The encryption protecting your most sensitive data has an expiry date, and adversaries have already started the countdown. "Harvest now, decrypt later" means data you send today can be quietly collected and stored until a quantum computer can crack it — so anything that must stay secret into the 2030s is exposed right now, not in some distant future. With NIST's post-quantum cryptography standards finalised and the UK's NCSC setting a hard 2035 migration deadline, the decision facing every UK risk owner in 2026 is simple: inventory your cryptography and build a migration plan, or accept that some of your data is being harvested unprotected.
What 'harvest now, decrypt later' actually means
Harvest now, decrypt later (HNDL) — sometimes called store now, decrypt later — is not a hypothetical. Adversaries, particularly well-resourced nation states, intercept and archive encrypted traffic and stored data today, betting that a future cryptographically relevant quantum computer (CRQC) will let them decrypt it retrospectively. The encryption looks unbroken now, which is exactly why the risk is invisible until it is too late.
The key insight comes from cryptographer Michele Mosca, whose simple inequality frames the whole problem. If X is the number of years your data must stay confidential, Y is the number of years it will take you to migrate your systems to quantum-safe cryptography, and Z is the number of years until a CRQC exists, then whenever X + Y > Z you already have a problem. Data with a long shelf life plus a slow migration can breach the quantum horizon even if that horizon is a decade away.
In other words, the trigger date is not when quantum computers arrive. It is today, for any data whose sensitivity outlives the migration timeline. That reframes post-quantum cryptography from a future IT upgrade into a present-day cyber security decision.
The standards are finished — this is now a migration problem, not a research one
On 13 August 2024, NIST published the first three finalised post-quantum encryption standards, ending an eight-year global competition. FIPS 203 defines ML-KEM (derived from CRYSTALS-Kyber) for key establishment — the replacement for RSA and elliptic-curve key exchange. FIPS 204 defines ML-DSA (from CRYSTALS-Dilithium) and FIPS 205 defines the hash-based SLH-DSA, both for digital signatures. In March 2025 NIST added a fifth algorithm, HQC, as a code-based backup for ML-KEM built on different mathematics, with a draft standard expected in 2027. A fourth signature standard, FN-DSA (FIPS 206, from Falcon), reached draft in late 2025.
The significance is that the excuse of 'the standards aren't ready' has expired. NIST's transition roadmap, draft IR 8547, spells out the consequences: quantum-vulnerable algorithms — RSA, ECDSA, ECDH, DSA and finite-field Diffie-Hellman — are set to be deprecated after 2030 and disallowed after 2035 in systems that follow NIST standards. For UK organisations in regulated supply chains, that is a compliance clock, not a suggestion.
Because so much of the world's cryptography is embedded in commodity software, browsers, TLS libraries and hardware security modules, a large part of the migration will arrive through vendor updates. But bespoke systems, industrial control systems, long-lived firmware and anything with hard-coded certificates will not fix themselves — and those are precisely the systems that protect the highest-value data.
The UK deadline: NCSC's three phases to 2035
In March 2025 the UK's National Cyber Security Centre published 'Timelines for migration to post-quantum cryptography', giving Britain one of the clearest national roadmaps in the world. It is aimed squarely at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure including industrial control systems, and firms running bespoke IT. Smaller businesses on standard commodity software should largely be carried by their vendors.
The guidance breaks the journey into three dated phases. By 2028, you should have defined your migration goals, completed a full discovery exercise, and built an initial plan covering your whole estate. By 2031, you should have carried out your earliest, highest-priority migrations and refined that plan into a thorough roadmap. By 2035, migration to PQC of all your systems, services and products should be complete.
NCSC chose 2035 deliberately: it judged ten years enough for a rich set of standards to mature, for a product ecosystem to appear, and for adoption to become widespread. That sounds generous until you realise phase one — knowing what cryptography you even have — is due in barely two years. The roadmap below shows how these UK milestones interleave with NIST's deprecation dates.
When does the quantum threat become real?
Nobody can give a precise date for a cryptographically relevant quantum computer, and any article that claims to is guessing. The most credible ongoing measure is the Global Risk Institute's Quantum Threat Timeline Report, an annual survey of quantum-computing experts run with evolutionQ. Its 2025 edition — the seventh — records the most aggressive estimates in its history.
Read carefully, the surveyed experts put roughly a 5-14% chance (about one-in-ten) on a CRQC capable of breaking RSA-2048 within about five years, and around a 50% likelihood within ten to fifteen years — figures that should be treated as indicative expert opinion rather than hard forecasts. The report's authors, Michele Mosca and Marco Piani, note that the averaged expert estimate of a CRQC within a decade now sits somewhere between 28% and 49%, the highest ten-year figure the survey has ever produced.
A better-than-one-in-four chance of catastrophic cryptographic failure inside a decade is not a risk any board would knowingly accept for its crown-jewel data. And crucially, you do not need to believe the earliest estimates to act — the HNDL model means the harvesting is happening now regardless of when decryption becomes possible.
