Quantum Computing Is Approaching Faster Than Encryption Can Migrate
At GTC in San Jose last week, NVIDIA expanded the availability of NVQLink — a connector that links quantum processors to the GPU infrastructure that already runs most of the world’s AI workloads. NVQLink was first introduced at GTC Washington in October 2025. By March 2026, it had moved from announcement to deployment. The expansion was buried under a day of headlines about Vera Rubin, robotics, and foundation models. It deserved more attention — not for what NVQLink does today, but for what its trajectory signals about how fast the quantum engineering ecosystem is maturing.
NVQLink does not break encryption. No quantum computer does, yet. What NVQLink represents is the commercialisation of the bridge between quantum hardware and classical computing — the infrastructure layer that will eventually allow quantum processors to operate at the scale needed to threaten the encryption protecting virtually all digital communication. Pacific Northwest National Laboratory, Lawrence Berkeley National Laboratory, Quantinuum, Infleqtion, Q-CTRL, and a commercial deployment in South Korea by Anyon Computing and SDT have all adopted or integrated it. The technology is moving from research partnerships toward enterprise infrastructure, which means the engineering timeline for quantum capability is no longer set only by physicists in laboratories. It is being shaped by the same commercial deployment dynamics that accelerated GPUs, cloud computing, and AI itself.
The question this article addresses is not when quantum computers will be able to break current encryption — that timeline remains uncertain. It is whether the organisations that depend on that encryption are preparing for the transition, given that the cost of being late is not merely high but retroactive and irreversible.
The evidence suggests most are not.
---
A note on sources
This article draws on four categories of evidence: NVIDIA’s announcements regarding NVQLink and CUDA-Q from GTC Washington (October 2025) through GTC San Jose (March 2026) (company press releases and keynote presentations), the NIST post-quantum cryptography programme (FIPS 203, 204, and 205; NIST IR 8547; and associated technical documentation), the CISA Post-Quantum Cryptography Initiative and associated interagency guidance (CISA, NSA, and NIST joint publications), and the Global Risk Institute’s 2024 Quantum Threat Timeline Report. Where a claim originates with a company’s own announcement — such as NVIDIA’s NVQLink adoption figures or Dell’s product offerings — it is attributed accordingly. NIST publication dates and standard designations are drawn from NIST’s own documentation. The article does not present proprietary data analysis. Its contribution is the synthesis of a governance argument from publicly available sources.
---
The assumption under everything
Modern digital infrastructure rests on a single mathematical assumption: that certain problems are computationally hard.
When you connect to a bank, your browser establishes a secure connection using public-key cryptography — a system in which two mathematically related keys, one public and one private, allow parties to communicate securely without having to share a secret in advance. The two dominant versions are RSA and elliptic curve cryptography (ECC). Both depend on the same basic principle: they use mathematical operations that are easy to perform in one direction but extraordinarily difficult to reverse. For RSA, that operation is multiplying large prime numbers — easy to do, but effectively impossible to undo (factoring the product back into its primes) with today’s computers. For ECC, the hard problem is different in its mathematics but identical in its function: a one-way operation that secures the communication. The standard heuristic is that breaking a typical RSA key would take a classical computer longer than the age of the universe — though that figure assumes current methods and should be treated as an illustration of the difficulty rather than a guarantee. What matters for governance purposes is the gap between classical intractability and quantum tractability, not the precise magnitude of the classical number. The mathematics has held since Rivest, Shamir, and Adleman published RSA in the late 1970s, and since Miller and Koblitz independently proposed elliptic curve cryptography in the mid-1980s.
Quantum computing changes the calculus. In 1994, Peter Shor published an algorithm demonstrating that a sufficiently powerful quantum computer could factor large numbers — and therefore break RSA — in polynomial time. The same class of algorithm threatens elliptic curve cryptography. The theoretical vulnerability has been known for more than thirty years. What has changed is the engineering trajectory toward machines capable of executing Shor’s algorithm at relevant scale.
This is not a speculative risk in the way some technology threats are speculative. The mathematics is settled. Shor’s algorithm works. The question is purely engineering: when will quantum hardware reach sufficient scale, stability, and error correction to run it against the key sizes that protect real-world systems? That question does not have a precise answer, but the trend line is informative — and the consequences of arriving unprepared are severe enough that the uncertainty itself is the governance problem.
