Post-quantum migration deadlines arrive faster than enterprise readiness
NIST has finalised the standards. The federal mandates are written. The cryptographic inventory inside most large organisations is still incomplete.
The standards exist. NIST published FIPS 203, 204 and 205 in August 2024, finalising ML-KEM, ML-DSA and SLH-DSA as the first generation of post-quantum cryptographic primitives. The US government issued migration mandates the following year. The European cybersecurity agency followed with sector guidance for telecommunications, finance and critical infrastructure. By any reasonable measure, the policy phase is closed.
What is not closed is the migration itself. Surveys of large enterprises consistently show the same pattern: most have not completed a cryptographic inventory, fewer than one in five have a credible migration roadmap with named owners, and almost none can answer the basic operational question of which third-party suppliers in their stack will support the new primitives on what timeline. The gap between policy and practice is now the binding constraint.
The harvest-now-decrypt-later threat is no longer hypothetical
The argument for moving faster has been repeated for years. Long-lived data — patents, medical records, source code, classified communications, anything with a confidentiality lifetime beyond the next decade — is being intercepted today by adversaries whose plan is to decrypt it once a sufficiently capable quantum computer becomes available. This is the "harvest now, decrypt later" threat model that has driven NSA's CNSA 2.0 timeline and the equivalent guidance from CISA.
The practical question for boards is not whether Shor's algorithm runs on hardware that exists today. It does not. The question is whether the data their organisation generates today will still be sensitive when such hardware does exist. For most regulated industries the answer is plainly yes, and the implication is that the migration to post-quantum primitives needs to be substantially complete before the threshold is crossed — not after.
The migration is harder than ordinary cryptographic upgrades for two reasons. First, ML-KEM and ML-DSA produce significantly larger keys and signatures than the elliptic-curve schemes they replace, which breaks assumptions in protocol implementations, hardware security modules, and certificate-chain sizing. Second, the practical advice from NIST and CISA is to deploy in hybrid mode — running classical and post-quantum schemes side by side — which doubles the operational surface during the transition.
The vendors that matter have moved. The major cloud providers ship hybrid post-quantum TLS in their load balancers. Browsers have shipped X25519+Kyber for over a year. The major HSM and KMS vendors have post-quantum key types in general availability. The operational substrate is largely there.
What is missing is internal: cryptographic inventory, dependency mapping, and a credible plan for the long-lived secrets — root certificates, signing keys, code-signing chains — that cannot be rotated quickly without a coordinated programme. Organisations that begin that programme now will land the migration on schedule. Organisations that defer it past 2027 will be relying on the assumption that fault-tolerant quantum hardware also stays on schedule. That has historically been a poor bet in either direction.
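A first-pass triage over a cryptographic inventory, as an added example that is not part of the original article: it separates harvest-now-decrypt-later exposure (classical key establishment protecting long-lived data) from signing keys that will still be trusted past the threshold. The inventory entries, the algorithm labels, `horizon_years` and `migration_years` are constructed planning assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks, split by role.
# The labels are this example's own inventory vocabulary.
SHOR_KEX = {"RSA", "DH", "ECDH", "X25519"}   # key establishment / encryption
SHOR_SIG = {"RSA-SIG", "ECDSA", "Ed25519"}   # signatures
PQ_KEX = {"ML-KEM"}                          # FIPS 203
PQ_SIG = {"ML-DSA", "SLH-DSA"}               # FIPS 204, FIPS 205

@dataclass(frozen=True)
class Asset:
    name: str
    algorithms: frozenset   # a hybrid deployment lists both schemes
    secrecy_years: int      # how long the protected data must stay confidential
    key_valid_years: int    # remaining validity of the key or trust anchor

def triage(a, horizon_years, migration_years):
    """Return (priority, reason); priority 0 is the most urgent."""
    if (a.algorithms & SHOR_KEX) and not (a.algorithms & PQ_KEX):
        # Traffic keeps being recorded until migration completes, so the data
        # is exposed if it is still secret when the horizon arrives.
        if a.secrecy_years + migration_years > horizon_years:
            return 0, "harvest-now-decrypt-later exposure"
        return 2, "classical key exchange, short-lived data"
    if (a.algorithms & SHOR_SIG) and not (a.algorithms & PQ_SIG):
        # A signature cannot be harvested for later decryption; the risk is a
        # key or trust anchor that is still accepted at the horizon.
        if a.key_valid_years > horizon_years:
            return 1, "signing key outlives the horizon"
        return 2, "classical signature, expires before the horizon"
    return 3, "hybrid, post-quantum or symmetric only"

def prioritise(inventory, horizon_years, migration_years):
    """Rank the inventory, most urgent first, as (priority, reason, name)."""
    return sorted((*triage(a, horizon_years, migration_years), a.name)
                  for a in inventory)

# Constructed sample inventory; names and lifetimes are illustrative only.
INVENTORY = [
    Asset("public-web-tls", frozenset({"X25519", "ML-KEM", "ECDSA"}), 1, 1),
    Asset("patient-records-vpn", frozenset({"ECDH", "ECDSA"}), 25, 2),
    Asset("code-signing-root", frozenset({"RSA-SIG"}), 0, 20),
    Asset("telemetry-link", frozenset({"X25519"}), 1, 1),
    Asset("backup-encryption", frozenset({"AES-256"}), 15, 0),
]

if __name__ == "__main__":
    # Assumed planning inputs: 10 years to the threshold, 3 years to migrate.
    for priority, reason, name in prioritise(INVENTORY, 10, 3):
        print(priority, name, "-", reason)
```

The hybrid TLS endpoint still lands in the queue because its certificate is classical, which is the kind of dependency a key-exchange-only review misses.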