Deploy Bravely — Secure your AI transformation with Prisma AIRS
Table of contents

What Is Q-Day, and How Far Away Is It—Really?

4 min. read
Table of contents

"Q-Day" refers to the moment when quantum computers can break today's public-key cryptography.

It's not a calendar date but a milestone—one most experts expect in the 2030s or later. It marks the point when a cryptographically relevant quantum computer (CRQC) can run algorithms like Shor's to break RSA and elliptic-curve encryption, forcing a global shift to quantum-safe standards.

 

Why do experts disagree about when Q-Day will happen?

Experts disagree because there's no single path to building a cryptographically relevant quantum computer. The timeline depends on progress across several independent challenges.

"There is large variability among the opinions of the experts: some lean towards optimism, while others are more cautious about the pace at which quantum computers will be developed."
- Global Risk Institute, Quantum Threat Timeline Report 2024

Starting with hardware.

Different types of quantum computers use different physical approaches. Such as superconducting circuits, trapped ions, or photons. Each has its own trade-offs. Some can be built up quickly but are unstable. Others are more accurate but difficult to produce in large numbers. That's why progress varies by design.

Then there's error correction.

Quantum bits are fragile. They lose coherence in microseconds. That means a quantum computer can't simply add more qubits and expect better performance. To perform long calculations, millions of physical qubits must work together to create a few thousand logical ones. Estimates of when that will happen vary from the 2030s to beyond 2045.

Finally, algorithmic efficiency adds more uncertainty.

Breakthroughs in quantum algorithms—or classical countermeasures—could shift the timeline in either direction.

To put it simply, experts disagree because they're betting on different breakthroughs. Some focus on physics. Others on engineering. Others on math. Each discipline defines “close” differently.

Here's the consensus:

The exact date doesn't matter as much as the preparation window. The risk begins long before Q-Day itself, when stolen data can be stored now and decrypted later.

 

What would actually happen if Q-Day arrived tomorrow?

Chart titled 'Why organizations are turning to hybrid cryptography' divided into four colored quadrants surrounding a central circular icon with an abstract network symbol. The top left orange box is labeled 'Redundancy & resilience' with the text 'Remains secure if one algorithm fails or is broken.' The top right blue box reads 'Migration readiness' with the text 'Enables a gradual shift toward post-quantum cryptography.' The bottom left light blue box is labeled 'Interoperability' with the text 'Bridges classical and post-quantum systems without disruption.' The bottom right teal box reads 'Protection from harvest now, decrypt later' with the text 'Keeps sensitive data secure against future quantum decryption.'Infographic titled 'If Q-Day happened tomorrow'. Subheading reads 'Would the internet collapse? Not quite.' A faint world map forms the background. Four white rectangular boxes with icons and black connecting arrows describe sequential concepts. Top left box labeled 'What breaks first' contains a broken lock icon and states 'RSA and elliptic-curve encryption would fail. Keys could be derived. Digital signatures could be forged.' Top right box labeled 'What survives' shows a key icon and reads 'Symmetric encryption like AES and hashing algorithms like SHA-2 stay secure with longer keys. Most systems keep running.' Middle right box labeled 'Where the real risk lies' displays a circular network icon and says 'The issue isn't downtime—it's trust. Public-key infrastructures, certificate authorities, and digital identities would need rapid replacement.' Lower left box labeled 'How recovery happens' includes a gear icon and notes 'Recovery depends on speed of migration. Post-quantum standards—FIPS 203, 204, 205—enable replacement of vulnerable algorithms.' A final red box at bottom right labeled 'Disruption, not collapse' carries a triangular warning icon and text stating 'Q-Day would be disruptive, but survivable. Preparation determines how fast trust is restored.'

If Q-Day happened tomorrow, the internet wouldn't go dark. But encryption based on RSA and elliptic curves would no longer be secure.

Why?

Because a cryptographically relevant quantum computer could solve the math problems those algorithms rely on. Keys protecting everything from emails to VPNs could be derived. Digital signatures could be forged.

