Store Now, Decrypt Later — Why 2026 Is the Year to Start Your Post-Quantum Plan

The encryption protecting your most sensitive data was designed for the threat environment that exists today. For data with a lifespan measured in decades, that is the problem. Patient records, long-term financial agreements, government security material, and intellectual property may remain confidential obligations for ten, fifteen, or twenty years. The cryptographic standards protecting them now need to remain adequate across that entire window – and the threat environment those standards will face in the future is materially different from the one they were designed for.

Key Takeaways: Post-Quantum Cryptography Planning Australia

• The “harvest now, decrypt later” strategy — collecting encrypted data today for future decryption as quantum computing matures — is a documented adversarial approach acknowledged by national security agencies including the Australian Signals Directorate, the US National Security Agency, and the UK’s National Cyber Security Centre. It is not a theoretical future concern; it is an active risk for organisations holding high-value, long-lived data.
• NIST finalised its first post-quantum cryptographic standards in August 2024: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, for stateless hash-based signatures). The standards are published and available for implementation. Organisations can no longer defer post-quantum planning on the basis that standards are not yet finalised.
• ASD’s Australian Cyber Security Centre has explicitly named preparation for post-quantum cryptography as one of four priority “big moves” for Australian organisations, with its Information Security Manual recommending that organisations cease using traditional asymmetric cryptography by 2030. Planning must begin now because migration programmes typically take longer than anticipated.
• The practical prioritisation framework for post-quantum migration is based on data lifespan, not on when quantum computing will mature. High-longevity, high-sensitivity data — medical records, long-term financial agreements, government security material, biometric data — carries the most material exposure and should be the first priority for migration planning.
• The recommended first step is a Data Longevity Assessment: a structured review of major data categories against three questions — what is the confidentiality lifespan of this data? What cryptographic standard is currently protecting it? Does that standard remain appropriate given the lifespan and the post-quantum risk horizon?

The Time Horizon Problem in Current Encryption

RSA and elliptic curve cryptography (ECC) are the dominant asymmetric encryption standards protecting most enterprise systems today. They are computationally secure against classical computers because the mathematical problems they rely on — large number factorisation and discrete logarithm calculations — are infeasible to solve at current computing speeds. Against a sufficiently capable quantum computer running Shor’s algorithm (a quantum algorithm capable of solving these mathematical problems efficiently), that security does not hold.

This is well understood, and it is not a reason for immediate alarm. Cryptographically relevant quantum computers capable of breaking production-strength RSA or ECC at scale do not yet exist. The risk is not that current encryption is broken. The risk is that it has a time horizon.

For data with a short confidentiality lifespan — a session token, a transactional credential, a short-term authentication key — that time horizon is not a material concern. The data’s value will expire long before any threat to its encryption matures. For data with a long confidentiality lifespan, the calculation is different. A patient’s medical record may need to remain protected for fifty years. A long-term government security file may carry a classification requirement for decades. A research dataset representing significant intellectual property may remain commercially sensitive for fifteen years or more. The encryption protecting this data today needs to remain adequate across that entire window, not just in the current threat environment.

Shor’s algorithm is the mechanism through which quantum computing introduces this risk to current asymmetric cryptography. A quantum computer capable of running it efficiently could, in principle, factor the large primes underlying RSA-2048 and solve the discrete logarithm problems underlying ECC. The question of when such a computer will exist is genuinely uncertain — and that uncertainty is precisely the point. For organisations holding data that must remain confidential for a decade or more, the relevant planning horizon is not “when will quantum computers arrive?” but “what is the chance that the encryption protecting this data today is inadequate by the time that data’s confidentiality requirement expires?”

Harvest Now, Decrypt Later — A Present-Tense Risk

The threat that makes post-quantum cryptography a 2026 conversation rather than a future planning exercise is not contingent on quantum computers existing today. It is contingent only on adversaries believing they will exist within the value horizon of data that is being encrypted now.

The “harvest now, decrypt later” strategy — sometimes abbreviated HNDL in technical and policy documents — refers to the collection and long-term storage of encrypted data by adversaries who intend to decrypt it once their quantum computing capabilities mature. Nation-state actors with long-term intelligence objectives and the resources to store encrypted data at scale have a rational incentive to pursue this approach. ASD’s ACSC has specifically identified this threat (ASD, Planning for Post-Quantum Cryptography, 2025), noting that “storing highly sensitive or classified data using classical encryption methods may be vulnerable to ‘harvest now, decrypt later’ attacks” and that organisations should prioritise protection of their IT environment against the threat of a cryptographically relevant quantum computer now, even though one may not exist for some time. The NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) (NSA, CNSA 2.0, 2022) was developed expressly because of this threat vector: the need to protect long-lived classified information from adversaries who are collecting it today. The UK’s NCSC has similarly described the strategy in its post-quantum migration guidance as a concern for high-value data categories.

