Post-quantum: the 2026-2035 timeline and where to start

Post-quantum migration has left the realm of speculation: the replacement standards are published, the end-of-life dates for today's cryptography are written down, and the first US regulatory deadlines land this year. Yet adoption remains low, and few organisations have anything in production. That is precisely the window where starting is still cheap.
What is already settled: three standards and a scheduled end of life
The official starting point is 13 August 2024: NIST finalised three post-quantum standards — a key-establishment mechanism (ML-KEM) and two signature schemes (ML-DSA and SLH-DSA). The target algorithms exist; the question is no longer "what" but "when" and "in what order".
NIST then published the exit path for current cryptography (NIST IR 8547): the scheduled deprecation of RSA-2048 and ECC P-256 in 2030, followed by the disallowance of vulnerable algorithms in 2035. These dates are not predictions about the quantum computer: they are standardisation decisions that will apply whether or not the machine exists. And because NIST standards are the worldwide reference for software and equipment vendors, they shape the market far beyond the United States.
2026-2027: the deadlines that set the market in motion
Two closely spaced milestones accelerate the vendor side of the equation:
- On 21 September 2026, FIPS 140-2 certificates move to "Historical" status: only FIPS 140-3 validations remain accepted for new US federal purchases. Every vendor of cryptographic modules, HSMs, firewalls or VPNs selling to the US public sector must re-certify its products under the new scheme — and it is in that re-certification cycle that post-quantum support enters product lines.
- From 1 January 2027, acquisitions of US National Security Systems must support CNSA 2.0, the NSA's post-quantum algorithm suite. Again, the requirement weighs on vendor catalogues, not just on their federal customers.
The Quantum Insider's analysis of migration timelines shows how these government deadlines propagate through the whole industry: no vendor maintains two cryptographic product lines, so whatever becomes mandatory for US federal buyers becomes the standard product for everyone. At the same time, the Cloud Security Alliance's migration roadmap observes that adoption remains low: few organisations have post-quantum deployments in production. The gap between regulatory pressure and reality on the ground is currently the defining feature of this topic.
Why these dates concern you even without a US federal client
Three mechanisms make this timeline universal:
- The supply chain. Your network equipment, HSMs, VPN solutions and software come from vendors aligning their roadmaps with FIPS 140-3 and CNSA 2.0. End-of-support dates for older product lines will follow that movement, not your internal calendar.
- Equipment lifecycles. Hardware or a contract signed today will still be in service in 2030, when RSA-2048 and ECC P-256 are deprecated. Every non-crypto-agile purchase between now and then is debt.
- The "harvest now, decrypt later" threat. Long-lived confidential data intercepted now can be decrypted later. For that data, the effective deadline has already passed.
This is not legal advice: depending on your sector and markets, specific requirements may apply on top of this — check with your advisors what applies to your situation.
Where to start: a realistic migration plan
The good news in the low-adoption finding: nobody has built a decisive lead, and the approach can stay methodical. Recommended sequence:
- Cryptographic inventory: certificates, VPNs, SSH, encryption at rest, signatures, supplier dependencies. We detail the method in our article on the enterprise cryptographic inventory.
- Classification by lifetime: cross each usage with how long the protected data must remain confidential. Whatever must outlive 2030 goes to the top.
- Crypto-agility: require in every new purchase the ability to change algorithms through configuration. It is the criterion that costs nothing today and avoids forced replacements tomorrow.
- Supplier pressure: request in writing the post-quantum (and FIPS 140-3) roadmaps of your software vendors, hosting providers and equipment makers. The fundamentals of data encryption — above all key management — condition everything that follows.
- Hybrid pilots: test modes combining classical and post-quantum algorithms on non-critical flows, to measure the impact on performance and compatibility before generalising.
The timeline in one table
| Deadline | What changes | What it means for you |
|---|---|---|
| 13 August 2024 | NIST finalises three post-quantum standards | Target algorithms exist; vendor roadmaps can be demanded |
| 21 September 2026 | FIPS 140-2 certificates move to "Historical" status; only FIPS 140-3 validations accepted for new US federal purchases | Re-certification wave among vendors; check the status of the products you buy |
| 1 January 2027 | National Security Systems acquisitions must support CNSA 2.0 | Catalogues align; crypto-agility becomes a standard purchasing criterion |
| 2030 | Scheduled deprecation of RSA-2048 and ECC P-256 (NIST IR 8547) | Your priority usages should have migrated; everything else has a dated path |
| 2035 | Disallowance of vulnerable algorithms (NIST IR 8547) | Complete end of life: no exceptions, no compatibility mode |
The timeline is public, the standards are published, and low adoption still leaves a window to migrate without a crisis. A cryptographic assessment is the first step that turns these dates into an action plan specific to your infrastructure.
How SOVALYX can help
SOVALYX helps organisations turn this timeline into an action plan: a cryptographic inventory as part of an infrastructure audit, prioritisation by data lifetime, then a managed migration path on its private cloud, with 24/7 monitoring under SLA during cutovers. The goal: reach the deprecation deadlines with everything that matters already migrated.
Talk security with an engineer🧰 The companion tool: Would your backups survive a ransomware attack? — free · 2 minutes.
Reviewed and optimised by AI.