The Quantum Cyber Threat is Real: Why PQC Migration Starts Now
Quantum computing is no longer a theoretical concern for cyber security leaders; the risk is now live and represents a structural shift that will render today’s encryption obsolete.
For Australian organisations – particularly those handling sensitive, long-lived data in critical industries – the question is no longer whether to act, but when and how fast.
At the core, the issue is simple.
The encryption standards that underpin digital business – RSA, DH, ECC and other public-key cryptography – will eventually be broken by quantum computers.
While a cryptographically relevant quantum computer (CRQC) may still be years away, the risk is already live and organisations can’t afford to take such a dangerous gamble.
Marc Hocking – Principal Consultant, OneStep Group
The most immediate threat is ‘harvest now, decrypt later’ – where attackers capture encrypted data today and decrypt it once quantum capability matures.
For sectors such as government, utilities, healthcare and financial services, this is critical. Data with a long shelf life – intellectual property, citizen records, infrastructure designs – must remain secure for decades, not years.
This is why a post-quantum cryptography (PQC) plan must now be in place.
“In the world of cyber security, we often talk about ‘Zero-Day’ threats – vulnerabilities that catch us off guard. But the threat posed by quantum computing is a ‘Known Day’. We know it’s coming; we know exactly what it will break and as of 2026, we finally have the roadmap to fight back.”
The Quantum Clock is Ticking
The Australian Signals Directorate (ASD) guidance is clear: organisations should begin planning their PQC transition now.
The clear line in the sand is that businesses should aim to cease the use of traditional asymmetric cryptography by the end of 2030.
But there are several reasons to address the risk early.
Here’s why migration timing matters:
Migration will take years, not months: Cryptography is deeply embedded across applications, networks, certificates and devices. Replacing it is complex and slow.
Timelines are uncertain but accelerating: Predictions for ‘Q-Day’ vary, but some estimates suggest it will arrive within the next decade, with major players already planning transitions by 2029.
Regulatory and sovereign risk is rising: Australia’s cyber agencies are already advising organisations to prepare now, citing both uncertainty and long implementation lead times.
In short, waiting creates a backlog of technical debt and risk exposure that will be far harder – and more expensive – to unwind later.
How to Act and Migrate
PQC migration is not a technology swap; it’s a multi-year transformation of how organisations manage cryptography.
To meet the end of 2030 goal, the ASD recommends a phased approach:
By end of 2026: Have a refined PQC transition plan in place.
By end of 2028: Commence the transition, prioritising critical systems and long-lived sensitive data.
By end of 2030: Complete the full migration to ASD-approved post-quantum algorithms.
The ASD suggests using the LATICE framework to structure the transition:
Locate: Inventory where traditional asymmetric cryptography is used (cloud, apps, OT).
Assess: Identify the value and sensitivity of the data being protected.
Triage: Prioritise systems based on risk and the effort required to update them.
Implement: Patch hardware and software or procure PQC-ready replacements.
Communicate and Educate: Ensure stakeholders understand the impact, from bandwidth changes to new security protocols.
Next Steps
Unlike previous migrations, PQC brings physical changes to data. Post-quantum keys and signatures are significantly larger than their classical counterparts.
This means:
Network Latency: Larger packets can lead to fragmentation or slower handshake times.
Resource Constraints: Older IoT devices or embedded systems might struggle with the increased memory requirements.
The solution for 2026 is Hybridisation. By wrapping a PQC algorithm around a classical one, businesses can access the best of both worlds: protection against today’s hackers and a robust defence against tomorrow’s quantum threats.
While the ASD notes that Hybrid Schemes (combining classical and PQC) can aid interoperability during the transition, the end goal remains a pure post-quantum environment.
Businesses don’t have to boil the ocean today.
Start by building a Cryptographic Bill of Materials (CBOM) – a detailed inventory of cryptographic dependencies.
By following the LATICE phases, organisations can move from ‘watching’ the quantum threat to actively neutralising it.
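The Locate, Assess and Triage steps applied to a CBOM-style inventory, as an added example that is not from the ASD or the original article. The record fields, sample systems, score weights and the 10-year cut-off are assumptions made for illustration.

```python
# Added example: CBOM-style inventory with Locate/Assess/Triage scoring.
# Records, field names and score weights are constructed assumptions.
from dataclasses import dataclass

# Traditional asymmetric families the article names (RSA, DH, ECC).
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA"}
# Uses where traffic captured today can be decrypted later.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}
LONG_LIVED_YEARS = 10  # assumed cut-off for "decades, not years"

@dataclass(frozen=True)
class CryptoAsset:
    system: str
    algorithm: str         # e.g. "RSA-2048", "ECDH-P256", "AES-256"
    use: str               # "key-exchange", "encryption" or "signature"
    shelf_life_years: int  # how long the protected data must stay secret
    effort: int            # 1 = config change ... 5 = hardware replacement

def is_vulnerable(asset: CryptoAsset) -> bool:
    """Locate: flag traditional asymmetric algorithms by family prefix."""
    return asset.algorithm.split("-")[0].upper() in QUANTUM_VULNERABLE

def risk(asset: CryptoAsset) -> int:
    """Assess: weight harvest-now-decrypt-later exposure of long-lived data."""
    if not is_vulnerable(asset):
        return 0
    score = 1
    if asset.use in CONFIDENTIALITY_USES:
        score += 2
        if asset.shelf_life_years >= LONG_LIVED_YEARS:
            score += 2
    return score

def triage(assets):
    """Triage: highest risk first, then lowest migration effort."""
    todo = [a for a in assets if is_vulnerable(a)]
    return sorted(todo, key=lambda a: (-risk(a), a.effort, a.system))

INVENTORY = [  # constructed sample records
    CryptoAsset("code-signing", "RSA-3072", "signature", 0, 3),
    CryptoAsset("scada-vpn", "DH-2048", "key-exchange", 20, 5),
    CryptoAsset("backup-archive", "AES-256", "encryption", 25, 1),
    CryptoAsset("patient-records-api", "ECDH-P256", "key-exchange", 30, 2),
    CryptoAsset("marketing-site-tls", "RSA-2048", "key-exchange", 1, 1),
]

if __name__ == "__main__":
    for a in triage(INVENTORY):
        print(f"{risk(a)}  effort={a.effort}  {a.system}  {a.algorithm}")
```

Symmetric entries such as the AES-256 archive drop out of the migration list because the 2030 target concerns traditional asymmetric cryptography; signature-only uses rank last because captured signatures give an attacker nothing to decrypt later.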
Quantum risk isn’t theoretical and neither is the response.
Start by engaging our professional services (PS) specialists to assess where cryptographic risk lives in your environment today.
Together, we’ll help you:
Identify critical systems and data most exposed to quantum threats
Prioritise action using proven frameworks aligned to ASD guidance
Connect with our strategic alliance partners to accelerate your PQC roadmap with confidence
Most importantly, we work collaboratively with you, knowing that real-world challenges shape how we refine practical, scalable PQC outcomes for your organisation.