This threat is most material for specific data categories and specific adversarial actors. Nation-state actors with both the technical infrastructure to store encrypted data at scale and the patience to hold it over a long horizon are the most plausible HNDL operators. The data most likely to be targeted includes government and defence communications, financial system data and transaction records, health and biometric records, and intellectual property and research datasets with decade-plus value horizons. Australian critical infrastructure operators, government agencies, and financial institutions hold all of these data categories in volume. The HNDL risk does not apply uniformly to all encrypted data — but for organisations managing data in these categories, treating it as an active rather than theoretical risk is the appropriate posture.

Orro observes that many organisations are in a position of managing high-longevity data without a clear view of whether its current cryptographic protections are appropriate for that lifespan. The question of whether data encrypted today will remain protected across its full confidentiality requirement is one that most data governance frameworks do not yet systematically ask — and it is the right question to start with.

What NIST’s Finalised Standards Mean for Australian Organisations

In August 2024, NIST finalised its first three post-quantum cryptographic standards (NIST, Post-Quantum Cryptography FIPS Approved, 2024): FIPS 203, FIPS 204, and FIPS 205.

FIPS 203 specifies ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), the primary standard for general encryption and key establishment. FIPS 204 specifies ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the primary standard for protecting digital signatures. FIPS 205 specifies SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), a hash-based alternative for digital signatures. These three algorithms are designed to remain secure against quantum computing attacks, drawing on mathematical problems — module lattice structures and stateless hash functions — that are not susceptible to the same quantum techniques that threaten RSA and ECC.

The significance of this milestone is specific: organisations can no longer defer post-quantum migration planning on the basis that standards do not exist. They do. The question has shifted from “what will we migrate to?” to “what do we migrate first, and when do we begin?”

For Australian organisations, the international standards context is reinforced by specific domestic guidance. ASD’s ACSC Annual Cyber Threat Report 2024–25 (ASD’s ACSC, Annual Cyber Threat Report 2024–25, 2025) explicitly names preparation for post-quantum cryptography as one of four priority “big moves” for Australian organisations, alongside implementing effective logging, replacing legacy IT, and managing third-party risk. ASD’s Planning for Post-Quantum Cryptography guidance (ASD, Planning for Post-Quantum Cryptography, 2025) sets out a recommended transition timeline with a 2030 target for completion: organisations should have a detailed transition plan by end of 2026, begin implementation starting with the most critical and high-risk systems by end of 2028, and complete the transition across their environment by end of 2030. The ASD’s Information Security Manual recommends ceasing the use of traditional asymmetric cryptography — including RSA, Diffie-Hellman (DH), Elliptic Curve Diffie-Hellman (ECDH), and ECDSA — by the end of 2030.

These are not aspirational targets. For organisations with complex technology environments — and most healthcare, financial services, and government entities qualify — a migration programme of this scope requires multi-year planning, vendor engagement, and sequenced execution. The 2030 target leaves limited margin for deferral. As ASD notes, migration programmes typically take longer than anticipated because they require cryptographic inventory, dependency mapping, vendor readiness assessment, and sequenced rollout across systems with varying replacement cycles.

NIST’s standards are international benchmarks rather than Australian regulatory requirements in themselves. However, Australian government agencies are expected to align with ASD guidance, which draws on the Five Eyes relationship with US and UK standards bodies. For organisations operating in regulated sectors — healthcare under the Privacy Act, financial services under APRA prudential standards, critical infrastructure under the Security of Critical Infrastructure Act — the convergence of international standards and Australian guidance reinforces the case for beginning migration planning now.

A Framework for Prioritising Data by Longevity

Not all data needs to be migrated to quantum-resistant encryption with equal urgency. The prioritisation framework is straightforward: what matters is the relationship between the data’s confidentiality lifespan and the risk horizon that post-quantum migration is designed to address.

The highest-priority category for migration planning is high-longevity, high-sensitivity data: patient medical records, long-term financial agreements, government security material, biometric data held indefinitely, and research and intellectual property with decade-plus value horizons. These categories carry the most material exposure under a harvest-now scenario because their confidentiality requirements extend well into the window where post-quantum computing capabilities may exist. For a hospital system encrypting patient records today using RSA-2048, the question is not whether quantum computing is imminent — it is whether the encryption protecting records that must remain confidential for fifty or more years is appropriate for that full lifespan.

The medium-term priority category includes data with multi-year confidentiality requirements that do not necessarily extend into the highest-risk horizon: multi-year customer records, long-term contract data, authentication credentials for systems with extended operational lifecycles, and encryption keys protecting long-lived data stores. Retail loyalty databases, for example, may hold customer profiles and transaction histories across a period of years, and the encryption protecting that data warrants assessment against its retention lifespan even if the urgency is lower than for health or government material. Financial institutions holding long-term mortgage records and multi-year customer account data fall in a similar position. Migration planning for this category should occur in the near term, though immediate remediation may not be the first priority.

