Q-Day is coming — is your business ready? asks Kirsty Paine, pictured, Field CTO and Strategic Advisor, at the platform Splunk.
Earlier this month, the European Commission unveiled a sweeping strategy to establish the EU as a global leader in quantum technologies by 2030. This initiative spans quantum computing, secure communications, and advanced sensing, signalling that quantum capability is rapidly becoming a geopolitical and cybersecurity priority.
As governments race to invest, businesses must get their heads around a challenge: how do you prepare for a threat that isn’t fully realised yet, but could, in time, theoretically, render many of today’s principal data encryption methods obsolete? While no one can predict exactly when ‘Q Day’ will come, or even if it ever will, the window for calm, strategic preparation is open now.
If there’s a story that mirrors our current situation, it’s Goldilocks and the three bears. The Goldilocks Theory suggests that the sweet spot for quantum preparation lies not in extremes, but in a carefully-calibrated approach (or being “just right”). Overreact, and you risk deploying half-baked cryptographic tools that create more vulnerabilities than they solve. Under-prepare, and you could be at risk of leaving your most sensitive data — intellectual property, financial transactions, citizen records — exposed to future decryption by adversaries already stockpiling encrypted data.
The UK’s National Cyber Security Centre (NCSC) recently laid out a phased approach for organisations to transition to post-quantum cryptography (PQC): begin discovery and planning by 2028, start early migrations by 2031, and complete full adoption by 2035. But as generous as that timeline sounds, many organisations aren’t prepared.
Between science fiction and security strategy
Part of the challenge is perception. Quantum computing is often framed in dramatic sci-fi-esque terms, where a single machine suddenly breaks every digital lock in the world. This kind of narrative doesn’t help. It fuels anxiety, oversimplifies the issue, and distracts from the practical work that must be done now.
The real story is more nuanced. Yes, quantum poses potential threats. No, they are not immediate (in fact, they may never exist). But the data you protect today, if it requires long-term confidentiality, may still be at risk decades from now if intercepted and stored by quantum-capable adversaries. So, what’s the realistic path forward?
Why PQC is the practical choice
When it comes to protecting against future quantum threats, organisations have two main options: quantum key distribution (QKD) and post-quantum cryptography (PQC). While QKD may sound cutting-edge – using quantum physics to securely share encryption keys – its practicality is limited. PQC, on the other hand, is a much more practical choice. It uses algorithms designed to withstand quantum attacks, and can be integrated into existing systems without needing to rebuild everything from scratch. Think of it as upgrading the locks on your house rather than moving to a high-security bunker. It’s scalable, cost-effective, and much closer to implementation today.
Global standards are still taking shape, and organisations should be paying close attention. The National Institute of Standards and Technology (NIST) is leading the effort, having already standardised algorithms like CRYSTALS-Kyber and CRYSTALS-Dilithium as FIPS 203 and FIPS 204, with others, like BIKE or Classic McEliece, still under review. The algorithmic primitives and foundations are in place, but the practical implementation guidelines are still evolving.
What to do today to be prepared for tomorrow
You don’t need a quantum physicist on payroll to get started (luckily…). But you do need a plan. Start by auditing your cryptographic assets. Understand where and how you currently rely on public-key cryptography, and identify the systems and data that require long-term confidentiality or verifiability. These are your priorities.
Next, track standards shaping the post-quantum era, from NIST, the Internet Engineering Task Force (IETF), and ETSI’s Quantum Safe Cryptography Working Group. Their recommendations will guide what “secure” will mean in a post-quantum world. Finally, start improving your crypto hygiene now. Use ephemeral keys, adopt encryption security features such as perfect forward secrecy (PFS), and design your systems with algorithm agility in mind, so you can adapt quickly as standards change. These are practical steps you can take today to future-proof your defences.
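The audit and crypto-hygiene steps above, as an added Python example that is not part of the original article: it classifies each endpoint's TLS key exchange as forward-secret or not and ranks endpoints by how long their data must stay confidential. The inventory, host names, 10-year threshold and scoring rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    tls_version: str            # "1.2" or "1.3"
    cipher_suite: str           # OpenSSL-style suite name
    confidentiality_years: int  # how long the protected data must stay secret

def key_exchange(ep):
    """Return (algorithm, forward_secret) for the endpoint's suite."""
    if ep.tls_version == "1.3":
        # TLS 1.3 certificate handshakes always use ephemeral (EC)DHE.
        return "ECDHE/DHE", True
    prefix = ep.cipher_suite.split("-")[0]
    if prefix in ("ECDHE", "DHE"):
        return prefix, True               # ephemeral keys: forward secrecy
    if prefix in ("ECDH", "DH"):
        return prefix, False              # static Diffie-Hellman
    return "RSA", False                   # no kx prefix: RSA key transport

def triage(inventory, long_term_years=10):
    """Rank endpoints for PQC migration, highest priority first."""
    rows = []
    for ep in inventory:
        kx, pfs = key_exchange(ep)
        findings = []
        if not pfs:
            findings.append("no forward secrecy")
        if ep.confidentiality_years >= long_term_years:
            findings.append("long-term confidentiality")
        # Every key exchange above is classical public-key crypto, so all
        # rows are migration candidates; the score only orders the work.
        # Scoring rule is an assumption: retention years, plus a penalty
        # when one long-lived key protects all recorded sessions.
        score = ep.confidentiality_years + (0 if pfs else long_term_years)
        rows.append((score, ep.name, kx, findings))
    return sorted(rows, reverse=True)

# Constructed sample inventory (hypothetical hosts and retention periods).
INVENTORY = [
    Endpoint("payments-api", "1.3", "TLS_AES_256_GCM_SHA384", 7),
    Endpoint("records-archive", "1.2", "AES256-GCM-SHA384", 25),
    Endpoint("intranet-wiki", "1.2", "ECDHE-RSA-AES128-GCM-SHA256", 1),
    Endpoint("legacy-vpn", "1.2", "DHE-RSA-AES256-SHA", 15),
]

if __name__ == "__main__":
    for score, name, kx, findings in triage(INVENTORY):
        print(f"{score:3d} {name:16s} kx={kx:9s} {', '.join(findings) or 'lower priority'}")
```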
Calm is a strategy
If Y2K taught us anything, it’s that informed, methodical preparation beats panic every time. That deadline was fixed: January 1, 2000. Q-Day is still unknown, making level-headed planning even more important. Quantum computing may feel like a distant threat, but the smart organisations are laying the foundations. The key is balance. So start now, and embrace the Goldilocks Theory. In the end, those who will win will be the ones who time their transition just right.





