For years, the looming threat of quantum computing has occupied a comfortable corner of the “future problems” folder — something to worry about eventually, but not urgently. That folder just caught fire.
Last week, Google — one of the most powerful voices in both internet security and quantum hardware development — officially moved up its deadline for migrating to post-quantum cryptography (PQC). The new date: 2029. That is a full year ahead of NIST’s previously accepted deprecation target and six years ahead of NIST’s full-disallowance timeline of 2035. For compliance professionals, this is not a minor calendar adjustment. It is a fundamental shift in the risk calculus of data protection.
Google Just Changed the Timeline — Here’s What Happened
To understand the significance of Google’s announcement, it helps to understand what quantum computing actually threatens. Modern asymmetric encryption — the backbone of HTTPS, financial transactions, secure email, and virtually every authentication system in use today — relies on mathematical problems that are computationally infeasible for classical computers to solve. A sufficiently powerful quantum computer running Shor’s algorithm would shred that protection in hours, or even minutes.
The critical question has always been: how powerful does a quantum computer need to be to do that, and how far away are we?
The answers are shifting at an alarming pace:
- 2019: Google estimated it would take approximately 20 million qubits to break RSA encryption.
- May 2025: Google revised that estimate down sharply — to roughly 1 million qubits.
- February 2026: Researchers at Australia’s Iceberg Quantum published a pre-print study suggesting the threshold could be as low as 100,000 physical qubits.
To put that in context: current quantum processors are already crossing into the tens of thousands of qubits, with rapid scaling underway. The gap between “theoretical threat” and “operational threat” is closing faster than anyone anticipated — not just because hardware is improving, but because error correction techniques and underlying algorithms are maturing simultaneously.
“The magnitude of change is tough to deny,” said Jordan Kenyon, Chief Scientist in the quantum practice at Booz Allen Hamilton. “It’s not just hardware getting better — there have also been significant advances in error correction and algorithms.”
Google’s revised timeline reflects all of this. The company has updated its internal threat models and is now prioritizing PQC migration for authentication services — urging other engineering teams across the industry to do the same.
Your Data May Already Be in the Wrong Hands
Here is where compliance officers need to sit up straight: the quantum threat is not purely a future concern. It is, in important ways, already here.
In a post published last month, Kent Walker, President of Global Affairs at Google and Alphabet, was direct: “Malicious actors are not waiting until a cryptographically relevant quantum computer is ready. They are likely already carrying out ‘store now, decrypt later’ attacks and collecting encrypted data, just waiting for the day when a quantum computer can unlock it.”
This means that sensitive data transmitted today — over connections protected by today’s encryption standards — may already be sitting in adversarial databases, waiting to be decrypted the moment quantum capability crosses the threshold. Health records. Financial data. Legal communications. Trade secrets. Anything transmitted over conventional asymmetric encryption is potentially at risk, retroactively.
For organizations subject to regulations like HIPAA, GDPR, CCPA, PCI-DSS, or SOC 2, this creates a profound compliance exposure that most frameworks have not yet caught up to. The legal and regulatory landscape will follow the threat. The question is whether your organization will lead or be caught flatfooted.
The Readiness Gap Is Stark
If Google’s revised timeline is alarming, the state of enterprise readiness is even more so. The data paints a picture of widespread unpreparedness:
- 91% of businesses do not have a roadmap for PQC migration, according to the Trusted Computing Group.
- 80% say their current cryptographic libraries and hardware security modules are not ready for PQC integration.
- Only 39% have even begun their PQC compliance readiness assessments.
- 61% of organizations lack full visibility into their own cryptographic systems, per Gartner.
That last point is particularly critical. You cannot migrate what you cannot see. Without a complete cryptographic inventory — a map of every certificate, key, algorithm, and protocol in use across your environment — a PQC migration is impossible to plan, let alone execute.
Where NIST Stands — and Where the Industry Lags Behind
The good news is that the cryptographic community has not been idle. NIST has already finalized four quantum-resistant algorithms and selected a fifth. These algorithms are designed to withstand attacks from both classical and quantum computers, and they form the foundation of any credible PQC migration strategy.
The bad news, as noted by the Post Quantum Cryptography Coalition, is that most PQC standards have not yet achieved broad adoption. Awareness has outpaced action across nearly every sector.
The original NIST roadmap called for deprecating quantum-unsafe algorithms by 2030 and fully disallowing them by 2035. Google’s announcement suggests that even the 2030 deprecation date may be optimistic — and that organizations operating with long-sensitivity data (healthcare records, financial histories, legal documents) should treat 2029 as a hard ceiling, not a soft guideline.
Industry analysts expect Microsoft and AWS to announce similar revised timelines in the near term. When the major hyperscalers align on a deadline, the downstream compliance pressure on enterprise organizations follows quickly.
Six Steps to Get Ahead of This
Gartner and the broader security community have converged on a practical framework for PQC readiness. Here is what compliance and privacy professionals should be driving within their organizations:
1. Conduct a Comprehensive Cryptographic Inventory Map every instance of cryptographic usage across your environment — certificates, keys, VPNs, APIs, authentication systems, and data-at-rest encryption. You need full visibility before you can act.
2. Assess Long-Sensitivity Data First Prioritize any data that is intended to remain confidential for five years or more. This data is most exposed to store-now-decrypt-later attacks and warrants the most urgent PQC protection.
3. Invest in Cryptographic Agility Build systems that can swap cryptographic algorithms without a full infrastructure overhaul. Cryptographic agility is not just good quantum hygiene — it’s sound security practice for any threat landscape.
4. Establish a Cryptographic Center of Excellence Create internal ownership over your cryptographic posture. This cross-functional team should include security, compliance, legal, and engineering stakeholders, with a mandate to monitor PQC standards and drive migration.
5. Update Your Risk Register and Vendor Assessments Quantum risk needs to be reflected explicitly in your organization’s risk register. Additionally, assess your third-party vendors — a weak link in your supply chain can undermine your own PQC readiness.
6. Engage With Your Regulators Early Regulatory frameworks are evolving. Proactively engaging with your relevant regulatory bodies — and documenting that engagement — positions your organization favorably when requirements formally arrive.
Google Warns 2029 Quantum Year
Google’s revised 2029 deadline is a signal, not just a schedule. It reflects a genuine acceleration in quantum capability that multiple independent research teams are corroborating. For compliance and privacy professionals, the message is clear: post-quantum cryptography migration is no longer a future-state project. It is a present-day compliance imperative.
As ABI Research analyst Michela Menting put it plainly: “It’s not a side project anymore, with an extended time frame that they can just get to whenever they have extra time to work on it. They really can’t afford to watch and wait anymore.”
The organizations that begin their PQC journey now — with a proper inventory, a migration roadmap, and executive buy-in — will be the ones that avoid regulatory penalties, data breach liability, and reputational damage when the quantum era arrives. And based on where the science is heading, that era is arriving on an accelerated schedule.
