Meeting Trump's 2030 Quantum Deadline Will be Expensive, Complex

CYBERSECURITY OPERATIONS DATA PRIVACY CYBERSECURITY ANALYTICS PERIMETER NEWS Meeting Trump's 2030 Quantum Deadline Will be Expensive, Complex Getting accurate visibility into IT and OT systems will be compounded by multivendor environments, misaligned update life cycles, and interoperability gaps. Alexander Culafi,Senior News Writer,Dark Reading June 26, 2026 6 Min Read SOURCE: PETER HANSEN VIA GETTY IMAGES Organizations will face major challenges — and even greater costs — on the road to becoming quantum-ready over the next five years. US President Donald Trump signed two executive orders related to quantum technology on June 22.  One, "Ushering in the Next Frontier of Quantum Innovation," aims to bolster US leadership in quantum information science and technology through updating the national quantum strategy and building out a domestic ecosystem that will lead to the development of a quantum computer beyond current capabilities. It also includes workforce investment and partnering with various stakeholders, such as international allies, manufacturers, and private sector investors. The second, "Securing the Nation Against Advanced Cryptographic Attacks," aims to prepare US infrastructure for the attackers that would use quantum technology to target organizations. The aim here is to accelerate the government's transition to post-quantum cryptography (PQC) and fortify sensitive government data. Related:AI Decline? Confidence in Autonomous Penetration Testing Falls The executive order requires federal agencies to appoint PQC migration leads within 30 days, establish PQC for key establishment and encryption by the end of 2030, and establish PQC for digital signatures by the end 2031 for high-value assets and high-impact systems.  The order also directs the National Institute of Standards and Technology (NIST) to begin a PQC pilot program to create standards for the transition and directs relevant agencies to create guidance for a cryptographic bill of materials. Relevant agencies must also assist critical infrastructure in becoming quantum ready. While many of these requirements primarily exist for the federal government, federal contractors will also be required to adhere to NIST's PQC standards by Dec. 31, 2030.  These orders dramatically accelerate the timeline many organizations had in mind for quantum readiness. Much of the security industry's previous framing was that cryptographically relevant quantum computers were unlikely before 2035, so PQC migration was treated as something to prepare for rather than a compliance exercise.   How government and industry think about quantum computing has changed in recent years. Security experts say threat actors are stealing credentials they can't decrypt today to prepare themselves for a world where quantum computers can (harvest now, decrypt later). Google in March set a deadline of 2029 to integrate PQC cryptography into its systems, products, and services, and Apple has been ringing the quantum bell for years now. Related:AI Won't Wipe-Out Entry-Level Cybersecurity Jobs Going Quantum: Big Challenges, Bigger Costs But even if the security industry is putting its best forward, it doesn't change the reality that for contractors and critical infrastructure organizations needing to comply with these standards, the process will be costly and complex. Jonathan Nguyen-Duy, chief technology officer (CTO) at quantum security vendor Arqit, tells Dark Reading that many organizations underestimate the scale of this challenge, viewing post-quantum migration as a technology upgrade. "Cryptography sits everywhere from applications, networks, cloud environments, and software libraries to connected devices and third-party systems," he says. "That's why post-quantum migration is much more than swapping one algorithm for another. Every update needs to be tested and implemented without disrupting the business. It requires long-term funding, cross-functional ownership and a level of persistence that many organizations will find challenging." Garfield Jones, SVP of research and strategy at post-quantum cryptography vendor QuSecure, says that many agencies are in the inventorying stage, and some have designated PQC leads. "But substantial work remains on implementation and testing of NIST standardized algorithms within agency environments," he explains. "Smaller agencies may be able to meet these accelerated deadlines, but larger and federated agencies face a more difficult path as previously unaccounted IT and OT assets continue to surface through manual counting processes." Related:Thanks for Crushing the Submissions Inbox. We're Trying to Keep Up In 2024, the Office of the National Cyber Director (ONCD) projected that "the total government-wide cost required to perform a migration of prioritized information systems to PQC between 2025 and 2035 will be approximately $7.1 billion in 2024 dollars." It is impossible to assess an across-the-board PQC transition cost for organizations because of their different sizes, needs, security readiness levels, assets that need inventorying, and more.  