Q-Day Just Got Closer: What Recent Quantum Breakthroughs Mean for Your Industry
Interlynk
Earlier this year, Google set an internal deadline of 2029 to complete its post-quantum cryptography migration. The announcement came from Google's VP of Security Engineering and a senior cryptography engineer. It was not a research roadmap or an aspirational statement. It was a deadline, and it was set earlier than Google had ever publicly committed to before.
Later that spring, in May 2026, the US Department of Commerce awarded $2 billion to American quantum computing firms. IBM received $1 billion to fund construction of the country's first dedicated quantum chip foundry, called Anderon. IBM's shares rose 12% on the day. The company committed a separate $1 billion of its own. When a government commits that kind of capital with that urgency, the technology in question is no longer speculative.
The relevance of these two events depends on your industry. But across financial services, critical infrastructure, and medical devices, the same underlying fact holds. The cryptographic controls protecting your systems, your data, and your customers are almost all based on RSA, elliptic curve cryptography, or Diffie-Hellman key exchange. Every one of those is mathematically vulnerable to a sufficiently powerful quantum computer. The question is no longer whether that vulnerability will be exploited. It is whether your systems will still be running the same cryptography when it is.
Three Technical Breakthroughs
Three concrete technical developments have each independently moved the estimated timeline for a Cryptographically Relevant Quantum Computer (CRQC) earlier. None of them are theoretical.
Google's Willow chip crossed a threshold researchers had been targeting for 30 years. In December 2024, Google Quantum AI published results in Nature showing that its 105-qubit Willow processor had demonstrated below-threshold error correction for the first time. Below this threshold, adding more physical qubits reduces error rates rather than compounding them. Every previous attempt had made error rates worse as systems grew larger. This reversal is the fundamental prerequisite for scaling to the qubit counts required to run Shor's algorithm against real cryptographic keys. The logical qubit lifetime in the Willow system exceeded the best physical qubit by a factor of 2.0, the first time a quantum memory had crossed that breakeven point. In January 2026, Google published follow-on research introducing dynamic surface codes, further extending the error correction capabilities of the Willow architecture.
IBM's Quantum Loon completed the hardware picture for fault-tolerant computing. In November 2025, IBM announced its Quantum Loon processor, integrating all the key hardware components needed for fault-tolerant quantum computing for the first time. Alongside Loon, IBM demonstrated a new error correction decoder achieving a 10x speedup over the previous leading approach, delivered a full year ahead of IBM's own published roadmap. IBM's roadmap targets quantum advantage by end of 2026, fault-tolerant quantum computing with Starling by 2029, and has intermediate milestones in Kookaburra (2026) and Cockatoo (2027). The company's shift to 300mm wafer fabrication for quantum chips doubled development speed while increasing chip complexity by 10x.
The resource estimates for breaking RSA dropped by 20 times in a single paper. In May 2025, Google Quantum AI researcher Craig Gidney published a paper showing that RSA-2048 could be factored with fewer than one million physical qubits running for approximately one week. The previous best estimate, which Gidney himself had published in 2019, required roughly 20 million qubits. Building on foundational 2024 work, a paper by Chevignard, Fouque, and Schrottenloher at CRYPTO 2025 reduced the logical qubit count for the same task to approximately 1,730 by introducing approximate modular arithmetic techniques. A third line of research from Google Quantum AI demonstrated similar reductions for elliptic curve cryptography, which protects most digital signatures and payment systems. Google's security team cited all three papers directly as the reason for moving the 2029 migration deadline.
These three developments explain why the organizations closest to the technology are not waiting for a CRQC to exist before migrating. For many systems, emergency migration is not possible. The cost of waiting until the threat is confirmed is a migration that cannot be executed on any reasonable timeline.
2029 is The New 2035
NIST's transition roadmap designates 2035 as the date by which CRQC-vulnerable asymmetric cryptographic algorithms will be classified as Disallowed. Most organizations are treating this as their planning horizon. That reasoning fails on two counts that apply across every industry.
The harvest-now, decrypt-later attack is already underway.
