HomeResourcesWhitepapers › Technology & AI
Whitepaper · 11 pages · Free

Post-Quantum Cryptography: What Organisations Must Do Now to Prepare

Quantum computers capable of breaking current encryption are not yet operational. But adversaries are harvesting encrypted data today for future decryption. For organisations with long-lived sensitive data, the threat is real now. This whitepaper explains the timeline, the NIST standards, and the migration programme.

Published May 2026·Technology & AI·Post-Quantum Cryptography Cyber Security NIST PQC

Why the Quantum Threat Is Real Today

The cryptographic algorithms protecting most digital communications — RSA, ECDSA, Diffie-Hellman — are based on mathematical problems classical computers cannot solve in a practical timeframe. A sufficiently powerful quantum computer running Shor's algorithm can solve these problems efficiently — breaking the encryption protecting banking transactions, government communications, pharmaceutical intellectual property and personal data.

Quantum computers capable of breaking current 2048-bit RSA at operational scale do not yet exist. But this does not mean organisations can wait to act.

Y2QYears to Quantum — estimated 8–15 years for cryptographically relevant quantum computers. PQC migration takes 5–10 years for complex organisations.
NIST 2024NIST published first three post-quantum cryptography standards in August 2024 — ML-KEM, ML-DSA and SLH-DSA
HNDLHarvest Now Decrypt Later — the active threat making PQC migration urgent today, not when quantum computers arrive
Download the complete whitepaper
All 11 pages — free, instant access.
No spam. No sales calls. We will email you a copy for reference.

The Harvest-Now-Decrypt-Later Threat

The most immediate quantum threat is not an attacker using a quantum computer to break today's encryption — it is an attacker harvesting encrypted data today and storing it for decryption when quantum computers become available. For any data remaining sensitive for more than five years — medical records, intellectual property, government intelligence, long-term financial data — the harvest-now-decrypt-later threat is real and active now.

Nation-state adversaries are known to be conducting HNDL collection against high-value targets. Data encrypted today with current algorithms may be decrypted by adversaries in 2032 or 2035. The sensitivity of that data at that future date determines the urgency of migration today.

NIST Post-Quantum Cryptography Standards

StandardAlgorithmUse CaseStatus
FIPS 203ML-KEM (Kyber)Key encapsulation / key exchange — primary PQC standardNIST standard, Aug 2024
FIPS 204ML-DSA (Dilithium)Digital signatures — authentication and integrityNIST standard, Aug 2024
FIPS 205SLH-DSA (SPHINCS+)Digital signatures — hash-based conservative alternativeNIST standard, Aug 2024
Draft FIPS 206FN-DSA (Falcon)Digital signatures — compact for constrained environmentsDraft standard

The Six-Step PQC Migration Programme

  1. Cryptographic inventory. Identify every algorithm in use — in applications, APIs, databases, network infrastructure, IoT devices and embedded systems. Include vendor-supplied software where you may not have visibility of the underlying cryptographic implementation.
  2. Data sensitivity classification. Not all data requires immediate PQC protection. Classify by sensitivity and longevity. Data remaining sensitive beyond 2030 that is encrypted today is the highest priority for early migration.
  3. Crypto-agility assessment. Assess how easily systems can transition to new algorithms. Systems with crypto-agility can migrate faster and more cheaply than those with hard-coded cryptographic dependencies.
  4. Vendor roadmap assessment. Most cryptographic functionality comes from vendors — security infrastructure providers, CAs, cloud platforms, HSM manufacturers. Assess key vendors' PQC roadmaps and align your timeline to their product delivery.
  5. Hybrid cryptography implementation. During transition, implement hybrid cryptography — classical and PQC algorithms in parallel — for highest-priority systems. This protects against both classical and quantum threats during the migration period.
  6. Migration programme execution. Execute in priority order: highest-sensitivity, longest-lived data first. Plan for 5–10 years of migration effort for large complex organisations.
PQC Migration Readiness Assessment
Cryptographic inventory completed — all algorithms identified across applications, infrastructure and embedded systems
Data classified by sensitivity and longevity — highest-priority PQC migration candidates identified
Crypto-agility assessed for all systems in PQC migration scope
Key vendor PQC roadmaps reviewed and timeline alignment assessed
NIST PQC standards (FIPS 203, 204, 205) reviewed against current cryptographic infrastructure
Hybrid cryptography implementation planned for highest-priority systems
Beginning your PQC migration programme?

Cyber security specialists. PQC readiness assessment within 48 hours.

Get a Proposal →WhatsApp
About AjaCertX
AjaCertX is a specialist compliance, certification and assurance partner. Our Cyber and Digital Security practice delivers ISO 27001, advanced threat assessment and cryptographic resilience programmes.
WhatsAppConnect