In the shadow of discussions about artificial intelligence and cloud computing, a quiet arms race is underway. It is not about present dominance, but about access to the greatest treasure of the future: today’s encrypted data.
Attackers collect and store packets of information on a massive scale, from trade secrets to government data, in the full knowledge that they are useless today. However, they assume that in a few years they will have the key that will open all these locks – a quantum computer.
This strategy, known as ‘Harvest Now, Decrypt Later’, is fundamentally changing the perception of cyber security. The problem is no longer just the day a quantum computer breaks the first security, but the fact that data with a long shelf life is being stolen now.
The paradox of uncertainty
The debate about the maturity of quantum technologies is fraught with contradictions. Optimists point to the first practical applications in the next few years. Sceptics speak of a time horizon of a decade or more.
This divergence of forecasts creates a dangerous sense of distant threat that leads organisations to postpone action.
However, from a risk management perspective, it does not matter whether that moment arrives in five years or fifteen. Sensitive data – strategic company plans, patient medical data, intelligence information or intellectual property – must remain confidential for decades.
Meanwhile, these, secured today with standard asymmetric algorithms such as RSA or ECC, are the main target of ongoing theft. For cybercriminals and hostile states, this is a low-cost investment with a potentially gigantic return.
Global mobilisation and a concrete schedule
Awareness of this threat is growing in standardisation and government institutions around the world. The US National Institute of Standards and Technology (NIST) has already completed the crucial step of selecting and standardising the first post-quantum cryptography (PQC) algorithms to be resistant to attacks using quantum computers. This has given the market a clear signal to start preparing for the migration.
In Europe, momentum is being generated by the NIS Cooperation Group, which published a concrete action plan in June 2025. It leaves no illusions about the urgency of the task. Gartner analysts predict that the first serious threat to commonly used asymmetric processes could emerge as early as 2029. Time is therefore short.
A challenge greater than algorithm replacement
The transition to post-quantum cryptography is much more than a simple update to cryptographic libraries. New PQC algorithms often feature larger key and signature sizes, which can impact the performance and architecture of existing systems, especially in resource-constrained environments like IoT.
Organisations face the need to conduct a detailed audit of their cryptographic assets – to understand where and what encryption is being used. This task in itself is complicated in distributed cloud and hybrid environments.
Moreover, the migration process will have to take place in stages. Hybrid solutions, allowing the parallel use of classical algorithms and their post-quantum counterparts, will become necessary to ensure business continuity and backward compatibility.
The quantum threat is no longer a theoretical scenario. It is a real and active data collection campaign that is happening before our eyes. Organisations that ignore the need to prepare a PQC migration strategy today may discover in a few years’ time that their most valuable secrets, secured to yesterday’s standards, have become publicly accessible.
The time for action is now.