The first systems at risk would be those using older or static keys. Especially ones that secure data meant to stay private for decades. Think financial archives, intellectual property, and government records.

However:

This wouldn't mean instant chaos. Most symmetric encryption and hashing algorithms would remain safe with longer keys. Systems using AES or SHA-2 could continue operating if rekeyed appropriately.

The real concern would be trust.

Public key infrastructures, certificate authorities, and identity systems would all need immediate transition. Communication could continue, but verification would be uncertain until new keys and algorithms were deployed. And that's the primary quantum security risk.

In short:

Q-Day would cause disruption, not collapse. Recovery would depend on how quickly organizations could replace vulnerable algorithms with post-quantum standards finalized by NIST.

| Further reading: 8 Quantum Computing Cybersecurity Risks [+ Protection Tips]

 

Why "harvest now, decrypt later" matters more than Q-Day itself

The real threat isn't Q-Day. It's what's happening before it.

Attackers are already collecting encrypted data today. They know that once quantum computers reach decryption capability, that data can be unlocked. Which means the information being stolen now—financial records, personal data, intellectual property—could be exposed years from now.

That's what “harvest now, decrypt later” means. It's the practice of stealing encrypted traffic today to decrypt it later with quantum computing.

Horizontal process diagram titled 'Harvest now, decrypt later (HNDL)' showing five sequential steps connected by arrows. Step 1, in a blue square, reads 'Data exfiltration' with subtext 'Steals encrypted traffic or files.' Step 2, in a lighter blue square, reads 'Cold storage' with subtext 'Keeps ciphertext for years.' Step 3, in an orange square, reads 'Advances in quantum computing' with subtext 'Waits for quantum systems.' Step 4, in a white square with a blue lock icon, reads 'Decrypt later' with subtext 'Shor's breaks RSA/ECC.' Step 5, in a purple square, reads 'Use the plaintext' with subtext 'Read, sell, or forge identities.' Small text under several steps notes 'Years can pass' to indicate elapsed time between stages.

The risk is simple. Data with long confidentiality lifespans—like government archives, trade secrets, or medical research—will still matter when Q-Day arrives. So delaying migration increases exposure.

Important:

Quantum readiness isn't just about future encryption standards. It's about protecting what's already in motion.

| Further reading: Harvest Now, Decrypt Later (HNDL): The Quantum-Era Threat

 

How close are we based on today's progress?

We're not there yet—but we're getting closer. A cryptographically relevant quantum computer remains years, likely decades, away.

No one can pinpoint when Q-Day will happen. But current evidence gives a sense of scale.

Chart titled 'Quantum threat & readiness timeline'. The chart presents a two-track horizontal timeline spanning 2024 through 2035, showing parallel developments in quantum technology progress and cybersecurity readiness milestones. The top track, labeled 'Quantum technology progress', uses light blue background accents and lists milestones by year group. For 2024, it states that industry investment in quantum technology grows by nearly 50 percent to about $2 billion, with research shifting from scaling qubits to improving stability and error correction. The 2025 entry notes expert consensus that a cryptographically relevant quantum computer could emerge within a decade and mentions early hybrid quantum-classical systems demonstrating reliable logical qubits. The 2026–2028 group describes steady progress in qubit coherence and fault-tolerant design with public and private research advancing scalable prototypes. The 2029–2031 group highlights fault-tolerant systems achieving multi-day stability and global discussions on estimating Q-Day and assessing geopolitical implications. The 2032–2035 group shows large-scale quantum computers reaching commercial viability and legacy public-key encryption becoming increasingly vulnerable to quantum attack. The lower track, labeled 'Cybersecurity readiness milestones', uses orange highlights and lists corresponding security responses. For 2024, it cites NIST finalizing the first post-quantum cryptography standards FIPS 203–205 and governments beginning formal cryptographic inventories. The 2025 milestone mentions agencies publishing quantum-readiness roadmaps and hybrid cryptography pilots in cloud and network systems. The 2026–2028 span lists expanding cryptographic agility frameworks and vendor certification programs. The 2029–2031 range shows large-scale migration to quantum-safe cryptography and a growing focus on supply-chain coordination. The 2032–2035 period notes that PQC and hybrid encryption become global standards and fully integrated into enterprise and government infrastructure. The chart concludes with color bars separating the two tracks and a small caption attributing data sources from Global Risk Institute, IBM, McKinsey, NIST, CISA, NSA, and related quantum-readiness publications.