Every digital signature. Every certificate chain. Every encrypted communication archived by any government, corporation, or intelligence service. Every medical record, financial transaction, diplomatic cable, and trade secret protected by RSA or ECC has a shelf life. The expiration date is unknown but finite. And the infrastructure being built at GTC — NVQLink, CUDA-Q, hybrid quantum-classical pipelines available for enterprise procurement — is the engineering trajectory that determines when it arrives.
---
The standard is written. The clock is running.
In August 2024, NIST released three post-quantum cryptographic standards — the culmination of an eight-year process that began in 2016 when NIST issued a public call for quantum-resistant algorithms.
The three standards address the two core functions of public-key cryptography. FIPS 203 (ML-KEM) replaces the current method for key exchange — the initial handshake by which two parties establish a secure channel. FIPS 204 (ML-DSA) replaces the current method for digital signatures — the mechanism that verifies identity and ensures that data has not been tampered with in transit. FIPS 205 (SLH-DSA) provides an alternative digital signature approach built on different mathematical foundations, serving as a hedge in case the primary approach is eventually found to be vulnerable. A fourth algorithm, HQC, has been selected for standardisation as an additional key exchange mechanism, providing further redundancy. The technical designations matter less than the structural point: NIST has published quantum-resistant replacements for both of the core cryptographic functions that underpin digital infrastructure.
The standards exist. They are published, free, and public. The algorithms have been vetted through years of open cryptanalysis. The question is no longer whether quantum-resistant cryptography is available. It is whether organisations will deploy it in time.
In November 2024, NIST published the initial public draft of IR 8547 — its transition plan for post-quantum cryptography. The document sets the direction: quantum-vulnerable algorithms are to be deprecated and ultimately disallowed by 2035, with high-risk systems expected to transition substantially earlier. Federal agencies and their contractors will be expected to have completed the migration within that window. The plan is in draft, but the trajectory is clear.
Ten years sounds like a long time. The migration itself does not.
---
Why migration is harder than it sounds
Cryptographic migration is not a software update. It is an infrastructure transformation that touches every system, protocol, certificate, and key in an organisation’s technology stack.
Consider what the migration requires. Every security certificate that protects a website, an internal service, or a connection between systems must be reissued using the new algorithms. Every piece of network equipment that handles encrypted traffic — VPN gateways, load balancers, network appliances — must support the new standards, which may require software updates, hardware replacements, or both. Every dedicated device that stores cryptographic keys (known in the industry as hardware security modules) must be evaluated for compatibility. Every certificate that validates software integrity must transition. Every encrypted database, every encrypted backup, every encrypted archive must be assessed for its remaining confidentiality requirement and re-encrypted or accepted as a future vulnerability.
And that is just the inventory an organisation controls directly. The harder problem is the supply chain. Most organisations’ encryption is not implemented by their own engineers. It is embedded in the products and services they purchase — in the TLS libraries of their cloud providers, in the firmware of their network equipment vendors, in the certificate infrastructure of the public certificate authorities they depend on, in the encrypted channels of every SaaS application their employees use. An organisation cannot complete its own migration until every link in its encryption supply chain has also migrated.
CISA’s guidance is explicit on this point. Its recommended first step is inventory: identify every system that uses public-key cryptography, categorise the data each system protects, and determine the lifecycle of that data. For most organisations, this inventory has never been conducted. The question “which of our systems depend on quantum-vulnerable encryption, and where are the keys?” has not been asked, because until now there was no reason to ask it. The cryptographic substrate was invisible infrastructure — like plumbing, assumed to work and never inspected.
The RAND Corporation, working in support of CISA, assessed all 55 National Critical Functions — the essential functions the US government has identified as critical to national security, economic security, and public health. The assessment concluded that quantum computing presents risks to every one of them. Four functions were identified as foundational to the migration itself: providing internet-based content, information, and communication services; providing identity management and associated trust support services; providing information technology products and services; and protecting sensitive information. If these four do not migrate first, everything built on top of them cannot migrate either.
---
The harvest problem
The standard objection to urgency is that cryptographically relevant quantum computers do not yet exist. The objection is correct, but it misses the mechanism by which the threat operates.
The strategy is called “harvest now, decrypt later” — HNDL in the security literature. The concept is straightforward: an adversary intercepts and stores encrypted communications today, knowing that current encryption protects the data. The adversary warehouses the ciphertext. When quantum computing reaches sufficient capability — whether in five years, ten years, or twenty — the adversary decrypts the archive.
The strategy is rational for any data whose confidentiality lifetime exceeds the timeline to cryptographically relevant quantum computing. Diplomatic communications whose sensitivity lasts decades. Medical records governed by retention requirements of thirty years or more. Trade secrets with commercial value measured in patent lifetimes. Intelligence intercepts whose relevance persists for the career of the source. National security information classified for twenty-five years or longer. Personal data subject to privacy regulations that impose indefinite protection obligations.
