There’s a particular kind of risk that keeps me up at night: the kind we don’t feel day to day because it’s easy to label it “later“. Quantum computing, the technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers, has lived in that folder for years.
I’m convinced we’re running out of time to keep it there, not because I want to be dramatic, but because the work required to respond is measured in years, not quarters.
What’s actually happening
Let me be plain about the threat model. “Harvest now, decrypt later” isn’t a sci-fi slogan; it’s a rational strategy. If an adversary can steal encrypted data today, they can store it and attempt decryption later when capabilities improve.
That’s why agencies like the UK’s National Cyber Security Centre (NCSC) and the U.S. national security community have been pushing organisations to plan now, not when a “Q-day” comes – the hypothetical milestone when quantum computers become more powerful than today’s widely used public-key encryptions.
This is where executives sometimes underestimate the risk: the target isn’t all data. It’s the data that remains valuable years from now: strategic plans, proprietary IP, legal files, identity records, health data, defence and infrastructure information. If you hold information with a long shelf life, delays matter.
The question I ask leaders isn’t “When will quantum break encryption?” It’s more uncomfortable than that: what are we collecting and retaining today that we’d regret losing five or ten years from now?
The timeline most boardrooms are misreading
I’ve had versions of this conversation in boardrooms more times than I can count. It usually follows a predictable arc: acknowledgement, real curiosity, and then a quiet conclusion of “important, but not urgent.“
I understand the instinct. Everyone is navigating finite attention against an infinite list of priorities. But a few signals are getting harder to wave away.
In 2024, the National Institute of Standards and Technology (NIST) finalised its first post-quantum cryptography standards after years of evaluation. That alone should tell any serious risk committee something: standards bodies don’t spend that kind of time on a purely academic exercise.
At the same time, major vendors are publishing roadmaps and technical milestones that point towards accelerating capability. These roadmaps aren’t guarantees. However, when multiple credible groups converge on roughly the same decade, it’s prudent to treat that as a planning horizon, not a debate topic.
When you ask security practitioners what they believe will happen, you don’t get comfort. One KPMG survey found that a substantial share of experts expect conventional public-key crypto to be broken within a timeframe that overlaps with typical enterprise migration cycles. Although the outcomes of surveys aren’t certain, they are a warning light, especially when they align with government guidance.
Here’s the arithmetic that bothers me: if you have data that must remain confidential for five years, and a realistic migration takes several years in a complex environment, then “we’ll start later” is not a neutral choice. It’s a decision to compress the transition into a crisis.
The scale of migration is what most underestimate
I want to be clear about something that is often overlooked: this is not a simple software upgrade. RSA and ECC, the two widely used types of security technology that help protect online communications and verify digital identities, are built into many core systems.
They support secure web connections, digital certificates, login and identity systems, software signing, remote access, and device authentication to name a few.
Replacing or augmenting that reality requires a fact base: where cryptography actually lives across your environment and supply chain.
In practice, that’s where most organisations get stuck, because they don’t have a clean map. Crypto is buried in appliances, libraries, legacy services, vendor dependencies, and so-called “temporary” workarounds that became permanent.
NIST has explicitly warned that cryptographic transitions can take a decade or more, often 10 to 20 years in complex environments, because you’re changing entire ecosystems.
What good looks like (and what it looks like first)
The companies worth paying attention to in this space aren’t selling “quantum panic,” but solving a practical enterprise problem: how to make cryptography visible, upgradeable, and governable before regulation or attackers force a rushed migration.
That’s the essence of crypto-agility. It means an organisation can find where cryptography lives, prioritise what actually matters, and replace vulnerable components without breaking operations.
In practice, early progress looks much less dramatic than most people expect. What ultimately matters is whether a team can turn a cryptography problem into a repeatable operational workflow.
In the first 90 days, “good” usually means three things: a live inventory of cryptographic dependencies across systems and suppliers, and risk tiering that highlights long-lived data, identity infrastructure, code signing, and critical third-party exposure.
And yes, regulatory expectations are moving in this direction. The UK’s NCSC has published a set of milestones leading to full migration by 2035, with planning and discovery expected earlier.
Read the orginal article: https://www.eu-startups.com/2026/07/quantum-security-the-clock-is-already-running/



