UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber Security

Post-Quantum Cryptography: Harvest-Now Readiness

Servnet Editorial · IT infrastructure analysis11 min read

The encryption protecting your most sensitive data has an expiry date, and adversaries have already started the countdown. "Harvest now, decrypt later" means data you send today can be quietly collected and stored until a quantum computer can crack it — so anything that must stay secret into the 2030s is exposed right now, not in some distant future. With NIST's post-quantum cryptography standards finalised and the UK's NCSC setting a hard 2035 migration deadline, the decision facing every UK risk owner in 2026 is simple: inventory your cryptography and build a migration plan, or accept that some of your data is being harvested unprotected.

Harvest-now: the countdown to 2035
W0W2W4W6W8W10W11'24 Standards2w'26 Inventory2w'28 Migrate P23w'31-'35 Complete4wTotal: 11 weeks end-to-end

What 'harvest now, decrypt later' actually means

Harvest now, decrypt later (HNDL) — sometimes called store now, decrypt later — is not a hypothetical. Adversaries, particularly well-resourced nation states, intercept and archive encrypted traffic and stored data today, betting that a future cryptographically relevant quantum computer (CRQC) will let them decrypt it retrospectively. The encryption looks unbroken now, which is exactly why the risk is invisible until it is too late.

The key insight comes from cryptographer Michele Mosca, whose simple inequality frames the whole problem. If X is the number of years your data must stay confidential, Y is the number of years it will take you to migrate your systems to quantum-safe cryptography, and Z is the number of years until a CRQC exists, then whenever X + Y > Z you already have a problem. Data with a long shelf life plus a slow migration can breach the quantum horizon even if that horizon is a decade away.

In other words, the trigger date is not when quantum computers arrive. It is today, for any data whose sensitivity outlives the migration timeline. That reframes post-quantum cryptography from a future IT upgrade into a present-day cyber security decision.

The standards are finished — this is now a migration problem, not a research one

On 13 August 2024, NIST published the first three finalised post-quantum encryption standards, ending an eight-year global competition. FIPS 203 defines ML-KEM (derived from CRYSTALS-Kyber) for key establishment — the replacement for RSA and elliptic-curve key exchange. FIPS 204 defines ML-DSA (from CRYSTALS-Dilithium) and FIPS 205 defines the hash-based SLH-DSA, both for digital signatures. In March 2025 NIST added a fifth algorithm, HQC, as a code-based backup for ML-KEM built on different mathematics, with a draft standard expected in 2027. A fourth signature standard, FN-DSA (FIPS 206, from Falcon), reached draft in late 2025.

The significance is that the excuse of 'the standards aren't ready' has expired. NIST's transition roadmap, draft IR 8547, spells out the consequences: quantum-vulnerable algorithms — RSA, ECDSA, ECDH, DSA and finite-field Diffie-Hellman — are set to be deprecated after 2030 and disallowed after 2035 in systems that follow NIST standards. For UK organisations in regulated supply chains, that is a compliance clock, not a suggestion.

Because so much of the world's cryptography is embedded in commodity software, browsers, TLS libraries and hardware security modules, a large part of the migration will arrive through vendor updates. But bespoke systems, industrial control systems, long-lived firmware and anything with hard-coded certificates will not fix themselves — and those are precisely the systems that protect the highest-value data.

The UK deadline: NCSC's three phases to 2035

In March 2025 the UK's National Cyber Security Centre published 'Timelines for migration to post-quantum cryptography', giving Britain one of the clearest national roadmaps in the world. It is aimed squarely at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure including industrial control systems, and firms running bespoke IT. Smaller businesses on standard commodity software should largely be carried by their vendors.

The guidance breaks the journey into three dated phases. By 2028, you should have defined your migration goals, completed a full discovery exercise, and built an initial plan covering your whole estate. By 2031, you should have carried out your earliest, highest-priority migrations and refined that plan into a thorough roadmap. By 2035, migration to PQC of all your systems, services and products should be complete.

NCSC chose 2035 deliberately: it judged ten years enough for a rich set of standards to mature, for a product ecosystem to appear, and for adoption to become widespread. That sounds generous until you realise phase one — knowing what cryptography you even have — is due in barely two years. The roadmap below shows how these UK milestones interleave with NIST's deprecation dates.

When does the quantum threat become real?