The readiness gap: why 2026 is the year to inventory
The uncomfortable truth is that most organisations are nowhere near ready. ISACA's 2025 survey of more than 2,600 digital-trust professionals found that 95% of organisations have no quantum-computing roadmap at all, only 5% treat it as a near-term high priority, and 62% are worried that quantum will break today's encryption before PQC is fully deployed. IBM's Quantum-Safe Readiness Index scored the average organisation at just 25 out of 100 in 2025.
That gap is the argument for treating 2026 as inventory year. You cannot migrate cryptography you cannot see, and almost every organisation underestimates how much it has: TLS certificates, VPNs, code-signing keys, database encryption, hardware security modules, embedded device firmware, and third-party integrations that quietly rely on RSA or ECC. A cryptographic bill of materials (CBOM) turns that invisible sprawl into a managed asset register — and it is the single deliverable NCSC expects you to have well before 2028.
Crypto-agility — the ability to swap algorithms without re-architecting systems — is the strategic goal. But it starts unglamorously, with discovery. The roadmap chart above maps the discovery-to-migration path onto NCSC's phases so risk owners can see where the effort lands. Fold this into your existing cyber security programme rather than running it as a separate quantum project; the disciplines of asset inventory, prioritisation and phased rollout are ones your security team already knows.
Which of your data is actually at risk?
Not all data carries the same HNDL exposure, and pretending it does wastes effort. The right lens is Mosca's inequality applied per data class: how long must this stay secret, and does that shelf life plus migration time cross the quantum horizon? Anything that must remain confidential beyond roughly 2030-2035 is a candidate for harvesting today.
UK retention rules make the long-lived categories concrete. NHS records can be held for a patient's lifetime, with hospital records kept at least eight years after last treatment and children's records until age 25; genomic and clinical-trial data can stay sensitive for a lifetime. Government and public records fall under the Public Records Act's 20-year rule, and defence or intelligence material can carry strategic value for decades. Financial and legal records must be kept six years under HMRC rules, and their sensitivity often outlasts that. Intellectual property, source code and R&D can be commercially damaging for fifteen years or more.
At the low-risk end sit ephemeral secrets — session tokens, short-lived operational data — whose value evaporates long before any quantum computer could decrypt them. The risk matrix below plots these classes against shelf life so you can prioritise. If you hold long-lived data on systems approaching a hardware refresh, that overlap is also your opportunity: migrating storage and servers nearing end of life is the natural moment to design in crypto-agility.
The UK buyer's angle: hardware, legacy risk and budget
Post-quantum migration is not only a software patch — it has a hardware and lifecycle dimension that IT buyers should plan for now. Newer processors and HSMs accelerate the larger PQC keys and signatures far more comfortably than ageing kit, and vendor firmware for quantum-safe algorithms increasingly targets current generations. When you specify a refresh, treat crypto-agility as a requirement: choose platforms with updatable firmware and TPMs, and capture it in your server configuration so it is not an afterthought.
Legacy systems are where HNDL risk concentrates. Kit that is past vendor support rarely receives PQC firmware, yet it often guards exactly the long-lived data adversaries want. Mapping your estate against server end-of-life and storage end-of-life dates tells you which assets can be upgraded in place and which must be replaced or ring-fenced. Where you need to keep an unsupported platform running securely through the migration window, third-party maintenance can bridge the gap without forcing a rushed rip-and-replace, and quality refurbished servers can stand up crypto-agile capacity affordably.
Finally, budget it. A migration spanning 2026-2035 is a multi-year capital and operational commitment, and spreading it across refresh cycles is far cheaper than an emergency scramble after a CRQC breakthrough. Modelling the phased spend with an IT finance calculator lets you align PQC readiness with the hardware refreshes you were going to make anyway — turning a compliance obligation into a planned, financeable programme rather than a shock. Baking quantum-safe requirements into your next procurement is the cheapest migration step you will ever take.
Sources
Every figure in this article is drawn from primary sources published by NIST, the NCSC, the Global Risk Institute, ISACA and UK government bodies. Quantum-computer probability figures are indicative expert survey opinion, not forecasts.
- •NIST — NIST Releases First 3 Finalized Post-Quantum Encryption Standards: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
- •NIST — NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption: https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption
- •NIST — IR 8547 (ipd), Transition to Post-Quantum Cryptography Standards: https://csrc.nist.gov/pubs/ir/8547/ipd
- •NCSC — Timelines for migration to post-quantum cryptography: https://www.ncsc.gov.uk/guidance/pqc-migration-timelines
- •Global Risk Institute — Quantum Threat Timeline Report 2025: https://globalriskinstitute.org/publication/quantum-threat-timeline-report-2025b/
- •ISACA — Organizations Lack a Quantum Computing Roadmap, ISACA Finds: https://www.isaca.org/about-us/newsroom/press-releases/2025/organizations-lack-a-quantum-computing-roadmap-isaca-finds
- •NHS England — Records Retention and Disposal Schedule: https://www.england.nhs.uk/wp-content/uploads/2024/03/20240111-NHSE-Records-Retention-Schedule.pdf
- •GOV.UK — Twenty-year rule on public records: https://www.gov.uk/government/publications/twenty-year-rule-on-public-records
