Get Involved
Activities Post‑Quantum Migration: Strategic Imperatives in the 2026–2035 Horizon

Post‑Quantum Migration: Strategic Imperatives in the 2026–2035 Horizon

Articles

March 12, 2026
POSEIDON Article

Recently, the transition to post-quantum cryptography (PQC) has shifted from a theoretical discussion to a mandatory operational requirement. For IT professionals and security specialists, this is no longer a simple "patch-and-restart" cycle; it is a fundamental re-engineering of the trust layers that protect our digital ecosystems.

The POSEIDON project is at the forefront of this transformation. By developing scalable, quantum-resistant tools and practical migration roadmaps, POSEIDON provides the technical foundation needed to secure data in transit and at rest. The project specifically focuses on ensuring that European digital identities—and the critical infrastructure they support—remain resilient against both current "Harvest Now, Decrypt Later" (HNDL) threats and the emerging capabilities of the next generation of quantum processors.

In this article, we analyse the current regulatory deadlines, evaluate the impact of recent quantum research on your infrastructure, and outline the core technical strategies required to maintain institutional trust.

Beyond the Upgrade: PQC as a Systemic Foundation for Digital Trust

Migration to post‑quantum cryptography (PQC) is not a simple key update but a systemic transformation of trust foundations across IT (Information Technology), OT (Operational Technology), and business ecosystems. It spans network protocols, core platforms, embedded systems, and supply chains. In regulated sectors: financial services, insurance, telecommunications, and critical infrastructure, this transition must integrate with DORA, NIS2, CRA, the European Commission’s coordinated roadmaps, and national cybersecurity strategies

Organisations realistically require 5–10 years to complete cryptographic inventorying, architecture modernisation, deployment of hybrid PQC + classical solutions, and replacement of update‑constrained devices (IoT, embedded systems, automotive). This long migration window makes the Harvest Now, Decrypt Later threat immediately relevant, despite practical RSA‑2048 breakage estimates still pointing to the 2030s. 

Shor, Grover, and “Pinnacle”: Scientific Advancements vs. Migration Timelines 

Shor’s algorithm compromises asymmetric cryptography (RSA, ECC) once cryptographically relevant quantum computers accumulate sufficient logical qubits and stability. Grover’s algorithm accelerates brute‑force attacks on symmetric schemes, effectively requiring doubled key lengths (e.g., AES‑256 over AES‑128), but poses far less disruption than Shor. 

Research published in early 2026 demonstrates that the Pinnacle architecture, leveraging QLDPC codes, could theoretically factor RSA‑2048 using ~100,000 physical qubits, albeit requiring weeks of uninterrupted computation (check more here). Importantly, standardisation bodies have not accelerated their official timelines: 

  • NIST finalised FIPS 203/204/205 and designated HQC as a backup KEM, 
    but maintained existing Q‑Day assumptions;
  • The European Commission continues to reference 2030/2035 migration milestones for critical and non‑critical sectors. 

Despite that, the realistic window for orderly, non‑abrupt migration is narrowing. 

Regulatory Landscape: From Compliance to Mandated Phased Migration 

The Commission’s Recommendation of 11 April 2024 and June 2025 coordinated roadmap define a phased European approach: 

  • End‑2025 – national post‑quantum strategies; 
  • 2026 – hybrid PQC pilots in critical infrastructure; 
  • 2030 – full migration (KEMs & signatures) in critical sectors; 
  • 2035 – migration for all other sectors. 

Though non‑statutory, these milestones underpin regulatory obligations embedded in EU-level NIS2, DORA, CRA, DNA, and implemented by national laws:

  • DORA mandates cryptography governance, ICT supply chain oversight, resilience testing, and business continuity planning;
  • NIS2 requires essential/important entities to maintain cryptography policies and secure ICT supply chains;
  • CRA introduces certifiable product security requirements—including cryptographic posture;
  • ENISA EUCC promotes hybrid quantum‑resistant schemes for high‑assurance levels. 

For a number of business sectors cyber resilience is a business imperative: regulators and clients increasingly require proof of operational continuity across entire supply chains. PQC readiness becomes a component of resilience—not simply a cryptographic upgrade. 

HNDL: The Silent Threat Requiring Immediate Mitigation 

Harvest Now, Decrypt Later attacks involve mass interception and storage of encrypted data today, anticipating future quantum decryption. Particularly at risk: 

  • medical records, 
  • financial data, 
  • trade secrets, 
  • long‑term contracts, 
  • legally binding archives requiring decades of integrity. 

The sensitivity of certain types of data, for example personal data, industrial and military secrets to HNDL effectively moves PQC urgency from the 2030s to the present: data confidential in 2026 often retains value into the 2035–2040 period, coinciding with plausible quantum breakthroughs. 

Digital signatures represent a critical vulnerability: after cryptographic breakage, archival documents become editable while retaining valid signatures, undermining legal, financial, and insurance frameworks. 

For enterprises and institutions managing vast portfolios of long‑lived data, HNDL introduces cascading risks, including claims, liabilities, and systemic trust degradation. 

Strategic Implications

Taken together, these factors form a single strategic message: 

Post‑quantum migration is unavoidable. The choice is not whether to migrate, but how:  through controlled transformation, or through crisis‑driven urgency.

Implementation and Beyond

Building a quantum-resilient future is a shared effort that demands precision, persistence, and collaboration. The POSEIDON project is helping to drive Europe’s transition to post-quantum-secure digital identity systems by developing scalable, crypto-agile solutions and easy-to-deploy tools, while contributing to standardisation and future European cybersecurity policy. By prioritising crypto-agility and hybrid deployment models today, IT professionals can meet their obligations under NIS2 and DORA while mitigating the long-term risks of “Harvest Now, Decrypt Later” attacks.

For those responsible for the low-level mathematical implementation or deep architectural audits, we encourage you to explore our Advanced Level resources for a deep dive into lattice-based security and FIPS-standardised algorithms. For regular updates on project milestones, visit our About page, follow our LinkedIn channel, or subscribe to our newsletter to receive the latest PQC migration insights directly in your inbox.

Pawel Kowalik

Pawel Kowalik
Quantum Blockchains

Beginner

Back to Level 1: Post-Quantum Foundations

For users new to PQC or wanting a high-level overview.

Expert

Go to Level 3: Cryptographic Foundations & Security Analysis

For those seeking research outputs, standards, or advanced material.
See also:
POSEIDON Logo
Securing European Digital Identities with Post-Quantum Solutions

contact@poseidon-pqc.eu

Cookies & Privacy Policies Funded by the European Union
Copyright © 2026. All rights reserved.
Navigation
Home About Activities Knowledge Contact

Subscribe to our newsletter

Stay informed by following us on LinkedIn and subscribing to our newsletter.
Privacy*