Q-Day and Quantageddon: Post-Quantum Cryptography Can't Wait

For years the quantum computing debate has been framed as a clash between two extremes: imminent apocalypse on one side, and the idea that there's nothing to worry about for at least a couple of decades on the other. Both positions are misleading. The point is not to predict precisely the day a quantum computer will compromise today's most widely used algorithms. The point is to understand when an organization must start moving.

NIST, meanwhile, has already published the first final post-quantum cryptography standards and is urging organizations to begin the transition immediately.

The Q-Day rule: when your margin hits zero

There is a decision rule, formulated by cryptographer Michele Mosca, that translates this risk into an inequality. Its best-known form is:

x + y > Q

x = security shelf-life — how long data, keys or signatures must remain trustworthy

y = time needed to complete the migration

Q = estimated time before the arrival of cryptographically relevant quantum capability

The reading is straightforward: if the time your data must stay secure, plus the time you need to migrate, exceeds the time remaining before the threat, then you are already in the risk zone. Not because quantum is breaking your systems today, but because your operational margin has already been consumed.

This framing is referenced in numerous educational materials and technical slides, including the calendar format "current year + Q − x − y" used to translate the reasoning into a transition start date.

Figure 1 — Practical interpretation of the Q-Day rule: risk emerges when the security shelf-life (x) plus migration time (y) exceeds the time remaining before a credible quantum threat (Q).

TODAY

Q-DAY

x (secrets)

y (migration)

⚠ RISK

From prediction to planning

This rule's real value lies here: it shifts the discussion from prediction to planning. An organization doesn't need to know exactly when the first quantum computer capable of breaking RSA or ECC at useful scale will arrive. It needs to know how long it takes to:

inventory where vulnerable cryptography is used;
identify which data has a long shelf-life;
replace algorithms, libraries, protocols, certificates, devices and processes;
manage legacy environments that can't be updated in a few months.

This is the point many organizations underestimate. Cryptographic migration is not a simple software update. It involves PKI infrastructure, key management, network protocols, embedded systems, third-party interfaces, compliance and operational validation. That's why NIST has also published specific transition guidance, emphasizing the need for realistic, coordinated roadmaps.

Harvest now, decrypt later: the risk that's already here

There is a second element, often more concrete than the "Q-Day" risk: the harvest now, decrypt later model. An attacker can intercept encrypted data today and store it, waiting for future technology to decrypt it.

This means that data with long-term value should not be assessed solely based on current security, but also on its future exposure. If information must remain confidential for ten years, and migration takes four or five years, the math gets very tight very quickly.

The key point

Data intercepted today with classical encryption can be decrypted tomorrow with quantum capabilities. The damage isn't future: the exposure is already underway.

What to do now: classify, prioritize, design

From an operational standpoint, the Q-Day rule doesn't say "everyone rush to change everything tomorrow." It says something more useful: start now to classify, prioritize and design. The post-quantum transition should be approached as a transformation program, not an emergency reaction.

NIST has already standardized ML-KEM, ML-DSA and SLH-DSA as the first main references, and is continuing work on additional algorithms, including HQC as a backup algorithm for encryption. This makes the topic no longer theoretical, but concretely embedded in technology roadmaps.

NIST Standard	Type	Status
ML-KEM (FIPS 203)	Key Encapsulation	Final
ML-DSA (FIPS 204)	Digital Signature	Final
SLH-DSA (FIPS 205)	Digital Signature	Final
HQC	Key Encapsulation (backup)	In progress

Q-Day through an ISMS lens

Cryptography is not an isolated topic: it is a security control governed within an Information Security Management System. For organizations certified — or working towards — ISO/IEC 27001, the post-quantum transition fits naturally into the processes already required by the standard.

Clause / Control	Implication for PQC transition
A.8.24 — Use of cryptography	The cryptographic policy must be updated to include an assessment of quantum-vulnerable algorithms and a migration plan toward post-quantum algorithms.
Clause 6.1 — Risk assessment	The "harvest now, decrypt later" risk must be recorded in the risk register, with an impact assessment on long-retention data.
Clause 8.1 — Operational planning	Cryptographic migration is an operational plan that must be governed like any other change within the ISMS scope: resources, timelines, responsibilities.
Clause 10.1 — Continual improvement	The PQC transition is a concrete case of continual improvement driven by the evolution of threats and the publication of new standards.

Warning

An ISMS that has not yet inventoried its post-quantum cryptographic exposure has a gap in its risk assessment. This is not a future threat: it is a gap that already exists in the current risk evaluation.

The PQC transition is not just an IT project. It is an update to the organization's security posture, and as such it must be managed within the ISMS lifecycle.

Conclusion

The problem is not guessing the exact year of Quantageddon. The problem is being ready before that breakthrough makes the change too costly, too slow, or too late. The Q-Day rule doesn't predict the future — it prevents using it as an excuse not to plan the present.

Want to know if your organization is already in the risk zone?

We can help you map your cryptographic exposure and design a post-quantum transition roadmap.