Nobody can give a precise date for a cryptographically relevant quantum computer, and any article that claims to is guessing. The most credible ongoing measure is the Global Risk Institute's Quantum Threat Timeline Report, an annual survey of quantum-computing experts run with evolutionQ. Its 2025 edition — the seventh — records the most aggressive estimates in its history.

Read carefully, the surveyed experts put roughly a 5-14% chance (about one-in-ten) on a CRQC capable of breaking RSA-2048 within about five years, and around a 50% likelihood within ten to fifteen years — figures that should be treated as indicative expert opinion rather than hard forecasts. The report's authors, Michele Mosca and Marco Piani, note that the averaged expert estimate of a CRQC within a decade now sits somewhere between 28% and 49%, the highest ten-year figure the survey has ever produced.

A better-than-one-in-four chance of catastrophic cryptographic failure inside a decade is not a risk any board would knowingly accept for its crown-jewel data. And crucially, you do not need to believe the earliest estimates to act — the HNDL model means the harvesting is happening now regardless of when decryption becomes possible.

The readiness gap: why 2026 is the year to inventory

The uncomfortable truth is that most organisations are nowhere near ready. ISACA's 2025 survey of more than 2,600 digital-trust professionals found that 95% of organisations have no quantum-computing roadmap at all, only 5% treat it as a near-term high priority, and 62% are worried that quantum will break today's encryption before PQC is fully deployed. IBM's Quantum-Safe Readiness Index scored the average organisation at just 25 out of 100 in 2025.

That gap is the argument for treating 2026 as inventory year. You cannot migrate cryptography you cannot see, and almost every organisation underestimates how much it has: TLS certificates, VPNs, code-signing keys, database encryption, hardware security modules, embedded device firmware, and third-party integrations that quietly rely on RSA or ECC. A cryptographic bill of materials (CBOM) turns that invisible sprawl into a managed asset register — and it is the single deliverable NCSC expects you to have well before 2028.

Crypto-agility — the ability to swap algorithms without re-architecting systems — is the strategic goal. But it starts unglamorously, with discovery. The roadmap chart above maps the discovery-to-migration path onto NCSC's phases so risk owners can see where the effort lands. Fold this into your existing cyber security programme rather than running it as a separate quantum project; the disciplines of asset inventory, prioritisation and phased rollout are ones your security team already knows.

NCSC's three-phase PQC roadmap
PQC migration in three dated phases
by 2028
Discover & plan (CBOM)
by 2031
Migrate priority systems
by 2035
All systems on PQC

Which of your data is actually at risk?

Not all data carries the same HNDL exposure, and pretending it does wastes effort. The right lens is Mosca's inequality applied per data class: how long must this stay secret, and does that shelf life plus migration time cross the quantum horizon? Anything that must remain confidential beyond roughly 2030-2035 is a candidate for harvesting today.

UK retention rules make the long-lived categories concrete. NHS records can be held for a patient's lifetime, with hospital records kept at least eight years after last treatment and children's records until age 25; genomic and clinical-trial data can stay sensitive for a lifetime. Government and public records fall under the Public Records Act's 20-year rule, and defence or intelligence material can carry strategic value for decades. Financial and legal records must be kept six years under HMRC rules, and their sensitivity often outlasts that. Intellectual property, source code and R&D can be commercially damaging for fifteen years or more.

At the low-risk end sit ephemeral secrets — session tokens, short-lived operational data — whose value evaporates long before any quantum computer could decrypt them. The risk matrix below plots these classes against shelf life so you can prioritise. If you hold long-lived data on systems approaching a hardware refresh, that overlap is also your opportunity: migrating storage and servers nearing end of life is the natural moment to design in crypto-agility.

The UK buyer's angle: hardware, legacy risk and budget

Post-quantum migration is not only a software patch — it has a hardware and lifecycle dimension that IT buyers should plan for now. Newer processors and HSMs accelerate the larger PQC keys and signatures far more comfortably than ageing kit, and vendor firmware for quantum-safe algorithms increasingly targets current generations. When you specify a refresh, treat crypto-agility as a requirement: choose platforms with updatable firmware and TPMs, and capture it in your server configuration so it is not an afterthought.

Legacy systems are where HNDL risk concentrates. Kit that is past vendor support rarely receives PQC firmware, yet it often guards exactly the long-lived data adversaries want. Mapping your estate against server end-of-life and storage end-of-life dates tells you which assets can be upgraded in place and which must be replaced or ring-fenced. Where you need to keep an unsupported platform running securely through the migration window, third-party maintenance can bridge the gap without forcing a rushed rip-and-replace, and quality refurbished servers can stand up crypto-agile capacity affordably.

