Opinion / Commentary

Post-Quantum Cryptography: The Decision Is Not Whether to Migrate, It Is When to Start Counting

Proton Mail's post-quantum encryption launch is another data point in an accelerating migration across email, messaging, and enterprise security platforms. The industry debate has shifted from 'should we?' to 'how urgent is the harvest-now-decrypt-later threat?' For most organisations the answer is more urgent than their current roadmap reflects — because the data being generated today has a longer confidentiality requirement than the planning horizon that informs most security investment decisions.

CipherWatch Editorial · Security Intelligence Platform

Proton Mail’s announcement of post-quantum encryption this week joins Signal (2023), Apple (2024), and a growing list of infrastructure providers making the same migration. The technology is no longer research-stage: NIST finalised ML-KEM (formerly Kyber) in August 2024 under FIPS 203, providing the stable algorithm specification that deployment requires. The hybrid approach — combining classical RSA/ECC with ML-KEM — is the consensus recommendation from NSA, NIST, and the European Union Agency for Cybersecurity.

The question for most organisations is no longer whether post-quantum migration is necessary. It is whether the timeline their security programmes are using to plan that migration is calibrated to the actual threat.

The Timeline Confusion

The dominant framing of the post-quantum threat — “quantum computers that can break RSA will not exist for 10–20 years” — leads organisations to conclude that PQC migration is a future problem with a future deadline. This framing is incorrect for a significant category of data, and the confusion between “when will quantum computers exist” and “when does PQC migration need to be complete” is widespread.

The relevant question is not when quantum computers that can break current encryption will exist. The relevant question is: what is the confidentiality requirement for data being generated and transmitted today?

If data needs to remain confidential for three years, and quantum computers that break RSA are not available for fifteen years, the data is safe under current encryption. But if data needs to remain confidential for twenty years — legal proceedings, classified intelligence, trade secrets with long exploitation timescales, health records — and a nation-state adversary is archiving encrypted communications today, that data may already be at risk.

The harvest-now-decrypt-later attack does not require waiting for quantum computers before it begins. It requires only that the adversary archives encrypted data now and decrypts it later. The archiving phase is happening now.

Who Should Be Running This Assessment

The harvest-now-decrypt-later (HNDL) threat is most relevant for data with long confidentiality requirements. A pragmatic assessment:

High urgency (start migrating now):

  • Government agencies and defence contractors — national security data with multi-decade classification periods
  • Legal firms and judiciary — case records, attorney-client privileged communications
  • Healthcare systems — patient records with statutory protection periods of 20+ years in many jurisdictions
  • Financial services — trading strategies, M&A communications, long-term derivative contracts
  • Intellectual property-intensive companies — pharmaceutical research, semiconductor design, aerospace engineering

Medium urgency (plan migration within 3–5 years):

  • Enterprise communications generally — email and messaging systems often contain information whose aggregated value over time is significant even where individual messages are not classified
  • Enterprise IT infrastructure credentials — VPN certificates, PKI hierarchies with long validity periods

Lower urgency:

  • Short-term transactional data — payment card transactions, session tokens, and data with inherent short expiry

Most organisations have not done this assessment. Most security roadmaps treat PQC migration as a 2028–2030 activity — driven by the NSA’s formal mandate deadline for national security systems — without considering whether the data they are responsible for has confidentiality requirements that make the HNDL threat relevant on a shorter timescale.

The Migration Complexity Is Real

The argument for delaying is not unreasonable. PQC migration is genuinely complex. TLS libraries, VPN products, certificate management systems, key management infrastructure, and custom cryptographic implementations all need updating. The migration creates interoperability challenges during the hybrid period, when some systems have migrated and others have not. ML-KEM’s larger key sizes have performance implications for bandwidth-constrained environments.

These are real implementation challenges. But they are challenges to be planned around, not reasons to defer planning. The organisations that have started PQC migration programmes — Signal, Apple, Google, Proton — have demonstrated that it is technically achievable in production systems at scale.

The practical question for most organisations is not “should we migrate?” but “what is our inventory of cryptographic dependencies, what is our migration priority order, and what is our target completion date?” These are project management questions with clear answers once the initial data is gathered. Most organisations do not have that inventory.
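The timeline test from "The Timeline Confusion" and the inventory question above can be run together as a small triage. This is an added example, not part of the original article: the asset names, lifetimes, migration durations and the 2026/2041 planning years are constructed assumptions, and it goes one step beyond the article's comparison by also subtracting the time the migration itself takes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality_years: int  # how long the data must stay secret
    migration_years: int        # assumed time to move this system to hybrid PQC

# Constructed sample inventory: names and figures are illustrative assumptions.
INVENTORY = [
    Asset("patient-records-archive", 20, 3),
    Asset("m-and-a-deal-mail", 10, 2),
    Asset("vpn-pki-hierarchy", 7, 4),
    Asset("payment-session-tokens", 0, 1),
]

def assess(asset, current_year, crqc_year):
    """Return HNDL exposure and the latest safe migration start for one asset.

    crqc_year is the planner's assumed year in which a quantum computer able to
    break RSA/ECC exists. Traffic stays harvestable until migration finishes,
    so the last classically protected message must still expire before then.
    """
    # The article's test: does data sent today need secrecy past crqc_year?
    exposed_today = current_year + asset.confidentiality_years > crqc_year
    # Added term: migration itself takes time, which pulls the start date earlier.
    latest_start = crqc_year - asset.confidentiality_years - asset.migration_years
    return {
        "name": asset.name,
        "exposed_today": exposed_today,
        "latest_start": latest_start,
        "overdue_years": max(0, current_year - latest_start),
    }

def prioritise(inventory, current_year, crqc_year):
    """Order assets by latest safe start year, most urgent first."""
    rows = [assess(a, current_year, crqc_year) for a in inventory]
    return sorted(rows, key=lambda r: r["latest_start"])

if __name__ == "__main__":
    # 2026 and a fifteen-year horizon (2041) are planning assumptions, not forecasts.
    for row in prioritise(INVENTORY, current_year=2026, crqc_year=2041):
        state = "EXPOSED NOW" if row["exposed_today"] else "not yet exposed"
        print(f'{row["name"]:26} {state:16} start by {row["latest_start"]}'
              f' (overdue {row["overdue_years"]}y)')
```

With these assumed figures the ten-year deal mail is not exposed by traffic sent today, yet its migration still has to begin by 2029, which is the gap between "when will quantum computers exist" and "when must we start".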

The Next Three Years

NIST’s timeline calls for migration of national security systems by 2030 and broad commercial adoption by 2035. But Proton, Signal, Apple, and Google are not migrating because a regulatory deadline compels them — they are migrating because their users’ threat models require it.

The useful framing for enterprise security teams is: among the data your organisation holds and transmits, what portion has a confidentiality requirement that makes the HNDL threat material? The answer to that question should determine whether PQC migration is a 2026 priority, a 2028 project, or genuinely something that can wait until the industry-wide 2030 deadline.

Most organisations, when they do this assessment honestly, will find that PQC migration needs to start sooner than their current roadmap reflects. The Proton Mail announcement is a useful prompt to ask the question.
