Compliance & timelines
PQC deadlines in 2029 and beyond: what CISOs should track
Google and Cloudflare moved internal post-quantum readiness targets to 2029 — roughly five years sooner than prior plans. Federal and industry frameworks already set migration clocks. Your inventory must map to the deadlines auditors track.
Why industry timelines accelerated
In early 2026, Google and Cloudflare announced 2029 targets for full post-quantum security — including authentication, not just hybrid key exchange. The shift reflects new research suggesting ECC-256 may fall before RSA-2048 on accelerated hardware timelines.
Most experts still doubt a CRQC arrives by 2029. Treat the acceleration as a planning signal: migration is multi-year work across TLS, code signing, VPNs, and vendor dependencies. Waiting for certainty means starting too late.
Framework deadline matrix
FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA) are available now — migration can start immediately. PCI-DSS 4.0 emphasizes crypto agility for payment environments. CMMC 2.0 drives defense contractors toward inventory evidence by 2026–2030.
NIST IR 8547 sets 2030 transition guidance. CNSA 2.0 tiers national security systems through 2030–2033. NSM-10 mandates federal migration away from quantum-vulnerable algorithms by 2035. HIPAA and EU CRA add sector-specific pressure.
ECC may break before RSA
For years, RSA-2048 was the headline benchmark for Q-Day planning. Recent research from Google, Oratomic, and Alice & Bob suggests ECC-256 — widely used in TLS, VPNs, and cryptocurrencies — may be vulnerable on an earlier timeline for offline retrospective attacks.
That changes prioritization: authentication and certificate infrastructure may need attention before bulk RSA migration. Inventory must tag both algorithm families, not assume RSA is always first.
A 90-day action checklist
Days 1–30: Run baseline cryptographic inventory on external TLS and critical SaaS dependencies. Export a CycloneDX CBOM and map findings to your active frameworks.
Days 31–60: Prioritize by deadline tier and data shelf-life. Identify owners for top findings. Schedule re-scans aligned to your change cadence.
Days 61–90: Pilot hybrid TLS on non-production paths. Attach re-scan proof to remediation items. Pitch Monitor before the next board cycle — one scan satisfies this quarter's slide; it does not catch drift.
Continue on the Q-Day hub: Compliance deadlines guide
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-03
- Google bumps up Q Day deadline to 2029Ars Technica · 2026-03Coverage of Google's accelerated 2029 post-quantum readiness target and industry timeline shift.
- Cloudflare targets 2029 for full post-quantum securityCloudflare · 2026Cloudflare's accelerated PQ roadmap including post-quantum authentication milestones.
- NIST IR 8547: Transition to Post-Quantum Cryptography StandardsNIST · 2024Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- Q-Day: Accelerated Timeline Across Wider Attack SurfaceQuantum Computing Report · 2026-04Research summary on ECC-256 potentially breaking before RSA-2048 on accelerated timelines.
- Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)NSA · 2022NSA migration tiers for national security systems through 2030–2033.
- National Security Memorandum on Post-Quantum Cryptography (NSM-10)White House · 2022-05Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
See your exposure with evidence
Run a live PQC inventory scan, export a CBOM, and verify signed reports independently.