Back to blog
#security#cloud#business

Post-Quantum Cryptography: A 2026 Business Guide

Quantum computers will break RSA and ECC, and "harvest now, decrypt later" attacks are already collecting your data. What businesses should do about it in 2026.

By Rafael Costa5 min readEnglish
Share
Post-Quantum Cryptography: A 2026 Business Guide

Here is an uncomfortable fact about the encryption protecting your data right now. A large enough quantum computer will break it, and while that machine does not exist yet, the attack has already started. Adversaries are recording encrypted traffic today, sitting on it, and waiting for the hardware that decrypts it. It is called "harvest now, decrypt later", and it means that any data with a shelf life longer than a few years, medical records, contracts, trade secrets, personal data you are legally required to protect, is arguably already exposed.

That reframes post-quantum cryptography from a research-lab curiosity into a planning problem for 2026. You do not need a quantum physicist on staff. You need to know what standards exist, what your obligations are, and why "we will deal with it when quantum computers arrive" is the one answer that is definitely wrong.

Why "someday" is already a problem

The threat model is the confusing part, so it is worth being precise. Two things are true at once: no quantum computer today can break RSA-2048, and your long-lived secrets are already at risk. Both, together.

The bridge between them is time. Harvest-now-decrypt-later attacks capture ciphertext now and decrypt it whenever the capability lands. If a piece of data still needs to be confidential in 2035, and a capable quantum computer plausibly arrives before then, that data is effectively at risk from the moment it crosses a network today. The clock that matters is not "when does quantum break encryption", it is "how long does this data need to stay secret", and for a lot of business data the honest answer is a decade or more.

Do the shelf-life math on your own data

Ask one question per data type: how many years does this need to stay confidential? Add that to today. If the answer lands anywhere near the expected arrival of capable quantum computers, that data is already a harvest-now target and belongs at the front of your migration queue.

What NIST actually standardised

The good news is that the replacement algorithms are done, not theoretical. In August 2024 NIST finalised the first post-quantum standards, and they are what everything else now builds on:

  • FIPS 203 (ML-KEM) replaces RSA and elliptic-curve key exchange, the step where two parties agree on a shared key over a public channel. This is the most common cryptographic operation on the internet, and the one most exposed to harvest-now attacks.
  • FIPS 204 (ML-DSA) is the main post-quantum digital signature standard, for verifying identity and integrity.
  • FIPS 205 (SLH-DSA) is a hash-based signature backup with different, conservative security assumptions, for when you want a second foundation that does not rely on the same math.

A fourth signature standard based on FALCON (FN-DSA) is expected to follow. The point for a business is not the acronyms. It is that vetted, standardised algorithms now exist, which removes the last excuse to wait. The tools are on the shelf.

Q-day, deadlines and the 10-year clock

Three timelines are converging, and none of them is comfortable.

First, the migration itself is slow. NIST's own guidance assumes a full enterprise cryptographic migration takes around ten years, because cryptography is buried in everything: TLS, VPNs, code signing, hardware, third-party libraries, decade-old systems nobody wants to touch. Second, regulatory deadlines start biting from 2027 onward, and regulated sectors will feel them first. Third, the harvest-now attacks are not waiting for any of that.

Put those together and the window is now, not later. By early 2026 only around 38% of large enterprises had even completed a partial inventory of where they use cryptography, up from 12% in late 2024. That inventory is step one, and most organisations have not finished step one. Being early here is cheap. Being late is a forced march.

A practical migration path

You do not migrate to post-quantum cryptography by flipping a switch. You do it the way you eat an elephant, and the first bites are unglamorous.

Build a cryptographic inventory. You cannot protect what you cannot see. Find every place you use encryption: TLS endpoints, VPNs, stored secrets, signed code, APIs, third-party services. This is the single most valuable thing you can do in 2026, and it is mostly discovery work, not cryptography.

Prioritise by data shelf life. Rank systems by how long their data must stay confidential and how exposed it is. Long-lived secrets crossing public networks go first. A cache that expires in an hour can wait.

Adopt crypto-agility. The real goal is not one migration, it is the ability to swap algorithms without re-architecting. Build so the specific cipher is a configurable choice, not a hardcoded assumption. You will change it again, and agility is what makes the next change cheap. This is the same design instinct behind passwordless authentication: decouple the mechanism from everything that depends on it.

Deploy hybrid encryption. The pragmatic near-term move is hybrid schemes that run a classical and a post-quantum algorithm together, so you are protected even if one has a flaw. Major browsers and cloud providers already support hybrid post-quantum key exchange in TLS, so for a lot of web traffic this is a configuration change, not a rebuild.

Most of this is inventory and vendor pressure, not maths

For a typical business, the bulk of PQC readiness is knowing where your cryptography lives and making your vendors commit to a timeline. You will rarely implement an algorithm yourself. You will enable it in your TLS config, update libraries, and hold suppliers to a roadmap.

Where to start this quarter

If this feels large, shrink it. This quarter, do two things: start the cryptographic inventory, and ask every critical software vendor a single written question, "what is your post-quantum roadmap and timeline?" The inventory tells you your exposure. The vendor answers tell you how much of the work is yours versus theirs. Most of the internet's migration will happen inside the platforms and libraries you already use, so knowing their plans shapes yours.

This work also sits naturally alongside the compliance pressure already building in Europe. The EU Cyber Resilience Act pushes security-by-design and a software bill of materials, and a cryptographic inventory is a large step toward both. Work done for post-quantum readiness rarely goes to waste on your wider security posture.

You will not finish this in 2026, and you are not meant to. The goal for this year is to stop being in the 62% who have not even looked. If you want help mapping where cryptography lives in your systems and building a migration plan that does not stall, that is the kind of work we do. The businesses that start the inventory now will migrate calmly over years. The ones that wait for Q-day headlines will do it in a panic.

#security#cloud#business
Share this article
Rafael Costa

Written by

Rafael Costa

Software Engineer & Technical Writer

Rafael is a software engineer at Lusivision who writes about web development, cloud architecture and applied AI. He has spent over a decade shipping production software for companies across Europe and enjoys turning hard technical topics into clear, practical guides.

View all articles

Related articles

MCP Security in 2026: Stopping Prompt Injection
EN
#ai#security

MCP Security in 2026: Stopping Prompt Injection

MCP connects your AI agents to real tools and data, and to a real attack surface. Here is how prompt injection and tool poisoning happen, and how to shut them down.

4 min read

Newsletter

Stay in the loop

Occasional notes on software, design and what we're building. No spam — unsubscribe anytime.