For these categories, the threat is not future. It is present. Every communication encrypted with a quantum-vulnerable algorithm and intercepted today is a future exposure, awaiting only the hardware to execute it. The confidentiality of the data depends not on whether the ciphertext was captured — that may have already happened — but on whether quantum capability arrives before the data’s sensitivity expires. The decryption is deferred, not prevented.
The Global Risk Institute’s 2024 Quantum Threat Timeline Report — its sixth annual assessment, drawing on 32 global experts in quantum computing, cryptography, and cybersecurity — found increasing concern that the threat timeline may be shorter than earlier estimates suggested. The finding should be contextualised: expert consensus on quantum computing timelines has historically been unreliable in both directions, with estimates shifting substantially between survey years depending on which engineering milestones were most recently achieved. What the longitudinal trend across six annual reports shows is not a precise date but a direction — the assessed probability of a cryptographically relevant quantum computer within a given timeframe has been rising, not falling, with each successive survey. The uncertainty is real. The trajectory of the uncertainty is informative.
The logical bridge from “experts are uncertain” to “act now” is not consensus. It is asymmetry of consequences. If an organisation migrates early and quantum capability arrives late, the cost is capital spent sooner than necessary — a timing inefficiency, not a loss, because the migration was required eventually regardless. If an organisation delays and quantum capability arrives early, the cost is catastrophic and retroactive: every communication harvested during the delay window is exposed, the migration must be conducted under emergency conditions at premium cost, and the reputational and legal consequences of a breach that was foreseeable land on the board that chose to wait. The expected value calculation does not depend on knowing when quantum computers will be capable. It depends on the ratio between the cost of acting early and the cost of acting too late. That ratio is not close.
CISA, NSA, and NIST issued a joint factsheet on quantum readiness in August 2023, explicitly citing the harvest-now-decrypt-later threat and recommending that organisations begin migration planning immediately — not when quantum computers become capable, but now, because the data being harvested today will be exposed whenever capability arrives.
The logic is uncomfortable but inescapable: the time to migrate is not when quantum computers can break encryption. It is the length of the migration minus the confidentiality lifetime of the data being protected. For any organisation whose data must remain confidential for longer than the migration will take, the deadline has already passed. They are accumulating exposure with every day of delay.
---
Three findings from the evidence
The preceding sections establish the technical landscape: what quantum computing threatens, what NIST has published, why migration is complex, and why the harvest-now-decrypt-later window means the threat is already active. The findings below do not recap that material. They synthesize the governance implications that emerge when the pieces are placed side by side.
Finding 1: The gap between the regulatory timeline and the historical migration rate has no precedent.
NIST’s IR 8547 sets 2035 as the deadline for removing quantum-vulnerable algorithms, with high-risk systems expected to transition earlier. The two closest historical precedents — the SHA-1 to SHA-2 transition and the DES to AES migration — each took well over a decade from standard publication to widespread adoption, and both were substantially simpler than what post-quantum migration requires. SHA-1 to SHA-2 replaced one component while leaving the surrounding infrastructure intact. The post-quantum migration replaces the mathematical foundations of both key exchange and digital signatures simultaneously, with downstream effects on key sizes, protocol performance, and every system that touches encrypted communication.
The historical rate does not predict how long this migration will take. It establishes a floor: even easier migrations took longer than anyone planned for. The post-quantum migration is harder on every dimension — mathematical foundations, key sizes, supply chain depth — which sets the planning assumptions for a harder one beneath a floor that was already uncomfortable.
A reasonable objection: if the post-quantum migration is categorically more consequential, perhaps it will move faster, because it attracts more resources, executive attention, and regulatory pressure than SHA-1 ever did.
But the floor argument has a real counterargument that deserves examination: perhaps a harder, more consequential migration will actually move faster, because it attracts more resources, executive attention, and regulatory pressure than SHA-1 ever did. Y2K is the natural precedent. The millennium bug involved a sweeping infrastructure audit and remediation across every sector, with a fixed deadline. Organisations mobilised at unprecedented scale, and the transition largely succeeded — precisely because the deadline was visible and immovable.
