Q-Day Just Moved Up. Your Board’s 2035 Plan Is Already Outdated

If your quantum-security plan is built around 2035, it is already obsolete. That date may still matter for compliance. It should no longer govern risk.

The last few months have changed the board-level threat model: hardware roadmaps have accelerated, resource estimates for breaking elliptic-curve cryptography have dropped sharply, major platforms are moving to 2029, and Shor’s algorithm is now being improved in an open, competitive, AI-assisted optimization race.

This is no longer a distant theoretical problem.

It is a narrowing implementation window.

And for large organizations, the window is now shorter than the time required to complete enterprise-wide PQC migration.

The Acceleration Is Now Visible

In the last few months, the quantum threat model has changed materially.

Not in a way that only quantum physicists should care about.

In a way that CISOs and boards should understand.

Until recently, the working assumption was that breaking today’s public-key cryptography would require quantum computers so large that the threat still felt comfortably distant. Depending on the model, estimates were often in the many-millions-of-qubits range.

That assumption is now eroding.

Google Quantum AI recently published new resource estimates for using Shor’s algorithm against 256-bit elliptic-curve cryptography. The business translation is simple: Google estimates that the job could be done with fewer than 500,000 physical qubits on a superconducting quantum computer – roughly a 20x reduction from prior estimates.

That does not mean today’s quantum computers can break ECC.

They cannot.

But it does mean the size of the machine thought necessary to do it has just become dramatically smaller.

And that matters because hardware roadmaps are moving at the same time.

Today’s quantum processors are still far below the level needed to break production cryptography. But they are no longer laboratory curiosities with a handful of qubits. Atom Computing has already announced a neutral-atom platform with more than 1,200 physical qubits.

IBM’s public roadmap points to systems with more than 1,000 physical qubits by 2028, and a fault-tolerant system in 2029 with 200 logical, error-corrected qubits.

Microsoft has now stated that it expects to achieve a scalable quantum computer by 2029, cutting its original timeline in half.

On the software and cryptanalysis side, the trend is moving in the same direction.

Neutral-atom researchers published a separate architecture paper arguing that Shor’s algorithm could be executed at cryptographically relevant scale with as few as 10,000 reconfigurable atomic qubits. Under their assumptions, discrete logs on P-256 could run in days on a 26,000-qubit neutral-atom system.

Google moved its own post-quantum cryptography migration timeline to 2029.

Cloudflare moved its full post-quantum security target to 2029.

Ethereum now has a dedicated post-quantum roadmap targeting 2029 for full post-quantum protection. https://ethereum.org/roadmap/future-proofing/quantum-resistance/

And the algorithmic side is still moving. On June 1, André Schrottenloher published optimized elliptic-curve point-addition circuits that further reduce the estimated cost of attacking secp256k1, the elliptic curve used in Bitcoin and Ethereum signatures.

This Is No Longer Just a Research Timeline

This is the part boards need to understand: Q-Day is not moving closer because of one announcement. It is moving closer because several independent trends are reinforcing each other:

  • The size of the quantum computer thought necessary to break ECC is shrinking.
  • The hardware roadmaps are accelerating.
  • Neutral-atom architectures are changing assumptions about scale.
  • Major players are publicly moving their own PQC migration targets to 2029.
  • The algorithmic optimization process is becoming social, open, competitive, and AI-assisted.

There are now challenge environments where contributors are iterating on Shor circuits. One of the most interesting is ECDSA.fail, a public challenge environment focused on beating the current frontier for ECDSA-breaking Shor circuits.

There are prizes pushing adjacent cryptographic primitives. There are forums and private groups where experts, amateurs, and AI-assisted researchers are finding small improvements that compound.

That matters.

We just watched this movie with AI. For years, progress looked linear. Then models, infrastructure, tooling, data, capital, open-source communities, and automation loops all started reinforcing each other.

Timelines collapsed.

Quantum cryptanalysis is beginning to show the same pattern.

The prudent conclusion is not “Q-Day is definitely in 2029.”

The prudent conclusion is: 2029 must now be treated as the outer planning horizon for protecting your most critical quantum-vulnerable links.

That is roughly 3.5 years.

