Google Just Set the Clock on Cybersecurity’s Biggest Ever Upgrade

April 1, 2026 | Post Quantum Cryptography


By now, most executives have heard some version of the quantum warning.
Quantum computers are coming. Encryption will break. Q-Day is inevitable.

At this point, it risks sounding like the cybersecurity equivalent of ‘eat your vegetables’: widely accepted, vaguely important, and very easy to ignore.

Google’s recent announcement changes that dynamic.

By setting a 2029 timeline for post-quantum cryptography migration, it has shifted the conversation from abstract theory to something far less comfortable: a deadline.

This is not a prediction of when quantum computers will break encryption. It is more practical, and more urgent. It is a signal that organisations should assume the window to act is closing, and plan accordingly.

From Theory to Timeline

The reason this matters is simple. For years, quantum risk has been discussed as a future possibility. Now it is being framed as a present planning problem.

The drivers are well understood:

  • Rapid reductions in the estimated cost of breaking RSA
  • Increasing confidence that large-scale systems are achievable

At the same time, the threat is already active in a quieter form. Sensitive data is being collected today with the expectation that it can be decrypted later, a tactic known as ‘harvest now, decrypt later’.

Which leads to an uncomfortable but important point:

The breach has, in many cases, already happened.
We are simply waiting for the decryption.

The Part Everyone Is Avoiding

If there is one reason the conversation keeps circling back to theory, it is this: the real problem is inconvenient. It is not about choosing a new algorithm. It is about replacing cryptography everywhere, and ‘everywhere’ is doing a lot of work here.

Cryptography sits inside applications and APIs, devices and firmware, networks and data flows, supply chains and third-party services, and legacy systems that nobody wants to touch.

Most organisations do not have a complete map of where it is used; some would struggle to produce even a partial one. Which makes the idea of a clean, orderly migration somewhat optimistic.

Why Waiting Feels Easier, and Why It Isn’t

There is a natural temptation to delay.

After all:

  • The standards are new
  • The timelines are uncertain
  • The problem feels distant

And, if we are honest, the industry has a long tradition of discussing quantum risk without doing very much about it.

But procrastination is not neutral. It creates two very practical risks:

  • More data at risk
    Every year adds to the volume of information that could be decrypted later
  • Less time to fix it properly
    Migration windows shrink, increasing the likelihood of rushed, disruptive implementations

Put differently: waiting does not reduce uncertainty. It simply reduces options.

The Legal Grey Area, and Why It Matters

There is a common assumption that quantum risk is too early to carry real liability. That assumption may not hold. Under frameworks such as GDPR, organisations are required to implement ‘appropriate technical and organisational measures’, often interpreted as maintaining ‘state of the art’ security.

In practice, this means:

  • Using current, proven protections
  • Regularly reviewing and updating controls
  • Responding to known, credible threats

‘State of the art’ is not fixed. It evolves.

If post-quantum cryptography is available, standardised, and increasingly adopted, and organisations choose not to act, the question becomes uncomfortable:

Is inaction still defensible?

There is, as yet, no case law defining liability in a post-quantum breach scenario. But that may offer little reassurance. Because the organisations that test that boundary will do so after the breach, not before it.

The Conversation Few Boards Want to Have

There is another, less technical barrier. Many organisations struggle to take this issue to the board in clear terms. Because the honest version sounds like this:

‘At some point in the future, the cryptography that underpins everything we do may stop working.’

That is not an easy message to deliver. Nor is it an easy one for boards to act on. So the issue is often softened:

  • Framed as a long-term risk
  • Delegated to technical teams
  • Or deferred for ‘further monitoring’

But the combination of clearer timelines and increasing industry movement makes that position harder to sustain. This is no longer just a technical issue. It is a governance decision.

The Problem Is Not Cryptography, It Is Infrastructure

Much of the current discussion focuses on post-quantum algorithms. This is necessary, but it misses the point.

The real challenge is operational.

Replacing cryptography across global infrastructure is not a patch. It is a transformation. And most organisations are not structured to do it quickly, safely, or at all without significant disruption.

Google’s emphasis on ‘crypto agility’, and its integration of post-quantum standards into platforms such as Android, reflects this reality. Security must be designed to evolve, not to be replaced wholesale.

This is where the gap lies.

What Organisations Should Actually Do

If the conversation is to move beyond theory, it needs to become practical.

The instinct is often to start with multi-year crypto audits. That instinct is understandable, but increasingly flawed. By the time you have perfectly mapped where cryptography sits, the timeline to safely replace it may already have closed. The priority is not perfect visibility. It is controlled remediation at pace.

Three priorities stand out:

  1. Move from discovery to action
  • Assume RSA and ECC are widely embedded
  • Prioritise high-risk, high-value systems first
  • Begin upgrading now, not after full audits

This is not about understanding everything. It is about reducing exposure quickly.

  2. Build the ability to adapt
  • Avoid hard-coded cryptography
  • Enable updates without replacing entire systems
  • Design for flexibility

  3. Think beyond the algorithm
  • Treat cryptography as infrastructure
  • Plan for continuous change, not one-off migration
  • Focus on deployment, not just selection

None of this is particularly glamorous. But it is where the real work lies.

A More Practical Perspective

At Sitehop, we view the quantum transition less as a cryptographic problem and more as an infrastructure one.

The organisations that succeed will not be those that simply adopt post-quantum algorithms. They will be those that can:

  • Deploy changes at scale
  • Update security dynamically
  • Maintain performance and uptime

In short, those that can evolve without disruption.

This requires architectures where cryptographic functions can be updated at line speed across networks, rather than replaced system by system.

The Clock Is Now Visible

Google’s timeline does not guarantee when Q-Day will arrive. But it does something arguably more important: it makes inaction harder to justify.

The industry has moved from ‘Quantum is coming’ to ‘You should already be preparing’.

The next phase will be less forgiving. Because this is not just another upgrade cycle. It is a reset of the trust mechanisms that underpin the digital economy.

The longer organisations remain in the realm of theory, the more likely they are to encounter the problem in practice. And by that point, it will no longer be a discussion about timelines. It will be a discussion about accountability.
