NIST’s 2030 RSA Deadline Is Real. Your Migration Will Take 15 Years. The Math Is Brutal.

Scott Aaronson has spent years as the internet’s most trusted quantum skeptic. In May 2026, he published a post titled “Will you heed my warnings?” and told the world that people whose judgment he trusts more than his own now believe a fault-tolerant quantum computer capable of breaking deployed cryptographic systems should be achievable by around 2029. When the skeptic sounds the alarm, you pay attention.

Here is the problem. 97% of organizations say they plan to invest in post-quantum cryptography over the next 24 months. Only 22% have moved beyond piloting. And nearly half, 49% of organizations, haven’t started implementing any quantum-resistant security measures at all. The gap between awareness and action is so wide it borders on institutional negligence.

NIST has set 2030 as the deprecation date for RSA-2048 and ECC P-256. That sounds like four years. It is not four years for most enterprises. Academic research published in December 2025 puts the realistic post-quantum cryptography migration timeline for large enterprises at 12 to 15 or more years. Organizations that begin today cannot mathematically complete migration before 2031 at the earliest, and likely far later. This article explains why, what you need to do, and what you’re actually risking by waiting.

The 97% / 22% Gap: Awareness Without Action

The central tension in post-quantum cryptography today isn’t technical. It’s organizational. The awareness is near-universal. The execution is nearly absent.

The ISACA 2025 survey result deserves a moment to sit with: 37% of organizations haven’t even had an internal discussion about a known regulatory deadline. This is not a technology problem. It is a prioritization failure with a structural deadline attached to it.

Gartner has named post-quantum cryptography migration among six forces reshaping enterprise security architecture in 2026. CISOs who have not briefed their boards on this issue are already behind peer practice, not leading it.

What NIST IR 8547 Actually Says

In November 2024, NIST published IR 8547 (Initial Public Draft): Transition to Post-Quantum Cryptography Standards. This is the authoritative regulatory document. The timelines are not estimates.

Australia’s ASD advises eliminating all classical public-key cryptography by 2030. Europe’s ETSI is targeting full PQC integration by 2035 but encourages hybrid algorithm adoption now. The regulatory convergence is global, and it is accelerating.

Executive Order 14306, signed in June 2025, further reinforced federal cybersecurity modernization priorities including quantum-safe cryptography requirements. A 2025 executive order directed agencies to support Transport Layer Security Protocol Version 1.3 by 2030 and tasked DHS with maintaining a list of product categories that support PQC algorithms. CISA subsequently released an advisory mapping PQC standards to common enterprise hardware and software categories, noting that many listed product categories have implemented PQC for limited functions only and are not yet fully quantum-resistant.

Why Migration Takes 12 to 15 Years for Large Enterprises

The headline framing of “four years until the deadline” is almost comically optimistic for enterprises of meaningful scale. A peer-reviewed study published in MDPI Computers in December 2025 provides the most rigorous timeline data available:

These timelines are not pessimistic outliers. They reflect the structural reality of post-quantum cryptography migration: larger parameter sizes, hybrid cryptographic schemes, end-to-end ecosystem coordination, and the fact that cryptographic algorithms are embedded throughout every layer of enterprise infrastructure.

For historical context: TLS 1.3, widely considered one of the most successful cryptographic transitions in industry history, took approximately seven years from standard finalization to majority adoption. Post-quantum cryptography migration is structurally harder in every dimension.

Why PQC Migration Is Not a Simple Upgrade

Post-quantum algorithms carry computational overhead that impacts network performance and latency-sensitive applications. Migrating a payment processing system or real-time trading infrastructure is not a parameter swap. It requires latency testing, hardware upgrades, capacity planning, and in many cases, significant application-layer refactoring.

There is also a specific operational blocker that rarely makes it into CISO briefings: Microsoft Active Directory Certificate Services (AD CS) currently lacks a clear pathway to post-quantum solutions. For the thousands of enterprises dependent on AD CS for certificate management, this is not a future problem. It is a present one, and no vendor roadmap resolves it on a comfortable timeline.

The U.S. federal government estimates approximately $7.1 billion to migrate civilian information systems to post-quantum cryptography between 2025 and 2035. That figure excludes national security systems entirely. The private sector cost is orders of magnitude larger, and industry analyses suggest enterprises should budget 2 to 5% of annual IT security spend over a four-year migration window. For a company with a $50 million cybersecurity budget, that is $2.5 million to $6.25 million in dedicated migration investment.