The lowest-urgency category is short-lifespan transactional data: session tokens, short-term transactional records, temporary credentials, and data with defined short retention periods. The confidentiality requirement for these data categories does not extend into the post-quantum risk window, and they warrant lower priority in any migration sequencing plan. This does not mean they are excluded from eventual migration — it means they can be addressed later in a sequenced programme without materially increasing organisational exposure.

Crypto-Agility — Building the Architectural Capability to Migrate

Crypto-agility is the organisational capability to update cryptographic standards across an enterprise technology environment without requiring a full infrastructure rebuild. It involves maintaining a current inventory of cryptographic implementations, understanding the dependency relationships between those implementations and the systems that rely on them, and building migration into the architecture from the outset rather than retrofitting it under pressure.

For post-quantum migration specifically, crypto-agility is the difference between a managed programme of work and a crisis response. Organisations that have invested in understanding their cryptographic posture — knowing which systems use which algorithms, which systems have long procurement and replacement cycles, and where cryptographic changes will propagate upstream and downstream — can execute a migration to quantum-resistant standards in a sequenced and prioritised way. Organisations without that visibility face a much more complex and costly migration when urgency increases.

The investment in crypto-agility is not solely a post-quantum measure. Cryptographic standards evolve continuously, and the ability to update cryptographic implementations efficiently is a security hygiene capability with returns across the full security programme. ASD’s guidance on post-quantum migration emphasises that organisations should plan for crypto-agility as part of their transition approach, enabling adaptation to future algorithm updates as the field continues to develop.

Building crypto-agility in practice involves three elements. The first is a cryptographic asset inventory: a current, comprehensive mapping of all cryptographic standards and implementations in use across the environment — including protocols, products, certificates, devices, and applications — as well as which third parties and supply chain partners use cryptographic standards on the organisation’s behalf. The second is dependency mapping: understanding where cryptographic changes will require coordinated updates across upstream and downstream systems, including vendor dependencies, procurement cycle constraints, and interoperability requirements. The third is a migration sequencing plan: a prioritised programme that addresses the highest-risk data categories first, plans for hybrid deployments during the transition period where needed, and accounts for the multi-year timelines that realistic migration programmes require.

Orro works with organisations that are beginning to ask the right questions about their cryptographic posture — not waiting for regulatory mandate to initiate migration planning, but approaching post-quantum readiness as a governance responsibility. The organisations that start this work now, with a clear inventory and a prioritised roadmap, will be in a materially better position than those that wait for urgency to force the issue.

The Practical First Move — Starting with a Data Longevity Assessment

The recommended starting point for organisations beginning a post-quantum migration programme is a Data Longevity Assessment: a structured review of major data categories against three questions. What is the confidentiality lifespan of this data? What cryptographic standard is currently protecting it? Does that standard remain appropriate given the lifespan and the post-quantum risk horizon?

This assessment does not require deep quantum computing expertise. It requires data classification discipline, a basic cryptographic inventory, and a clear prioritisation framework. Most organisations with mature data governance programmes already have the data classification inputs — what they often lack is the structured lens to evaluate those categories against post-quantum risk specifically.

The output of a Data Longevity Assessment is a prioritised migration plan: a list of data categories ranked by the urgency of their migration need, mapped to the cryptographic systems protecting them, with a sequenced programme for addressing them in order of exposure. For a healthcare organisation, this may begin with patient records and clinical data. For a financial institution, it may begin with long-term mortgage records and the encryption keys protecting core banking data stores. For a government agency, it may begin with security-classified material and sensitive ministerial communications. The starting point differs by sector, but the method is consistent.

ASD’s guidance sets a recommended milestone of having a detailed transition plan in place by the end of 2026 — which means the assessment work should be underway now. For organisations that have not yet begun, the window for comfortable planning is shortening. The migration programme itself is long; the planning phase does not need to be.

Conclusion

The case for beginning post-quantum migration planning in 2026 is not based on the imminence of quantum computing. It is based on three converging factors: the data being encrypted today may carry confidentiality requirements that extend into the window where quantum threats become material; the harvest-now, decrypt-later strategy means adversaries do not need quantum capabilities today to begin creating that exposure; and the migration programme required to address the risk is long enough that starting now is the only way to complete it before urgency arrives.

NIST has published the standards. ASD has set the 2030 target. The prioritisation framework — data longevity, cryptographic inventory, sequenced migration — is well defined. What remains is execution, and the organisations that begin with a Data Longevity Assessment in 2026 will be executing a managed programme rather than a reactive one.

If this article has raised questions about which of your organisation’s data categories carry a confidentiality requirement that extends into the post-quantum risk window, whether your current cryptographic standards are appropriate for the lifespan of the data they protect, or where to start with a Data Longevity Assessment that produces a practical, prioritised migration plan, Orro’s team is available for a confidential discussion. There are no obligations — just a conversation with practitioners who work across these environments every day.