Let's consider the latest assessments.

The Global Risk Institute's Quantum Threat Timeline 2024 finds most specialists expect cryptographically relevant quantum computers sometime in the 2030s or later. Even in optimistic forecasts, the probability of such a machine arriving within ten years remains under 20%.

Recent technical progress supports that view.

Both the Quantum Threat Timeline 2024 and McKinsey's Quantum Monitor 2025 note measurable advances in qubit stability and error correction over the past year. But even with those gains, cryptographically relevant systems remain far off—requiring millions of fault-tolerant qubits, compared with the hundreds available today.

Migration planning is already under way.

Following the release of NIST's post-quantum standards in 2024—ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205)—governments and vendors began adopting these algorithms. It's worth noting, though, that readiness varies widely, with larger institutions beginning pilot deployments while others wait for regulatory deadlines.

Here's the key takeaway:

Q-Day isn't imminent, but it's not theoretical either. The point is that while a cryptographically relevant system is still decades away, the migration window is now. Transitioning this decade ensures data protected today will remain secure when that milestone finally arrives.

| Further reading: What Is Post-Quantum Cryptography (PQC)? A Complete Guide

 

What are governments and standards bodies doing to prepare?

Chart titled 'Global quantum readiness landscape' showing major government and standards-body initiatives shaping post-quantum migration. The diagram includes four labeled boxes positioned over a light blue world map background. The left box, titled 'United States,' lists 'NIST-FIPS 203–205: ML-KEM, ML-DSA, SLH-DSA, FN-DSA (draft)' followed by 'NSA – CNSA 2.0,' 'NSM-10,' and 'CISA / NSA / NIST Roadmap,' each with concise descriptions about mandates, federal directives, and migration guidance. The center box, titled 'Europe,' includes 'ETSI TR 103 967,' 'ENISA,' and 'ISO / ITU / JTC 1,' with notes on frameworks for post-quantum migration, coordination across EU member states, and early global standard alignment. The right box, titled 'Japan & Canada,' states 'National initiatives aligning with NIST standards and conducting independent PQC trials.' Above it, a smaller orange box labeled 'Shared global challenge' explains that readiness is advancing unevenly across jurisdictions and emphasizes the need for aligned timelines and consistent implementation.

Governments and standards bodies are no longer just studying the quantum threat. They're executing coordinated migration plans.

As mentioned, in the United States, NIST has finalized the first post-quantum cryptography standards, FIPS 203-205:

ML-KEM, ML-DSA, and SLH-DSA are established as the new federal baseline. Those standards align with broader guidance in NIST SP 800-131A r3, which outlines the transition from classical to quantum-resistant algorithms.

Policy direction is equally clear.

As discussed, National Security Memorandum-10 requires all federal agencies to complete their post-quantum migration by 2035. The NSA's Commercial National Security Algorithm Suite 2.0 supports that goal, defining approved algorithm families and timelines for defense and national security systems.

This effort extends globally.

ENISA and ETSI are leading European initiatives to harmonize post-quantum adoption and interoperability. ISO/IEC 23837 defines shared testing and evaluation criteria for technologies such as quantum key distribution. The World Economic Forum has emphasized the governance side of quantum readiness, encouraging collaboration across industries and integrating quantum risk into existing cybersecurity strategies.

The direction is set. Global standards are converging, timelines are published, and implementation is underway.

What varies now is pace.

Some nations are ahead, others are still planning, but the transition to quantum-safe infrastructure has already begun.

For enterprises, that means migration planning must now align with these public timelines to avoid falling behind the broader shift.

