Google has officially set 2029 as its target date for completing a full migration to post-quantum cryptography (PQC), in what the company describes as a necessary acceleration driven by faster-than-expected advances in quantum computing hardware, error correction and factoring resource estimates. The announcement, published on Google’s blog yesterday, has sent shockwaves through the cybersecurity community, pushing what was once considered a distant theoretical threat squarely into the realm of near-term operational planning.
The 2029 timeline is considerably more aggressive than existing government benchmarks. The NSA had previously set a 2031 target for implementing PQC, while broader US government guidance pointed to 2035 for full agency readiness. Google’s announcement effectively blows past both. For their part, Google’s security engineers cited progress on three specific fronts: quantum computing hardware development, quantum error correction, and quantum factoring resource estimates. A key milestone underpinning the concern is a report showing that a 2,048-bit RSA integer could theoretically be factored in under a week using a quantum computer equipped with one million so-called ‘noisy’ qubits, a far more achievable specification than the billion precise qubits that 2012-era estimates had demanded. The practical implication is stark: what once seemed an almost impossibly large engineering challenge is beginning to look like an engineering problem with a foreseeable solution.
Harvest Now, Decrypt Later: The Threat That Is Already Here
Google’s announcement was careful to distinguish between two distinct categories of quantum threat. The first and most immediately pressing is the so-called ‘Harvest Now, Decrypt Later’ or ‘Store Now, Decrypt Later’ attack model. Adversaries, including nation-state actors, are believed to already be systematically harvesting encrypted data today, with the intention of decrypting it once a cryptographically relevant quantum computer (CRQC) becomes available. Under this model, the threat is not abstract or future-tense but actively unfolding right now.
The second risk relates to digital signatures: the mechanisms underpinning secure websites, software updates, device identity and authentication. These are future threats, but ones that require action before a CRQC arrives, because retroactive protection is not possible once trust hierarchies have been compromised. Google said it has adjusted its own threat model accordingly, prioritising PQC migration for authentication services, and urged other engineering teams to do the same. Android 17, due for release in June, will integrate PQC digital signature protection using ML-DSA, the NIST-aligned algorithm, embedded directly into the operating system’s hardware root of trust.
Industry Reaction: Alarm, Affirmation and a Call to Act Now
The announcement drew immediate commentary from security professionals across the industry, who broadly welcomed Google’s willingness to set a specific date while stressing that for most organisations, the real danger window has already begun.
Simon Pamplin, Chief Technology Officer at Certes, said, “Google’s revised Q-Day estimate of 2029 is a significant wake-up call, but for many organisations, the most dangerous window isn’t when quantum computers arrive, it’s right now. Adversaries are already running Harvest Now, Decrypt Later campaigns: exfiltrating encrypted data today with the intention of unlocking it once a cryptographically relevant quantum computer exists. If your organisation is still relying on RSA, TLS, or standard PKI to protect sensitive data in transit, that data is already at risk, regardless of whether Q-Day lands in 2029 or 2035.
“Organisations should focus on when the threat arrives, but what deserves equal attention is the question of what happens to the data being harvested right now. Post-quantum migration is a multi-year project for most organisations, and with Gartner predicting a cryptographically relevant quantum computer could arrive by 2029, the gap between where most businesses are and where they need to be is closing fast. Action should be taken today.
“Challenges such as legacy systems that may not be able to be natively upgraded to PQC, multi-cloud environments creating security confusion due to different security models, and the end user and edge being the most vulnerable part of any organisation’s data security posture, mean that firms need to look at end-to-end PQC solutions that are able to protect data across any app, any infrastructure, anywhere. Quantum readiness isn’t about predicting a date. It’s about eliminating a long-term exposure before that date becomes irrelevant.”
Kieran B, Head of Security Engineering at Bridewell, echoed the sentiment that Google’s move is less a change to the nature of the threat and more a tightening of the window in which organisations can act responsibly. He said, “Google’s decision to set a 2029 deadline for completing its migration to post-quantum cryptography is a significant signal to the wider market. It does not reflect a fundamental change in the nature of the quantum threat, but rather that progress in quantum computing hardware, software and error correction is accelerating faster than previously anticipated. As one of the organisations most deeply involved in both quantum research and large-scale cryptographic engineering, Google is effectively signalling that the window for preparation is narrowing.
“For businesses, the key point is understanding what is at stake. Today’s public-key cryptography underpins almost every digital interaction: secure websites, software updates, device identity, digital signatures and authentication. A cryptographically relevant quantum computer would be capable of breaking widely used algorithms such as RSA and elliptic-curve cryptography, undermining these trust mechanisms.
“One of the biggest risks with post-quantum security is assuming there will be a clear, visible moment when the threat arrives. In reality, ‘Q-day’ is likely to be quiet, sudden, and only obvious in hindsight. Google’s timeline makes it clear that the transition to post-quantum cryptography is now a multi-year change programme — and organisations that begin in earnest today will be far better placed to manage it in a controlled, risk-based way.”
