Post-Quantum Cryptography Migration in 2026: The State of the Transition

NIST finalized the first post-quantum cryptography standards in August 2024 — CRYSTALS-Kyber (now ML-KEM) for key encapsulation, CRYSTALS-Dilithium (now ML-DSA) and SPHINCS+ (now SLH-DSA) for digital signatures, plus FN-DSA finalized in 2025. The 2024-2026 period has been the early operational deployment phase. By 2026, leading enterprises are progressing through the migration; the long tail is starting to recognize it as an immediate concern rather than a future one.

I want to walk through where PQC migration actually sits in 2026.

Why this matters#

The risk is not that quantum computers are about to break RSA. The risk is “harvest now, decrypt later” — adversaries collecting encrypted traffic today with the expectation of decrypting it once quantum computers are sufficient. For data with long secrecy lifetimes (decades), this risk is concrete now.

The specific cryptographic algorithms threatened by quantum computers:

• RSA, DSA, ECDSA, EdDSA for signatures.
• DH, ECDH for key exchange.
• All asymmetric encryption depending on the same hard problems.

Symmetric cryptography (AES, ChaCha20) is less threatened — Grover’s algorithm provides a quadratic speedup which can be addressed by increasing key sizes.

What needs to be migrated#

The migration scope is substantial:

1. TLS — every web service.
2. Code signing — every software distribution.
3. SSH — every server access.
4. VPNs — every secure connection.
5. Document signing — every legal document.
6. Email encryption — every secured email.
7. Hardware security modules — every HSM-protected operation.
8. Cryptocurrency wallets — every crypto address.
9. PKI infrastructure — every certificate authority.

The cumulative effect: every cryptographic operation in modern infrastructure.

What enterprises should be doing#

For most enterprises in 2026:

1. Cryptographic inventory — what algorithms are used where.

2. Crypto-agility assessment — can your systems support algorithm changes without major reengineering?

3. Prioritization by data secrecy lifetime — long-lived secrets (decades) should migrate first.

4. Vendor engagement — for hardware (HSMs, smart cards) and managed services.

5. Pilot deployments — particularly for TLS and code signing.

6. Hybrid mode adoption — running both classical and PQC algorithms in parallel during transition.

7. Standards tracking — NIST continues to finalize additional algorithms; new guidance continues.

The challenges#

PQC migration is more complex than typical crypto upgrades:

• Performance implications — PQC algorithms are typically larger and slower than classical alternatives.
• Protocol modifications — some protocols (TLS, SSH) need protocol-level updates.
• Hardware constraints — particularly for embedded systems and IoT devices.
• Interoperability during transition — hybrid modes are operationally complex.
• Long timeline — full migration is a multi-year program.

What’s coming in 2026 and 2027#

Three things to watch:

NIST additional algorithm finalization continues.

Vendor PQC support continues to mature.

Government deadlines — multiple jurisdictions are setting specific PQC adoption deadlines.

Where pdpspectra fits#

Our security engineering work spans the PQC migration as part of broader cryptographic infrastructure work. We help clients with inventory, prioritization, and implementation.

Related reading: the UK quantum computing post, the Germany cybersecurity post, and the cryptographic key management post.

---

PQC migration is a now problem, not a future one. Talk to our team about your migration plan.