Post-Quantum Cryptography: What Executives Need to Know Before 2030
Quantum computers will eventually break RSA and ECC encryption. The window to prepare is now, not when it happens. Here's a plain-language guide to the threat, the NIST standards, and the steps your organisation should take today.
The Clock Is Already Running
The threat from quantum computing is not a future problem — it's a present one. Adversaries are already harvesting encrypted data today, storing it, and waiting for quantum computers powerful enough to break the encryption. This "harvest now, decrypt later" strategy means the data you encrypt today could be exposed in the next decade.
For executives, this creates an uncomfortable reality: the preparation window is measured in years, not months. Organisations that wait for quantum computers to arrive before acting will find themselves in the same position as companies that hadn't tested their backups before a ransomware attack.
This guide explains what post-quantum cryptography means, what NIST has standardised, and the concrete steps your organisation should begin taking now.
What Makes Quantum Different?
Classical computers process information in bits — 0 or 1. Quantum computers use qubits, which can exist in multiple states simultaneously through a property called superposition. This, combined with entanglement and interference, allows quantum computers to explore many possible solutions in parallel.
For most business applications, this makes no practical difference. But for a specific class of problems — factoring very large numbers and computing discrete logarithms — quantum computers are exponentially faster than classical ones.
This matters because two of the most widely used encryption algorithms, RSA and ECC (Elliptic Curve Cryptography), rely entirely on the computational hardness of these problems. A sufficiently powerful quantum computer running Shor's Algorithm could break RSA-2048 in hours rather than the billions of years a classical computer would require.
Symmetric encryption (AES-256) is more resilient — quantum computers can reduce its effective key length using Grover's Algorithm, but doubling the key length restores security. The existential risk is to asymmetric encryption, which underpins TLS/HTTPS, digital signatures, email encryption, VPNs, and certificate infrastructure.
The NIST Standards: What Was Finalised
In August 2024, the US National Institute of Standards and Technology (NIST) published the first three post-quantum cryptographic standards:
FIPS 203 — ML-KEM (CRYSTALS-Kyber)
The primary standard for key encapsulation (replacing RSA and ECDH in key exchange). ML-KEM is already supported in the latest versions of OpenSSL, BoringSSL, and several cloud providers' TLS implementations. This is the algorithm most organisations will encounter first.
FIPS 204 — ML-DSA (CRYSTALS-Dilithium)
The standard for digital signatures (replacing ECDSA and RSA signatures). Used for code signing, certificate authorities, and document authentication.
FIPS 205 — SLH-DSA (SPHINCS+)
A hash-based signature scheme — more conservative and slower than ML-DSA, but uses different mathematical foundations, providing a hedge if lattice-based algorithms face future weaknesses.
A fourth standard based on BIKE (isogeny-based) was withdrawn. NIST continues evaluating additional algorithms for future standardisation, including FALCON for digital signatures.
The Timeline: When Does This Become Urgent?
Estimating when a "Cryptographically Relevant Quantum Computer" (CRQC) — one powerful enough to break RSA-2048 — will exist is genuinely uncertain. Expert estimates range from 2030 to 2040, with some outliers at 2027.
The more useful question for executives is not "when will quantum computers arrive?" but "how long does our most sensitive data need to remain confidential?"
If your answer is "10+ years" — financial records, intellectual property, patient data, government contracts — then you already have a problem, because that data could be compromised by the harvest-now-decrypt-later approach.
A pragmatic migration timeline looks like this:
| Phase | Target | Timeline |
|---|---|---|
| Inventory | Identify all asymmetric cryptography in use | Now–2025 |
| Prioritise | Flag long-lived data, critical signing keys | Now–2026 |
| Pilot | Test PQC in non-critical systems | 2025–2027 |
| Migrate | Roll out hybrid PQC in critical infrastructure | 2026–2029 |
| Completion | Full PQC posture | Before 2030 |
The Hybrid Transition Approach
You do not need to rip out your existing cryptography to begin the transition. The current best practice is hybrid cryptography — combining a classical algorithm with a post-quantum algorithm. If the classical algorithm is broken, the post-quantum algorithm still protects the data. If the post-quantum algorithm has an unexpected weakness, the classical algorithm provides a fallback.
Google, Cloudflare, and AWS are already deploying hybrid TLS using X25519 + ML-KEM in their infrastructure. Signal has enabled post-quantum key agreement in its messaging protocol. The tooling is maturing rapidly.
For your organisation, a hybrid approach allows you to:
- Begin building PQC readiness without breaking existing integrations
- Comply with emerging regulatory guidance that is starting to reference PQC (NIST CSF 2.0, upcoming EU cyber regulations)
- Avoid the "flag day" migration risk of switching all cryptography at once
What Your Organisation Should Do Now
1. Complete a Cryptographic Inventory
You cannot migrate what you cannot see. Start with a full inventory of:
- Where asymmetric cryptography is in use (TLS certificates, VPNs, code signing, SSH keys, email encryption, database encryption)
- Key lengths and algorithm types (RSA-1024 vs RSA-2048, ECDSA P-256 vs P-384)
- Certificate expiry dates and rotation procedures
- Third-party and vendor dependencies with cryptographic exposure
For many organisations, this inventory reveals surprising complexity — cryptography is often embedded in ERP systems, SCADA infrastructure, and legacy applications that are difficult to update.
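As an added example (not part of the original article and not any vendor's tool), the Python below inventories one asset class from the list above, SSH public keys, by parsing `authorized_keys` lines and reporting the algorithm and, for RSA, the modulus size. The sample keys are constructed inline, and treating RSA below 2048 bits as "replace now" is an assumption that follows the RSA-1024 vs RSA-2048 distinction above.

```python
import base64

# Classical OpenSSH key types; each relies on factoring or discrete logarithms.
KEY_TYPES = {"ssh-rsa": "RSA", "ssh-ed25519": "Ed25519",
             "ecdsa-sha2-nistp256": "ECDSA P-256", "ecdsa-sha2-nistp384": "ECDSA P-384"}

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[pos:pos + n])
        pos += n
    return out

def inventory(lines):
    """Return (algorithm, RSA bits or None, comment, action) per key line."""
    rows = []
    for line in lines:
        parts = line.split()
        # Locate the key-type token so a leading options field is skipped.
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if line.lstrip().startswith("#") or idx is None or idx + 1 >= len(parts):
            continue
        fields = _fields(base64.b64decode(parts[idx + 1], validate=True))
        if fields[:1] != [parts[idx].encode()]:
            raise ValueError("key type label does not match key blob")
        is_rsa = parts[idx] == "ssh-rsa" and len(fields) == 3  # type, mpint e, mpint n
        bits = int.from_bytes(fields[2], "big").bit_length() if is_rsa else None
        # Assumption: RSA under 2048 bits is already weak against classical attack.
        action = "replace now" if bits and bits < 2048 else "plan PQC migration"
        rows.append((KEY_TYPES[parts[idx]], bits, " ".join(parts[idx + 2:]), action))
    return rows

def _key(*fields):
    # Builds constructed sample blobs: ints become SSH mpints, bytes pass through.
    enc = [f if isinstance(f, bytes) else f.to_bytes(f.bit_length() // 8 + 1, "big")
           for f in fields]
    return base64.b64encode(b"".join(len(f).to_bytes(4, "big") + f for f in enc)).decode()

# Constructed authorized_keys content; the RSA moduli only have the right bit length.
SAMPLE = [
    "# constructed file",
    "ssh-rsa " + _key(b"ssh-rsa", 65537, 1 << 1023 | 1) + " backup@legacy",
    "ssh-rsa " + _key(b"ssh-rsa", 65537, 1 << 2047 | 1) + " deploy@ci",
    "ssh-ed25519 " + _key(b"ssh-ed25519", bytes(32)) + " admin@laptop",
]
```

Calling `inventory(SAMPLE)` yields one row per key; every row is a migration candidate, and the 1024-bit RSA key is flagged for immediate replacement.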
2. Assess Data Longevity
Classify your sensitive data by how long it needs to remain confidential. Data with a confidentiality requirement beyond 2030 should be treated as at risk today. This typically includes:
- Intellectual property and R&D documents
- Patient records and medical data
- Long-term financial projections and M&A information
- Government and defence-related data
- Long-lived credentials and root CA keys
3. Prioritise Root CA and PKI Infrastructure
Your Public Key Infrastructure (PKI) — the Certificate Authority hierarchy that underpins digital trust across your organisation — has the longest migration lead time. Root CAs are embedded in trust stores across thousands of devices and may have 10+ year certificate validity periods. Start here.
4. Engage Your Vendors
Most organisations' cryptographic exposure is not in code they wrote — it's in the software and hardware they buy. Begin asking your critical technology vendors:
- Do you have a post-quantum cryptography roadmap?
- Which of your products use RSA or ECC, and when will PQC alternatives be available?
- Do you support hybrid key exchange in TLS today?
This creates procurement leverage and surfaces dependencies that could block your migration.
5. Follow Regulatory Guidance
NIST has published migration guidance (NIST IR 8547) recommending that organisations phase out RSA and ECC by 2030. The US NSA has issued similar guidance for National Security Systems. South African organisations with international clients or data sharing agreements should anticipate equivalent requirements flowing through within the next two to three years.
What Post-Quantum Cryptography Does NOT Protect Against
It is worth being clear about scope. Post-quantum cryptography addresses the threat to asymmetric encryption from quantum computers. It does not:
- Protect against ransomware or malware attacks on your systems
- Replace the need for strong symmetric encryption, access controls, and key management
- Protect data that is stored unencrypted
- Address operational security weaknesses (phishing, stolen credentials)
A post-quantum ready cryptographic posture is one layer of a multi-layered security architecture. It works alongside, not instead of, backup resilience, endpoint protection, and network segmentation.
FAQ
When should we start preparing for post-quantum threats?
Now. The inventory and prioritisation phases have no technical barrier — they require organisational effort, not new technology. Pilot deployments can begin today using existing open-source libraries. Waiting until quantum computers are demonstrated puts you on the wrong side of the timeline.
Does this affect our cloud providers?
Major cloud providers (AWS, Azure, Google Cloud) are already rolling out PQC in their infrastructure and will likely offer PQC-enabled certificate and key management services. However, your applications may use cryptography independently of the cloud provider — this needs separate assessment.
Is our current AES-256 data encryption safe?
AES-256 is considered quantum-resistant with the current understanding of quantum algorithms. The primary concern is asymmetric cryptography (RSA, ECC). That said, best practice is to ensure you are using AES-256 rather than AES-128, as Grover's Algorithm reduces effective symmetric key lengths.
What does this cost?
The cryptographic inventory is primarily a professional services cost. Hybrid TLS can be enabled in most modern infrastructure without licence cost increases. The larger cost is vendor migration coordination and updating legacy systems — which is precisely why starting early reduces total cost.
Who should own this in our organisation?
The CISO or Head of IT Security should lead the cryptographic inventory and prioritisation. Procurement should include PQC roadmap questions in vendor assessments. The Board should be briefed on data longevity risk for crown-jewel assets.
The Bottom Line
Post-quantum cryptography is not a theoretical concern for 2035 — it is an operational risk management decision for today. The organisations that will be best positioned are those that start their cryptographic inventory and vendor engagement now, before the standards are mandated and the migration timelines compress.
Contact our security team to discuss your organisation's cryptographic posture and what a PQC readiness assessment would involve.