NIST quantum-safe encryption migration concept showing digital lock icons shifting to post-quantum cryptography protection.NIST's new quantum-safe encryption standards are here, but most companies still haven't started the switch.
91% of Enterprises Aren’t Ready for Quantum-Safe Migration
Cybersecurity / Enterprise IT

91% of Enterprises Aren’t Ready for Quantum-Safe Migration

NIST finalized its post-quantum encryption standards two years ago. Government deadlines start hitting in January 2027. And most security teams still haven’t mapped where their own vulnerable encryption lives.

Somewhere in your infrastructure right now is a TLS certificate, a VPN tunnel, or a code-signing key protected by encryption that a sufficiently powerful quantum computer will eventually break. You probably don’t know exactly where. Neither does most of the industry.

That’s the uncomfortable starting point for quantum-safe encryption migration, the multi-year project of replacing RSA and elliptic-curve cryptography with algorithms designed to survive an attack from a quantum computer. The National Institute of Standards and Technology (NIST) finalized the first official post-quantum cryptography (PQC) standards back in August 2024. Two years later, the vast majority of enterprises haven’t started implementing them, even as the first hard regulatory deadlines approach.

The number you’ll see everywhere isn’t real. A widely circulated claim that “78% of enterprise IT teams haven’t started migration” doesn’t trace back to any known survey. The closest verified figures: 91% of surveyed cybersecurity professionals say their organization has no roadmap for quantum threats (Trusted Computing Group), and only 5% have actually implemented quantum-safe encryption (DigiCert). Both numbers are arguably worse than 78%, and both are attributable.

What NIST actually finalized, and why it matters

On August 13, 2024, NIST released the first three finalized post-quantum cryptography standards, capping an eight-year public evaluation process that started with a 2016 call for proposals. The agency describes them as designed to resist attacks from quantum computers that would otherwise threaten the encryption protecting everything from confidential email to e-commerce transactions.

Three standards, three jobs:

StandardWhat it doesBased on
FIPS 203Key exchange (ML-KEM)CRYSTALS-Kyber
FIPS 204Digital signatures (ML-DSA)CRYSTALS-Dilithium
FIPS 205Backup signature scheme (SLH-DSA)SPHINCS+

A fourth algorithm, FALCON, is still working its way toward publication as FIPS 206. NIST added a fifth, HQC, in March 2025 as a non-lattice-based backup, in case a future breakthrough finds a weakness in the lattice math that FIPS 203 and 204 depend on. Redundancy by design, not an afterthought.

Dustin Moody, the mathematician who leads NIST’s PQC project, put the urgency plainly at the time of release:

“We encourage system administrators to start integrating the new standards into their systems immediately, because full integration will take time.” Dustin Moody, NIST PQC Project Lead, 2024

That quote is now two years old. It hasn’t aged into irrelevance. It’s aged into an indictment.

The readiness gap, in real numbers

Here’s what enterprise quantum readiness actually looks like right now, pulled from the surveys with disclosed methodology and sample size:

  • 91% of surveyed cybersecurity professionals say their organization has no roadmap to defend against quantum threats, according to the Trusted Computing Group’s State of PQC Readiness report, based on 1,500 professionals across the US and Europe.
  • Only 5% of organizations have implemented quantum-safe encryption, despite 69% acknowledging the risk, per DigiCert’s 2025 Quantum Readiness Gap survey.
  • 81% of professionals in the same TCG survey believe their current crypto-libraries and hardware security modules aren’t ready for the migration at all.
  • 46.4% of organizations admit that substantial portions of their encrypted data could be exposed once a cryptographically relevant quantum computer exists.
  • Across a 2026 internet-wide scan of 32,011 domains, hybrid post-quantum TLS certificate adoption came back at effectively zero, meaning the certificates authenticating most public websites remain entirely classical.

The “actively transitioning” figure you’ll sometimes see quoted at 40% (from a 2026 Entrust/Ponemon study) is technically accurate but softer than it sounds. It includes planning and risk-assessment work, not completed deployment. Don’t let a vendor deck blur that line for you. Assessment isn’t migration.

