Google says the quantum future is arriving faster than expected

Google accelerates the PQC migration timeline

Google has moved faster than expected. It brought forward its post-quantum cryptography (PQC) migration deadline from the NIST recommendation of 2030–2035 to 2029. This is not just a schedule adjustment; it’s a signal that the quantum era is approaching faster than most security planners anticipated. Google, being both a major encryption provider and one of the leaders in quantum computing research, has a clear view of how close this technology is to having real-world impact.

The company has already begun restructuring its internal security priorities. PQC will come first, especially within authentication systems, which are the backbone of secure communications. By urging other engineering teams and industry peers to act now, Google is effectively reshaping the cybersecurity timeline for the entire tech ecosystem. When the world’s leading cloud and security player accelerates, it means the clock has already started ticking.

C-suite executives should take note. This change is a call to action. The speed at which encryption vulnerabilities could emerge will depend on how fast quantum technology progresses, and it’s moving faster every year. Senior leaders need to re-evaluate cryptographic strategies, budgets, and infrastructure investments ahead of the quantum curve. Post-quantum readiness is no longer a research topic; it’s a competitive requirement.

Kent Walker, President of Global Affairs at Google and Alphabet, has stated that “malicious actors are not waiting until a cryptographically relevant quantum computer is ready.” He warned that attackers may already be collecting encrypted information through “store now, decrypt later” attacks. His words point to a critical truth: the race has already begun, and defenders are behind the starting line.

Rapid advancements in quantum computing reduce qubit requirements

Quantum technology has advanced faster than expected, especially in how many qubits are needed to break traditional encryption like RSA. Five years ago, it was thought that 20 million qubits were necessary to crack RSA encryption. As of May 2025, Google revised that estimate to one million. Now, new research from Iceberg Quantum in Australia suggests that only about 100,000 physical qubits may be enough.

This reduction is more than an incremental improvement, it’s a restructuring of the threat landscape. A qubit is the building block of a quantum computer. Reducing requirements from millions to hundreds of thousands means that quantum threats could arrive years earlier than projected. The gains come from progress in error correction and smarter quantum algorithms, both of which improve computational stability and efficiency.

Leaders should interpret this shift carefully. It means that cryptographic systems once believed safe for a decade or more may only remain secure for a few years. Technology, regulation, and business strategy must align on a shorter timeline than before. Security investment cycles can no longer assume that encryption methods will outlast quantum development.

Jordan Kenyon, Chief Scientist in the Quantum Practice at Booz Allen Hamilton, summarized the situation clearly. She said that both algorithms and quantum hardware are improving rapidly and that “the magnitude of change is tough to deny.” Her insight captures the essence of today’s challenge: this is not a far-off possibility. It’s a technological certainty that demands leadership attention and immediate planning.

For executives, the key takeaway is clarity. Quantum change is no longer an abstract threat, it’s an emerging certainty shaped by measurable progress. Companies that act early to adopt post-quantum security measures will gain resilience and strategic advantage in a near future defined by quantum capability.

Widespread organizational unpreparedness for quantum-safe security

Most organizations are not ready for the post-quantum world. While NIST has finalized four quantum-resistant algorithms and identified a fifth, enterprise adoption remains limited. The majority of businesses have not yet created strong transition plans or upgraded their infrastructure for quantum-safe encryption. This leaves a wide gap between recognized standards and practical implementation.

Recent research highlights this lack of readiness. According to the Trusted Computing Group, 91% of organizations still have no defined roadmap for moving to post-quantum cryptography. Eighty percent report that their existing cryptographic libraries and hardware modules are not prepared for integration with post-quantum standards. Only 39% have started compliance readiness assessments. These numbers show a systemic issue, most businesses are not building at the speed the threat requires.

For executives, these findings reveal a critical leadership problem, not just a technical one. It’s not enough to delegate PQC to security teams or compliance units. The shift to quantum-safe encryption will affect supply chains, financial systems, and communication protocols. Senior leaders must give PQC readiness both financial and organizational priority. The companies that do not act will face avoidable disruption when quantum computers reach practical decryption power.

