Quantum Security

Harvest Now, Decrypt Later: The Quantum Threat is Active Today

Most organizations are treating quantum security as a 2030 problem. That framing is wrong, and adversaries are counting on it.

The quantum threat doesn't require a working quantum computer to be active now. State-sponsored actors are already intercepting encrypted data (financial records, M&A communications, healthcare data, government intelligence) and stockpiling it with the expectation that a future quantum computer will decrypt it. This strategy is known as "harvest now, decrypt later" (HNDL), and it has been publicly acknowledged as an active threat by the FBI, CISA, and NIST.

The data your organization transmitted this year is already exposed in this sense. The window of risk opened the moment that data entered circulation, not when a quantum computer eventually arrives.

The Calculation That Changes the Conversation

Quantum Threat Timeline

There's a framework that makes this concrete. Three variables:

A is how long it takes to assess your cryptographic exposure and migrate to quantum-resistant infrastructure. For any enterprise with custom applications, a real PKI, hardware security modules, and a supply chain, that timeline is measured in years, not months.

B is how long your data needs to remain confidential. Financial records carry regulatory retention requirements of 7–10 years. Patient records, often 30. Intelligence and genomic data, indefinitely.

C is the time before a quantum computer capable of breaking today's encryption exists.

If A + B exceeds C, the problem has already started.

And C is compressing. Google researchers revised the estimated qubit count needed to break RSA-2048 from roughly 20 million (2019) down to under one million in a 2025 paper. This is a 20-fold reduction achieved through software optimization alone, with no new hardware required. A February 2026 preprint reduced the estimate further, to under 100,000 physical qubits. These figures are directional, not definitive. But they move in one direction only, and consistently faster than most enterprise security timelines anticipated.

For organizations in financial services, healthcare, defence, and critical infrastructure, the A + B > C threshold has very likely already been crossed.

What Regulators Have Already Decided

The compliance framing is, if anything, starker than the technical one.

  • DORA has required active monitoring of quantum risk from all EU financial entities since January 2025.
  • The EU's coordinated PQC roadmap, backed by 21 member-state cybersecurity agencies, sets 2030 as the migration deadline for critical infrastructure.
  • In the US, the NSA's CNSA 2.0 requires all new national security system acquisitions to use quantum-safe algorithms from January 2027.
  • NIST has published final post-quantum standards (FIPS 203, 204, 205) and plans to deprecate RSA and elliptic curve cryptography across federal systems entirely by 2033.

The regulatory community has, effectively, already made its decision. Migration is mandatory. The question for your organization is whether that migration happens on your timeline or someone else's.

The First Step Most Organizations Haven't Taken

The immediate priority isn't a full cryptographic overhaul. It's understanding your actual exposure, which most organizations don't yet have visibility into.

That means mapping where quantum-vulnerable cryptography lives in your environment: your TLS configuration, your certificate infrastructure, your hardware security modules, your digital signing infrastructure. You cannot scope a migration you haven't mapped, and you cannot defend against a risk you haven't quantified.
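As an added illustration (not Horizen Labs' own tooling), the sketch below applies the A + B > C test per asset to a small TLS inventory. It separates key exchange, where recorded sessions are exposed retroactively, from certificate signatures, which must be replaced before C but cannot be harvested. The host names, the inventory records and the values of A and C are constructed assumptions.

```python
from dataclasses import dataclass

# TLS groups that combine a classical curve with ML-KEM (FIPS 203).
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Signature families standardized in FIPS 204 and FIPS 205.
PQ_SIGNATURES = ("ML-DSA", "SLH-DSA")

@dataclass
class Asset:
    name: str
    kex_group: str        # negotiated TLS key-exchange group
    cert_sig_alg: str     # signature algorithm on the server certificate
    retention_years: int  # B: how long the data must stay confidential

def assess(asset, migrate_years, crqc_years):
    """Return findings for one asset; migrate_years is A, crqc_years is C."""
    findings = []
    if asset.kex_group not in PQ_HYBRID_GROUPS:
        # Key exchange protects confidentiality, so exposure is retroactive:
        # a session recorded today can be decrypted once C is reached.
        if migrate_years + asset.retention_years > crqc_years:
            findings.append("HNDL: A+B>C, recorded sessions outlive the key exchange")
        else:
            findings.append("KEX: classical key exchange, still within A+B<=C")
    if not asset.cert_sig_alg.startswith(PQ_SIGNATURES):
        # TLS certificate signatures only need to hold while the certificate
        # is in use, so nothing is harvested; they must be replaced before C.
        findings.append("SIG: quantum-vulnerable signature, replace before C")
    return findings

def hndl_priority(inventory, migrate_years, crqc_years):
    """Names of HNDL-exposed assets, longest confidentiality lifetime first."""
    exposed = [a for a in inventory
               if any(f.startswith("HNDL") for f in assess(a, migrate_years, crqc_years))]
    return [a.name for a in sorted(exposed, key=lambda a: -a.retention_years)]

# Constructed sample inventory (hypothetical hosts, not taken from the article).
INVENTORY = [
    Asset("payments-api", "X25519", "sha256WithRSAEncryption", 10),
    Asset("patient-portal", "secp256r1", "ecdsa-with-SHA256", 30),
    Asset("status-page", "X25519", "ecdsa-with-SHA256", 0),
    Asset("internal-gw", "X25519MLKEM768", "sha256WithRSAEncryption", 30),
]

if __name__ == "__main__":
    A, C = 3, 10  # assumed planning values for illustration, not estimates
    for asset in INVENTORY:
        print(asset.name, assess(asset, A, C))
    print("migrate first:", hndl_priority(INVENTORY, A, C))
```

In a real assessment the inventory records would come from TLS scans and certificate stores rather than a hand-written list, and A and C would be your own planning inputs.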

ISACA's 2025 survey of over 2,600 security professionals found that 62% are concerned quantum computing will compromise today's encryption, but only 5% have a defined quantum strategy in place. The gap between awareness and action is where exposure accumulates.

The standards, the expertise, and the assessment tools exist now. What's shortening is the lead time before regulatory enforcement and the harvest-to-decryption gap start to close simultaneously.

The organizations that face the worst outcomes won't be caught off guard by a sudden breakthrough. They'll be the ones that understood the risk, had time to act, and waited.

****************************

Horizen Labs delivers quantum-resistant security assessments and cryptographic advisory to enterprise, financial services, and government organizations. Our Quantum Threat Assessment is a PhD-led review that maps your cryptographic exposure and defines where to focus.

Learn more at quantum.horizenlabs.io.


Horizen Labs, April 22, 2026