Most enterprises that have engaged with quantum risk planning have encountered 2030. It appears in NIST's deprecation schedule. It appears in NSA CNSA 2.0. It appears in BSI and ANSSI guidance. From a distance it reads as: do this by 2030. But that is not what it says.

Read it again: RSA-2048 and ECDH are deprecated (meaning no new systems should use them) after 2030. The deadline is when you must be done, not when you must start. A 5-to-7-year enterprise migration programme starting today finishes in 2031 to 2033. For organisations that have not begun work, the window for on-time compliance under the NIST deprecation timeline has already closed.

That is the planning error this article corrects. Not the threat model. Not the algorithm choices. The timeline arithmetic that is quietly wrong in the risk registers of a substantial number of large organisations.

What the Official Guidance Actually Says About 2030

The five major guidance bodies have each published what 2030 means for them. The figures below come from primary sources, not summaries.

NIST IR 8547 (Initial Public Draft, November 2024): RSA-2048 and ECC P-256/P-384 are classified as deprecated after 2030 for federal systems. Deprecated means no new implementations after that date. They are disallowed after 2035, meaning no use whatsoever. The document is a draft, but the direction is established and no reversal is anticipated based on the public comment record. For FIPS-compliant organisations, 2030 is the last date on which a new RSA-2048 deployment is permissible. See the NIST FIPS standards overview for the algorithm-by-algorithm picture.

NSA CNSA 2.0 (PP-22-1338, September 2022): This is where the 2030 misreading causes the most operational damage, particularly for US defence contractors. New National Security System acquisitions and upgrades must use CNSA 2.0 algorithms from 1 January 2027. Not 2030. 2027. That deadline is now less than nine months away. All NSS must exclusively use CNSA 2.0 algorithms (ML-KEM-1024, ML-DSA-87, SLH-DSA-256, AES-256, SHA-384) by 2030. Complete transition for all NSS by 2035. Organisations in the US defence supply chain that read "2030" and concluded they had until 2030 to begin have read the wrong deadline.

BSI TR-02102-1 (Version 2026-01): Critical infrastructure operators in Germany must complete migration to post-quantum cryptography by 2030. All other organisations by 2032. These are migration completion targets. The planning work, cryptographic inventory, and programme design that precede implementation are not included in those timelines.

ANSSI (Position Paper March 2022, follow-up October 2023): France's national cybersecurity agency has mandated hybrid cryptography for sensitive applications: classical and post-quantum algorithms running simultaneously. ANSSI's position is that neither alone is acceptable for high-sensitivity data. The 2030 target for sensitive application migration was set in the 2022 document. It is the completion date, after hybrid deployment has been validated and rolled out.

NCSC (PQC Migration Timelines, March 2025): The UK's three-phase structure is the most explicit about what 2030 requires in terms of preceding work. Phase 1, discovery and planning, must be complete by 2028. Phase 2, high-priority system upgrades, runs 2028 to 2031. Phase 3, full migration, runs 2031 to 2035. An organisation that has not completed Phase 1 by 2028 is already behind schedule. Phase 1 is not implementation. It is inventory, risk assessment, and migration strategy. For a large enterprise, that phase alone takes 12 to 24 months.

The consistent thread across all five bodies: 2030 is a finish line, not a starting gun. Planning must be complete by 2030, which means the work must be well advanced before it.

[Figure: The Migration Window Squeeze. Timeline from 2023 to 2036 showing migration programmes by start year (started 2023 → finishes 2028; started 2024 → finishes 2029; starting 2026 → finishes 2031; starting 2028 → finishes 2033) against the markers "NSA: new NSS acquisitions", "NCSC: Ph.1", "NIST/BSI/NSA: RSA-2048 sunset" and "NIST: disallowed", with GRI 2025: 34% by 2030, 49% by 2035.]
Migration programmes started today finish in 2031. The NIST RSA-2048 deprecation boundary is 2030. The lower bound of the expert Q-Day consensus range is approximately 2029-2030. The diagram shows why 2030 is a planning threshold, not a start date. Sources: NIST IR 8547 (2024); NSA CNSA 2.0 (2022); NCSC PQC Migration Timelines (2025); BSI TR-02102-1 (2026); GRI Quantum Threat Timeline 2025.

How Long Does PQC Migration Actually Take?

Post-quantum cryptography migration is not a software update. It is a multi-year programme with five sequential workstreams, each of which creates dependencies for the next: cryptographic inventory, risk classification, algorithm selection and library testing, phased migration, and vendor and supply chain management. NIST SP 1800-38D (Volumes A through E, August 2024) is the definitive enterprise migration guidance. It frames the work as a phased programme across all five workstreams, not a single event.

Industry consensus on total migration time is 3 to 7 years for large organisations, depending on cryptographic estate complexity. A 500-person professional services firm with a modest cryptographic footprint can complete the programme in 2 to 3 years. A global financial institution with custom-built trading platforms, HSM infrastructure, TLS termination at scale, and third-party integration dependencies is looking at 5 to 7 years or more.

The cryptographic inventory phase alone regularly takes 6 to 18 months in large organisations. Most do not have a complete picture of what they have deployed. Shadow IT, legacy integrations, and vendor-managed encryption all contain cryptographic dependencies that are not visible to the security team without active discovery. An organisation that begins inventory in mid-2026 and takes 12 months to complete it will not start active migration until 2027. At a 5-year migration timeline, completion falls in 2032. Two years past the NIST deprecation boundary for RSA-2048, and inside the GRI 2025 lower-bound estimate for Q-Day.

This is the arithmetic problem. Apply the numbers to your own situation and the conclusion arrives on its own.

The Data Has Already Been Harvested

There is a second reason why 2030 is the wrong planning horizon, and it operates independently of migration timelines. HNDL (harvest now, decrypt later) is the practice of collecting encrypted data in transit today, storing it, and decrypting it once a cryptographically relevant quantum computer (CRQC, meaning a device specifically capable of running Shor's algorithm on RSA-2048 at production scale) becomes available. The attacker invests storage cost now. The return comes later. More on the full threat picture at the dedicated HNDL in Motion analysis.

NSA CNSA 2.0 explicitly cites HNDL as the justification for the 2027 deadline on new NSS acquisitions. The argument is direct: data encrypted under current algorithms for new national security systems will potentially still be in active use in 2030 and beyond. If a CRQC arrives during that window, the data is compromised retroactively. The 2027 date is not about hardware available in 2027. It is about data created in 2027 that needs to remain confidential through a period when a CRQC might exist.

Three categories of data face acute HNDL exposure today. Government secrets and national security communications with 10 to 30-year sensitivity windows, where data encrypted now could fall within the GRI 2025 lower-bound Q-Day estimate range of 2029 to 2032. Genomic and biometric data retained under long-term healthcare regulations: a genomic dataset encrypted under RSA-2048 today and retained for 25 years is exposed across the entire plausible Q-Day range. Long-duration financial records retained under MiFID II (7 years) or SEC Rule 17a-4 (6 years): a trade record encrypted in 2024 and retained until 2031 sits within the GRI lower bound.

The asymmetry matters. The attacker's cost is storage. The defender's only reliable protection is migration before Q-Day. Re-encrypting data that has already been harvested is not possible.

Mosca's Inequality: The Calculation Enterprises Are Not Doing

Michele Mosca formalised the exposure in a 2018 IEEE Security & Privacy paper. The inequality: if the time remaining before a CRQC is available (x) is less than the time needed to migrate (y) plus the remaining lifetime of the data (z), the data is at risk. Written simply: x < y + z means risk confirmed.

The GRI 2025 survey of 44 domain experts gives a 34% probability of a CRQC by approximately 2030 and a 49% probability by approximately 2035. The median expert estimate is 2029 to 2032. Use the Q-Day Timeline Risk Calculator to apply these figures to your specific migration timeline.

Three scenarios illustrate why the answer is not universal:

Large bank, transaction records. Time to CRQC (conservative estimate): 7 years. Migration time: 5 years. Data sensitivity window under MiFID II retention plus forward exposure: 7 years. Mosca check: 7 < (5 + 7) = 12. Risk confirmed. Migration must begin now to finish before the Q-Day lower bound.

Healthcare provider, genomic data. Time to CRQC: 7 years. Migration time: 4 years. Data sensitivity window (lifetime genetic sensitivity): 20 years. Mosca check: 7 < (4 + 20) = 24. The data sensitivity window alone exceeds the most optimistic Q-Day estimate. The risk is not marginal.

Professional services firm, contract data. Time to CRQC (conservative): 10 years. Migration time: 2 years. Data sensitivity window: 3 years standard retention. Mosca check: 10 is not less than (2 + 3) = 5. Not satisfied. This organisation may have time, depending on data classification.

The question "when do we need to act?" depends entirely on the data, not on a universal deadline. For most large enterprises holding long-lived sensitive data, the Mosca calculation returns a date in 2024 or 2025. That date has passed.

The Hardware Picture: Why 2030 Feels Closer Than It Did in 2020

The urgency in this article comes from migration timelines and HNDL, not from hardware hype. But the hardware context has changed, and the assumptions embedded in many 2030 planning frameworks were formed before two significant developments.

In December 2024, Google announced the Willow processor: a 105-physical-qubit superconducting chip that demonstrated below-threshold error correction. Errors decreased as the system scaled. This is a prerequisite for fault-tolerant quantum computation. What it does not mean: that a CRQC is imminent. The gap between 105 physical qubits performing below-threshold error correction and the hundreds of thousands or millions of physical qubits needed to run Shor's algorithm on RSA-2048 remains substantial. What Willow demonstrated is that the principle of error correction works as predicted by theory at this scale, reducing a key theoretical uncertainty about whether large-scale fault-tolerant quantum computation is physically achievable.

The second development is algorithmic. As covered in the companion piece on RSA threat evolution 1994-2026, Craig Gidney's 2025 paper reduced the estimated physical qubit requirement for breaking RSA-2048 from approximately 20 million (Gidney-Ekerå 2019) to fewer than one million. The threshold is closing from both ends: hardware scaling up, algorithmic requirements scaling down. IBM's published roadmap targets approximately 100,000 physical qubits in the early 2030s. Under current algorithmic estimates, that figure approaches the threshold.

The GRI 2025 figures capture where informed expert opinion now sits: a 34% probability of a CRQC by 2030. Risk managers routinely act on lower probabilities than that for physical threats. A one-in-three chance is not a reason to defer.

The Action Frame: Not If, But Which Data, and When

The correct question is not "when is Q-Day?" The correct question is: what data does your organisation hold that must remain confidential for more than five years, and is it currently protected by RSA-2048 or ECDH? That question can be answered today with a cryptographic inventory.

A practical three-tier risk classification:

Tier 1: Act immediately. HNDL exposure is already active. Government contractors and national security system operators where CNSA 2.0 applies and the new acquisitions deadline is January 2027. Organisations holding genomic, biometric, or long-duration health data. Organisations holding intelligence, defence, or classified commercial data with 10-plus year sensitivity windows. Financial institutions with multi-year transaction records protected by RSA or ECDH.

Tier 2: Begin planning now, implement in 2026 to 2027. Large enterprises in financial services, critical infrastructure, healthcare, and legal services. Organisations that are NIST FIPS-bound across a US federal supply chain. Organisations with complex cryptographic estates requiring multi-year inventory work before migration can begin.

Tier 3: Begin planning in 2026, implement in 2027 to 2028. Mid-size enterprises with low cryptographic complexity and short data retention periods. Organisations where all cryptographic functions are handled by major cloud providers that have published their own PQC migration roadmaps.

The starting point for any organisation is the cryptographic inventory: a complete enumeration of all assets, libraries, protocols, and dependencies that use public-key cryptography. Without it, migration cannot be sequenced or prioritised. NIST SP 1800-38D provides a detailed methodology.

On algorithm choice: ANSSI and BSI both recommend hybrid deployment as the transition strategy. ML-KEM plus X25519 for key exchange; ML-DSA plus ECDSA for signatures. Running classical and post-quantum algorithms simultaneously protects against both classical cryptanalysis of the post-quantum algorithm and quantum attack during the transition window. It is the technically conservative position, it is what both European regulatory bodies have made mandatory for their most sensitive applications, and it gives the most flexibility if the post-quantum algorithm landscape shifts before migration completes.
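The Mosca check and the inventory step can be combined into a single prioritisation pass. The sketch below is an added example, not a tool from this article or from any guidance body: the asset names, the algorithm labels, the `VENDOR-PROPRIETARY` placeholder and the ranking order are constructed, one CRQC horizon x is applied to the whole portfolio, and an asset is treated as hybrid only on the assumption that its classical and post-quantum key exchange run together.

```python
from dataclasses import dataclass

# Key-establishment families: broken by Shor's algorithm vs. post-quantum.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "X25519", "DH"}
POST_QUANTUM = {"ML-KEM"}

@dataclass
class Asset:
    name: str
    kex: tuple            # key-establishment algorithms found by the inventory
    migrate_years: float  # y: time needed to migrate this asset
    data_years: float     # z: remaining confidentiality lifetime of its data

def family(alg):
    """'RSA-2048' -> 'RSA', 'ML-KEM-768' -> 'ML-KEM'; None if unrecognised."""
    a, known = alg.upper(), QUANTUM_VULNERABLE | POST_QUANTUM
    return next((f for f in known if a == f or a.startswith(f + "-")), None)

def posture(asset):
    fams = {family(a) for a in asset.kex}
    if not fams or None in fams:
        return "unknown"  # cannot be ranked until someone reviews it
    if fams & QUANTUM_VULNERABLE:
        return "hybrid" if fams & POST_QUANTUM else "classical"
    return "pqc"

def mosca_margin(asset, years_to_crqc):  # x - (y + z); negative means at risk
    return years_to_crqc - (asset.migrate_years + asset.data_years)

def prioritise(assets, years_to_crqc):
    """(name, posture, margin) rows: at-risk classical, unknown, classical with slack, hybrid/pqc."""
    rows = []
    for a in assets:
        p = posture(a)
        m = mosca_margin(a, years_to_crqc) if p == "classical" else None
        rank = (0 if m < 0 else 2) if p == "classical" else (1 if p == "unknown" else 3)
        rows.append((rank, m or 0, a.name, p, m))
    rows.sort(key=lambda r: r[:3])
    return [r[2:] for r in rows]

# Constructed inventory; y and z in the first three rows are the article's scenarios.
INVENTORY = [
    Asset("bank transaction records", ("RSA-2048",), 5, 7),
    Asset("genomic data store", ("RSA-2048",), 4, 20),
    Asset("contract archive", ("ECDH-P256",), 2, 3),
    Asset("remote-access VPN", ("X25519", "ML-KEM-768"), 1, 5),
    Asset("vendor-managed link", ("VENDOR-PROPRIETARY",), 3, 10)]

if __name__ == "__main__":
    print(*prioritise(INVENTORY, years_to_crqc=7), sep="\n")
```

Re-running with a different `years_to_crqc` shows which assets change verdict as the Q-Day estimate moves; assets with an unrecognised algorithm stay flagged for review rather than being silently treated as safe.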

Use the HNDL Risk Calculator to assess your current exposure against the HNDL threat model before prioritising your inventory work.


2030 in official guidance is a finish line, not a starting gun. For organisations with long-lived sensitive data, the starting gun fired two years ago.

The two tools below apply the Mosca Theorem to your specific situation. The Q-Day Timeline Risk Calculator takes your data sensitivity window and estimated migration duration and maps them against the GRI probability distribution. The HNDL Risk Calculator assesses your current exposure based on what algorithms are protecting which data today. Neither substitutes for a structured programme, but both give you the quantified starting point for the internal prioritisation argument.

If your results show high-priority exposure, the next step is a structured migration programme with defined milestones. QSECDEF membership connects you to practitioners who have run this work in regulated and defence environments.