IBM’s Quantum-Safe Readiness Index, cited widely in industry roundups, puts the average enterprise score at 25 out of 100. Useful directionally. Less useful as a rigorous benchmark, since IBM hasn’t published transparent, peer-reviewable methodology behind that number the way TCG and DigiCert have for theirs.

Why the timeline suddenly feels shorter

Here’s the part that should actually change your planning horizon. Google researchers published work in early 2026, reported by The Register, showing that running Shor’s algorithm against elliptic curve cryptography (ECDLP-256) would require roughly 20 times fewer physical qubits than previous estimates assumed. That doesn’t hand anyone a working quantum computer. It moves the goalposts closer, and it’s a bigger deal than the 2024 NIST finalization itself, because it’s new information rather than a milestone everyone already priced in.

Google also quietly moved up its own internal target for completing its quantum-safe transition to 2029, an acceleration signal from a company with more visibility into the state of quantum hardware than almost anyone outside a national lab.

The deadlines that are actually coming

Regulatory pressure, not abstract risk, is what actually moves budget. Here’s what’s on the calendar:

  • January 1, 2027: Under the NSA’s CNSA 2.0 framework, all new national security system acquisitions must be CNSA 2.0-compliant by default. If you sell into the defense or intelligence supply chain, this deadline is closer than your last migration cycle took to complete.
  • 2028: The UK’s National Cyber Security Centre wants discovery and cryptographic asset inventory work done by this date, as phase one of a three-phase roadmap.
  • 2035: Both the US (NSM-10) and UK targets converge on full quantum-resistant deployment by this year. The White House has estimated the cost of the federal government’s own migration at roughly $7.1 billion over the 2025 to 2035 decade.

Sector-specific cost estimates make the stakes concrete. Boston Consulting Group figures cited in recent research put automotive manufacturers’ PQC transition costs at $400 to 750 million, driven by the sheer complexity of patching cryptography embedded across vehicle fleets. Manufacturing, utilities, and transportation face a comparatively modest $10 to 20 million. Your industry determines your number more than your headcount does.

Why cryptographers are betting real money against each other

If you want proof that “urgency” isn’t a settled question even among people who build this stuff for a living, look at what happened in April 2026. Cryptography engineer Filippo Valsorda argued that even if quantum computing predictions turn out wrong in a decade, the current probability that they’re right is already too high to ignore. Matthew Green, an applied cryptographer at Johns Hopkins University, publicly disagreed, and then backed it with cash:

“I think this is a good precautionary analysis but I’d bet huge amounts of money against a relevant quantum computer by 2029 or even 2035.” Matthew Green, Associate Professor of Computer Science, Johns Hopkins University, via The Register

Green and Valsorda formalized it into a $5,000 wager: Green is betting that classical cryptanalysis, not a quantum computer, will break ML-KEM-768 first. That’s not a random internet argument. That’s a specialist who studies exactly this problem, staking real money against the mainstream urgency narrative.

Peter Gutmann, a computer science professor at the University of Auckland, has been even more direct in his skepticism, pointing out in a 2025 interview that quantum computers have yet to factor the number 35, a six-bit problem, while the elliptic curve keys underpinning most of today’s encryption run 256 bits deep. That gap, he argues, isn’t one that recent efficiency papers close on their own.

On the other side, vendors are unambiguous about what to do regardless of the timeline debate. DigiCert’s Kevin Hilscher put it this way in the company’s 2025 readiness report:

“Organizations should already be into the early phases of their quantum readiness plan, starting with asset discovery and risk assessment, with the ultimate goal of crypto-agility.” Kevin Hilscher, Senior Director of Product Management, DigiCert

Our read: the skeptics aren’t wrong that the exact date is unknowable. They’re arguing about when the threat arrives. Nobody credible is arguing that the migration itself will be fast once it starts. That’s the part that should worry a CISO more than any doomsday date.

What security leaders should do in the next 12 months

This is not a patch cycle. It’s closer to a multi-year infrastructure overhaul, and the planning assumptions bear that out: small organizations are looking at 5 to 7 years for a complete migration, mid-sized enterprises 8 to 12 years, and large distributed enterprises 12 to 15 years or more, according to industry timelines compiled by The Quantum Insider. If your internal plan says “three years, tops,” it’s almost certainly understating the job for anything larger than a small business.