The Harvest Now, Decrypt Later Threat Is Already Active

Here is the threat that makes the 2030 deadline somewhat academic: state-level adversaries don’t need to wait for Q-Day to begin benefiting from your unencrypted future.

Harvest Now, Decrypt Later (HNDL) describes adversaries intercepting and storing encrypted data today, then holding it until a sufficiently powerful quantum computer can break it. The attack is passive, undetectable, and is happening right now. Data encrypted with RSA-2048 today, captured by a sophisticated adversary, may be decryptable by 2030 to 2035 depending on quantum hardware progress.

This is where Dr. Michele Mosca’s mathematical framework becomes essential for any serious CISO conversation.

“Many organizations may be unaware that they are currently exposed to an intolerable level of risk that requires urgent action.” Dr. Michele Mosca, Co-founder, Institute for Quantum Computing, University of Waterloo. Co-author, Global Risk Institute Quantum Threat Timeline Report 2026.

The Global Risk Institute’s 2026 report, drawing on a survey of 26 leading quantum experts, concludes that a cryptographically relevant quantum computer is “quite possible” (28 to 49% probability) within 10 years, and “likely” (51 to 70% probability) within 15 years. This is the most credible probabilistic Q-Day estimate available from an independent body.

The threat timeline just compressed further. Three research papers published between May 2025 and March 2026 reduced the estimated quantum resources needed to break RSA-2048 from approximately 20 million qubits to fewer than one million, and potentially as low as 100,000 qubits using newer architectures. Threat models built on 20 million qubit assumptions are now obsolete.

The systemic financial risk is not abstract. The Citi Institute calculates that a quantum-enabled cyberattack disrupting a top-five U.S. bank’s access to Fedwire could generate between $2 trillion and $3.3 trillion in indirect economic losses, equivalent to 10 to 17% of U.S. GDP. This is a financial stability issue, not an IT budget line.

Healthcare organizations face a specific compounding risk: they carry the highest average data breach costs in any sector at $10.93 million per incident, yet lag significantly in PQC adoption. Long-lived patient data with decade-long confidentiality requirements is precisely the class of data most vulnerable to HNDL attacks today.

The Three NIST PQC Standards You Need to Know

On August 13, 2024, NIST finalized three post-quantum cryptography standards. These are the algorithms you will be migrating to. Understanding them is a prerequisite for any credible vendor or procurement conversation.

A fourth standard, FIPS 206 (FN-DSA, based on FALCON), is expected to be finalized in 2026. Additionally, HQC was selected in March 2025 as a code-based KEM backup to ML-KEM, with finalization expected in 2026 to 2027. NIST is deliberately building a portfolio, not a single-algorithm bet, after the 2022 collapse of SIKE (a final-round candidate broken by classical cryptanalysis) demonstrated how quickly assumptions can be overturned.

Google, Apple, Signal, and Zoom have already implemented PQC protections. Apple and Cloudflare began integrating PQC into their core platforms in 2024. These are not pilot programs.

“Google, Apple, Signal, and Zoom have implemented PQC. Government mandates like CNSA 2.0 set hard deadlines. Financial services are moving.” Duncan Jones, Head of Cybersecurity, Quantinuum. CSO Online, January 2026.

TLS certificate management is also changing in parallel. Public SSL/TLS certificate validity is transitioning toward a 47-day maximum, with a six-month renewal cadence milestone arriving in March 2026. The forced infrastructure modernization this creates accelerates PQC readiness for organizations treating it as a unified program rather than two separate workstreams.

What CISOs Must Do Right Now

CISA, NSA, and NIST jointly publish a six-step quantum-readiness playbook. The credible enterprise migration takes years, and it begins with a cryptographic inventory, not a vendor purchase. Here is the operational sequence:

Step 1: Cryptographic Inventory (This Quarter)

Identify every system in your environment using RSA, ECC, and Diffie-Hellman. This is now a compliance task. CISOs without an inventory have no baseline for planning, no way to prioritize, and no credible response to a board question about quantum readiness. Start with systems holding long-lived sensitive data. Personal health records, financial transaction histories, classified communications, and legal documents with decade-long confidentiality requirements are your highest-priority targets.