PQC Migration Will Not Finish in Time

For a large enterprise, 3.5 years is not enough time for full PQC migration.

PQC migration is not a patch. It is not a certificate rotation. It is not a library upgrade.

It requires cryptographic inventory, PKI modernization, HSM upgrades, certificate-chain redesign, protocol testing, embedded-device replacement, vendor coordination, application refactoring, regression testing, auditability, and phased deployment across business-critical systems.

For a large organization, realistic PQC migration is a 10–15 year program.

That creates a gap.

A compliance gap.

A fiduciary gap.

And, most importantly, a protection gap.

Boards Have Two Separate Duties

Boards and CISOs have two responsibilities.

First: comply with NIST-aligned PQC requirements.

Second: protect the organization’s data, customers, shareholders, operations, and reputation before the compliance program is complete.

Those are not the same obligation.

Compliance asks: “Are we following the approved transition plan?”

Risk management asks: “Will our crown-jewel data survive if the quantum timeline moves faster than expected?”

For critical data-in-motion, the answer cannot be: “Wait until every application, service, endpoint, vendor product, embedded system, and certificate chain has been migrated to PQC.”

That will not happen fast enough.

Start at the Pipes

The practical answer is to start at the pipes.

Protect the critical communication links first:

  • Data-center to data-center.
  • Data-center to cloud.
  • Cloud interconnects.
  • Backbone routes.
  • Financial trading links.
  • Defense and critical infrastructure links.
  • Sovereign data flows.
  • High-value R&D networks.
  • Board and executive communications.

This is where QKD becomes strategically important.

The question is not “QKD or PQC?”

The answer is PQC plus QKD.

PQC is essential for broad cryptographic modernization and regulatory alignment.

But QKD gives you something PQC does not: an out-of-band keying layer for the most critical links.

Why QKD Is Different

That distinction matters operationally.

PQC usually requires changes inside the software and protocol stack. You have to touch applications, libraries, certificates, endpoints, HSMs, vendors, firmware, embedded devices, middleboxes, and authentication flows.

That creates cost, delay, and outage risk.

QKD works differently.

QKD can sit beside the data plane and feed keys into existing encryption infrastructure such as MACsec or IPsec. Your production traffic does not need to traverse the QKD device. You do not need to upgrade every application before the link becomes quantum-hardened. You do not need to remediate one service at a time before improving the security posture of the entire route.

That is the core advantage:

QKD can provide umbrella coverage for all traffic crossing a critical link.

One QKD-secured interconnect can protect many applications, including legacy systems, bespoke internal services, cloud workloads, and vendor platforms that will take years to migrate individually.

For critical links, this can be easier, faster, lower-risk, and more cost-effective than trying to force immediate PQC coverage across the entire enterprise stack.

This is the pipe-first argument: secure the routes where the highest-value data actually flows, rather than trying to boil the ocean application by application.

QKD is not a replacement for PQC.

It is the fastest way to reduce exposure where the blast radius is highest while the broader PQC program runs in parallel.

That is why HEQA’s approach is PQC + QKD:

  • Use PQC to align with standards and regulatory direction.
  • Use QKD to add immediate, physics-based protection to the links where compromise is unacceptable.

My Prediction on NIST

The NIST 2035 framework was built for a world where the quantum timeline looked slower.

That world is gone.

My prediction: NIST and other standards bodies will amend their guidance within the next 12–18 months at the outer limit to recognize QKD as a formal complementary path for critical-link protection.

Not as a replacement for PQC.

As the missing operational layer for the links that cannot wait.

If they want their guidance to remain credible, they will have to acknowledge the difference between enterprise-wide cryptographic migration and immediate protection of crown-jewel communication links.

Those are different problems.

They require different tools.

The Board-Level Takeaway

For boards and CISOs, the message is direct:

  • Do not wait for Q-Day.
  • Do not assume 2035 is your safety margin.
  • Do not confuse compliance progress with actual protection of your highest-value data.

Begin PQC migration.

But protect your critical links now.

If your organization has communication paths where compromise would be existential, those links should already be on a QKD implementation roadmap.

HEQA can help you identify them, prioritize them, and protect them.

Reach out to start.