
Explaining Executive Order: Securing the Nation Against Advanced Cryptographic Attacks & What This Means for Your Organization

Post-quantum cryptography (PQC) has officially crossed the line from a risk that seems far away to an active mandate that is driving change. There is no better time than now to start a PQC readiness plan, if you haven’t already.

The Executive Order: Securing the Nation Against Advanced Cryptographic Attacks doesn’t introduce new risks; it just validates what leading organizations already know about how a cryptographically relevant quantum computer (CRQC) will be able to break the algorithms that we use today inside our enterprises.

We’ve heard this already from other nations and companies, including leading hyperscalers, and when those guys move, it signals that the timeline is compressing and the date is becoming more real.

Shifting from planning to action

Organizations must shift the mindset from “we’ll deal with this later” to “we need to act now.” Don’t wait and risk some catastrophic event. It’s not about the question of “when is Q-day actually going to be here,” similar to how we were waiting for Y2K. It’s really about protecting the data that is being created today.

We’ve been talking about the real risk of Harvest Now, Decrypt Later attacks, which means we have to assume that even applications that are encrypted today could be decrypted later, and that confidential data could be stolen and compromised.

Taking ownership of PQC

This Executive Order moves PQC from guidance and recommendations to an actual policy with accountability. It introduces the requirement to have clear leadership and ownership around PQC readiness for the whole organization.

Cryptography is critical infrastructure and is embedded in all the systems that drive enterprises. As such, it impacts all areas of the business, and cross-functional collaboration is required to ensure all systems are quantum-safe.

These steps are essential to the success of every business in the quantum and AI era:

  • Set clear ownership and responsibilities across teams with a well-defined reporting and tracking system to measure progress of PQC migration.
  • Allocate funding and establish a budget to hire staff, engage necessary tools or vendors, and allot time to ensure PQC-readiness.
  • Maintain ongoing efforts towards the continuous upkeep of crypto-agility across the trust infrastructure to be prepared for further regulatory changes, technology advancements, and future threats.

All of these recommendations enable organizations to shift from thinking of PQC readiness as an experiment to embedding it into an actual corporate program.

Starting sooner rather than later

Some of the key dates mentioned in this EO help elevate urgency to act.

  • 2030: By December 31, 2030, federal agencies must transition their most critical systems to use PQC for key establishment. The EO also directs the Federal Acquisition Regulatory Council to propose requirements that would make compliance with NIST-approved PQC standards mandatory for covered federal contractors by the same date.
  • 2031: The EO extends the push for quantum readiness beyond encryption. By December 31, 2031, federal agencies must transition their most critical systems to use post-quantum cryptography for digital signatures, helping ensure the long-term integrity and authenticity of software, communications, and digital identities.

Those dates are not that far away. In fact, they are within the enterprise planning cycles, which typically span 3-5 years. That means the time is now.

Organizations must act now to be ready by 2030 and 2031.

Scaling trust across enterprises

This is a trust problem at scale, not just a cryptographic upgrade challenge.

It’s also not about choosing the best PQC algorithm. It’s more about getting all your ducks in a row to have visibility, control, and coordination across all your enterprise systems.

Cryptography is no longer a back-office topic; it’s foundational infrastructure.

It matters because cryptography is embedded inside systems and applications that the business thinks are already safe (which they are, by today’s standards). But the risk is what happens in the future, and organizations need to create a roadmap today that starts with visibility, risk assessment and prioritization, and, ultimately, crypto-agility.

This is not just a single point-in-time event; it is going to be an ongoing program that needs continuous automation and improvement.

The question for organizations isn’t should you prepare; it’s how far behind you are today, and why not start now.

Got questions on the executive order? We’ve got answers.

  1. What is cryptography?
    Cryptography is the practice of protecting data in the presence of an adversary, providing guarantees such as confidentiality, integrity and authenticity, and leveraging different techniques from mathematics, information theory and physics.
  2. What is the executive order on securing the nation against advanced cryptographic attacks?
    The Executive Order directs federal agencies and critical infrastructure organizations to accelerate the transition to post-quantum cryptography (PQC) and strengthen protections against future quantum-enabled cyberattacks.
  3. Does this executive order apply only to federal agencies?
    While the requirements primarily target federal systems, the guidance will likely influence cybersecurity expectations across critical infrastructure sectors, government contractors, and private enterprises.
  4. What should organizations do to prepare for post-quantum cryptography?
    Organizations should start by inventorying cryptographic assets, identifying quantum-vulnerable systems, developing a crypto-agility strategy, and planning for the migration to NIST-approved PQC algorithms.
  5. What is crypto agility, and why is it important?
    Crypto agility is the ability to quickly and seamlessly replace or update cryptographic algorithms, certificates, and keys. It helps organizations respond to emerging threats, regulatory requirements, and future cryptographic transitions.
  6. How can organizations assess their readiness for quantum-safe security?
    A good first step is conducting a cryptographic inventory and risk assessment to identify where vulnerable algorithms are used and prioritize systems for modernization and PQC migration.