PQC deadlines in 2029 and beyond
Extended analysis with industry context, action checklists, and Qtangl product tie-ins.
Read blog post →
Compliance
Compliance deadlines
Multiple frameworks set migration clocks. Your inventory must map findings to the deadlines your auditors already track.
Industry acceleration: 2029 planning signal
Google and Cloudflare moved internal full post-quantum readiness — including authentication — to 2029. Federal mandates (NSM-10 by 2035, CNSA 2.0 tiers through 2030–2033) and NIST IR 8547 (2030 guidance) already set clocks. Mid-market teams must map inventory findings to whichever frameworks their auditors enforce.
Federal and defense
NSM-10 mandates federal migration away from quantum-vulnerable algorithms by 2035. CNSA 2.0 sets tiered deadlines for national security systems through 2030–2033. CMMC 2.0 (2026–2030) drives defense contractors and FedRAMP-path SaaS toward crypto inventory evidence for Level 2 audits.
Industry frameworks
PCI-DSS 4.0 emphasizes crypto agility for payment environments. NIST IR 8547 provides transition guidance for federal and regulated-adjacent organizations. HIPAA and EU CRA add sector-specific pressure for healthcare payers and med-tech vendors.
ECC may break before RSA
Recent research suggests ECC-256 — widely used in TLS and VPNs — may fall on an earlier timeline than RSA-2048 for offline retrospective attacks. Inventory must tag both algorithm families and prioritize authentication infrastructure, not assume RSA migration comes first.
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-03
- NIST IR 8547: Transition to Post-Quantum Cryptography StandardsNIST · 2024Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)NSA · 2022NSA migration tiers for national security systems through 2030–2033.
- National Security Memorandum on Post-Quantum Cryptography (NSM-10)White House · 2022-05Federal mandate requiring migration away from quantum-vulnerable algorithms by 2035.
- Q-Day: Accelerated Timeline Across Wider Attack SurfaceQuantum Computing Report · 2026-04Research summary on ECC-256 potentially breaking before RSA-2048 on accelerated timelines.
- Cloudflare targets 2029 for full post-quantum securityCloudflare · 2026Cloudflare's accelerated PQ roadmap including post-quantum authentication milestones.
Deep dive
Related
What is Q-Day?
When cryptographically relevant quantum computers break today's public-key crypto.
Read guide →
FIPS 203 / 204 / 205
Available now (2024)
ML-KEM, ML-DSA, and SLH-DSA standards published — migration can start.
PCI-DSS 4.0
2025–ongoing
Crypto agility and inventory expectations for payment environments.
CMMC 2.0
2026–2030
Defense contractors need crypto inventory evidence for Level 2 audits.
NIST IR 8547
2030
Transition guidance for federal and regulated-adjacent organizations.
CNSA 2.0
2030–2033
NSA suite migration tiers for national-security systems.
NSM-10
2035
Federal mandate to migrate away from quantum-vulnerable algorithms.