TL;DR: Google says organizations should expect threat actors with previously stolen encrypted material to begin cracking it with quantum techniques by 2029, and urges an immediate transition to post-quantum encryption as standards such as ML-DSA mature. The critical risk is not a sudden collapse of all encryption, but a long-dated exposure window for data already collected today.
NHIMG editorial — based on content published by Swarmnetics: When Will “Q-Day” Happen, Really? Google Says Be Ready With Encryption Transition by 2029
By the numbers:
- Q-Day may no longer be 10 years away, according to a new warning from Google.
- Android 17, expected in June, will incorporate the NIST-approved ML-DSA for digital signature protection.
- Organizations should expect that, at minimum, threat actors that have already stolen encrypted materials will potentially be able to start cracking them with quantum computing techniques by 2029.
Questions worth separating out
Q: How should organisations prepare for post-quantum cryptography without breaking existing systems?
A: Start with a complete cryptographic inventory, then prioritise the systems that protect long-lived sensitive data, identity proofs, and signing workflows.
Q: Why does post-quantum risk matter for IAM and NHI programmes?
A: IAM and NHI systems depend on certificates, keys, signatures, and token validation to establish trust between services and users.
Q: What breaks if organisations leave long-lived encrypted data untouched?
A: The main failure is deferred exposure.
Practitioner guidance
- Inventory all cryptographic dependencies Catalog every system, application, certificate chain, signing workflow, and secret store that relies on RSA, ECC, or long-lived keys.
- Prioritise long-retention data first Rank encrypted archives, identity records, and regulated datasets by how long they must remain confidential.
- Map certificate and signature dependencies Identify where digital signatures, certificate trust chains, and token verification are embedded in operational workflows.
What's in the full article
Swarmnetics' full analysis covers the transition detail this post intentionally leaves at a governance level:
- How Google’s 2029 framing relates to current post-quantum standardisation efforts and what that means for migration planning
- The specific reasons stored encrypted material is the most credible early Q-Day exposure path
- Where organizations should begin a cryptographic inventory across applications, signatures, and trust chains
- Why simply updating product versions does not solve long-term encryption exposure
👉 Read Swarmnetics' analysis of Q-Day timelines and post-quantum encryption transition →
Post-quantum encryption by 2029: what should security teams do now?
Explore further
Q-Day creates a cryptographic governance problem before it becomes a cryptographic failure. The article’s central warning is that organisations can no longer treat post-quantum transition as a distant R&D topic. Once encrypted materials are stolen, the exposure window can extend far beyond the original breach. For identity and access programmes, that means secrets, certificates, and signed trust artifacts must be evaluated for long-term value, not just current protection. Practitioners should treat cryptographic ageing as a governance issue, not a tooling refresh.
A question worth separating out:
Q: Who should own post-quantum migration decisions inside the enterprise?
A: Ownership should sit with security architecture and crypto governance, but the work must involve IAM, application owners, data protection, and infrastructure teams. That model ensures certificates, secrets, signing services, and retention policies are changed together. For most organisations, the right control is a cross-functional migration programme, not a single technical team.
👉 Read our full editorial: Q-Day by 2029 sharpens the case for post-quantum encryption transition