A CRQC is not needed to begin the attack. It is only needed to complete it. Nation-state actors are capturing and storing encrypted data today, at scale, with the expectation of decrypting it once quantum compute capability is available. Financial transaction records, patient data, industrial control system communications, intellectual property transmitted over encrypted channels: any of this captured now can be decrypted later. The 2035 deadline does not protect data being collected today.
System lifespans create a fixed migration problem.
In financial services, core banking systems and payment infrastructure run for decades. In critical infrastructure, operational technology controlling power grids, water systems, and pipelines has operational lifespans of 20 to 30 years. In medical devices, implantable and capital equipment routinely stays in service for 10 to 15 years after clearance. A system deployed in 2026 using RSA for authentication, which most do, and exposed to a CRQC arriving between 2029 and 2035, is cryptographically vulnerable for the remainder of its operational life. Unlike desktop software, these systems cannot be patched on a quarterly release cycle. In many cases, they cannot be patched at all without significant cost, downtime, or regulatory process.
Google set 2029 as its deadline because it has the engineering resources to execute a migration on that timeline and wants to be done before the threat window opens. Every organization should be asking what its equivalent deadline is, not what the regulatory minimum requires, but what the threat timeline actually demands.
The Regulatory Picture
The regulatory environment around post-quantum cryptography has shifted substantially in the past 18 months, and it has shifted in the same direction across every major jurisdiction: earlier and more binding.
NIST published its first final PQC standards in August 2024. FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, a hash-based alternative to lattice schemes) are now finalized. A fifth quantum-safe algorithm, HQC, was selected in March 2025 as a code-based backup to the lattice-based primary standards. As of early 2026, Android 17 has integrated ML-DSA for digital signature protection, making NIST's post-quantum standards production-deployed in consumer devices at scale.
The NSA moved its CNSA 2.0 deadline forward. The Commercial National Security Algorithm Suite 2.0, which requires all-post-quantum algorithms for national security applications, maintains its original final enforcement deadline 31, 2031. New National Security Systems must be quantum-safe by January 2027. For organizations supplying federal agencies including the VA, DoD, and federal financial regulators, these deadlines are already active.
Executive Order 14144 (issued January 2025, amended in June 2025), requires the federal government to maintain a list of product categories where PQC-capable products are widely available by December 2025, and mandates TLS 1.3 support by January 2030. TLS 1.3 is the only version of TLS that will incorporate PQC algorithms. Earlier versions will not be updated.
The EU Cyber Resilience Act is moving toward a Quantum-Safe-by-Design framework. The coordinated implementation roadmap calls for high-risk use cases to complete PQC migration by 2030, with broad adoption by 2035. For organizations with EU market exposure across any regulated sector, this creates a parallel compliance obligation running ahead of the US federal designation.
Sector-specific regulators are following suit. In financial services, the Basel Committee on Banking Supervision and several national banking regulators have issued guidance requiring institutions to assess their quantum exposure as part of operational risk management. In critical infrastructure, sector-specific cybersecurity directives from federal agencies are increasingly referencing PQC migration as an expected control. In medical devices, FDA's June 2025 premarket guidance explicitly addresses cryptographic algorithm selection and recommends against algorithms heading toward Disallowed status.
Three Industries, Three Risk Profiles
The quantum threat is universal but the risk profile in each industry is shaped by different factors. Understanding the specifics matters for prioritizing migration work.
Financial Services
Financial institutions carry the longest tail of sensitive data. Transaction records, account histories, customer identity data, and trading information have value that does not expire. A record encrypted today and decrypted in 2031 is still a breach with real consequences, regulatory exposure, and litigation risk. The harvest-now-decrypt-later attack is most acutely damaging in financial services because the data being harvested today has long-term economic and legal value.
Beyond data, financial institutions run settlement infrastructure, payment networks, and interbank communication systems where authentication and non-repudiation are load-bearing. A compromise of digital signatures in a payment clearing system does not produce a data breach. It produces fraudulent transactions. The consequence is operational, not just reputational.
Core banking system replacement cycles run 10 to 15 years. Payment infrastructure longer. The institutions that begin PQC assessment and migration planning now will be in orderly migration by 2031. The institutions that wait for a regulatory mandate will be migrating under pressure, at the same time as everyone else, competing for the same scarce cryptographic engineering expertise.
