Post-Quantum Cryptography: What SMBs Should Be Thinking About Before 2030

In August 2024, NIST finalized the first three post-quantum cryptographic standards: FIPS 203 (ML-KEM, formerly Kyber), FIPS 204 (ML-DSA, formerly Dilithium), and FIPS 205 (SLH-DSA, formerly SPHINCS+). These are the algorithms federal systems will migrate to over the rest of the decade, and which everything downstream of federal systems will eventually follow.

If you run a small business, three reactions are reasonable:

1. “I have no idea what any of those acronyms mean and I do not have time to care.”
2. “Cool, but quantum computers that break RSA are 15 years away. I will deal with it then.”
3. “I have been reading about this. Should I be doing something now?”

The honest 2026 answer for SMBs is somewhere between reactions two and three. You do not need to panic-buy anything. You should also not assume this is a 2040 problem. The migration is already underway in the parts of the stack you depend on, harvest-now-decrypt-later is real for some data today, and enterprise clients will eventually ask what you are doing about it.

What the threat actually is, in plain English¶

Modern internet security depends on a small set of public-key algorithms, mostly RSA and elliptic-curve cryptography (ECC). They are secure against any computer we currently know how to build because the underlying math (factoring large numbers, computing discrete logs on elliptic curves) takes impractical time on classical hardware.

A sufficiently large fault-tolerant quantum computer can run Shor’s algorithm, which solves both problems in polynomial time. A real cryptographically relevant quantum computer (CRQC, the term in NIST and CISA documents) would break RSA and ECC. TLS, VPNs, email encryption, code signing, software updates, the certificates securing your bank’s website, and a long list of other things would all need new algorithms.

The post-quantum algorithms NIST finalized are designed to resist both classical and quantum attacks. They rest on different math (lattice problems for ML-KEM and ML-DSA, hash-based signatures for SLH-DSA) with no known efficient quantum attack.

Quantum computers will eventually break the math we currently rely on. We have new math they cannot break. The remaining question is timing.

Why “10 years away” is misleading¶

The standard SMB-owner reaction is “great, deal with it when it happens.” The reason that is the wrong frame is a concept called harvest-now-decrypt-later (HNDL).

An attacker who captures encrypted traffic today and stores it does not need a quantum computer today to threaten you. They need one eventually. When a CRQC becomes available, every captured ciphertext from years prior becomes decryptable retroactively. Whether that matters depends entirely on the shelf life of the data.

The Mosca inequality, named after cryptographer Michele Mosca, is the standard framing: if the time you need data to remain confidential plus the time to migrate your systems is longer than the time until a CRQC exists, you are already exposed. Most SMB data has a short confidentiality window (a credit card number is useless after the card is reissued). Some does not: trade secrets, employee health records, attorney-client communications, M&A discussions, anything covered by long-tail regulatory retention.

The point of HNDL is not that quantum is imminent. It is that for a narrow class of long-lived sensitive data, the migration deadline is sooner than the CRQC deadline. For everything else, you have time.

What is already happening (you may not have noticed)¶

The interesting fact about post-quantum migration in 2026 is how much of it is already in flight without most users seeing it.

• Browsers and TLS: Chrome enabled a hybrid post-quantum key exchange (X25519MLKEM768) by default for TLS 1.3 in 2024. Firefox followed. By 2026, a meaningful share of HTTPS connections from major browsers are already protected by hybrid key exchange that resists future quantum decryption. You did not have to do anything to get this.
• OS vendors: Apple introduced PQ3 for iMessage in early 2024, a hybrid post-quantum messaging protocol. Microsoft, Google, and AWS have all announced PQC roadmaps.
• Certificate authorities: CA/Browser Forum working drafts on PQC certificate timelines exist. Production rollout is conservative because certificate ecosystems take years to migrate, but the planning is public.
• NIST and CISA guidance: NIST has published IR 8547 and IR 8413 on PQC migration planning. CISA’s Post-Quantum Cryptography Initiative is the federal coordination point. Federal agencies must inventory cryptographic systems and prepare migration plans under NSM-10 (May 2022).
• Federal procurement: Vendors who sell to the federal government are now subject to PQC requirements that will appear in solicitations over 2026-2030. Those vendors pass requirements down to their suppliers. Some of those suppliers are small businesses.