 

How to prepare for Q-Day (without overreacting)

"A successful post-quantum cryptography migration will take time to plan and conduct. CISA, NSA, and NIST urge organizations to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation."
- NIST, NSA, CISA, Quantum-Readiness: Migration to Post-Quantum Cryptography

Quantum readiness isn't about panic. It's about preparation.

  • Start with leadership.

    Accountability at the executive level ensures readiness isn't an isolated project.

  • Next comes visibility.

    Organizations need a complete inventory of where and how cryptography is used across applications, APIs, and devices. Without that baseline, you can't prioritize what to protect or migrate.

  • Then triage.

    Identify long-life data that must remain confidential for decades. Those assets should move first, since they're already vulnerable to harvest-now-decrypt-later exposure.

  • Focus on flexibility.

    Crypto-agility lets you replace algorithms and keys without rebuilding entire systems. It's the foundation for adopting post-quantum standards safely.

  • Testing matters too.

    Hybrid models that combine classical and post-quantum algorithms allow organizations to validate performance before scaling broadly.

  • Finally, governance keeps progress sustainable.

    Define ownership for cryptographic management and align internal policy with emerging standards.

Ultimately, the goal isn't to future-proof everything overnight.

It's to build systems ready to evolve. So when Q-Day comes, migration is planned, not improvised. And the collective result of that preparation is what determines whether Q-Day becomes a crisis or a milestone we're ready for.

| Further reading:

 

Will Q-Day be a crisis, or a milestone we're ready for?

Q-Day won't be a single moment of collapse. It'll be a milestone that measures how well the world prepared.

The transition to quantum-safe encryption is meant to be managed. Not improvised. The algorithms, timelines, and coordination frameworks are already defined.

So:

When a cryptographically relevant quantum computer finally arrives, the systems built for flexibility will adapt. The ones that planned early will transition with minimal disruption.

In the end, Q-Day isn't a surprise waiting to happen. It's the predictable outcome of a process already in motion.

The challenge isn't the day itself. It's making sure readiness keeps pace with technology. Because preparation only matters if execution continues until the transition is complete.

Explore the future of quantum security
Dive into an interactive overview of quantum threats, post-quantum cryptography, and NIST's new standards.

Launch experience

 

Q-Day FAQs

Q-Day refers to the point when quantum computers can break today’s public-key cryptography, such as RSA and elliptic-curve algorithms. It marks a capability milestone—not a literal date—and signals when post-quantum encryption must fully replace classical systems to keep digital communications secure.
The term “quantum apocalypse” exaggerates the risk. The real challenge is migration. Preparation means inventorying cryptographic systems, prioritizing long-life data, adopting post-quantum and hybrid algorithms, and building crypto-agility. Done gradually and strategically, this transition prevents disruption and ensures readiness long before large-scale quantum computers exist.
Yes. Post-quantum cryptography (PQC) provides mathematically secure alternatives resistant to quantum decryption. NIST’s FIPS 203-205 standards—ML-KEM, ML-DSA, and SLH-DSA—are the new baselines for encryption and digital signatures. Combining PQC with strong symmetric encryption and proper key management mitigates quantum threats effectively.
No one knows precisely. Most experts expect cryptographically relevant quantum computers decades away. Hardware progress is steady, but scaling to millions of stable qubits remains unresolved. That’s why governments target migration completion by 2035—ensuring systems are ready well before such machines emerge.
Related content
YouTube playlist: A CISO's Guide to Quantum Security
Binge a 6-video series breaking down why quantum computing is closer than you think but not as difficult.
Podcast: Threat Vector | Is the Quantum Threat Closer Than You Think?
Hear how to start your transition to quantum-resistant cryptography now.
TechDocs: Quantum Security Concepts
Get the facts on resisting the quantum computing threat straight from PANW’s solutions documentation.
Blog: Palo Alto Networks Announces New Quantum Security Innovations
Learn about the new crypto inventory tool, quantum-optimized firewalls and PAN-OS 12.1 enabled quantum readiness.

Get the latest news, invites to events, and threat alerts