Critical Infrastructure
Operational technology in power generation, water treatment, oil and gas, and transportation was not designed with cryptographic agility in mind. Many OT systems run proprietary protocols. Some run no encryption at all, relying on air-gap or physical security assumptions that have eroded as connectivity has expanded. For those that do run cryptographic controls, the firmware update process is often manual, infrequent, and requires significant operational coordination.
The threat profile for critical infrastructure is different from financial services. The primary concern is not data confidentiality. It is the integrity and availability of control systems. A compromised software update signature on a power grid control system does not leak records. It delivers malicious firmware to equipment controlling physical processes. The blast radius of a successful attack against critical infrastructure authentication is measured in physical consequences, not records exposed.
Critical infrastructure operators also face a coordination challenge that financial institutions largely do not. A bank can migrate its own systems on its own timeline. A power grid interconnects with dozens of other operators, utilities, and control systems, each with their own update cycles and cryptographic dependencies. Migration requires coordinated planning across the ecosystem, not just within a single organization.
Medical Devices
Medical devices face the migration challenge in its most constrained form. The regulatory pathway for changing cryptographic controls in a cleared device is not a software patch process. Under FDA's QMSR framework, a cryptographic change is a design change, and design changes require documented justification, updated risk analysis, and depending on the significance of the change, a new premarket submission. The regulatory cost of migration for a device not designed for crypto-agility can exceed the engineering cost.
For implantable devices, the constraint is more absolute. An implantable cardiac monitor or neurostimulator cannot receive a firmware update without a clinical procedure or a programmer device in physical proximity. Cryptographic migration for devices already implanted in patients may not be practically achievable at all for some device generations.
The consequence is that decisions made today during device design determine what migration options will exist in 2031. A device designed with a configurable cryptographic layer costs marginally more to build. A device with hardcoded RSA in firmware costs significantly more to migrate, if migration is possible, and may face a product discontinuation decision instead.
Quantum Research Pipeline
Quantum factoring resource estimates. The trajectory of resource estimates for breaking RSA has moved consistently downward since 2019. The 2021 state of the art required roughly 20 million physical qubits. Craig Gidney's May 2025 paper brought that below one million. Chevignard, Fouque, and Schrottenloher's CRYPTO 2025 work showed the logical qubit requirement dropping to approximately 1,730. These are not the same number expressed differently: logical qubits and physical qubits relate through error correction overhead, and that overhead is itself shrinking as error correction improves. Organizations whose threat models are based on resource estimates from 2022 or 2023 are working from numbers that have been materially revised.
Error correction scaling. IBM's published roadmap targets quantum advantage by end of 2026 with Nighthawk-class processors, and fault-tolerant quantum computing by 2029 with Starling. Fault tolerance is the prerequisite for the qubit counts required to run Shor's algorithm at cryptographically meaningful scale. Published roadmaps show processor gate counts reaching 15,000 two-qubit gates supported by 1,000 or more connected qubits in the 2027 to 2028 timeframe. Google's dynamic surface code research published in early 2026 continues to extend what is achievable in error correction without increasing physical qubit requirements.
Post-quantum algorithm robustness. The current NIST FIPS standards are based on lattice problems and hash functions rather than the integer factorization and discrete logarithm problems underlying RSA and ECC. Active research continues on the security proofs for these algorithms. One candidate algorithm in an earlier NIST standardization round was broken using classical computation. The current standards are considered robust, but the research community continues to evaluate them. The selection of HQC, a code-based algorithm, as a fifth standard reflects a deliberate hedge against lattice weaknesses being discovered.
Crypto-agility architecture. The security research community is developing frameworks that allow cryptographic algorithm substitution without full system redesign. Systems built with crypto-agility today have a fundamentally different migration profile than systems where cryptographic implementations are tightly coupled to hardware or application logic. This applies in every sector.
What Leaders Should Do Right Now
The specific actions differ by industry but the sequence is consistent across all three.
