Why the migration cannot wait for quantum computers to arrive

The most common misconception about post-quantum cryptography migration is that it can wait until quantum computers capable of breaking today's public-key encryption actually exist. That view ignores the "harvest now, decrypt later" threat, which makes the migration urgent regardless of when quantum hardware arrives.

Sophisticated adversaries, including state-level threat actors, are recording encrypted traffic today with the specific intent of decrypting it once a cryptographically relevant quantum computer (CRQC) becomes available. The exposure is the public-key layer: RSA, Diffie-Hellman and elliptic-curve key exchange, all of which Shor's algorithm breaks, protect the session keys of almost every TLS, VPN and SSH connection, so a recorded session can be decrypted in full once its key exchange is. Symmetric ciphers such as AES-256 are not at risk in the same way. This is not speculative: intelligence assessments from multiple governments have identified this threat as active and ongoing. The arithmetic is simple: if the time data must stay confidential plus the time the migration will take exceeds the time until a CRQC exists, that data is already exposed. For data that must remain confidential for ten or more years (financial records, health data, legal communications, state secrets, intellectual property) the protection of current encryption may already be inadequate, because the data will still be sensitive when quantum decryption becomes possible. Digital signatures face a different timeline: recording a signature today gains the attacker nothing, and forgery only becomes possible once a CRQC exists, so authentication uses must be migrated before that point rather than before harvesting begins, although long-lived trust anchors such as firmware signing roots need replacing well ahead of it.

NIST's post-quantum cryptography standards

NIST finalised three post-quantum cryptographic algorithms in August 2024: FIPS 203 (Module-Lattice-Based Key-Encapsulation Mechanism, or ML-KEM, based on the CRYSTALS-Kyber algorithm), FIPS 204 (Module-Lattice-Based Digital Signature Algorithm, or ML-DSA, based on CRYSTALS-Dilithium), and FIPS 205 (Stateless Hash-Based Digital Signature Scheme, or SLH-DSA, based on SPHINCS+). These standards provide the cryptographic foundations for quantum-resistant systems and are the basis for all serious migration planning.

The algorithms have different characteristics that suit them to different use cases. ML-KEM is a key-encapsulation mechanism: it replaces RSA and (elliptic-curve) Diffie-Hellman for establishing the symmetric keys that protect a session, and it is what protocols such as TLS and SSH need in order to close the harvest-now-decrypt-later gap. Current deployments run it in hybrid mode alongside X25519, so a session stays protected unless both components are broken. ML-DSA is the general-purpose digital signature algorithm, with keys and signatures in the low kilobytes (an ML-DSA-65 signature is 3,309 bytes) and fast signing and verification. SLH-DSA relies only on the security of its underlying hash function, the most conservative assumption available, but pays for it with signatures of roughly 8 to 50 KB and slow signing; it suits long-lived, rarely exercised uses such as firmware and code-signing roots rather than per-connection authentication. Matching algorithm and parameter set to use case requires cryptographic expertise, and most enterprises will need external support for the technical assessment.

The enterprise cryptographic inventory

The first step in post-quantum migration is a comprehensive cryptographic inventory — mapping every use of public-key cryptography in your organisation's systems. This is harder than it sounds. Cryptography is embedded throughout enterprise technology infrastructure in ways that are often not visible to IT management: TLS/HTTPS on web servers and APIs, VPN tunnel encryption, email signing and encryption, code signing for software updates, SSH keys for server access, PKI certificates for internal authentication, hardware security modules, encrypted database fields, and encrypted backup systems. Each of these represents a migration requirement, and each has different migration complexity, different vendor dependencies, and different urgency based on the sensitivity and retention requirements of the data it protects.

The inventory output should classify each cryptographic use by: the algorithm and key size in use, and the protocol version carrying it; whether it provides confidentiality (and is therefore exposed to harvest now, decrypt later) or authentication (exposed only once a CRQC exists); the data it protects; the sensitivity and retention requirement of that data; the vendor dependency for migration; and the estimated migration complexity and cost. This classification drives the prioritisation of the migration programme: confidentiality uses whose data retention plus migration time exceeds the expected time to a CRQC come first.
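The triage logic described above can be made mechanical. The following is an added example written for this article, not code from the original page: it takes inventory records with the fields listed above, classifies each algorithm's quantum exposure, and ranks the records with Mosca's inequality (retention years plus migration years versus years until a CRQC). The ten-year CRQC horizon, the algorithm-label rules and every sample record are assumptions chosen for illustration; replace them with your own estimates and scanner output.

```python
"""Triage a cryptographic inventory for post-quantum migration.

Added example, not code from the original article. Scores each record with
Mosca's inequality: a confidentiality use is already exposed to
harvest-now-decrypt-later when

    retention_years + migration_years > years_until_crqc

The ten-year CRQC horizon and the sample records are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Exposure(Enum):
    PQ = "NIST post-quantum standard"
    SHOR = "public-key algorithm broken by Shor's algorithm"
    GROVER = "128-bit symmetric key; margin halved by Grover, not broken"
    SAFE = "no known practical quantum break at this size"
    UNKNOWN = "unrecognised label; needs manual review"


def classify_algorithm(name: str) -> Exposure:
    """Map an algorithm label (as a scanner or config might emit it) to its exposure."""
    n = name.upper().replace("-", "").replace("_", "").replace(" ", "")
    if n.startswith(("MLKEM", "MLDSA", "SLHDSA", "XMSS", "LMS")):
        return Exposure.PQ
    if n.startswith(("RSA", "ECDSA", "ECDH", "ED25519", "X25519", "DH", "DSA")):
        return Exposure.SHOR
    if n.startswith("AES128"):
        return Exposure.GROVER
    if n.startswith(("AES256", "CHACHA20", "SHA256", "SHA384", "SHA512", "SHA3")):
        return Exposure.SAFE
    return Exposure.UNKNOWN


@dataclass(frozen=True)
class InventoryRecord:
    system: str
    algorithm: str
    purpose: str            # "confidentiality" or "authentication"
    data_class: str
    retention_years: int    # how long the protected data must stay secret or trusted
    migration_years: int    # estimated time to replace this use, incl. vendor lead time
    vendor_dependent: bool


@dataclass(frozen=True)
class Triage:
    system: str
    exposure: Exposure
    mosca_gap: int          # > 0 means the data is already exposed (confidentiality only)
    priority: str


PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "review": 4, "none": 5}


def prioritise(rec: InventoryRecord, years_until_crqc: int = 10) -> Triage:
    """Assign a migration priority to one inventory record."""
    exposure = classify_algorithm(rec.algorithm)
    gap = 0
    if exposure in (Exposure.PQ, Exposure.SAFE):
        priority = "none"
    elif exposure is Exposure.GROVER:
        priority = "low"        # key-length upgrade (AES-128 -> AES-256), not a new algorithm
    elif exposure is Exposure.UNKNOWN:
        priority = "review"
    elif rec.purpose == "confidentiality":
        # Harvest now, decrypt later: ciphertext captured today is readable once a
        # CRQC exists, so the clock is already running if the data outlives the horizon.
        gap = rec.retention_years + rec.migration_years - years_until_crqc
        priority = "critical" if gap > 0 else "high"
    else:
        # Signatures cannot be forged retroactively; the deadline is the CRQC itself,
        # so only migrations that cannot finish before it are urgent.
        priority = "high" if rec.migration_years >= years_until_crqc else "medium"
    return Triage(rec.system, exposure, gap, priority)


def triage(records, years_until_crqc: int = 10):
    """Order the inventory by priority, then by Mosca gap (largest first)."""
    results = [prioritise(r, years_until_crqc) for r in records]
    return sorted(results, key=lambda t: (PRIORITY_RANK[t.priority], -t.mosca_gap))


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    InventoryRecord("customer-api TLS", "ECDH-P256", "confidentiality", "financial records", 10, 3, True),
    InventoryRecord("site-to-site VPN", "RSA-3072", "confidentiality", "health data", 25, 2, True),
    InventoryRecord("release code signing", "RSA-4096", "authentication", "software updates", 5, 4, False),
    InventoryRecord("backup encryption", "AES-256", "confidentiality", "all backups", 15, 0, False),
    InventoryRecord("db field encryption", "AES-128", "confidentiality", "card numbers", 7, 1, False),
    InventoryRecord("ssh host keys", "Ed25519", "authentication", "admin access", 1, 1, False),
    InventoryRecord("mainframe link", "vendor-proprietary", "confidentiality", "ledger", 20, 5, True),
    InventoryRecord("firmware signing root", "SLH-DSA-SHA2-128s", "authentication", "device firmware", 20, 0, False),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_INVENTORY):
        print(f"{t.priority:8} gap={t.mosca_gap:3d}  {t.system:22} {t.exposure.value}")
```

Two design points are worth noting. Authentication uses are deliberately scored on migration time alone, because a recorded signature does not become forgeable retroactively; and anything the classifier does not recognise lands in "review" rather than being silently treated as safe, since unlabelled proprietary or legacy crypto is exactly where inventories go wrong.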

Regulatory expectations and timelines

Financial services regulators in major jurisdictions have begun issuing quantum-resistant cryptography guidance that signals future mandatory requirements. APRA has included quantum risk in its CPS 234 and CPS 230 discussions. The FCA in the UK has flagged quantum risk in operational resilience requirements. The NSA's CNSA 2.0 guidance sets specific migration timelines for US national security systems: software and firmware signing and traditional networking equipment must use quantum-resistant algorithms exclusively by 2030, most other categories by 2033, and the transition is expected to be complete across national security systems by 2035. NIST's draft IR 8547 (November 2024) proposes deprecating quantum-vulnerable public-key algorithms at 112-bit security strength (for example RSA-2048) after 2030 and disallowing all of them after 2035. The pattern across these regulatory signals: voluntary guidance now, mandatory requirements by 2028-2030 for critical systems in regulated sectors.