Bridewell’s own research into post-quantum readiness has highlighted a concerning gap: many organisations report confidence in their preparedness, yet a significant proportion have not yet fully assessed their cryptographic exposure or engaged with existing guidance. Kieran B noted this suggests the challenge is not just technical, but a fundamental misunderstanding of the scale and complexity of the transition ahead.
A Race Against Embedded Encryption and Legacy Infrastructure
One of the most persistent obstacles to rapid PQC migration is the extent to which encryption is embedded deep within legacy systems, supply chains, and multi-cloud architectures, often invisibly. Peter Jones, cyber security specialist at Conscia UK, described how dramatically the narrative has shifted in just a few years. “If we go back to 2022, the narrative was that quantum computers would be able to outperform traditional computers in 15 or 20 years’ time. The NSA and NCSC initially issued guidance to critical infrastructure providers to implement quantum-resistant cryptography by 2035. However, they are now both encouraging the adoption of the new standards faster than originally thought.
“For many organisations, encryption is embedded into devices, processes and supply chains, making it difficult to understand the dependence on specific algorithms, but it’s now time to take action. Start by engaging with senior leadership to ensure they understand the challenge and drive the initiative company-wide. Create a team to discover and identify all sensitive data in the organisation, especially any data that will remain sensitive for an extended period of five to ten years. Once organisations have completed a full inventory of the data they hold, consider how it is being protected and build a plan to implement crypto agility — the ability to migrate from current cryptographic standards to the new NIST standards of ML-KEM (FIPS 203), ML-DSA (FIPS 204) or SLH-DSA (FIPS 205).
“While the exact timing of Q-Day remains uncertain, preparation is the key to success. Start early and ensure your company is able to migrate to the new standards when the time comes.”
Luis Ruiz-Lopez, Director of Cryptographic Success at Optalysys, framed the migration challenge in strikingly human terms, noting that the leadership responsibility for acting falls on those in post today, not on successors who will inherit a compromised estate. “Transitioning must be taken seriously. It is not an abstract project that will happen in the future, but something that needs to start now. In other words, transitioning is not a task for future company leadership; it’s a task for the current leadership.
“Enterprises should start by setting up a plan and realistic timelines. This could include making a cryptography inventory and finding out the plan of each of the software and hardware providers. There is a lot of learning that needs to happen, so it is important to account for that too.
“Future changes and transitions can be made easier by implementing an ‘agile’ design of the cryptographic infrastructure. Changes might need to happen for various reasons, so this is important. This includes things like abstract use of cryptographic algorithms, automated management of certificates, and centralised control of the crypto policy.”
The Practical Steps: Where Organisations Should Start
Across the expert commentary, several consistent themes emerged about what organisations should prioritise in response to Google’s announcement.
The first is visibility. Before any technical migration can begin, organisations need to understand where cryptography is used across their entire estate, which systems, which data, and which algorithms are in play. Systems that protect high-value data with long confidentiality lifetimes, particularly in legacy environments, should be treated as the highest priority. Bridewell’s Kieran B noted that the earlier organisations build this picture, the more options they retain, and that delay narrows those options significantly.
The second is leadership engagement. Both Peter Jones of Conscia UK and Luis Ruiz-Lopez of Optalysys stressed the need to elevate PQC migration from a technical team project to a board-level strategic initiative. The complexity and duration of a full transition mean it will not happen without sustained senior ownership.
The third is crypto agility: designing cryptographic infrastructure so algorithms can be swapped out systematically as standards evolve. Given that further NIST updates are likely and that migration may be triggered by reasons beyond quantum computing alone, the ability to adapt quickly is itself a security asset.
Simon Pamplin of Certes also highlighted the particular challenge of protecting data in transit across fragmented environments such as legacy systems, multi-cloud deployments, AI workloads and edge devices, urging organisations to consider end-to-end PQC solutions that enforce sovereign, crypto-agile protection where the data owner retains control of the keys, and where protection travels with the data rather than being dependent on the underlying infrastructure.
The Bigger Picture: A New Kind of Urgency
What makes Google’s 2029 announcement distinctive is not just its ambition, but its framing. Previous industry guidance spoke in generalities; organisations should begin planning for a quantum future. Google has now put a specific date on the table, with its own reputation and infrastructure explicitly committed to that timeline.
The message to organisations is difficult to misread: if one of the most technically sophisticated and best-resourced companies in the world has concluded that it needs three years and every resource at its disposal to complete this transition, the question for any CISO or CTO is not whether to start — it is whether they have already left it too late to finish in time.
As Kieran B of Bridewell put it plainly: Q-Day is not going to announce itself. It will be quiet, sudden, and only obvious in hindsight. The only organisations in a position to respond effectively will be those that started preparing long before it arrived.
