The clock is ticking on Q-Day. Google now estimates it will arrive by 2029, and most organizations haven’t started migrating.
Quantum computing does not yet exist at the scale needed to break modern encryption. But that has not stopped adversaries from collecting encrypted data today, waiting for the day it does. The strategy has a name — “harvest now, decrypt later” — and it is the single most urgent driver behind the push for post-quantum cryptography.
What’s new. In March 2026, Google published a formal timeline to transition its entire infrastructure to post-quantum cryptography by 2029. The deadline is a significant acceleration from earlier estimates of 2035, driven by both faster-than-expected quantum hardware advances and the growing threat of store-now-decrypt-later attacks, as reported by Ars Technica.
The ZDNet article that kicked off this discussion frames the problem starkly: organizations are nowhere near ready. Experts quoted in the piece urge an immediate move from 128-bit to 256-bit encryption as a baseline mitigation, while acknowledging that the real challenge is replacing RSA and ECC entirely with quantum-resistant algorithms.
The key angle. The standards exist. In August 2024, after an eight-year evaluation process involving 69 submissions, NIST released three finalized post-quantum encryption standards: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber) for general encryption, FIPS 204 (ML-DSA, CRYSTALS-Dilithium) for digital signatures, and FIPS 205 (SLH-DSA, SPHINCS+) as a backup. A fourth standard, FN-DSA (FALCON), is coming as FIPS 206, and NIST selected HQC as a fifth backup algorithm in March 2025.
The problem is not a lack of standards — it is adoption. Most enterprise systems lack the “crypto-agility” to swap out cryptographic primitives without major architectural overhauls. The World Economic Forum noted in February 2026 that the quantum security skills gap is a bottleneck, and that leaders who delay migration are exposing their organizations to retroactive decryption.
Context / What’s next. Google’s 2029 target sets a de facto deadline for the rest of the industry. If Google — which runs one of the world’s largest cryptographic infrastructures — needs five years to migrate, most organizations should have started yesterday. The US federal government’s CNSA 2.0 suite already mandates a transition to quantum-resistant algorithms by 2030 for national security systems.
For symmetric encryption, the fix is relatively straightforward: double the key size. Grover’s algorithm gives quantum computers a quadratic speedup against symmetric ciphers, but AES-256 remains secure — AES-128 does not. That is why experts are pushing for an immediate move to 256-bit encryption wherever possible.
The big picture. The quantum threat is unusual in cybersecurity because the damage has already begun. Data encrypted today with RSA or ECC is being collected and stored by state-sponsored actors, waiting for the moment a sufficiently powerful quantum computer comes online. By the time Q-Day arrives, it will be too late to protect that data.
The industry has the standards, the timelines, and the warnings. What it lacks is urgency. Most organizations have not started their post-quantum migration, and the skills to do so are scarce. As the WEF put it: “Quantum security is a question leaders cannot ignore.” The answer, so far, has largely been silence.
Sources: ZDNet (May 31, 2026); Ars Technica (March 2026); World Economic Forum (February 2026); NIST (August 2024)