Step 2: Vendor Contract Requirements (This Quarter)

Your organization’s quantum readiness is constrained by your least-prepared vendor. Survey your SaaS providers, cloud infrastructure partners, and managed security service providers immediately. Require documented PQC roadmaps as contractual obligations. For critical vendors unable to commit to 2026 to 2028 timelines, begin identifying alternative suppliers now, before the 2029 migration surge creates capacity constraints and you find qualified vendors fully booked.

Step 3: Crypto-Agility as a Design Standard (Immediate Architecture Change)

Every new system design must now include crypto-agility: the architectural capability to swap cryptographic algorithms without redesigning the system. Organizations that build this in now will spend orders of magnitude less on their migration than those retrofitting it later.

Step 4: Pilot NIST PQC Algorithms in Non-Critical Systems

Begin implementing FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) in development and staging environments. The performance overhead of post-quantum algorithms is real, and your infrastructure teams need hands-on experience before deploying in production systems where latency matters.

Step 5: Board-Level Briefing

Gartner named PQC migration among six forces reshaping enterprise security architecture in 2026. Peer practice now requires a board briefing. The Mosca Inequality gives you a concrete risk-quantification tool. The MDPI timeline data gives you the migration reality check. The Citi Institute systemic risk figure gives you the financial framing. These three data points together make a compelling board presentation.

“It’s a big collaboration, and we’re trying to show things that people might not have experienced so that they can feel more comfortable moving into this challenge.” Bill Newhouse, Cybersecurity Engineer and PQC Project Lead, NCCoE, NIST. Speaking at Risk & Compliance Exchange 2026. Federal News Network, May 2026.

Google has publicly set 2029 as its internal deadline for post-quantum migration, citing advances in the quantum computing field. The company stated it hopes to “provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry.” If Google is treating 2029 as its internal operational deadline, organizations that position 2030 as a distant horizon are already behind the curve set by the largest infrastructure operator in the world.

The Contrarian View: Is the Panic Warranted?

This piece would not meet its own standard without including the legitimate counterarguments. Matthew Green, professor of computer science at Johns Hopkins University and one of the most respected independent cryptography voices in the field, has offered pointed skepticism on both the timeline and the solutions.

Green has noted publicly that several post-quantum algorithms initially evaluated by NIST contained vulnerabilities exploitable by classical computers, SIKE being the most dramatic example. He questions whether the finalized algorithms have been tested against a threat that remains largely theoretical, and whether the commercial quantum computing field has sufficient “lucrative immediate applications” to sustain the research and engineering pace the threat models assume.

The broader historical record supports some of Green’s caution: experts predicted practical quantum computers by 2020 in the early 2010s. Q-Day timelines have been reliably wrong, in both directions, and the NIST 2030 deprecation date is a policy choice, not a physics proof. Genuine expert disagreement about quantum timelines persists, with serious researchers placing fault-tolerant quantum computing between five years and thirty years away.

There is also the vendor incentive problem. The PQC migration industry is now a multi-billion dollar market. Expect a surge in announcements claiming cryptographically relevant quantum computer breakthroughs. Some of these will be marketing, not physics. CISOs should calibrate their urgency to government mandates and independent academic research rather than vendor threat narratives.

Frequently Asked Questions

What Happens in the Next 18 Months

The post-quantum cryptography migration timeline is compressing from multiple directions simultaneously. Regulatory mandates are hardening. Quantum hardware timelines are accelerating faster than the academic consensus predicted two years ago. And the vendor market is heating up in ways that will make it harder, not easier, to identify genuinely capable implementation partners.

Three things to watch and act on before year-end 2026. First: complete a cryptographic inventory. Not a project plan to complete one. An actual inventory, system by system. Second: require PQC roadmap commitments from your top ten vendors by contract renewal or explicit written commitment. Third: pilot FIPS 203 in at least one non-critical environment so your security team develops hands-on experience before production pressure arrives.

The window between when the threat becomes real and when most large enterprises finish migration will be measured in years, not months. The organizations that begin in earnest today will still be finishing after 2030. The organizations that wait another year or two will be finishing after 2035, into the NIST full-disallowance period, with infrastructure that is technically non-compliant and actively vulnerable. That is not a risk posture. That is a liability.