14.05.2026

7 Min. Read Time · Strategy Briefing

The post-quantum discussion is leaving the research department and landing in corporate IT in 2026. NIST's three final PQC standards, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), have been available since August 2024, and the fourth module, HQC, was added in May 2026. In their April 2026 memorandum, CISA and NSA committed all US federal agencies to a binding phase-out of classical cryptography by 2035, with intermediate stages in 2030 and 2033. What sounds like regulatory detail is in fact the starting gun for a ten-year corporate migration task. If you don’t start the inventory in 2026, you no longer control the quantum risk; you are simply under time pressure.

Key Takeaways

  • NIST has delivered, now it’s up to the industry: FIPS 203/204/205 plus HQC are production-ready in 2026. The question is no longer whether, but how quickly corporations will complete their cryptography inventory.
  • Harvest-now-decrypt-later is real: Data that is encrypted today can be decrypted with quantum computers in seven to ten years. If you work with research, legal, or patent data life cycles beyond 2032, you already have the problem in 2026.
  • Migration is an architecture question, not a patch: Hybrid cryptography, crypto-agility, and PKI renovation are the three pillars. If you treat this as a pure algorithm update, you’ll end up with an expensive rebuild in 2030.


What’s Changed in Recent Weeks

Three developments since early 2026 are intensifying the strategic situation. Firstly, NIST published the final specification for HQC in March, a fourth standard module with different mathematical foundations than ML-KEM. In 2026, this brings real algorithm diversity to the PQC world for the first time, which changes the crypto-agility discussion in corporate architectures.

Secondly, the NSA and CISA memorandum in April 2026 sharpened the US roadmap: federal agencies must complete their crypto inventory by the end of 2027, implement hybrid PQC migration in key systems by 2030, and completely phase out classical public-key procedures by 2035. European corporations are taking this seriously because their US subsidiaries, suppliers, and transatlantic data flows are affected.

Thirdly, Microsoft, Google, and Cloudflare enabled the first production PQC hybrid modes for cloud TLS and VPN gateways in Q1 2026. This means the technology is no longer theoretical but can be tested in production. If you start a pilot operation in 2026, you can rely on hyperscaler stacks that have already been launched, rather than building your own curves.

Timeline 2026 to 2035

  • 2026: inventory
  • 2027: pilot operation
  • 2030: hybrid PQC in key systems
  • 2033: quantum-resistant in all critical paths
  • 2035: phase-out of classical procedures in US authorities and key industries

NSA-CISA Memorandum April 2026, Microsoft/Google/Cloudflare hybrid modes Q1 2026, HQC standard March 2026.

Why CIOs Need to Start Now

The temptation is great to push the topic into the realm of research projects. Three arguments make this a wrong decision for corporations in 2026.

Firstly, the inventory problem. Classical cryptography is used in thousands of places across corporate IT: TLS certificates, VPN configurations, code signing pipelines, document signatures, backup encryption, hardware security modules, database encryption, container image signatures, IoT devices. A serious inventory takes between twelve and eighteen months in medium-sized corporations. If you don’t start in 2026, you won’t have a reliable view of where migration is needed in 2027.

Secondly, the supply chain problem. In 2026, corporate IT consists largely of purchased products and services. Which of them have a PQC roadmap and which do not is not transparent today. If you don’t actively ask, you will depend in 2030 on supplier decisions that you didn’t make yourself. Procurement and IT must bring PQC roadmap requirements into all relevant contracts as soon as they are extended in 2026.

Thirdly, the harvest problem. Encrypted data traffic from 2026 is secure against today’s attackers, but it can be stored. State actors and organized criminal groups are demonstrably collecting encrypted data traffic in order to decrypt it later. For data with a lifecycle beyond 2032, i.e., patents, contract bases, research results, M&A documentation, the quantum threat is already effective in 2026, even if the decrypting quantum computer doesn’t run until 2032 or later.

