For most executives, quantum computing still sits comfortably in the category of future disruption. Q-day, the moment when traditional encryption methods are rendered useless by quantum advances, is something important and inevitable, but still relatively distant.
A Wednesday (March 25) report from Google is throwing those assumptions out the window. The tech giant is now suggesting that if firms don’t migrate their data over to PQC (post-quantum cryptography) in the next three years, by 2029, they’ll be exposed to one of the most existential threats in 21st century business history.
“This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” wrote Google’s researchers.
Essentially, the company is arguing that the timeline for risk exposure has already started. Data captured in 2026 and earlier may be compromised years later, regardless of whether systems were “secure” at the time of transmission.
The subtle but critical shift for enterprise leaders is this: The Q-Day threat is no longer defined by when quantum computers arrive, but by how long it could take to prepare for them.
And preparation, in this case, is not incremental. It is structural.
Advertisement: Scroll to Continue
See also: How the Math Powering Payments Adds Up in the Quantum Era
Data Risk Accumulates in Silence
For finance teams, the implication is that Q-Day is not a singular event but a migration challenge.
Replacing cryptographic systems is a multiyear effort. It requires identifying where encryption is used, updating software dependencies, coordinating with vendors, and ensuring systems remain operational throughout the transition. Even in well-resourced environments, this process is measured in years.
Encryption is embedded across virtually every layer of operations. It underpins cloud services, financial systems, communications networks, and third-party integrations. It is often entangled with legacy systems that were never designed to be easily modified. In many cases, organizations do not have a complete inventory of where and how cryptography is used.
Google’s own approach underscores this point. The company began preparing for post-quantum cryptography as early as 2016, investing in what it calls “crypto agility” — the ability to update algorithms without disrupting services. That decade-long runway reflects the complexity of real-world migration, not theoretical readiness.
“The time to start thinking about migrating to quantum-resistant methods of encryption is now,” said Professor Scott Aaronson, who recently joined StarkWare as scientific adviser, during a conversation hosted by PYMNTS CEO Karen Webster in February.
In this context, the three-year window being pushed by Google is less about when quantum computers will arrive and more about how long organizations have to begin meaningful migration before their data exposure becomes irreversible.
See also: Preparing for a Quantum and Crypto-Ready Financial Landscape
Slow-Moving Crisis With Fixed Endpoint
One of the more counterintuitive aspects of the current moment is that the technical solution is largely known. The National Institute of Standards and Technology finalized the first set of post-quantum cryptography standards in 2024, providing a clear blueprint for migration.
The bottleneck is execution.
The most useful way to think about quantum risk is not as a technology problem, but as a timing problem. The question is not whether quantum computers will eventually break current encryption, but whether organizations can complete the necessary transition before that happens.
This dynamic is where risk accumulates. Organizations tend to prioritize immediate threats — those that can disrupt operations or impact earnings in the near term. A slow-moving issue with a multiyear horizon struggles to compete for attention, even when its potential impact is significant.
The question is no longer, “When will quantum computers arrive?” It is, “Will the data we generate today still be secure when they do?”
In this sense, quantum readiness becomes a proxy for broader digital maturity. Institutions that can adapt quickly will not only mitigate risk but also gain flexibility in other areas.
The work ahead is neither glamorous nor immediate in its rewards. It involves audits, upgrades, coordination and sustained attention. It competes with other priorities and unfolds over years. But it is precisely this kind of work — quiet, complex, and cumulative — that defines how organizations navigate structural change.
