Quantum computing’s progress is expected to solve complex problems radically faster than today’s classical computers. That progress should eventually yield cryptographically relevant quantum computing (CRQC), at which point quantum systems can break today’s public key cryptography. In anticipation of this expected change, governments around the world are developing new national quantum readiness strategies, including requirements to migrate to new quantum resistant PQC standards.

While the timeline for a capable quantum computer remains uncertain, enterprises are moving toward achieving cryptographic agility so they can adapt their inventory of cryptographic algorithms and practices without significantly disrupting the overall business operations. Cryptographic agility addresses the “brittleness” of today’s cryptographic infrastructure by enabling organizations to upgrade different cryptographic algorithms across applications, infrastructure, and hardware as standards, threats, and requirements change. There is no guarantee that today’s approved PQC algorithms or tomorrow’s future algorithms will provide the necessary security over time. And there are multiple PQC algorithms for different purposes. Crypto agility enables organizations to smoothly adapt without interrupting operations as the cryptography evolves.

Enterprises need to consider expected changes in evolving from classical public-key cryptographic algorithms to standardized PQC. The U.S. National Institute of Standards and Technology (NIST) released an Initial Public Draft (IPD) report in November 2024 detailing the NIST roadmap for the PQC adoption, which includes aggressive timelines for deprecating (2030) and disallowing (2035) a broad range of currently used algorithms. NIST subsequently published the finalized PQC standards (FIPS 203, FIPS 204, and FIPS 205), which provide a clear framework as well as requirements. Commercial enterprises will eventually need to consider deploying updated cryptographic algorithms in anticipation of quantum threats targeting classic encryption algorithms. This upcoming change is particularly relevant to public sector and regulated industries like financial services and healthcare.

Enterprises recognize the need to prepare for a PQC world, and the first step is getting visibility to their cryptographic inventory used for data in transit. Cryptographic assets permeate an enterprise environment, and organizations frequently struggle to identify all elements of their cryptographic technology. They then need to prepare to migrate that cryptographic infrastructure to emerging PQC standards for data in transit.