Start with a cryptographic inventory. Before any migration work, you need to know what cryptographic controls are in use across your systems and products. Which systems use RSA, which use ECC, which use Diffie-Hellman, and for what purpose: authentication, encryption, data signing, firmware update verification. That inventory does not exist in most organizations today. Building it is the prerequisite for every other decision.
Stratify by risk. Not all systems face the same urgency. Systems with long operational lifespans, systems handling long-lived sensitive data, systems with constrained update mechanisms, and systems supplying federal or regulated customers all face higher urgency. In financial services, prioritize payment infrastructure and long-term data stores. In critical infrastructure, prioritize authentication and firmware update mechanisms in OT systems. In medical devices, prioritize devices with long expected service lives and limited update pathways.
Design new systems for crypto-agility from the start. For systems in active development, the architectural decision is how hard it would be to swap out cryptographic primitives. Abstracting cryptographic implementations into configurable layers rather than hardcoding them into application logic or firmware is not a large engineering investment at design time. It is an expensive retrofit after deployment. This applies equally to a core banking system, a grid management platform, and a medical device.
Understand the migration cost before it becomes urgent. In financial services, that means understanding which systems require vendor coordination and which can be migrated independently. In critical infrastructure, it means mapping ecosystem dependencies and understanding which migrations require coordinated downtime. In medical devices, it means determining now whether a cryptographic update constitutes a design change requiring a premarket submission.
Engage your supply chain. Third-party components across every industry have their own cryptographic dependencies and migration timelines. A system with PQC-capable application code communicating with a third-party backend running RSA-2048 is not a PQC-ready system. The software bill of materials is the starting point for supply chain PQC analysis.
Treat harvest-now-decrypt-later as a current threat. The data your systems are encrypting and transmitting today can be captured now and decrypted later. For financial institutions, that is transaction and customer data. For critical infrastructure operators, that is control system communications and operational parameters. For medical device manufacturers, that is patient data and device telemetry. Migrating long-lived sensitive data stores to PQC-compatible encryption is a near-term action in every sector.
Start the regulatory conversation before it starts for you. In financial services, engage your primary regulator on your PQC assessment timeline before they ask for it. In critical infrastructure, engage with CISA's sector-specific guidance and the relevant sector risk management agency. In medical devices, use the FDA Q-submission process to discuss cryptographic migration approaches before they become a submission question. Regulators across all three sectors are paying attention. Being ahead of that conversation is a meaningfully better position than being reactive to it.
The SBOM Connection
Across all three industries, the cryptographic inventory required for PQC migration is, at its core, a specialized view of the software bill of materials: which components contain cryptographic implementations, what algorithms those implementations use, and what the migration dependencies are.
An SBOM that captures component names and versions without cryptographic metadata is insufficient for PQC planning. The MITRE April 2026 report on cybersecurity risk for medical devices referenced automated cryptographic discovery and inventory (ACDI) tools as a recognized approach, while noting that current tools are oriented toward general enterprise IT and are not validated for OT environments, medical device software, or long-lived financial infrastructure.
That gap needs to close across all three sectors before the regulatory and threat timelines force the work to happen under pressure.
Where Things Stand
Two significant things happened in the first five months of 2026. Google, which runs its own quantum computing research division, set a 2029 internal migration deadline rather than waiting for clearer threat visibility. The US government committed $2 billion to quantum computing infrastructure, with IBM receiving half to build the country's first dedicated quantum chip foundry.
Neither is speculative. The quantum threat timeline has not moved from theoretical to definite. But it has moved from comfortably distant to within the operational horizon of decisions being made today.
The decisions being made now about system architecture, cryptographic implementation, and software supply chain completeness are the decisions that will determine what migration looks like in 2029, 2031, and 2035. Starting that work now, from a position of planning, is a fundamentally different situation than starting it in 2030 because a deadline has arrived.
The window for orderly preparation is open. It will not stay open indefinitely.
Interlynk builds software supply chain security infrastructure for organizations navigating post-quantum cryptography requirements across regulated industries. If you are working through cryptographic inventory or software bill of materials completeness for your systems or products, book a demo or explore our open-source toolset.
Interlynk Inc. · interlynk.io · 2026