The Y2K comparison is instructive but not reassuring. Y2K had a fixed, publicly known deadline that no one could argue with: midnight on January 1, 2000. The post-quantum deadline is uncertain, contested, and invisible. There is no date on the calendar when encryption breaks. There is only a gradually increasing probability, assessed differently by different experts, that it will break at some point within a window that may be ten years or may be twenty-five. Y2K mobilisation happened because every CEO knew the date. Post-quantum mobilisation requires acting on a probability distribution — a fundamentally harder political ask inside any organisation. The counterargument that urgency will drive speed assumes the urgency will be felt before the deadline arrives. For HNDL-vulnerable data, the effective deadline may have already passed without anyone noticing, because the harm is silent until quantum capability materialises.
Finding 2: The inventory gap is a governance gap, not just an operational one.
The preceding section documented why most organisations lack a cryptographic inventory. The governance implication goes beyond operational delay. A board that cannot scope the migration cannot assess the organisation’s exposure to the harvest-now-decrypt-later threat — and cannot, therefore, make an informed decision about when to begin, how much to budget, or what to prioritise. The risk sits in a governance blind spot: it is not that the board has assessed quantum exposure and accepted it, but that the board lacks the information to assess it at all.
This distinguishes the quantum migration from most infrastructure risks that reach a board agenda. When a board evaluates cybersecurity posture, cloud migration, or regulatory compliance, it can at least scope the problem — identify which systems are affected, estimate the cost of remediation, and set a timeline. For post-quantum migration, most organisations cannot yet answer the first question: which of our systems are quantum-vulnerable, and which of those protect data whose confidentiality lifetime extends beyond the estimated quantum timeline? Until the inventory exists, the board is making resource-allocation decisions about a risk whose magnitude is unknown.
CISA has begun developing automated cryptography discovery and inventory tools — its Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools — specifically because manual inventory is impractical at the scale required. These tools are in early deployment. Their maturation may eventually close the gap, but the gap is open now, and every quarter it remains open is a quarter in which exposure accumulates without being measured.
Finding 3: The jurisdiction problem is more specific here than in previous articles.
This series has returned to the gap between global capability and national governance in every article. In this case the pattern is worth developing in detail, because the cryptographic jurisdiction problem has a concrete mechanism that the compute and biosafety jurisdiction problems do not: algorithm divergence.
Encryption standards are global in their deployment but national in their governance. NIST sets standards for US federal agencies and their contractors. The European Union is developing its own post-quantum migration guidance through ENISA. China has its own post-quantum research programme and has been developing indigenous lattice-based and code-based algorithms through its national cryptographic standards body. International standards bodies — ISO, IETF, ETSI — are incorporating post-quantum algorithms into their frameworks on different timelines with different requirements.
The divergence is not hypothetical. NIST’s selected algorithms — ML-KEM, ML-DSA, SLH-DSA — emerged from an open, international competition, but the selection was made by a US agency. China’s post-quantum programme has developed algorithms that were not submitted to or evaluated through the NIST process. If Chinese regulatory authorities require the use of domestically developed post-quantum algorithms for data within Chinese jurisdiction — which would be consistent with China’s existing approach to cryptographic standards and data localisation — an organisation operating across US and Chinese markets may need to implement two entirely separate post-quantum cryptographic stacks. The EU’s position is still forming, but ENISA’s guidance may diverge from NIST’s on implementation timelines, approved algorithm lists, or hybrid deployment requirements.
The practical consequence for a multinational organisation is a compliance matrix that does not yet have stable entries. Which post-quantum algorithms are approved in which jurisdictions, for which use cases, with which implementation requirements? The answer is not yet clear because the standards landscape is still consolidating. A migration completed to NIST standards may need to be partially redone to satisfy requirements in other jurisdictions — not because the cryptography is different, but because the governance is.
The NVQLink deployment illustrates the geography from the capability side. NVIDIA’s platform is available globally. National laboratories in the United States adopted it. A commercial deployment in South Korea followed. Quantum processing unit builders headquartered in different countries integrated it. The quantum computing capability is developing across borders, but the governance response — which algorithms to use, by when, under whose authority — remains national. An organisation that completes migration to NIST standards only to discover that its operations in the EU or China require different algorithms, different key management, or different transition timelines faces not a single migration but a series of them, compounding the cost and duration of an already difficult process.
---
Where this leaves boards and governance professionals
The analysis above describes a threat with a specific structure, and the governance response must follow from that structure rather than from a generic risk management template. Three features of the quantum-encryption problem distinguish it from most risks that reach a board agenda.