Quantum encryption vendor QNSQY published a blog covering PQC readiness budgets, explaining that a number of factors drive this cost, including the need for cryptographic inventory tooling, staff time (such as a PQC architect, crypto engineers, and integrators), firmware upgrades, certificate authority costs, quality assurance, vendor migrations, and training.  Estimates vary, but assessments (including QNSQY's) range from $100,000 to $500,000 for small organizations (less than 100 employees), $1 million to $20 million for mid-sized enterprises (1,000 to 10,000 employees), and from $10 million to $100 million for large enterprises (more than 10,000 employees). It must be noted that because the timeline for many organizations has collapsed, many estimates may no longer be accurate.  Jones explains that for many organizations, the most pressing challenge will be to achieve accurate visibility into IT and OT environments as cryptography is embedded across a wide and complex technology stack, compounded by multivendor environments, misaligned update life cycles, and interoperability gaps. "The $7.1 billion OMB transition budget was scoped for a 2035 deadline; the accelerated timeline will likely drive costs significantly higher as demand for PQC transition services, crypto-agile tooling, hybrid architectures, and backward-compatible solutions intensifies across the federal enterprise," he says. To Become Quantum Ready, Start Immediately One thing generally agreed upon is that becoming quantum-ready is a lengthy, labor-intensive modernization process.  Celia Merzbacher, executive director of the Quantum Economic Development Consortium (QED-C), tells Dark Reading that organizations that want to get started preparing for PQC migration should visit NIST's page on the subject, which has a wide range of resources for organizations. She also stresses that "If organizations have not already begun the process of assessing and planning for PQC migration, they should do so immediately." Jones recommends starting with a sensitive data life cycle inventory across IT and OT assets, and he echoes the sequence laid out by the executive order: identifying critical systems, locating vulnerable cryptography, and prioritizing remediation by asset criticality, data sensitivity, and operational dependency. Mike Fleck, senior director at TLS/SSL certificate authority DigiCert, recommends that orgs should "start to move all current external TLS connections to TLS 1.3 and ML-KEM, the NIST-standardized post-quantum key exchange mechanism." Fleck says security leaders that have to communicate quantum risk to their boards should position it as a strategic issue that requires planning and action well in advance. "The biggest mistake boards can make is waiting for a cryptographically relevant quantum computer to emerge before acting," he elaborates. "By the time such a system becomes public knowledge, it is likely to have already existed for some time, and it will be too late to react." Don't miss the latest Dark Reading Confidential podcast, Do CISOs Need a Code of Ethics? Kickbacks, no-show jobs, "dirty" VCs, and shelfware — industry expert Robert "RSnake" Hansen explains why he thinks it's time for a CISO code of ethics. It could ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security. Listen now! Read more about: CISO Corner About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.  At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.  Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports The total economic impact™ of Snyk How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 Access More Research Webinars Building a Risk Based Vulnerability Management Program Threat Hunting That Gets Big Results Despite Small Budgets Say Yes to AI: Securing Innovation Without Compromise Zero Trust Identity: Beyond Traditional Authentication Advanced Persistent Threats: A Practical Guide to Detection and Response More Webinars You May Also Like CYBERSECURITY OPERATIONS Hand CVE Over to the Private Sector by Brian Martin JAN 27, 2026 CYBERSECURITY OPERATIONS China Imposes One-Hour Reporting Rule for Major Cyber Incidents by Robert Lemos, Contributing Writer OCT 01, 2025 CYBERSECURITY OPERATIONS CISA, FBI, NSA Warn of Chinese 'Global Espionage System' by Alexander Culafi AUG 28, 2025 CYBERSECURITY OPERATIONS Women Who 'Hacked the Status Quo' Aim to Inspire Security Careers by Elizabeth Montalbano, Contributing Writer JUL 16, 2025 Editor's Choice CYBERSECURITY OPERATIONS Do CISOs Need a Code of Ethics? byDark Reading Editorial Team JUN 24, 2026 CYBERSECURITY OPERATIONS 2026 FIFA World Cup Faces Surge in Cyber Threats byAlexander Culafi JUN 24, 2026 3 MIN READ CYBERSECURITY OPERATIONS EU Gets a Head Start in Developing 6G Network Security byNate Nelson JUN 18, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS