IBM’s Quantum Roadmap Gives Enterprises a 4-Year Window to Act on Post-Quantum Migration
Your organization’s most sensitive encrypted data, customer records, financial transactions, intellectual property, could already be sitting in an adversary’s archive. It was captured yesterday. It will be decrypted in 2029, or 2031, or 2033. The exact date is uncertain. What is not uncertain is that the migration away from today’s encryption standards takes 42 to 54 months once an organization actually starts. And fewer than 5% of enterprises have started.
IBM’s quantum computing roadmap, Google’s dramatic security warning published March 25, 2026, and a new research paper that cut prior qubit estimates by a factor of 20 have together shifted this conversation from theoretical risk management to operational urgency. This article breaks down exactly what has changed, what the NIST post-quantum cryptography standards require, and what a CISO or CTO at an enterprise organization needs to do before the end of 2026.
The Real Threat Is Not the Qubit Count
When IBM announced Condor, its 1,121-superconducting-qubit processor, in December 2023, it made headlines. The 1,000-qubit barrier was crossed. But fixating on that number misses the actual story of 2026, which is about timelines, compliance clocks, and a harvest-now-decrypt-later threat that is already happening.
Qubit counts alone do not break encryption. What matters is logical qubits, fault-tolerant gates, and error correction at scale. IBM’s own engineers recognize this: after Condor, the company shifted its focus from raw qubit counts toward error resistance. State-of-the-art error correction currently requires roughly 1,000 physical qubits per logical qubit, which explains why the cryptographically relevant threshold is still years away from Condor’s 1,121 physical qubits.
A 1,000-qubit quantum computer does not break RSA-2048 today. Breaking RSA-2048 likely requires around one million physical qubits running for approximately a week, based on Google’s latest research estimates. The urgency is about migration timelines, not imminent decryption.
The actual story of 2026 is that organizations which have not started post-quantum cryptography migration will mathematically fail to meet regulatory deadlines. That is the operational reality driving this article.
What IBM’s Quantum Roadmap Actually Says
IBM has published a detailed hardware roadmap that provides the clearest public signal of where quantum capability is heading and on what schedule.
| Year | IBM Milestone | Key Capability |
|---|---|---|
| 2023 | Condor (1,121 qubits) | First processor crossing 1,000 physical qubits |
| 2026 | Kookaburra (1,386 qubits, multi-chip) | Three chips linked via IBM Quantum System Two, yielding a 4,158-qubit combined system |
| 2028-2029 | IBM Quantum Starling | Fault-tolerant system with roughly 200 logical qubits from approximately 10,000 physical qubits; 100 million gate operations |
| 2029 | Near-term quantum advantage tools | IBM targets delivery of tools for near-term quantum advantage by end of 2026, first large-scale fault-tolerant machine by 2029 |
The Kookaburra milestone in 2026 is significant not for its qubit count alone but for the multi-chip architecture. Linking processors is how IBM intends to scale toward the hundreds of logical qubits needed for cryptographically relevant computation. Every step on this roadmap narrows the gap between current machines and the systems that security teams are building their migration timelines around.
Our read: IBM’s pivot from qubit maximalism to error-correction depth signals something important: the people closest to the hardware believe the engineering path to fault tolerance is now a matter of execution, not discovery. That is a different kind of confidence than the field had three years ago.
Google’s 2029 Alarm and What It Means for You
On March 25, 2026, Google’s security leadership published a formal announcement setting 2029 as the company’s internal deadline to secure its systems against quantum threats using post-quantum cryptography. The post was authored by Heather Adkins, VP of Security Engineering, and Sophie Schmieg, Senior Staff Cryptography Engineer. This is a full year ahead of NIST’s 2030 deprecation date and six years ahead of the 2035 final federal deadline under NSM-10.
Five days later, on March 30, 2026, Google Quantum AI released a 57-page paper with researchers from the Ethereum Foundation and Stanford University. The finding that drew immediate industry reaction: breaking 256-bit elliptic curve cryptography, the algorithm protecting Bitcoin and Ethereum, would require fewer than 500,000 physical qubits. That is nearly a 20-fold reduction from prior best estimates.
“It’s a real shock. We’ll need to speed up our efforts considerably.”
Bas Westerbaan, Applied Cryptography Lead, Cloudflare — TIME magazine, April 2026
Cloudflare accelerated its own post-quantum deadline to 2029 within days of the paper’s release. Westerbaan’s reaction is worth sitting with. Cloudflare processes a significant share of global internet traffic. When its cryptography lead describes a research paper as “a real shock,” that is not public relations language. That is a practitioner recalibrating a production timeline based on new data.
Google also announced that Android 17 is integrating post-quantum cryptography digital signature protection using ML-DSA, building on existing Chrome support. Our read: this signals that PQC is no longer a future feature on Google’s roadmap. It is shipping code.
The Compliance Deadline Ladder: 2027 to 2035
The regulatory framework for post-quantum cryptography migration in the United States is built on NSM-10, the NSA’s CNSA 2.0 suite, and Executive Order 14144. Enterprises serving federal clients, contractors, and financial institutions with ties to regulated sectors need to treat this schedule as binding, not aspirational.
| Deadline | Requirement | Who It Affects |
|---|---|---|
| Jan 1, 2027 | All new National Security System acquisitions must support CNSA 2.0 | Government contractors, defense suppliers, NSS vendors |
| Dec 31, 2030 | Equipment unable to support CNSA 2.0 must be phased out; NIST deprecates RSA/ECC | All federal agencies, regulated critical infrastructure |
| Dec 31, 2031 | CNSA 2.0 becomes mandatory across all National Security Systems (except exemptions) | NSS operators, contractors |
| 2033 | OS, cloud services, and custom applications must reach exclusive CNSA 2.0 use | Cloud providers serving federal; enterprise software vendors |
| 2035 | Full quantum resistance required across all National Security Systems per NSM-10 | Entire US national security supply chain |
The January 2027 deadline for new NSS acquisitions is the one that commercial enterprises should pay attention to first, even if they are not themselves defense contractors. When government procurement requirements shift, vendor product roadmaps shift with them. Any software company, hardware manufacturer, or cloud provider that wants to remain in the government supply chain will need CNSA 2.0 support in new products by January 2027. That cascades into commercial product decisions within 12 to 18 months of announcement.
CTOs should begin requiring CNSA 2.0 and post-quantum cryptography readiness clauses in vendor contracts now. The January 2027 government deadline will reshape commercial vendor roadmaps whether or not your organization is regulated. Get ahead of it in your next contract renewal cycle.
The Enterprise Readiness Gap Is Alarming
The data on enterprise preparedness is consistently grim across every survey and research source published in the past 12 months. The gap between awareness and action is wide enough to be a material risk that boards and audit committees should be asking about.
- Fewer than 5% of enterprises have a formal quantum-transition plan (arXiv, September 2025)
- 69% believe quantum will break current encryption within 5 years (DigiCert/Propeller Insights survey, 1,042 senior security managers)
- 41% of organizations do not plan to address quantum computing at this time (ISACA 2025)
The DigiCert survey finding is particularly striking. Sixty-nine percent of senior cybersecurity managers believe quantum computers will break current encryption within five years. Only 19.2% describe themselves as “extremely prepared.” The gap between what people believe is coming and what they are doing about it is not a knowledge problem. It is an organizational inertia problem.
Scott Aaronson, Schlumberger Centennial Chair of Computer Science at the University of Texas at Austin and a newly elected member of the US National Academy of Sciences, offered the sharpest framing of this inertia in a PYMNTS interview in February 2026:
“The time to start thinking about migrating to quantum-resistant methods of encryption is now. Even optimistic estimates place practical quantum attacks five to ten years out, but the migration itself, not the threat, is the actual bottleneck for large institutions.”
Scott Aaronson, Schlumberger Centennial Chair of Computer Science, University of Texas at Austin — PYMNTS, February 20, 2026
Aaronson matters here for a specific reason. He has spent more than a decade as quantum computing’s most prominent skeptic, the researcher other researchers cite when they want to explain why hype outruns reality in this field. His May 1, 2026 blog post, titled “Will You Heed My Warnings?”, noted that some of the most reputable people in quantum hardware and error correction now believe a fault-tolerant, cryptographically relevant quantum computer “ought to be possible by around 2029.” His words, not a breathless press release.
Banking and telecom lead enterprise sectors in preparedness, with 45 to 47% of respondents in those sectors having budgeted and planned for near-term post-quantum cryptography transition. Every other sector is significantly behind.
The CTO Action Plan: What to Do in the Next 90 Days
The migration timeline math is straightforward and unforgiving. Enterprise PQC migrations realistically take 42 to 54 months from the moment an organization is properly resourced and underway. An organization that has not started a cryptographic inventory by the end of 2026 will struggle to hit NIST’s 2030 deprecation date. An organization that has not started by mid-2026 has already put Google’s 2029 internal deadline out of reach.
Step One: Cryptographic Asset Inventory
Every major guidance document from NIST, Capgemini, and Fortinet identifies this as the step that enterprises consistently skip or underestimate. You cannot migrate what you have not mapped. This means cataloguing every certificate, SSH key, code-signing key, embedded cryptographic algorithm in firmware and IoT devices, and any third-party library that handles encryption. For most large enterprises, this inventory alone takes three to six months.
Step Two: Assess Harvest-Now-Decrypt-Later Exposure
This is the present-tense risk that gets underweighted because its consequences are future-tense. Nation-state adversaries are capturing encrypted traffic now and storing it for future decryption. Any data with a confidentiality shelf-life beyond approximately seven to eight years is already exposed if it is encrypted with RSA or ECC today. That includes healthcare records, defense contracts, M&A negotiations, and anything classified at the top end of most organizations’ data hierarchies. Prioritize migration of those data classes first.
Step Three: Pilot NIST-Standardized Algorithms Now
NIST finalized its first three post-quantum cryptography standards in August 2024: FIPS 203, FIPS 204, and FIPS 205. These are not draft standards. They are ready for implementation. IBM’s z16 mainframe already includes hardware acceleration for post-quantum algorithms. Microsoft has published a detailed migration roadmap targeting full PQC transition by 2033, with core infrastructure migration beginning in 2026. Use these as benchmarks and start pilot deployments in lower-risk environments this quarter.
Step Four: Update Procurement Requirements
Begin requiring CNSA 2.0 and PQC readiness clauses in vendor contracts on renewal. Build a vendor questionnaire that asks suppliers to disclose their own PQC migration plans, target dates, and which NIST-standardized algorithms their products will support and when. The January 2027 government procurement deadline will accelerate commercial vendor timelines regardless; getting this into your contracts now creates leverage and accountability.
- Complete cryptographic asset inventory across all systems, firmware, and third-party libraries
- Identify all data with confidentiality requirements beyond 7 years and prioritize for immediate migration planning
- Pilot FIPS 203, 204, or 205 in at least one production-adjacent environment before Q4 2026
- Add PQC readiness requirements to vendor contract renewals starting this quarter
- Establish a crypto-agility architecture so algorithm replacement does not require full system rebuilds
- Present quantum readiness status to the board or audit committee with a formal risk register entry
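An added example, not from the original article or any vendor tool: a triage pass over a cryptographic inventory that combines Steps One to Three, flagging harvest-now-decrypt-later exposure and checking a start date against the 42 to 54 month migration range. The asset names, record layout, status labels and the default 2029 planning year are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Public-key families broken by Shor's algorithm, and the NIST replacements.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}
PQC_STANDARDS = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
# Only confidentiality uses are exposed to capture-now, decrypt-later.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}
PRIORITY = {"hndl-exposed": 0, "migrate": 1, "review": 2, "pqc": 3}

@dataclass
class Asset:
    name: str
    algorithm: str            # e.g. "RSA-2048", "ECDH-P256", "ML-KEM-768"
    use: str                  # "key-exchange", "encryption" or "signature"
    shelf_life_years: float   # how long the protected data must stay secret

def family(algorithm: str) -> str:
    """Reduce 'RSA-2048' to 'RSA' and 'ML-KEM-768' to 'ML-KEM'."""
    upper = algorithm.upper()
    for name in PQC_STANDARDS:
        if upper.startswith(name):
            return name
    return upper.split("-")[0]

def classify(asset: Asset, today: date, planning_year: int) -> str:
    fam = family(asset.algorithm)
    if fam in PQC_STANDARDS:
        return "pqc"
    if fam not in QUANTUM_VULNERABLE:
        return "review"       # symmetric or unrecognised: check by hand
    # Traffic captured today is exposed if it must stay secret past planning_year.
    if (asset.use in CONFIDENTIALITY_USES
            and today.year + asset.shelf_life_years > planning_year):
        return "hndl-exposed"
    return "migrate"

def triage(assets, today: date, planning_year: int = 2029):
    """Return (status, name) pairs, most urgent first."""
    rows = [(classify(a, today, planning_year), a) for a in assets]
    rows.sort(key=lambda r: (PRIORITY[r[0]], -r[1].shelf_life_years))
    return [(status, a.name) for status, a in rows]

def migration_finish(start: date, months: int) -> date:
    """First day of the month in which a migration of `months` ends."""
    total = start.year * 12 + (start.month - 1) + months
    return date(total // 12, total % 12 + 1, 1)

# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Asset("vpn-gateway", "ECDH-P256", "key-exchange", 10),
    Asset("web-frontend-tls", "RSA-2048", "key-exchange", 1),
    Asset("code-signing", "ECDSA-P384", "signature", 15),
    Asset("pilot-tls", "ML-KEM-768", "key-exchange", 10),
    Asset("backup-archive", "AES-256", "encryption", 20),
]

if __name__ == "__main__":
    print(triage(INVENTORY, date(2026, 6, 1)))
    print([migration_finish(date(2027, 1, 1), m) for m in (42, 54)])
```

Signature keys are marked `migrate` rather than `hndl-exposed` because recorded traffic cannot be forged retroactively; they still need replacing before a quantum attack is feasible. For a January 2027 start, the 42-month case ends in July 2030 and the 54-month case in July 2031, past the 2030 deprecation date.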
The Skeptic’s Case: Why 2029 Might Be Too Early
Any responsible analysis of this topic needs to include the genuine scientific minority view, and not as a dismissal of urgency but as a calibration of certainty.
Gil Kalai, a mathematician at Hebrew University of Jerusalem and one of quantum computing’s most technically rigorous skeptics, has published conjectures arguing that fundamental noise correlations in highly entangled quantum systems may make fault-tolerant quantum computing impossible, not merely difficult. His argument is not that the engineering is hard. It is that correlated errors in large quantum systems may violate assumptions that fault-tolerance proofs rely on. This is an unresolved scientific dispute, not a fringe view.
RAND Corporation’s institutional assessment places cryptanalytically relevant quantum computers in “at least the 2030s,” and RAND explicitly warns policymakers against messaging that suggests such computers could already secretly exist. A hostile actor running a cryptographically relevant quantum computer against unsuspecting victims undetected for years is, in RAND’s assessment, highly unlikely.
Even Craig Gidney, the Google researcher whose work contributed to the March 2026 ECC paper, has described the probability of a cryptographically relevant quantum computer by 2030 at roughly 10%, characterizing that level as “unacceptably high” rather than likely. Google’s 2029 internal deadline is a risk management decision at 10% probability, not a forecast that Q-Day happens in 2029.
The correct framing is not “quantum computers will break encryption by 2029.” It is “the risk is high enough by 2029 that Google, Cloudflare, and Scott Aaronson now treat 2029 as the responsible deadline for completing migration, regardless of whether Q-Day arrives that early.” That is a different claim, and it supports the same action.
The practical upshot: whether Q-Day lands in 2029, 2032, or 2037, the migration timeline of 42 to 54 months means the decision about when to start is already overdue for most enterprises. The uncertainty about the threat date does not reduce urgency. It increases it, because organizations betting on the later end of the range are taking on risk they cannot adequately price.
FAQ: Post-Quantum Cryptography Migration
Expert consensus places Q-Day, the point at which quantum computers can break RSA and ECC encryption, in the early-to-mid 2030s. However, Google and Scott Aaronson have identified 2029 as an accelerated risk window based on recent hardware progress and revised qubit estimates. This is not a prediction of Q-Day in 2029; it is a risk-management threshold that justifies completing migration before that year.
Harvest-now-decrypt-later is an adversarial strategy where encrypted data is intercepted and stored today with the intent to decrypt it once a sufficiently powerful quantum computer exists. Any organization whose data carries confidentiality requirements beyond seven to eight years should treat this as a current-tense risk, not a future one. Nation-state actors with long planning horizons are the primary concern.
CNSA 2.0 is the NSA’s Commercial National Security Algorithm Suite, the successor to CNSA 1.0. It mandates quantum-resistant algorithms for federal national security systems. New NSS acquisitions must support CNSA 2.0 from January 1, 2027. CNSA 2.0 becomes mandatory across all National Security Systems by December 31, 2031, with full quantum resistance required by 2035 under NSM-10.
NIST finalized three standards in August 2024: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, a stateless hash-based signature scheme). These are production-ready and should be piloted in enterprise environments now, with deployment priority given to systems handling long-shelf-life confidential data first.
Fewer than 5% of enterprises currently have a formal quantum-transition plan, according to a peer-reviewed arXiv survey published in September 2025. Separately, ISACA’s 2025 poll found that 41% of organizations do not plan to address quantum computing at this time, and 37% have not discussed it internally at all.
An enterprise PQC migration realistically takes 42 to 54 months from the moment an organization is properly resourced and underway. The cryptographic asset inventory phase alone typically takes three to six months. An organization that has not started by the end of 2026 faces serious risk of failing to meet the NIST 2030 deprecation deadline, even if it begins in January 2027.
What You Know Now That Most Organizations Don’t
IBM’s quantum hardware roadmap, Google’s accelerated 2029 internal deadline, and a research paper that cut the qubit threshold for breaking elliptic curve cryptography by a factor of 20 have together changed the calculus of this field in the first half of 2026. The story is not that a quantum computer has broken encryption. It is that the organizations responsible for the internet’s security infrastructure are treating 2029 as the prudent completion date for post-quantum migration, and fewer than 5% of enterprises have a plan.
In the next 6 to 18 months, expect three things. First, government contractor compliance pressure from the January 2027 CNSA 2.0 acquisition deadline will cascade into commercial vendor roadmaps, making PQC readiness a de facto procurement requirement across more of the market than current regulations technically require. Second, more industry practitioners will follow Cloudflare and Google in publicly accelerating their timelines, creating reputational and audit risk for organizations that have not started. Third, cyber insurance underwriters and financial regulators will begin asking formal questions about quantum readiness in the same way they now ask about multi-factor authentication.
Three specific things to watch: the release of IBM’s Quantum Starling technical specs when they arrive in late 2028, NIST’s progress on IR 8547 (which addresses transitioning from currently deployed algorithms), and whether the EU’s regulatory framework develops parallel quantum-resistance mandates timed to the 2025 to 2030 NIS2 implementation period.
The organizations that complete post-quantum cryptography migration before Q-Day is demonstrably close will not win prizes. They will simply avoid the ones that do not.