The cryptographic foundation of the internet is approaching an expiration date, and most organizations are not prepared for it. While the timeline for a cryptographically relevant quantum computer remains debated, the threat is not hypothetical. Adversaries with long time horizons are already harvesting encrypted data today, banking on the ability to decrypt it once quantum computing matures. The question is not whether post-quantum migration is necessary but whether the industry will complete the transition before the window closes.

This analysis examines the current state of post-quantum cryptography (PQC) readiness across industries, evaluates the practical challenges of migration, and identifies the widening gap between organizations that are preparing and those that are not.

The Standard Is Settled. The Migration Is Not.

NIST’s finalization of the first post-quantum cryptographic standards in 2024 marked the end of a multi-year selection process and the beginning of a far more difficult phase: global deployment. The three initial standards cover the core cryptographic primitives that underpin virtually all secure communications.

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), derived from CRYSTALS-Kyber, provides post-quantum key exchange. ML-DSA (Module-Lattice-Based Digital Signature Algorithm), derived from CRYSTALS-Dilithium, provides post-quantum digital signatures. SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), derived from SPHINCS+, offers a hash-based signature alternative that rests on different mathematical assumptions for defense-in-depth.

These standards are technically mature and have undergone extensive public review. The algorithms are well-understood, reference implementations exist, and performance characteristics are documented. Yet standardization is merely the prerequisite. The actual migration requires changes to every protocol, library, hardware module, and application that touches cryptography, which is to say, essentially everything.

The Harvest-Now-Decrypt-Later Calculus

The urgency of post-quantum migration is driven by a threat model that does not require a quantum computer to exist today. The harvest-now-decrypt-later (HNDL) attack is straightforward: a sufficiently motivated adversary intercepts and stores encrypted communications now, with the intention of decrypting them once a cryptographically relevant quantum computer becomes available.

This threat model changes the migration timeline calculation. The relevant question is not when a quantum computer will break current encryption but how long the data being encrypted today needs to remain confidential. If an organization’s sensitive data has a confidentiality requirement of 15 years, and the migration itself will take 5 years to complete, then the organization needs to have begun migrating already if a quantum computer might arrive within 20 years. By most credible estimates, that window is either open now or opening shortly.

Intelligence agencies, defense contractors, and financial institutions with long-duration confidentiality requirements face the most acute HNDL risk. But the threat extends to any organization that handles data with long-term sensitivity: healthcare records, trade secrets, diplomatic communications, infrastructure control systems, and identity credentials.

State-level adversaries are widely understood to be conducting large-scale collection of encrypted traffic. The operational assumption in the intelligence community is that major nation-states have been storing intercepted encrypted communications for years, creating vast archives of ciphertext that will become readable once quantum decryption is feasible.

Sector-by-Sector Readiness Assessment

The gap between sectors that are actively migrating and those that have barely begun planning is substantial and growing.

Financial Services: Moving, But Slowly

The financial sector has the regulatory pressure and the technical sophistication to lead the post-quantum migration, and some institutions are indeed making progress. Major banks and payment networks have initiated PQC pilot programs, particularly for internal communications and high-value transaction systems.

However, the financial sector’s migration is complicated by its dependence on shared infrastructure. Payment networks, interbank messaging systems like SWIFT, and securities settlement platforms require coordinated migration across hundreds of institutions simultaneously. No single bank can complete its migration in isolation because its cryptographic choices must interoperate with counterparties, clearinghouses, and regulators.

The financial sector’s timeline is further complicated by regulatory requirements. Many financial regulations mandate specific cryptographic standards, and those mandates need to be updated before institutions can deploy PQC algorithms in regulated systems. Regulatory bodies are aware of the issue but are moving at regulatory speed, which is to say, slowly.

Government and Defense: Mandated but Constrained

Government agencies, particularly in the United States, have the clearest mandates for post-quantum migration. The White House National Security Memorandum on quantum computing, issued in 2022, directed federal agencies to inventory their cryptographic systems and begin migration planning. The Cybersecurity and Infrastructure Security Agency (CISA) has published migration guidance, and the NSA has issued timelines for the transition of National Security Systems.

In practice, government migration faces enormous challenges. Federal IT systems are notoriously heterogeneous, running legacy software that in some cases predates modern cryptographic standards entirely. The inventory phase alone, identifying every system that uses cryptography and classifying its migration priority, has proven far more complex than anticipated.

Defense and intelligence agencies are further along, driven by the HNDL threat model and by direct access to classified assessments of adversary quantum computing progress. These agencies have the institutional motivation and the budget authority to prioritize migration, but even they face timelines measured in years rather than months.

European government agencies present a more uneven picture. Some EU member states have issued national quantum readiness strategies, but implementation varies widely. The European Union Agency for Cybersecurity (ENISA) has published recommendations, but binding migration mandates at the EU level remain in development.

Healthcare: Dangerously Behind

The healthcare sector is among the least prepared for post-quantum migration, which is alarming given the long-term sensitivity of medical records. Health data has effectively permanent confidentiality requirements. A patient’s genetic information, mental health history, or chronic disease records do not become less sensitive with time.

Healthcare IT systems are characterized by legacy infrastructure, tight budgets, complex vendor ecosystems, and regulatory frameworks that prioritize data availability over cryptographic modernization. Many healthcare organizations are still completing their migration to TLS 1.3; post-quantum cryptography is not on their roadmap.

The healthcare sector’s vulnerability to HNDL attacks is severe. Encrypted health data intercepted today could be decrypted in the future, creating risks for patients, insurers, and providers. The regulatory framework, including HIPAA in the United States and GDPR in Europe, does not currently mandate post-quantum protections, creating a compliance gap that leaves organizations without regulatory pressure to act.

Technology and Cloud Providers: Leading the Way

The major cloud providers and technology companies are the furthest along in post-quantum deployment. Google, Amazon, Apple, Cloudflare, and Signal have all implemented or announced PQC support in their products and services.

Google deployed hybrid post-quantum key exchange in Chrome as early as 2023 and has expanded PQC support across its infrastructure. Cloudflare has enabled post-quantum key agreement for connections to its edge network. Signal implemented the PQXDH protocol for its messaging platform, combining X25519 with ML-KEM for forward secrecy against quantum adversaries, building on its end-to-end encryption foundation. Apple deployed PQ3, its post-quantum protocol, across iMessage.

These deployments share a common architectural approach: hybrid key exchange, where a classical key exchange mechanism (typically X25519 or ECDH) is combined with a post-quantum mechanism (typically ML-KEM). This hybrid approach ensures that security is maintained even if the post-quantum algorithm is later found to have a vulnerability, providing a conservative migration path.

However, even among technology leaders, post-quantum deployment remains incomplete. Most PQC implementations cover key exchange but not digital signatures, where the larger key and signature sizes of PQC algorithms create more significant performance and compatibility challenges. Certificate chain migration, firmware signing, and code signing remain largely on classical algorithms.

Critical Infrastructure: The Quiet Crisis

Industrial control systems, energy grids, water treatment facilities, and transportation networks represent a particularly concerning gap in post-quantum readiness. These systems often run specialized protocols with embedded cryptographic implementations that cannot be easily updated. Equipment lifecycles in critical infrastructure are measured in decades, and many systems in operation today were designed before post-quantum cryptography was a consideration.

The convergence of long equipment lifecycles, operational technology constraints, and the potentially catastrophic consequences of compromise makes critical infrastructure a high-priority migration target. Yet the sector’s migration progress is among the slowest, constrained by the technical difficulty of updating embedded systems and the operational risks of modifying systems that cannot tolerate downtime.

The Cryptographic Agility Problem

One of the most significant lessons emerging from the early stages of post-quantum migration is the critical importance of cryptographic agility, the ability to swap cryptographic algorithms without redesigning entire systems.

Most existing systems were not designed with cryptographic agility in mind. Algorithms are hardcoded into protocols, embedded in hardware, and woven into application logic in ways that make replacement extraordinarily difficult. The migration to post-quantum algorithms is revealing just how deeply assumptions about specific algorithms, key sizes, and signature lengths are embedded in the infrastructure stack.

Organizations that invested in cryptographic abstraction layers, where cryptographic operations are mediated through configurable interfaces rather than direct algorithm calls, are finding the migration significantly easier. Those that hardcoded RSA-2048 or ECDSA into their systems are facing rewrites at every layer.
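The difference shows up even in something as small as a signed-message parser. The following is an added example, not code from any system named in this article: it places a parser with a hardcoded 64-byte signature trailer beside an algorithm-tagged, length-prefixed one. The framing format, algorithm IDs and function names are hypothetical, and the signature bytes are constructed filler using the Ed25519 (64-byte) and ML-DSA-65 (3,309-byte) sizes.

```python
import struct

# Hypothetical registry: numeric algorithm id -> (name, exact signature length).
# Adding or retiring an algorithm is a change to this table and the policy set.
SIG_ALGS = {1: ("Ed25519", 64), 2: ("ML-DSA-65", 3309)}

def split_hardcoded(blob: bytes):
    """Brittle: assumes every signature is a 64-byte trailer."""
    return blob[:-64], blob[-64:]

def frame(alg_id: int, payload: bytes, sig: bytes) -> bytes:
    """Agile framing: alg id (2 bytes) | sig length (4 bytes) | sig | payload."""
    return struct.pack("!HI", alg_id, len(sig)) + sig + payload

def split_agile(blob: bytes, accepted: set):
    """Return (alg_name, payload, sig); reject unknown, disallowed or mis-sized."""
    if len(blob) < 6:
        raise ValueError("truncated header")
    alg_id, sig_len = struct.unpack_from("!HI", blob, 0)
    if alg_id not in SIG_ALGS:
        raise ValueError("unknown algorithm id")
    name, want = SIG_ALGS[alg_id]
    if name not in accepted:
        raise ValueError(f"{name} not accepted by policy")
    if sig_len != want or len(blob) < 6 + sig_len:
        raise ValueError("signature length mismatch")
    return name, blob[6 + sig_len:], blob[6:6 + sig_len]

# Constructed data: filler bytes with realistic signature sizes, not real signatures.
PAYLOAD = b"firmware-image-v2"
ED_SIG, MLDSA_SIG = b"\xaa" * 64, b"\xbb" * 3309

if __name__ == "__main__":
    # The hardcoded parser silently mis-splits a message carrying a larger signature.
    payload, sig = split_hardcoded(PAYLOAD + MLDSA_SIG)
    print(payload == PAYLOAD, len(sig))
    # The agile parser handles both sizes; the accepted set is the migration switch.
    print(split_agile(frame(2, PAYLOAD, MLDSA_SIG), {"Ed25519", "ML-DSA-65"})[0])
```

Dropping "Ed25519" from the accepted set retires the classical algorithm without touching the parser, and also rejects messages that try to fall back to it.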

This experience is driving a broader industry recognition that cryptographic agility is not merely a convenience but a security requirement. Any system deployed today should be designed to allow algorithm substitution without architectural changes, because the post-quantum transition will not be the last cryptographic migration the industry undertakes.

Performance and Compatibility Challenges

Post-quantum algorithms impose real performance costs that complicate migration. ML-KEM key encapsulation is computationally efficient, but its public keys and ciphertexts are significantly larger than their classical counterparts. An ML-KEM-768 public key is 1,184 bytes, compared to 32 bytes for X25519. A ciphertext is 1,088 bytes, versus 32 bytes for the responder’s X25519 share.

For key exchange in TLS handshakes, these larger sizes increase handshake latency and bandwidth consumption but remain within acceptable bounds for most applications. The hybrid approach, combining X25519 and ML-KEM, results in a combined key share of approximately 1,216 bytes, which fits within a single TCP initial congestion window in most configurations.
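To check from a captured handshake whether a client actually offers the hybrid group, the key_share extension can be parsed directly. The following is an added example, not code from any of the deployments discussed: it parses only the extension body rather than a full ClientHello, the group codepoints are the IANA TLS Supported Groups values, and the sample inputs are constructed filler bytes.

```python
import struct

# IANA TLS Supported Groups codepoint -> (name, expected client share size, hybrid PQ?)
GROUPS = {
    0x0017: ("secp256r1", 65, False),
    0x001D: ("x25519", 32, False),
    0x11EC: ("X25519MLKEM768", 1184 + 32, True),  # ML-KEM-768 key + X25519 key
}

def parse_client_key_shares(ext: bytes):
    """Parse the body of a ClientHello key_share extension (RFC 8446, 4.2.8).

    Returns a list of (group_id, name, share_len, is_hybrid_pq, length_ok)."""
    if len(ext) < 2:
        raise ValueError("truncated key_share extension")
    (total,) = struct.unpack_from("!H", ext, 0)
    if total != len(ext) - 2:
        raise ValueError("client_shares length does not match extension size")
    shares, pos = [], 2
    while pos < len(ext):
        if pos + 4 > len(ext):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", ext, pos)
        pos += 4
        if pos + klen > len(ext):
            raise ValueError("KeyShareEntry overruns extension")
        name, want, hybrid = GROUPS.get(group, (f"unknown(0x{group:04x})", None, False))
        shares.append((group, name, klen, hybrid, want is None or klen == want))
        pos += klen
    return shares

def offers_hybrid_pq(ext: bytes) -> bool:
    """True if at least one correctly sized hybrid post-quantum share is offered."""
    return any(h and ok for _, _, _, h, ok in parse_client_key_shares(ext))

def build_ext(entries):
    """Constructed sample data: serialise (group, key_bytes) pairs."""
    body = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in entries)
    return struct.pack("!H", len(body)) + body

# Constructed inputs (key material is filler bytes, not real keys).
HYBRID_CLIENT = build_ext([(0x11EC, b"\x01" * 1216), (0x001D, b"\x02" * 32)])
CLASSIC_CLIENT = build_ext([(0x001D, b"\x02" * 32), (0x0017, b"\x04" + b"\x03" * 64)])

if __name__ == "__main__":
    for label, ext in (("hybrid", HYBRID_CLIENT), ("classic", CLASSIC_CLIENT)):
        print(label, len(ext), offers_hybrid_pq(ext))
```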

Digital signatures present a more challenging profile. ML-DSA-65 signatures are 3,309 bytes, compared to 64 bytes for Ed25519. In certificate chains, where multiple signatures are verified in sequence, these larger sizes create measurable latency increases and bandwidth costs. For resource-constrained environments like IoT devices, embedded systems, and edge computing networks, these costs are not trivial.

The performance challenges are manageable for modern server infrastructure but create genuine obstacles for legacy systems, embedded devices, and bandwidth-constrained environments. This performance gap is one reason why the technology sector, with its modern infrastructure and frequent update cycles, is migrating faster than sectors with older, more constrained systems.

The Standards Gap

While NIST’s core PQC standards are finalized, the broader standards ecosystem required for deployment remains incomplete. Internet Engineering Task Force (IETF) standards for PQC integration into TLS, X.509 certificates, and other internet protocols are in various stages of development. Some, like hybrid key exchange in TLS 1.3, are well advanced. Others, like PQC certificate formats for the Web PKI, remain in early drafts.

This standards gap creates uncertainty for organizations planning their migration. Deploying PQC algorithms without finalized protocol standards risks interoperability issues and potential incompatibility with future standard versions. Yet waiting for all standards to be finalized before beginning migration means losing years of preparation time.

The pragmatic approach adopted by leading organizations is to begin migration where standards are mature, primarily key exchange, while monitoring and preparing for signature migration as those standards solidify. This phased approach allows organizations to address the most acute HNDL risk (protecting data in transit) while managing the standards uncertainty around signatures and certificates.

Recommendations for Organizations Beginning Migration

Organizations that have not yet begun post-quantum migration planning should start with several concrete steps.

Conduct a cryptographic inventory. Identify every system, protocol, library, and hardware module that uses cryptography. Classify each by the sensitivity and longevity of the data it protects, the feasibility of algorithm replacement, and the dependencies on external systems or standards.

Prioritize by HNDL exposure. Systems protecting data with long-term confidentiality requirements should be migrated first. VPN tunnels, encrypted storage, and key management systems that protect long-lived secrets are higher priority than systems protecting ephemeral session data.

Deploy hybrid key exchange where possible. For TLS-based communications, enabling hybrid X25519 plus ML-KEM key exchange provides immediate protection against HNDL attacks with minimal compatibility risk. Most modern TLS libraries already support or are adding support for hybrid PQC key exchange.

Invest in cryptographic agility. Any new system or major refactoring should incorporate cryptographic abstraction layers that allow algorithm substitution. This investment pays dividends not only for the current PQC migration but for all future cryptographic transitions.

Engage with your supply chain. Post-quantum migration cannot be completed in isolation. Organizations must understand their vendors’ PQC timelines, ensure that procured systems support PQC algorithms, and coordinate migration timelines with partners and counterparties.
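One way to carry out the first two recommendations together is to apply the shelf-life arithmetic from the harvest-now-decrypt-later section to every inventory entry and rank the results. This is an added example, not an official scoring method: the inventory rows, the planning horizon passed as `years_to_crqc`, and the algorithm classification sets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Key-establishment schemes a quantum computer running Shor's algorithm would break,
# versus hybrid or post-quantum ones. Assumed classification for this example.
QUANTUM_VULNERABLE = {"RSA-2048", "ECDH-P256", "X25519"}
QUANTUM_RESISTANT = {"X25519+ML-KEM-768", "ML-KEM-768"}

@dataclass
class Asset:
    name: str
    key_exchange: str
    confidentiality_years: int  # how long the data must stay secret
    migration_years: int        # estimated time to replace the algorithm

def hndl_margin(asset: Asset, years_to_crqc: int) -> int:
    """Years of slack before harvested data is exposed; negative means already late.

    margin = years_to_crqc - (confidentiality_years + migration_years)"""
    return years_to_crqc - (asset.confidentiality_years + asset.migration_years)

def prioritize(inventory, years_to_crqc: int):
    """Return (name, margin) for quantum-vulnerable assets, most urgent first."""
    unknown = [a.name for a in inventory
               if a.key_exchange not in QUANTUM_VULNERABLE | QUANTUM_RESISTANT]
    if unknown:
        # An unclassified entry means the inventory is incomplete; fail loudly.
        raise ValueError(f"unclassified key exchange for: {unknown}")
    exposed = [a for a in inventory if a.key_exchange in QUANTUM_VULNERABLE]
    ranked = sorted(exposed, key=lambda a: hndl_margin(a, years_to_crqc))
    return [(a.name, hndl_margin(a, years_to_crqc)) for a in ranked]

# Constructed inventory (hypothetical systems and estimates).
INVENTORY = [
    Asset("site-to-site VPN", "ECDH-P256", 15, 5),
    Asset("patient records API", "RSA-2048", 30, 4),
    Asset("public marketing site", "X25519", 0, 1),
    Asset("internal chat", "X25519+ML-KEM-768", 10, 0),
]

if __name__ == "__main__":
    for name, margin in prioritize(INVENTORY, years_to_crqc=15):
        print(f"{margin:+4d}  {name}")
```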

The Widening Gap

The post-quantum migration is creating a two-tier security landscape. Organizations in the technology sector, defense, and intelligence communities are actively deploying PQC protections and will complete their migrations within the next several years. Organizations in healthcare, critical infrastructure, and many segments of the financial sector have barely begun.

This gap matters because the HNDL threat is indiscriminate. Adversaries conducting bulk collection of encrypted traffic are not selectively targeting only well-defended organizations. They are collecting everything, and the least-prepared sectors will be the most exposed when quantum decryption becomes feasible.

The organizations best positioned for this transition are those that treated cryptography as an architectural concern rather than an implementation detail, that invested in agility and abstraction, and that recognized that the threat model does not require a quantum computer to exist today to be operationally relevant. For everyone else, the clock is running.