Pros and Cons of the Two Migration Paths

Pro Hybrid PQC (Avoid Big Bang)

  • Gradual migration without complete standstill
  • Classical and PQC security in parallel
  • Hyperscaler stack already available in 2026
  • Learning curve in the corporation is distributed

Contra Hybrid PQC

  • Higher computing effort per connection
  • More complex certificate lifecycle
  • Double audit trail over two algorithms
  • Transition phase with double risk profile

Pro Pure PQC (Later Cut)

  • Clean architecture status after migration
  • Less lifecycle complexity in the long term
  • Lower operational effort after cut-over
  • Better audit position post-migration

Contra Pure PQC

  • Big bang risk at switch date
  • High dependence on standard maturity
  • Late recognition of incompatibilities
  • Pressure from 2033 to 2035 without buffer zones

What the Executive Board Must Decide on in 2026

Three executive board decisions cannot be delegated to the IT department in 2026. They concern investment volumes, supplier contracts, and compliance position.

Firstly: Mandate and budget for a group-wide crypto inventory. Realistically, this involves one to three additional full-time equivalents (FTEs) plus a tooling budget of between 200,000 and 800,000 euros for medium-sized corporations. The mandate must be cross-sectional because the inventory must run across IT, OT, cloud, procurement, and legal.

Secondly: PQC clauses in the 2026 contract negotiations. Every relevant software, cloud, and hardware contract that is newly negotiated or extended in 2026 should contain a PQC migration clause: roadmap transparency, update path until 2030, liability for delayed delivery. Postponing this builds in a delay of twelve to sixteen months.

Thirdly: Position on hybrid vs. pure PQC. Most corporations will take the hybrid path, but the decision must be made consciously because it affects architecture, audit, and lifecycle logic. If it is not decided, operational teams will decide it unconsciously, often inconsistently across departments.

What CIOs Still Underestimate in 2026

Two areas are regularly addressed too late in current practice. Firstly: PKI modernization. Many corporations have a public key infrastructure from the 2010s, which is not agile enough for PQC. A PKI renovation takes two to three years in large companies and must start in 2026 or 2027 to be in production by 2030. Without a modern PKI, crypto-agility is a facade, not a state.

Secondly: Hardware lifecycles. HSMs, smart cards, IoT devices, and embedded controllers in the OT environment have lifecycles of seven to fifteen years. If new hardware is procured in 2026 that is not PQC-capable, it creates a migration bottleneck for 2030. Procurement must make this a binding requirement in its specifications, not a nice-to-have criterion.

Frequently Asked Questions

How Realistic is the Quantum Threat in 2026?

For classic RSA-2048 and ECC-256 keys, the majority of experts expect cryptographically relevant quantum computers between 2030 and 2040. The risk in 2026 lies less in acute decryption than in the harvest-now-decrypt-later pattern. Data with a value beyond 2032 must be protected today; everything else is a time game.

Which Algorithm Should be Preferred in 2026?

FIPS 203 (ML-KEM, based on Kyber) for key encapsulation, FIPS 204 (ML-DSA, based on Dilithium) for signatures. HQC is available as a second KEM method in 2026 and is important for defense-in-depth strategies because it is based on a different mathematical foundation. A serious PQC strategy in 2026 does not rely on a single algorithm.

What Does a Group-Wide Crypto Inventory Realistically Cost?

In medium-sized DACH corporations, the effort lies between 600,000 and 1.8 million euros over twelve to eighteen months. This includes two to four FTEs internally, external specialists for PKI and HSM diagnosis, and tooling. For large corporations with OT share and global presence, the effort increases significantly.

How Does the EU Relate to NIST Standards?

ENISA and BSI have adapted the NIST standards for EU practice and published their own technical guidelines in Q1 2026. The BSI requires PQC migration concepts by the end of 2027 in all KRITIS industries, congruent with the NSA roadmap. Corporations with US-EU connections can migrate on a single roadmap.

What is the Most Common Executive Board Error in PQC in 2026?

Delegating the topic as a pure IT task to the architecture department. PQC is simultaneously a supply chain, compliance, and investment issue. Without a clear executive board mandate, the inventory will not be conducted, supplier management will not switch to the correct mode, and investment decisions will come too late in 2029.

A magazine by Evernine Media GmbH