Three things to prioritize now:

1. Build the cryptographic asset inventory you probably don’t have

TLS certificates, VPN configurations, code-signing keys, HSMs, embedded firmware, and third-party vendor dependencies all need to be mapped before you can even scope a migration. Remember that 81% figure from earlier: most security teams believe their own crypto-libraries and HSMs aren’t PQC-ready, and you can’t fix what you haven’t inventoried.

2. Treat “harvest now, decrypt later” as a present-tense problem

Adversaries don’t need a working quantum computer today to benefit from one tomorrow. They can archive your encrypted traffic now and decrypt it later. Any data with a confidentiality requirement longer than roughly a decade, meaning intellectual property, health records, M&A documents, or government contract data, is already exposed under this model. That reframes the whole conversation from a future compliance deadline into a data classification exercise you should be running this quarter.

3. Prioritize crypto-agility over algorithm selection

The specific PQC algorithm you deploy first can be swapped later if your architecture is built correctly now. Betting your entire strategy on picking the “right” algorithm misses the point. Build systems that can change algorithms without a rebuild, and the rest becomes a scheduling problem instead of an existential one.

On budget, 58% of organizations surveyed by TCG plan to allocate 6 to 10% of their IT and security budget to PQC migration. Useful as an internal benchmark if you’re building the business case for headcount or spend.

A caution on the “rush” narrative: Larger key and certificate sizes plus immature implementations have already caused documented performance and interoperability problems in early PQC rollouts. The UK’s NCSC deliberately built its roadmap around a gradual, multi-phase timeline through 2035 rather than a sprint. There’s a real risk in moving faster than your vendors and your own testing can support.


Frequently asked questions

What are NIST’s post-quantum cryptography standards?

NIST finalized three post-quantum cryptography standards on August 13, 2024: FIPS 203 (ML-KEM, for encryption and key exchange), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, a hash-based backup signature scheme). A fifth algorithm, HQC, was added in March 2025 as an additional non-lattice-based option.

How long does quantum-safe migration take for an enterprise?

Industry planning estimates range from 5 to 7 years for small organizations to 12 to 15 or more years for large, distributed enterprises, depending on infrastructure complexity, legacy dependencies, and vendor readiness.

What percentage of companies have implemented quantum-safe encryption?

A 2025 DigiCert survey found that only 5% of organizations have implemented quantum-safe encryption, despite 69% recognizing quantum computing as a risk to current encryption standards.

What is “harvest now, decrypt later”?

It describes adversaries collecting and storing encrypted data today with the intent of decrypting it once a sufficiently powerful quantum computer exists. Data that needs to stay confidential for a decade or more is already exposed under this model, regardless of when quantum computers actually arrive.

When will quantum computers break current encryption?

There’s no consensus. Estimates range from 10 to 30 years based on current error-correction and qubit-stability hurdles, while recent efficiency research suggests the window may be compressing faster than previously assumed. Experts like Matthew Green and Peter Gutmann remain publicly skeptical of near-term timelines.


Where this goes next

Two things are true at once, and the industry keeps treating them as contradictory when they’re not. Nobody knows exactly when a quantum computer capable of breaking today’s encryption will exist. And the migration required to get ahead of it takes so long that “wait and see” isn’t actually a viable strategy for any organization with data that needs to stay secret past 2035.

Watch three things over the next 6 to 18 months: whether the January 2027 CNSA 2.0 acquisition deadline actually forces national security vendors to demonstrate compliance or slips, whether Google’s 2029 internal target holds as other hyperscalers respond, and whether the Green-Valsorda wager becomes a recurring reference point as more cryptographers stake public positions on timeline.

None of that changes what you should be doing this quarter: inventory your cryptographic assets, classify your long-lived data, and build for crypto-agility before you pick a single algorithm to bet on.

Want research like this before it hits the front page? Subscribe to The Neural Loop at neuralwired.com/newsletter.

Leave a Reply

Your email address will not be published. Required fields are marked *