First, the exposure is accumulating silently. Unlike a data breach, a compliance failure, or a systems outage, the harvest-now-decrypt-later threat produces no alert, no incident report, and no observable symptom. An organisation whose communications are being intercepted and warehoused today will learn about it only when quantum capability arrives and the archive is decrypted — or, more precisely, will never learn about it directly, because the decryption will happen in an adversary’s facility. The board’s normal feedback loop — something goes wrong, the incident is detected, the response is triggered — does not operate here. The harm accrues in silence. This means that the governance question is not “how do we respond when the risk materialises?” It is “how do we act on a risk that will never announce itself until the damage is irreversible?”
Second, the organisation cannot solve this alone. The supply-chain dependency documented above means that even a perfectly executed internal migration is incomplete if any link in the cryptographic supply chain — cloud provider, certificate authority, HSM vendor, SaaS platform, network equipment manufacturer — remains quantum-vulnerable. The governance question is not only “are we migrating?” but “are we tracking whether everyone we depend on is migrating, and do our contracts give us the right to require it?”
Third, the migration has no natural owner. It touches infrastructure, applications, procurement, legal, vendor management, and risk — spanning every function without sitting naturally in any one. Without explicit executive assignment, it will default to IT infrastructure teams who lack the authority to drive cross-functional change at the pace the timeline requires and who lack the budget to absorb what is, in effect, a re-engineering of the organisation’s entire cryptographic substrate.
The operational steps that follow from these features — cryptographic inventory, harvest-window calculation, supply-chain mapping, executive ownership — are well documented. CISA’s guidance covers them. A competent security team that reads the NIST transition plan and the joint CISA-NSA-NIST factsheet will arrive at the same list. The steps are not where most organisations are stuck.
The contribution of the analysis above is not the action list. It is the explanation of why the action list is not being acted on. The three structural features — silent accumulation, supply-chain dependency, and absent ownership — are not obstacles that better guidance will overcome. They are properties of the threat itself, and they work against the normal mechanisms by which organisations mobilise.
Silent accumulation means there will be no crisis to trigger the response. Boards that govern by exception — responding when something breaks — will not respond to this, because nothing will visibly break until the damage is complete. Supply-chain dependency means that even organisations that do respond cannot finish alone, and the coordination problem has no natural coordinator. Absent ownership means the migration will compete for attention inside every function without being the priority of any one of them.
The question for governance professionals is not “what should we do?” — that question has been answered, publicly, by the agencies responsible for answering it. The question is whether boards can act on a threat that never announces itself, that cannot be resolved unilaterally, and that belongs to no one’s budget. The organisations that complete the migration in time will be those that found a way to govern a risk that is structurally designed to evade governance.
---
What remains open
This article describes a threat with an unusual structure: the mathematics is certain, the engineering timeline is uncertain, and the consequences of delay are accumulating now, invisibly, in archives of harvested ciphertext that cannot be recalled.
Three questions will determine how this unfolds.
First, whether the quantum computing timeline compresses. The expert surveys — including the Global Risk Institute’s longitudinal series — show the assessed probability of near-term capability trending upward, though individual estimates vary widely. Every advance in quantum error correction, qubit stability, and hybrid quantum-classical integration — of the kind NVQLink represents — brings the timeline forward. The engineering is progressing on multiple fronts simultaneously, and breakthroughs in any one area can accelerate the others. Organisations that plan for the longest estimated timeline are exposed if the actual timeline is shorter. The uncertainty is not a reason for delay. It is the reason delay is dangerous.
Second, whether the migration achieves critical mass before the threat materialises. Cryptographic migrations exhibit network effects: the value of migrating increases as more of the ecosystem migrates, and the cost of not migrating increases as the infrastructure around you assumes post-quantum standards. The current state is early — NIST published the standards eighteen months ago, and widespread deployment has barely begun. The question is whether the transition reaches a tipping point where migration becomes the default expectation, or whether it follows the pattern of previous cryptographic transitions and stalls for years in partial adoption.
Third, whether the harvest-now-decrypt-later window produces consequences before the migration completes. If nation-state adversaries are warehousing encrypted communications — and the intelligence community’s public statements suggest they are — the cost of delay is already being incurred. It simply has not been invoiced yet. When quantum capability arrives, the invoice will be presented all at once, retroactively, for every communication intercepted during the window. No organisation will be able to assess its exposure after the fact, because no organisation can know what was intercepted.
The previous article examined what happens when AI-accelerated science outruns the safety frameworks designed to govern it. This article examined what happens when the mathematical foundation of digital security has a known expiration date and most organisations have not started replacing it. The next article in this series turns to a different kind of infrastructure under pressure: climate models, the AI systems that are transforming them, and the governance of predictions that shape trillions of dollars in capital allocation.