Quantum Computing Puts Today’s Encryption at Risk: Why Organizations Must Act Before Data is Exposed
By Akash Desai, Director, ERMProtect IT Security Consulting
Security experts warn that hackers are already harvesting encrypted data to decrypt later, making quantum‑safe cryptography an urgent priority for every sector.
If the phrase “Quantum Computing” is new to you, think of a machine that uses quantum-mechanical effects to solve certain classes of problems far faster than any conventional computer could. Quantum computers are not simply faster versions of today’s machines; their advantage is confined to specific problems. Unfortunately, one of those problems is the integer-factoring and discrete-logarithm mathematics behind RSA, Diffie-Hellman and elliptic-curve cryptography, which Shor’s algorithm solves efficiently on a sufficiently large, error-corrected quantum computer.
While the benefits of such machines are substantial, it is also crucial to understand the risks. The very capability that makes quantum computing revolutionary means that many of today’s standard security measures will not be sufficient to protect information from future quantum-enabled threats. The public-key algorithms that protect almost every TLS connection, VPN tunnel and software signature today are the ones at risk. Symmetric ciphers such as AES and hash functions are affected far less: Grover’s algorithm roughly halves their effective key strength, which is why AES-256 rather than AES-128 is the post-quantum recommendation.
Quantum computing, like every leap in computing power before it, will eventually become widely accessible. One day you will have access to quantum-driven tools, and so will attackers, who are watching this evolution closely.
The Significant Milestone
In August 2024, the U.S. National Institute of Standards and Technology (NIST) reached a significant milestone by finalizing the first three Federal Information Processing Standards for Post-Quantum Cryptography (PQC): FIPS 203, FIPS 204 and FIPS 205.
This marks a foundational step to ensure that developers of both hardware and software are prepared to face the emerging threats posed by quantum computing.
- FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber) is a key-encapsulation mechanism: it establishes the shared secret keys that protect web browsing (TLS), VPNs and private messaging. The bulk data is still encrypted with a symmetric cipher such as AES; ML-KEM replaces the RSA or elliptic-curve key exchange that delivers the key.
- FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium) is the primary digital signature standard, used for example to prove that a software update really came from the vendor.
- FIPS 205 (SLH-DSA, derived from SPHINCS+) is a second signature standard whose security rests only on hash functions rather than on lattice mathematics. It exists as a backup in case a structural weakness is ever found in the lattice-based schemes behind FIPS 203 and FIPS 204; its signatures are much larger and slower, so it is a fallback rather than the default.
These newly established standards provide a unified, reliable framework that developers can use to secure a wide range of digital assets. Whether the goal is to protect software updates or safeguard financial transactions, the adoption of these FIPS standards is crucial in defending against the foreseeable challenges that quantum computers will introduce.
By following these standards, organizations can future-proof their security infrastructure, strengthen resilience against emerging threats, and maintain trust in their digital operations as quantum capabilities mature.
The HNDL Risk
Although cryptographically relevant quantum computers do not yet exist, organizations are already preparing for the risks they pose. One of the most pressing concerns is the “Harvest Now, Decrypt Later” (HNDL) risk.
In this scenario, threat actors intercept and store encrypted traffic that crosses the internet today, expecting that once quantum computers mature they will be able to recover the session keys and read the data. HNDL is one of the primary drivers behind the global push toward Post-Quantum Cryptography adoption. Note what it does and does not threaten: a recorded TLS session can be broken later because its RSA or elliptic-curve key exchange can be reversed, so confidentiality of stored ciphertext is the immediate concern. A signature that was verified today cannot be retroactively forged, so signature migration matters for future integrity but does not carry the same “already recorded” urgency as key exchange.
Data with a ten-year or longer lifespan is the obvious target: an attacker can capture it today and simply wait. For example, encrypted patient records retained under HIPAA requirements could be captured now and decrypted years later, when they would still contain sensitive, useful information. The same applies to national security information, which is often held for decades to support long-term strategic initiatives. If intercepted today, such data remains highly valuable long into the future.
What makes HNDL especially dangerous is its silent nature. Victims have no way of knowing their traffic has been captured, and the breach is only discovered years later when the decrypted data surfaces. This is why it is urgent to quantum-proof today’s data practices. Organizations must ensure that sensitive information encrypted now will remain protected once quantum computers can break traditional public-key cryptography.
Do Regulations Require It Yet?
Governments and regulators take the HNDL risk seriously, and they expect organizations to step up as well. Here are some of the regulations and mandates that require becoming quantum-safe:
U.S. Government: CNSA 2.0 & NSS
The National Security Agency (NSA) has issued the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), which governs cryptography on U.S. National Security Systems (NSS). It specifies the PQC algorithms vendors must support (ML-KEM-1024 and ML-DSA-87, plus the hash-based LMS and XMSS schemes for software and firmware signing, alongside AES-256 and SHA-384/512). Under its published timeline, vendors supplying NSS must support PQC by 2027 for software and by 2030 for most hardware, and hardware that cannot be upgraded to the new algorithms must be phased out by 2030.
The EU Coordinated Roadmap
The EU treats quantum security as a priority for digital sovereignty. Its coordinated implementation roadmap expects every member state to have a PQC migration plan in place by the end of 2026, with high-risk use cases such as critical infrastructure (energy, water) migrated to quantum-safe cryptography by 2030.
Financial Sector (DORA & NIS2)
The EU’s Digital Operational Resilience Act (DORA) and the NIS2 directive are beginning to treat “quantum readiness” as part of the “state-of-the-art” security they require. Neither names the NIST standards explicitly, but for anyone in finance or critical infrastructure the new FIPS algorithms are the practical way to demonstrate compliance. Under DORA, banks will need to document their migration plans and show that they are putting the new algorithms into practice. NIS2 goes further: it allows management bodies to be held personally liable for failures in cybersecurity risk management, which includes continuing to rely on outdated encryption. Expect auditors to ask for a complete cryptographic inventory showing exactly where the old algorithms are in use and how they are being replaced.
Quantum Proofing Deadlines
From a private sector standpoint, here are some key deadlines for PQC adoption:
Gov-Tech Vendors
Under the CNSA 2.0 mandate, new procurement for U.S. National Security Systems must be PQC-ready by January 2027. This forces vendors of software and firmware to those systems to upgrade their products this year to remain eligible for that business.
Finance and Banking
Between 2025 and 2027, banks and financial institutions are expected to build an inventory of all the cryptography they use. From 2028 to 2030, they are expected to upgrade their high-value systems, starting with the ones that move large sums between banks, to the new standards.
After 2030, older algorithms such as RSA (developed in 1977) and the elliptic-curve algorithms that replaced it for key exchange and signatures will no longer be accepted in financial services, because they will not provide adequate protection in a post-quantum world. Public guidance points the same way: NIST’s draft transition plan (IR 8547) proposes deprecating these algorithms after 2030 and disallowing them after 2035. In addition, new rules for international payments, especially those connected to DORA, will likely require banks to use post-quantum cryptography for cross-border transactions.
Critical Infra
Both the EU and CISA in the U.S. have targets for high-priority sectors such as energy, water and telecommunications to complete migration to quantum-safe systems by 2030. The need is already urgent because these sectors run equipment that stays in service for decades. Consider an energy company purchasing a transformer today: that equipment will still be operating in the field well into the 2040s, so it must be quantum-safe from day one, because a vulnerability built into long-lived infrastructure becomes a long-term national risk. Protecting power grids, communication networks and other foundational infrastructure is a top priority; a successful quantum-enabled attack on these systems could have profound effects on societies and economies.
Tech & Software
Major browsers are already protecting users from HNDL: Google Chrome and Mozilla Firefox negotiate a hybrid X25519 + ML-KEM key exchange (X25519MLKEM768) in TLS by default where the server supports it, and cloud providers such as AWS and Cloudflare offer the same hybrid key exchange on their TLS endpoints.
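The hybrid key exchange those browsers use is worth seeing in code, because it is also the transition model the action plan below recommends. The following is an added example, not code from the article, any browser or any vendor. It follows the pattern of hybrid TLS groups such as X25519MLKEM768: the classical and the post-quantum shared secrets are concatenated and run through the key schedule, so the session key is only recoverable by an attacker who breaks both. The two shared secrets are constructed here with `os.urandom` to stand in for real X25519 and ML-KEM outputs, and HKDF-SHA256 is implemented from the standard library; nothing else is assumed.

```python
"""Hybrid key exchange combiner: one session key from both shared secrets."""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869); enough for up to 255 output blocks."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive a 32-byte session key from BOTH shared secrets.

    Both inputs are mandatory: a missing component is a downgrade, not a
    fallback. Each input is length-prefixed so two different (classical, pq)
    pairs can never encode to the same key material, and the handshake
    transcript is bound in through the HKDF info string.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("hybrid key exchange requires both shared secrets")
    ikm = (len(ss_classical).to_bytes(2, "big") + ss_classical
           + len(ss_pq).to_bytes(2, "big") + ss_pq)
    prk = hkdf_extract(salt=b"\x00" * 32, ikm=ikm)
    return hkdf_expand(prk, b"hybrid-kex v1|" + transcript, 32)


def demo() -> dict:
    """Both sides derive the same key; an attacker holding only one secret does not."""
    # Constructed stand-ins for the X25519 and ML-KEM shared secrets.
    ss_classical, ss_pq = os.urandom(32), os.urandom(32)
    transcript = b"client_hello|server_hello (constructed)"
    client_key = combine_shared_secrets(ss_classical, ss_pq, transcript)
    server_key = combine_shared_secrets(ss_classical, ss_pq, transcript)
    # Simulate a future quantum attacker: classical secret recovered, PQ secret still unknown.
    attacker_key = combine_shared_secrets(ss_classical, os.urandom(32), transcript)
    try:
        combine_shared_secrets(ss_classical, b"", transcript)
        downgrade_rejected = False
    except ValueError:
        downgrade_rejected = True
    return {
        "keys_agree": client_key == server_key,
        "attacker_matches": attacker_key == client_key,
        "downgrade_rejected": downgrade_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that both secrets contribute at the same time. There is no “switch-over” when one algorithm falls: the attacker must recover both the X25519 secret (feasible for a quantum computer) and the ML-KEM secret (believed infeasible for either kind) to get the session key.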
Healthcare
Although the healthcare industry has a longer timeline to fully comply with post-quantum requirements, it faces very high risk because patient data must remain protected for decades. Between 2030 and 2035, healthcare organizations will likely be required to re-sign existing medical records with PQC-based digital signatures. (A digital signature is a cryptographic proof that a document is authentic and has not been altered; it does not hide the document’s contents.) Re-signing protects the integrity and authenticity of records for the rest of their retention period; keeping their contents confidential additionally requires re-encrypting them, and any archived copies, under quantum-safe key management, since the multi-decade retention periods that apply to medical records run well past the point at which today’s public-key algorithms are expected to fall.
Coming Soon: Crypto Agility
Crypto agility may sound like a complex technical term, but it is a very practical engineering strategy. A simple way to think about it is Lego-style security: if one block becomes weak, you can remove it and replace it with a stronger one without breaking the rest of the structure.
Traditionally, algorithm choices were hard-coded into software and protocols, so replacing an algorithm meant finding and changing every place it was used. Crypto agility changes this by letting organizations swap out cryptographic methods as easily as replacing a lightbulb.
The need is clear. Cryptographic standards keep evolving, and quantum computing will force the largest change in a generation. An agile system that allows smooth updates of cryptographic methods without expensive overhauls offers financial efficiency, operational resilience and long-term security stability.
Achieving crypto agility does not require massive upfront investment. The core idea is to stop hard-coding specific algorithms into applications and instead route all cryptographic operations through one abstraction layer whose algorithm choices are set by central policy. In practice that layer has a few concrete requirements: every stored artifact (ciphertext, signature, certificate, token) must carry an identifier of the algorithm that produced it, so old data can still be read while new data uses the new algorithm; the policy must distinguish “sign or encrypt with” from “still accepted for verification or decryption” so that retired algorithms can be phased out rather than switched off overnight; and storage schemas and protocols must tolerate larger keys, ciphertexts and signatures, because the PQC algorithms are considerably bigger than RSA and ECC. Done this way, the organization is prepared for whatever standards come next, including the post-quantum ones.
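Here is what that abstraction layer looks like in code, as an added example rather than anything from the article or a specific product; it also illustrates the “swap-ability” rule in the action plan below. The two registered “algorithms” are HMAC constructions from the Python standard library, used as stand-ins for real signature backends (RSA-PSS, ECDSA, ML-DSA) so the file runs anywhere without extra libraries; the demo keys are derived from fixed strings and are not real keys. What is demonstrated is the agility mechanism itself: a registry, an algorithm tag carried inside every artifact and covered by the signature, and a policy that separates “sign with” from “still accepted for verification”.

```python
"""Crypto-agile signing envelope: the algorithm is a tagged, policy-driven choice."""
import base64
import hashlib
import hmac
import json


class HmacStandIn:
    """Stand-in backend; a real one would wrap an asymmetric signature scheme."""

    def __init__(self, name, digest):
        self.name, self._digest = name, digest

    def sign(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, self._digest).digest()

    def verify(self, key: bytes, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(key, data), sig)


REGISTRY = {
    "hmac-sha1": HmacStandIn("hmac-sha1", hashlib.sha1),            # legacy
    "hmac-sha256": HmacStandIn("hmac-sha256", hashlib.sha256),      # current
    "hmac-sha3-256": HmacStandIn("hmac-sha3-256", hashlib.sha3_256),  # next
}


class Policy:
    """sign_with: the one algorithm used for new signatures.
    accept: algorithms whose existing signatures still verify during migration."""

    def __init__(self, sign_with: str, accept):
        if sign_with not in REGISTRY or not set(accept) <= REGISTRY.keys():
            raise ValueError("policy references an unregistered algorithm")
        self.sign_with, self.accept = sign_with, frozenset(accept)


def _to_be_signed(alg: str, payload: bytes) -> bytes:
    # The algorithm tag is part of the signed bytes, so relabelling an artifact
    # with a different (still accepted) algorithm invalidates its signature.
    return alg.encode() + b"\x00" + payload


def sign_envelope(policy: Policy, keys: dict, payload: bytes) -> str:
    alg = policy.sign_with
    sig = REGISTRY[alg].sign(keys[alg], _to_be_signed(alg, payload))
    return json.dumps({"v": 1, "alg": alg,
                       "payload": base64.b64encode(payload).decode(),
                       "sig": base64.b64encode(sig).decode()})


def verify_envelope(policy: Policy, keys: dict, envelope: str) -> bytes:
    env = json.loads(envelope)
    alg = env["alg"]
    if alg not in policy.accept:
        raise ValueError(f"algorithm {alg!r} is not accepted by current policy")
    payload = base64.b64decode(env["payload"])
    sig = base64.b64decode(env["sig"])
    if not REGISTRY[alg].verify(keys[alg], _to_be_signed(alg, payload), sig):
        raise ValueError("signature invalid")
    return payload


def migration_demo() -> dict:
    """Walk through a two-phase algorithm swap driven only by policy changes."""
    keys = {n: hashlib.sha256(b"demo-key:" + n.encode()).digest() for n in REGISTRY}  # constructed
    msg = b"firmware-1.4.2.bin (constructed payload)"
    legacy_env = sign_envelope(Policy("hmac-sha1", {"hmac-sha1"}), keys, msg)
    # Phase 1: sign with the current algorithm, keep accepting legacy artifacts.
    phase1 = Policy("hmac-sha256", {"hmac-sha1", "hmac-sha256"})
    current_env = sign_envelope(phase1, keys, msg)
    results = {"legacy_accepted_phase1": verify_envelope(phase1, keys, legacy_env) == msg}
    # Phase 2: move new signatures to the next algorithm and retire the legacy one.
    phase2 = Policy("hmac-sha3-256", {"hmac-sha256", "hmac-sha3-256"})
    results["phase2_signs_with"] = json.loads(sign_envelope(phase2, keys, msg))["alg"]
    results["current_accepted_phase2"] = verify_envelope(phase2, keys, current_env) == msg
    try:
        verify_envelope(phase2, keys, legacy_env)
        results["legacy_rejected_phase2"] = False
    except ValueError:
        results["legacy_rejected_phase2"] = True
    # Algorithm-substitution attempt: relabel a valid artifact with another accepted tag.
    forged = json.loads(current_env)
    forged["alg"] = "hmac-sha3-256"
    try:
        verify_envelope(phase2, keys, json.dumps(forged))
        results["tag_swap_rejected"] = False
    except ValueError:
        results["tag_swap_rejected"] = True
    return results


if __name__ == "__main__":
    print(migration_demo())
```

Swapping in ML-DSA here means adding one registry entry and changing the policy; no caller changes. The separate `accept` set is what makes a gradual rollout possible, and the tag-binding in `_to_be_signed` is the check that stops an attacker from downgrading a strong signature to a weaker, still-accepted algorithm.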
The 2026 Action Plan
Quantum-proofing is a long-term commitment. Here are a few guidelines to get the ball rolling without overwhelming your teams:
- Inventory: Start maintaining a cryptographic inventory. It should record where you use cryptography, which algorithms and key sizes are in play, who owns each system, and when the relevant keys and certificates expire. Beyond meeting compliance requirements, the inventory gives you visibility into which algorithms are obsolete or officially retired, so you can plan upgrades proactively instead of scrambling during an emergency.
- The Hybrid Model: You do not need to throw away your current cryptography to adopt the new standards. Organizations can transition gradually with a hybrid model, in which a quantum-safe algorithm is run alongside the existing, well-understood one and both contribute to the result: a hybrid key exchange feeds both shared secrets into the key derivation, so an attacker must break both to recover the session key. This is not a fail-over arrangement with a co-pilot waiting in reserve; both algorithms are working at once, which protects you if the new algorithm turns out to have an implementation or design flaw as well as if the old one falls to a quantum computer.
- Vendors: Ask your vendors where their cryptographic architecture stands and where they are in adopting the NIST post-quantum standards. A vendor with no plan for quantum-proofing is going to be a liability for you.
- Swap-ability: Make it a rule that any new software or hardware you develop or buy must be crypto-agile, meaning the algorithms are not hard-coded into the system. You want tools that let you swap outdated algorithms for newer, stronger ones through a configuration or software update, much like updating an app on a device, so you never have to rip out and replace the entire IT estate when the standards change.
- Identify Your Harvest Now Risks: Not all data needs the same urgency. Focus first on data that stays sensitive for years, such as health records, trade secrets and ten-year contracts, and on the key exchanges that protect it in transit, because that is what attackers are recording today to decrypt later. A useful test is Mosca’s inequality: if the number of years the data must stay secret plus the number of years your migration will take exceeds the number of years until a cryptographically relevant quantum computer exists, that data is already exposed. Identifying these high-value targets lets your team prioritize the migration instead of feeling overwhelmed by it.
- Quantum-Ready Procurement Policy: Starting this year, add a simple clause to new contracts asking vendors to guarantee that their products will support the finalized NIST PQC standards. It is a zero-cost way to avoid buying legacy debt that you will have to pay to fix three years from now.
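The inventory step is the one teams most often stall on, so here is a starter, as an added example that is not part of the article. It scans configuration and source lines for algorithm names and classifies each hit by quantum exposure. The input lines are constructed to look like nginx, OpenSSH, Java, certificate and Vault excerpts and are not from any real system; the patterns are deliberately loose so the output is a candidate list for human review, to be joined with certificate expiry and system-ownership data in a full inventory. The hybrid names it recognizes (X25519MLKEM768, and OpenSSH’s sntrup761x25519 and mlkem768x25519) are real identifiers; everything else about the data is made up.

```python
"""Starter cryptographic inventory scanner with quantum-exposure verdicts."""
import re
from collections import Counter

# Constructed sample input: (source, line). Not taken from a real system.
SAMPLE_LINES = [
    ("web/nginx.conf", "ssl_ecdh_curve X25519MLKEM768:X25519:secp256r1;"),
    ("web/nginx.conf", "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;"),
    ("bastion/sshd_config", "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256"),
    ("bastion/sshd_config", "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512"),
    ("app/Signer.java", 'KeyPairGenerator.getInstance("RSA").initialize(2048);'),
    ("pki/root-ca.txt", "Signature Algorithm: sha256WithRSAEncryption"),
    ("vault/policy.hcl", 'type = "aes256-gcm96"'),
    ("legacy/batch.cfg", "cipher=3DES mac=SHA1"),
]

# Alternatives are tried in order, so hybrid and PQC names win over their
# classical substrings (X25519MLKEM768 is reported as hybrid, not as X25519).
ALGO = re.compile(
    r"""
      (?P<hybrid>\b(?:X25519MLKEM768|mlkem768x25519|sntrup761x25519)\b)
    | (?P<pqc>\b(?:ML-KEM|ML-DSA|SLH-DSA|MLKEM|MLDSA|Kyber|Dilithium)(?:-?\d+)?\b)
    | (?P<kex>\b(?:ECDHE|ECDH|DHE|DH|X25519|curve25519|secp\d+r1)\b)
    | (?P<pk>RSA|\b(?:ECDSA|Ed25519|DSA)\b)
    | (?P<sym>\b(?:AES-?(?:128|192|256)|3DES|ChaCha20))
    | (?P<hash>\b(?:SHA-?(?:1|224|256|384|512)|MD5))
    """,
    re.IGNORECASE | re.VERBOSE,
)


def classify(kind: str, token: str):
    """Map one matched token to (category, verdict). Verdicts start with REPLACE/REVIEW/OK."""
    t = token.upper()
    if kind == "hybrid":
        return "key exchange", "OK: hybrid classical + post-quantum key exchange"
    if kind == "pqc":
        return "post-quantum", "OK: post-quantum algorithm"
    if kind == "kex":
        return "key exchange", "REPLACE: Shor-vulnerable key exchange; first HNDL priority"
    if kind == "pk":
        return "public key", "REPLACE: Shor-vulnerable public-key algorithm"
    if kind == "sym":
        if t == "3DES":
            return "symmetric", "REPLACE: legacy cipher"
        if "128" in t:
            return "symmetric", "REVIEW: 128-bit key; Grover halves effective strength, prefer 256-bit"
        return "symmetric", "OK: symmetric key of 192 bits or more"
    if t in ("MD5", "SHA1", "SHA-1"):
        return "hash", "REPLACE: classically broken hash"
    return "hash", "OK: hash output of 224 bits or more"


def scan(lines):
    """Return one finding per algorithm token found in the given (source, text) pairs."""
    findings = []
    for source, text in lines:
        for m in ALGO.finditer(text):
            category, verdict = classify(m.lastgroup, m.group(0))
            findings.append({"source": source, "token": m.group(0),
                             "category": category, "verdict": verdict})
    return findings


RANK = {"REPLACE": 0, "REVIEW": 1, "OK": 2}


def prioritize(findings):
    """Order work: quantum-vulnerable key exchange first (that is the recorded-traffic risk)."""
    def key(f):
        level = f["verdict"].split(":")[0]
        return (RANK[level], 0 if f["category"] == "key exchange" else 1, f["source"])
    return sorted(findings, key=key)


def summarize(findings) -> Counter:
    return Counter(f["verdict"].split(":")[0] for f in findings)


if __name__ == "__main__":
    results = prioritize(scan(SAMPLE_LINES))
    for f in results:
        print(f"{f['source']:22} {f['token']:16} {f['category']:13} {f['verdict']}")
    print(dict(summarize(results)))
```

Run against real sources (TLS configs, SSH configs, code, certificate dumps, HSM and KMS policies) the same loop produces the “where, what and how we are replacing it” table the auditors described above will ask for; the priority order puts recorded-traffic exposure ahead of signatures, matching the HNDL analysis.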
For information about quantum proofing, email [email protected] or call 305-447-6750.
About the Author
Akash Desai is a Director of Consulting for ERMProtect. For more than 21 years, he has combined technical expertise with creativity and problem-solving acumen to create innovations and solutions that address challenging cybersecurity problems. His past accomplishments at the prestigious CERT® Coordination Center and the innovative Carnegie Mellon CyLab bear witness to his goal-oriented approach to cybersecurity’s biggest issues in the areas of insider threat, intrusion prevention, proactive and agile cyber-defense, and security awareness training. At ERMProtect, he is the brain behind the innovative ERMProtect cybersecurity awareness training practice and he has led several, highly complex cybersecurity projects and project teams.