03.04.2026

Post-Quantum Cryptography: Why 2026 Is the Starting Gun


On 11 February 2026, the BSI (Federal Office for Information Security) officially launched the phase-out of classical encryption methods. RSA and elliptic curve cryptography (ECC) must be replaced by post-quantum cryptography (PQC) for highly sensitive data by the end of 2030 – and across the board by the end of 2031. Industry analyses estimate the migration will take five to ten years. Anyone who delays starting beyond 2026 will miss the BSI deadlines. Why? Quantum computers don’t need to exist yet to pose a threat. Attackers are already harvesting encrypted data today – so they can decrypt it tomorrow.

The Key Takeaways

  • BSI Deadline 2031: RSA and elliptic curves must be replaced by post-quantum cryptography by end of 2030 (highly sensitive data) or end of 2031 (general) (BSI, 11.02.2026).
  • Harvest Now, Decrypt Later: Attackers store encrypted data today to decrypt it with future quantum computers. Affected: Patents, M&A data, health data.
  • Migration takes 5 to 10 years: Anyone not starting in 2026 will not meet BSI deadlines. Every TLS connection, every VPN, every certificate must be touched.
  • Three NIST Standards since 2024: ML-KEM (key exchange), ML-DSA (signatures), and SLH-DSA (hash-based signatures) are the new reference methods.
  • First Step: Crypto Inventory: Systematically record where classical encryption is used in the company. No inventory, no migration plan.

What the BSI Announced on 11 February 2026

The BSI press release was unambiguous: time is running out for classical encryption methods. RSA, Diffie-Hellman, and elliptic curve-based methods (ECC) must be replaced by quantum-safe algorithms. 2030 is the target date for particularly sensitive data, 2031 for all others.

The BSI justifies the urgency with two arguments. First: the technical development of quantum computers is accelerating. Even if powerful cryptographically relevant quantum computers do not yet exist, the timing of their appearance is unpredictable. Security planning must assume the worst case, not the most likely scenario. Second: migrating existing systems takes years. Anyone who reacts only when quantum computers are available is too late.

Particularly relevant for SMEs: the BSI recommendation is not only for authorities and operators of critical infrastructures. It applies to all organizations processing sensitive data, i.e., virtually every company.

The scope of the announcement becomes clear when looking at the numbers: according to a Cloud Security Alliance survey, 40 percent of security managers surveyed expect cryptographically relevant quantum computers to be available before 2030. Another 34 percent expect the period 2030 to 2035. The BSI is not planning for a theoretical risk, but for an expected development within the planning horizon of today’s IT investments.

For SMEs, this has concrete consequences: every IT procurement made today must consider PQC compatibility. A new ERP system, a VPN refresh, a certificate rollout: everything with a lifespan of five or more years should be checked for PQC capability before the contract is signed.

“Classical asymmetric cryptography must be replaced by quantum-safe methods. Migration should begin now.”
– Paraphrased from BSI press release, 11 February 2026

Harvest Now, Decrypt Later: The Invisible Threat

The most dangerous scenario is called ‘Harvest Now, Decrypt Later’ (HNDL). Intelligence agencies and state-sponsored hacker groups intercept encrypted traffic today and store it. As soon as powerful quantum computers are available, they decrypt the collected data retroactively.

For data with a short lifespan, such as an order confirmation, this is irrelevant. For data with a long confidentiality period, it is existential: trade secrets, patent applications, M&A negotiations, strategic plans, research data. If a quantum computer decrypts this data in ten years, it still has value for competitors or foreign governments.

The consequence: the point in time from which post-quantum cryptography becomes relevant is not the day the first cryptographically relevant quantum computer is built. It is the day the data is first encrypted and transmitted. And that day was yesterday.

The Federal Office for the Protection of the Constitution confirms that state actors are already intercepting and storing encrypted traffic on a large scale today. China has publicly announced it will develop a cryptographically relevant quantum computer by 2030. The USA is investing several billion dollars in quantum research via the National Quantum Initiative Act. In this geopolitical race, German corporate data is not collateral damage, but a strategic target.

2031: BSI deadline for replacing classical encryption with PQC (Source: BSI press release, 11 February 2026)

The New Standards: ML-KEM, ML-DSA, and SLH-DSA

The US National Institute of Standards and Technology (NIST) published the first three post-quantum cryptography standards in 2024. They form the basis for migration. ML-KEM (formerly CRYSTALS-Kyber) for key agreement, ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (formerly SPHINCS+) as a hash-based signature alternative.

The BSI recommends the NIST standards as a reference and is working in parallel on its own recommendations within the framework of European standardization. For SMEs, this means: the standards are defined, the algorithms are specified, and first implementations in open-source libraries like liboqs and OpenSSL are available. The technical basis for migration exists.

What is still missing: many commercial products, VPN solutions, email gateways, and ERP systems have not yet integrated the new algorithms. Manufacturers are working on it, but comprehensive PQC support in enterprise software is not expected until 2027 to 2028. This is one of the reasons why migration takes five to ten years.

Crypto Inventory: Where Classical Encryption Hides in SMEs

The first and most important step is the crypto inventory: a systematic record of all places in the company where classical asymmetric cryptography is used. In practice, these are more places than most IT managers suspect.

  • VPN connections: Site networking and remote access almost always use RSA or ECC for key exchange.
  • Email encryption: S/MIME and PGP are based on RSA.
  • TLS certificates: Every HTTPS connection, every API interface, and every internal portal uses classical cryptography.
  • ERP systems: SAP and other ERP systems encrypt database connections and API communication with RSA/ECC.
  • Code signing: Software updates and firmware signatures use RSA keys.

A crypto inventory does not need to be created from scratch. Tools like Venafi, Keyfactor, or the open-source project cryptosense automatically scan for cryptographic artifacts in the IT infrastructure. The result is a prioritized list: which systems use weak key lengths, which have long-lived certificates, and which process data with high confidentiality requirements.

The results are often surprising: a typical SME with 200 employees has 50 to 200 TLS certificates, 5 to 15 VPN tunnels, 3 to 8 applications with their own cryptography, and dozens of embedded SSH keys. Most of these use RSA-2048 or ECDSA, both vulnerable to quantum attacks. Without an inventory, targeted migration is impossible, and without migration, there is no compliance with the BSI recommendation.
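To make the inventory step concrete for the embedded SSH keys mentioned above, here is an added Python example (not part of the original article and not taken from any of the tools named). It reads OpenSSH public-key lines, extracts the algorithm and the RSA modulus length from the key blob, and orders the systems by confidentiality period. The system names, periods and key bytes are constructed, and the tie-break on RSA key length is an assumption.

```python
import base64
import struct

# Classical SSH key types: all rest on RSA, DSA or elliptic curves.
CLASSICAL_PREFIXES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-", "ssh-ed25519")

def _field(blob, off):
    """Read one length-prefixed field of the SSH wire format (RFC 4251)."""
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def inspect_key(line):
    """Return (algorithm, rsa_bits_or_None) for one OpenSSH public-key line."""
    algo, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = _field(blob, 0)
    if name.decode("ascii") != algo:
        raise ValueError("key type label does not match key blob")
    if algo != "ssh-rsa":
        return algo, None
    _exponent, off = _field(blob, off)  # RSA blob: name, exponent, modulus
    modulus, _ = _field(blob, off)
    return algo, int.from_bytes(modulus, "big").bit_length()

def build_inventory(entries):
    """entries: (system, key_line, confidentiality_years) -> prioritized rows."""
    rows = []
    for system, line, years in entries:
        algo, bits = inspect_key(line)
        rows.append({"system": system, "algorithm": algo, "rsa_bits": bits,
                     "classical": algo.startswith(CLASSICAL_PREFIXES), "years": years})
    # Classical keys first, longest confidentiality period first, then shortest RSA key.
    rows.sort(key=lambda r: (not r["classical"], -r["years"], r["rsa_bits"] or 10**6))
    return rows

def _sample_line(algo, *fields):
    """Build a CONSTRUCTED key line from dummy bytes (not a usable key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (algo.encode(), *fields))
    return f"{algo} {base64.b64encode(blob).decode()} constructed-sample"

SAMPLE = [  # constructed input; system names and periods are hypothetical
    ("build-server", _sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256), 3),
    ("patent-archive", _sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256), 20),
    ("erp-db", _sample_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64), 10),
    ("legacy-vpn", _sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xa5" * 128), 10),
]
```

Calling `build_inventory(SAMPLE)` returns the rows in migration order; in a real inventory the key lines would come from `authorized_keys` and host key files, and the confidentiality period from the data owner.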

PQC Readiness: Five Steps for the IT Manager

1. Create crypto inventory. Record all cryptographic methods and keys in the company. Prioritize by confidentiality duration of protected data.

2. Query suppliers. Ask every software and hardware vendor: When will PQC be supported? Is there a roadmap? Which standards are being implemented?

3. Introduce hybrid cryptography. As a transitional solution, the BSI recommends hybrid methods that use classical and quantum-safe algorithms in parallel. This maintains compatibility while building protection against quantum attacks.

4. Set up test environment. Evaluate first PQC implementations in an isolated test environment. Measure performance impacts, as PQC algorithms sometimes have larger keys and longer computation times than RSA.

5. Create migration plan. Develop a schedule for step-by-step migration based on the inventory and supplier roadmap. Systems with the most sensitive data and longest confidentiality duration first.

6. Plan budget. PQC migration is not a one-off project, but a multi-year process. For a company with 200 to 500 employees, experts estimate total costs of 50,000 to 300,000 euros over the migration period. The largest item is not software, but internal working time and external consulting. A realistic annual budget of 30,000 to 50,000 euros is sufficient for the first steps.

Conclusion

Post-quantum cryptography is no longer a future topic. With the press release of 11 February 2026, the BSI formulated a clear expectation: migration must be completed by 2031. With an expected duration of five to ten years, 2026 is the latest possible starting point.

Getting started is less complex than many fear. A crypto inventory can be created in weeks, supplier conversations can begin immediately, and hybrid cryptography enables a gradual transition without big-bang migration. The greatest danger is not technical complexity, but procrastination.

The costs of inaction are calculable: if a quantum computer decrypts trade secrets intercepted today in ten years, the damage is irreversible. The costs of precaution, on the other hand, are manageable and plannable. Post-quantum cryptography is one of the few IT investments whose return is measured in the negative: it shows up as the damage that did not occur.

Frequently Asked Questions

Are there already quantum computers that can break encryption?

No. Cryptographically relevant quantum computers do not yet exist. But the ‘Harvest Now, Decrypt Later’ threat makes that irrelevant: encrypted data intercepted today can be decrypted in ten years.

What is hybrid cryptography?

A method that uses classical and quantum-safe algorithms in parallel. As long as no quantum computer exists, the classical algorithm protects. When one becomes available, the PQC algorithm protects. The BSI recommends this approach as a transitional solution.

Does this affect small companies too?

Yes, as soon as they process sensitive data that must remain confidential for more than ten years. This applies to trade secrets, patents, contracts, and personal data. The BSI recommendation is expressly addressed to all organizations.

Which software already supports PQC?

OpenSSL 3.x (experimental), Signal (already standard), Chrome and Firefox (experimental support for ML-KEM in TLS 1.3). For enterprise software like SAP, VPN gateways, and email servers, PQC support is expected from 2027 to 2028.

How much does PQC migration cost?

That depends on the size and complexity of the IT infrastructure. For an SME with 200 to 500 employees, experts estimate total costs of 50,000 to 300,000 euros over the migration period, mainly for consulting, testing, and system adaptations.

Do I have to carry out the migration myself?

No. Specialized consulting companies and major IT service providers offer PQC readiness assessments and migration support. The IHK and BSI also offer free initial consulting.

A magazine by evernine media GmbH