This is a moment for decisive action. C-suite leaders need to ensure that quantum migration becomes part of corporate strategy discussions, risk assessments, and long-term digital transformation plans. The cost of inaction will not be measured just in money but in trust, continuity, and regulatory compliance.

Immediate action required by security leaders

Quantum security is no longer something chief security officers (CSOs) and technology leaders can postpone. The developments over the past year make one thing clear, waiting for deadlines or finalized regulations creates unnecessary exposure. The data already shows that adversaries may be collecting encrypted information now, storing it for future decryption once quantum technology reaches the required capability.

Leading technology providers have shifted gears. Google accelerated its timeline to 2029. Microsoft and AWS are expected to follow. This momentum means the industry standard for preparing against quantum threats is being reset. Cybersecurity leaders need to align their migration schedules with these earlier benchmarks if they want to stay competitive and credible.

Michela Menting, Senior Research Director at ABI Research, emphasized that PQC certification and migration “can’t be a side project anymore.” She called on organizations to move their post-quantum transition plans to the top of their priority lists and to act sooner than previously planned based on NIST’s deprecation timeline. Her point reflects a growing consensus, the time for discussion has ended, and migration efforts must start now.

Executives should understand that this shift extends beyond security teams. It impacts the full operational landscape, from data storage to customer trust. PQC migration demands new budgeting considerations, stronger coordination between technology and compliance units, and a willingness to act earlier than comfort allows.

The message is simple and direct: those who move first will control their future security posture. Those who delay risk losing control of it when quantum computing reaches commercial and adversarial maturity.

Adoption of structured cryptographic preparedness measures

A structured, well-governed approach to cryptographic preparedness is now a business necessity. As quantum computing advances, organizations must know exactly what cryptography they use, where it is deployed, and how quickly it can be replaced when new standards emerge. Without this clarity, even large enterprises will face significant challenges adapting to post-quantum requirements.

Gartner has reported that 61% of organizations lack full visibility into their cryptographic systems. This means most businesses cannot accurately assess their exposure or prioritize which assets are most vulnerable. To fix this, executives must invest in comprehensive cryptographic inventories, detailed maps of every encryption system and key dependency across all business operations. These audits allow companies to manage risk intelligently and act efficiently during migration.

Beyond inventory, organizations need cryptographic agility. This refers to the ability to switch algorithms or standards with minimal operational disruption. It requires flexible architectures, adaptable hardware, and skilled teams capable of executing secure migrations quickly. Establishing a cryptographic center of excellence is a practical step toward achieving that goal. Such a team would oversee governance, coordinate cross-departmental efforts, and ensure that PQC priorities align with enterprise strategy.

For leaders, the takeaway is clear. This is not a matter of adopting one new encryption method and moving on. It’s about building a capability that ensures the business remains secure as threats evolve. A structured cryptographic management plan improves not only security but also compliance readiness and operational resilience. The companies that treat this as an ongoing leadership mandate, not a one-time technical project, will be positioned to stay ahead in an environment where data security will increasingly define business viability.

Main highlights

• Google accelerates the post-quantum timeline: Google’s new 2029 deadline for post-quantum cryptography means leaders must fast-track encryption upgrades to stay aligned with the evolving security landscape. Early planning will prevent disruption as standards shift ahead of schedule.
• Quantum capability is advancing faster than expected: Rapid progress in hardware and algorithm design has cut the estimated qubits needed to break RSA encryption from 20 million to around 100,000. Executives should update risk forecasts and adjust cybersecurity roadmaps to reflect this compressed timeline.
• Most organizations are unprepared for quantum threats: With 91% of firms lacking a quantum migration roadmap and most infrastructure not PQC-ready, leaders must establish clear strategies and allocate resources to build post-quantum resilience before exposure widens.
• Security leaders must act now: Waiting for regulatory deadlines is no longer viable as attackers may already be storing encrypted data to decrypt later. Executives should make PQC transition a top-tier initiative across technology, compliance, and budgeting.
• Structured cryptographic governance is critical: Executives need to implement comprehensive cryptographic inventories, strengthen algorithm agility, and establish dedicated centers of excellence. This approach ensures long-term security, visibility, and readiness for rapid cryptographic shifts.