Post-quantum Cryptography & Crypto Agility

The encryption protecting your data today has an expiry date.

Quantum computing will render the cryptographic algorithms that secure the internet obsolete. The organisations that act now — before quantum computers arrive — will be the ones that are ready when it matters. Nomios helps you assess, plan, and migrate.

Introduction

This is not a distant future problem

The common assumption is that quantum computing is decades away — and therefore post-quantum migration can wait. That assumption is wrong in two important ways. First, the timeline is shortening faster than most organisations realise. Second, the threat is already active: attackers are harvesting encrypted data today, storing it until quantum computers can decrypt it. Data you encrypt now may be readable in five to ten years.

For data that needs to remain confidential beyond that horizon — financial records, health data, intellectual property, state secrets — the window to act is not in the future. It is now. Nomios helps organisations understand their exposure, prioritise their most vulnerable cryptographic assets, and build the crypto agility to migrate without disruption.

The quantum threat timeline

Where we are — and where this is going

The transition from theoretical threat to operational reality is moving faster than most security programmes have planned for.

2022 — 2024

NIST standards finalised

NIST published the first post-quantum cryptographic standards — ML-KEM, ML-DSA, and SLH-DSA — marking the start of the migration era.

Now — 2026

Harvest now, decrypt later

Nation-state actors are actively harvesting encrypted traffic today, storing it to decrypt once quantum computers are available. Long-lived sensitive data is already at risk.

2027 — 2030

Regulatory mandates arrive

Financial regulators, government agencies, and critical infrastructure frameworks are expected to require PQC migration plans — and evidence of progress — within this window.

2030+

Cryptographically relevant quantum

Expert consensus places the arrival of a quantum computer capable of breaking RSA-2048 and ECC within this range. Organisations that are not prepared will face a crisis.

"Harvest now, decrypt later" — the threat that is already active

You do not need to wait for a quantum computer to be at risk from quantum computing. Sophisticated adversaries — primarily nation-state actors — are already recording and storing encrypted network traffic, knowing they will be able to decrypt it once quantum computers become available.

Any data that needs to remain confidential for more than five to ten years is potentially already compromised. That includes negotiated contracts, patient records, financial instruments, intellectual property, and government communications.

01 Today: Attacker intercepts and stores your encrypted data — even without being able to read it yet.

02 ~2030: Quantum computer becomes available, capable of breaking RSA and ECC encryption.

03 Result: Data encrypted years ago — contracts, IP, communications — is now readable in plaintext.

04 The fix: Migrate to post-quantum algorithms now, so data encrypted today cannot be decrypted by future quantum computers.

NIST PQC standards

The algorithms your organisation needs to migrate to

NIST FIPS 203: ML-KEM

Module-Lattice Key Encapsulation Mechanism — the primary standard for key exchange and encryption. Replaces RSA and ECC in most key agreement protocols including TLS.

NIST FIPS 204: ML-DSA

Module-Lattice Digital Signature Algorithm — for digital signatures. Replaces RSA and ECDSA in certificate signing, code signing, and authentication protocols.

NIST FIPS 205: SLH-DSA

Stateless Hash-Based Digital Signature Algorithm — an alternative signature scheme based on hash functions, providing diversity and resilience as a secondary standard.

Our services

Three ways to engage

PQC readiness is primarily a consulting and assessment engagement today — with professional services delivery as organisations begin active migration.

Professional services

Hands-on PQC migration — updating PKI infrastructure, certificate estates, HSM firmware, application cryptography, and network protocols to NIST-standardised post-quantum algorithms.

Managed services

Once your post-quantum migration is underway or complete, Nomios can operate your PKI, CLM, and HSM infrastructure as a fully managed service — ensuring your cryptographic foundation remains healthy, current, and quantum-ready as the landscape continues to evolve.

Consulting services

PQC readiness assessment, cryptographic inventory, risk prioritisation, and migration roadmap. The essential starting point for any organisation taking quantum risk seriously.

Get in touch

When did you last assess your quantum exposure?

For most organisations, the answer is never. Start with a cryptographic inventory and risk assessment — and find out where you actually stand before the window to act closes.
