption, API authentication. Most large organisations discover they have hundreds of cryptographic dependencies they did not know about.
Step 2: Identify Your Highest-Risk Data
Prioritise data with long confidentiality requirements. A credit card number that expires in two years matters less than a 20-year government contract or a decade of medical records. Harvest-now-decrypt-later attacks target the latter, not the former.
Step 3: Adopt Crypto-Agility
Crypto-agility means building your systems so that cryptographic algorithms can be swapped out without rebuilding everything from scratch. This is the single most important architectural principle for surviving the quantum transition — and for any future cryptographic standard changes beyond it.
Step 4: Start With Hybrid Encryption
The safest immediate approach is a hybrid model — combining your existing classical encryption with a post-quantum algorithm in parallel. If the PQC algorithm is later found to have weaknesses, your classical layer still protects you. Google and other tech leaders are already using this approach in production.
Step 5: Follow NIST and Update Regularly
Bookmark NIST’s PQC project page. Standards will evolve. New algorithms will be standardised. Staying current is not a one-time project — it is an ongoing responsibility.
Who Is Most at Risk Right Now?
Not every organisation faces the same urgency. But these sectors should treat this as an immediate priority:
- Financial services — transaction records, customer data, regulatory compliance
- Healthcare — patient records with decades-long confidentiality requirements
- Government and defence — classified communications already targeted by nation-state actors
- Legal and IP-heavy businesses — trade secrets, contracts, patent applications
- Critical infrastructure — energy grids, telecoms, water systems
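Steps 1 and 2 of the roadmap above (inventory, then prioritise by how long the data must stay confidential) can be turned into a small triage script. This is an added example, not code from the original article: the `Asset` fields, the asset names and the sample inventory are constructed for illustration, and using the article's 2030 deprecation date as the exposure threshold is an assumption.

```python
from dataclasses import dataclass

DEPRECATED, DISALLOWED = 2030, 2035   # milestones from the article's NIST timeline
SHOR_BROKEN = ("RSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519")  # classical public-key
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")  # the three standards in the article's table

@dataclass
class Asset:
    name: str
    algorithm: str      # e.g. "RSA-2048", "ECDH-P256", "AES-256"
    use: str            # "key_exchange", "signature" or "symmetric"
    secret_years: int   # how long the protected data must stay confidential
    in_use_until: int   # last year the key or certificate is expected to be trusted

def triage(a: Asset, today: int) -> tuple[int, str]:
    """Return (priority, action); priority 1 is the most urgent."""
    alg = a.algorithm.upper()
    if alg.startswith(PQC):
        return 5, "already post-quantum; keep tracking NIST updates"
    if not alg.startswith(SHOR_BROKEN):
        return 4, "not a public-key algorithm; outside this migration"
    if a.use == "key_exchange" and today + a.secret_years >= DEPRECATED:
        # Traffic recorded today is still sensitive at deprecation: harvest-now-decrypt-later.
        return 1, "move to hybrid classical + ML-KEM now"
    if a.use == "signature" and a.in_use_until >= DEPRECATED:
        # A harvested signature leaks nothing; risk starts if the key is still trusted later.
        return 2, "plan ML-DSA (SLH-DSA as backup) before the key outlives 2030"
    return 3, f"migrate before {DISALLOWED}"

def rank(inventory: list[Asset], today: int) -> list[tuple[int, str, str]]:
    """Sort assets by priority, then by longest confidentiality requirement."""
    rows = [(triage(a, today), a) for a in inventory]
    rows.sort(key=lambda r: (r[0][0], -r[1].secret_years))
    return [(p, a.name, action) for (p, action), a in rows]

# Constructed sample inventory (illustrative names and values, not real systems).
INVENTORY = [
    Asset("customer VPN", "RSA-2048", "key_exchange", 3, 2027),
    Asset("patient-records API TLS", "ECDH-P256", "key_exchange", 25, 2026),
    Asset("firmware code signing", "ECDSA-P256", "signature", 0, 2034),
    Asset("backup encryption", "AES-256", "symmetric", 10, 2035),
    Asset("pilot gateway", "ML-KEM-768", "key_exchange", 25, 2035),
    Asset("contract archive email", "RSA-2048", "key_exchange", 20, 2028),
]

if __name__ == "__main__":
    for priority, name, action in rank(INVENTORY, today=2025):
        print(priority, name, "->", action)
```

Key-exchange assets rank above signature assets because only recorded ciphertext can be decrypted after the fact; the hybrid recommendation for those assets follows Step 4.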
The Bottom Line
Post-quantum cryptography is not a future problem. It is a present one, wearing a future deadline. The encryption protecting most of the internet today will be breakable by quantum computers within a decade — possibly less. NIST has published the standards. The major tech companies are already migrating. The question for every organisation is not whether to make this transition, but how fast. Start with an inventory. Prioritise your most sensitive data. Build for crypto-agility. And do not wait for 2030 to start planning a 2030 migration. For more on how AI and emerging technology are reshaping cybersecurity, read our piece on the best deepfake detection tools in 2026 — another fast-moving security threat that most organisations are underprepared for. And for a broader view of where technology is heading, see our coverage of how AI agents are transforming the way we work.