The clock on post-quantum cryptography (PQC) did not start last week.
Last week, a U.S. Presidential Executive Order, Securing the Nation Against Advanced Cryptographic Attacks – The White House, mandated that federal agencies complete their transition to Post-Quantum Cryptography (PQC) by the end of 2030. Around the same time, Google projected that “Q-Day”—the point when quantum computers can break today’s elliptic-curve cryptography (ECC) protecting much of TLS traffic—could arrive as early as 2029.
That is closer than most organizations realize.
But focusing only on 2029 misses the bigger problem.
Adversaries are not waiting for Q-Day.
They are already executing harvest-now, decrypt-later attacks; collecting encrypted traffic today with the expectation that future quantum compute will allow them to decrypt it later.
That means the sensitive data you are protecting right now may already be compromised.
This Is Not a Federal Problem. It’s Everyone’s Problem
It would be a mistake for enterprises to treat the federal directive as relevant only to government agencies.
We have seen this exact pattern before.
Organizations delayed transitions from:
- RSA 1024 to RSA 2048
- 3DES to AES
- TLS 1.0 to TLS 1.2+
Each time, the laggards eventually scrambled when:
- browsers stopped supporting older protocols,
- regulators flagged noncompliance,
- insurers increased cyber requirements,
- and customers began demanding stronger security controls.
PQC will be no different.
In fact, the consequences may be bigger.
Unlike prior migrations, this transition impacts nearly every digital system that depends on public-key cryptography.
That includes:
- Browser-to-application communication
- APIs and microservices
- Containers and service meshes
- Database connections
- VPNs
- Firewalls
- Identity and access systems
- Software signing pipelines
In short:
If your business depends on encrypted communication, PQC affects you.
The attack surface is massive.
And that is what makes the timeline deceptive.
2030 sounds comfortable.
It isn’t.
The Smartest First Step: Start at the Edge
Organizations do not need to wait for application teams to rewrite code.
They can begin at the application delivery layer.
Because ADCs, reverse proxies, and WAFs already sit in the TLS termination path, they are the natural control point for early PQC adoption.
An edge-first approach enables organizations to:
- Terminate hybrid PQC TLS sessions
- Protect browser-to-application traffic
- Reduce long-term exposure immediately
- Avoid backend application disruption
This enables something every executive wants:
Meaningful risk reduction without massive architectural change.
The Bottom Line
The White House directive did not start the quantum countdown.
It simply made it impossible to ignore.
The organizations that move early will:
- reduce long-term data exposure,
- avoid rushed migrations,
- and gain a strategic security advantage.
The organizations that wait will face rising pressure from regulators, customers, insurers, and the market.
The PQC clock is already ticking. The smartest first step is to start protecting applications at the edge—today.
Looking for Guidance? What C-Level Leaders Must Do Now—Before It Becomes a Crisis