Finally, budget it. A migration spanning 2026-2035 is a multi-year capital and operational commitment, and spreading it across refresh cycles is far cheaper than an emergency scramble after a CRQC breakthrough. Modelling the phased spend with an IT finance calculator lets you align PQC readiness with the hardware refreshes you were going to make anyway — turning a compliance obligation into a planned, financeable programme rather than a shock. Baking quantum-safe requirements into your next procurement is the cheapest migration step you will ever take.

Sources

Every figure in this article is drawn from primary sources published by NIST, the NCSC, the Global Risk Institute, ISACA and UK government bodies. Quantum-computer probability figures are indicative expert survey opinion, not forecasts.

Data sensitivity vs shelf life
Shelf lifeSensitivityHarvest riskHealth & genomic50 yrsVery highCriticalDefence / intel30 yrsVery highCriticalGovt / CNI20 yrsHighHighIP / R&D15 yrsHighHighFinancial / legal7 yrsMediumHighCustomer PII5 yrsMediumMediumSession tokens1 yrLowLow
Key takeaways
  • Harvest now, decrypt later means long-lived data is exposed today — the risk trigger is your data's shelf life, not the arrival date of quantum computers.
  • The standards are final: NIST published ML-KEM, ML-DSA and SLH-DSA in August 2024 and added HQC in March 2025, so migration is now an engineering and compliance task, not research.
  • The UK has a hard deadline. NCSC wants a full crypto discovery and migration plan by 2028, high-priority systems migrated by 2031, and everything on PQC by 2035; NIST deprecates RSA/ECC after 2030 and disallows them after 2035.
  • Experts surveyed by the Global Risk Institute put an indicative ~5-14% chance of a code-breaking quantum computer within about five years, rising to 28-49% within a decade — odds no board would accept for crown-jewel data.
  • 95% of organisations still have no quantum roadmap (ISACA 2025), so the highest-value action in 2026 is a cryptographic inventory (CBOM) — you cannot migrate what you cannot see.
  • Use hardware refresh cycles for legacy, end-of-life servers and storage as the moment to design in crypto-agility, and finance the migration across multiple years rather than in a post-breakthrough panic.
Frequently asked

FAQs — Post-Quantum Cryptography

What is 'harvest now, decrypt later' and is it actually happening?

It is a strategy where adversaries intercept and store encrypted data today so they can decrypt it once a cryptographically relevant quantum computer exists. Security agencies and researchers treat it as an active threat, not a future one, because collecting and archiving traffic is cheap and undetectable. Any data that must stay confidential into the 2030s should be assumed to be at risk of collection now.

Are the post-quantum cryptography standards actually finalised?

Yes. NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) as finalised standards on 13 August 2024, selected HQC as a backup key-establishment algorithm in March 2025, and advanced FN-DSA (FIPS 206) to draft in late 2025. The core algorithms most organisations need are ready to deploy today.

When do RSA and ECC stop being allowed?

NIST's draft transition report, IR 8547, sets quantum-vulnerable algorithms such as RSA, ECDSA and ECDH to be deprecated after 2030 and disallowed after 2035 within systems that follow NIST standards. In the UK, the NCSC's roadmap targets completing migration to post-quantum cryptography across all systems, services and products by 2035.

What should a UK organisation do first in 2026?

Build a cryptographic inventory, sometimes called a cryptographic bill of materials. It catalogues every place you rely on cryptography — certificates, VPNs, code-signing keys, databases, HSMs, firmware and third-party integrations — and flags what is quantum-vulnerable. NCSC expects this discovery and an initial migration plan to be complete by 2028, so starting in 2026 leaves realistic headroom.

Which data is most exposed to the quantum threat?

Data with a long shelf life and high sensitivity: health and genomic records (retained for a lifetime), defence and intelligence material, government records under the 20-year rule, intellectual property and R&D, and financial or legal records. Short-lived data such as session tokens carries little HNDL risk because it loses value long before decryption becomes feasible.

Does post-quantum migration mean buying new hardware?

Not entirely, but hardware matters. Much of the change arrives through vendor software and firmware updates, yet larger PQC keys perform best on modern CPUs and HSMs, and end-of-life kit often never receives quantum-safe firmware. Aligning migration with planned server and storage refreshes, and specifying crypto-agile platforms, is the most cost-effective route.

Related

Got a question this article didn't answer?

One conversation with an engineer who's done this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111