What this means for an SMB is that you are mostly a consumer of cryptography, not a producer of it. The libraries, browsers, OSes, and cloud platforms you depend on are migrating. Your job is to know which of your vendors are doing the work, and to be ready when customers start asking.

What an SMB should actually do in 2026¶

The temptation is to recommend a 12-step crypto-agility program. For most SMBs that is overkill. Here is the actual short list.

Step 1: Inventory where you rely on cryptography¶

You do not need a cryptographic bill of materials at the byte level. You need a one-page list of the systems where the integrity or confidentiality of long-lived data matters. Examples:

• Email and file storage (especially anything with retention obligations longer than five years)
• VPNs and remote-access tools
• Backup systems and the encryption-at-rest of those backups
• Code signing if you ship software
• Anything covered by HIPAA, attorney-client privilege, or trade-secret protection

For each, note the vendor and the rough sensitivity window. That is your starting inventory.

Step 2: Identify your HNDL exposure honestly¶

For each item on the inventory, ask: if this data were captured today and decrypted in 2032 or 2035, would that matter?

For most SMB data, the honest answer is no. Operational emails about quarterly logistics will not matter. For a healthcare practice’s patient records, an attorney’s case files, or an engineering firm’s IP, the answer may be yes. Concentrate the rest of the program on the small subset where the answer is yes.

Step 3: Monitor vendor roadmaps, do not panic-buy¶

Ask your major vendors, especially those handling long-lived sensitive data, what their PQC roadmap is. Most will not have an answer in 2026. By 2027-2028 most should. Two reasonable questions to send your top three vendors via email this quarter:

• “What is your post-quantum cryptography migration plan?”
• “Will I receive a notification when PQC-protected versions of your service become available?”

You are not demanding action. You are signaling that you are paying attention. Vendors prioritize what their customers ask about.

Step 4: Do not roll your own PQC anything¶

The PQC algorithms are new, implementations are still maturing, and side-channel attacks on early implementations are an active research area. Hybrid modes (classical + PQC together) are the responsible deployment pattern through at least the late 2020s because they fail safe against both quantum attacks and bugs in the new algorithms.

In practice: take what your browsers, OS, and cloud platforms ship. Do not build a custom PQC tunnel because you read a HackerNews post. The right time to adopt PQC in your own stack is when your platform vendor ships it with a “use this” recommendation.

Step 5: Update your written information security policy when the vendor wave hits¶

Sometime in 2027-2029, expect cyber insurance questionnaires, vendor security questionnaires, and possibly regulatory frameworks to start asking about cryptographic agility and PQC readiness. Your written information security policy should have a paragraph acknowledging the PQC transition, naming the standards you follow (FIPS 203/204/205), and pointing to a migration approach (mostly “we use vendor-provided PQC capabilities as they become available”). This will eventually become a line item in our Cyber Essentials suite as the policies catch up to the standards.

What I would ignore for now¶

PQC “drop-in replacement” pitches aimed at SMBs. The 2026 migration is happening at the platform layer, not at the SMB purchase layer. If a vendor is selling you a $25,000/year PQC product as a small business, they are either confused about the threat shape or hoping you are.

Doom-cycle headlines about Chinese or US quantum breakthroughs. Progress is real but slow. Public estimates for a CRQC capable of breaking RSA-2048 still cluster in the early to mid 2030s, with credible uncertainty in both directions. If that picture genuinely changes, it will be front-page news.

What to actually do this quarter¶

1. Spend 30 minutes producing the one-page inventory in Step 1 above.
2. Be honest with yourself about which 2-3 items on it have a real harvest-now-decrypt-later exposure.
3. Email your top three vendors (email provider, backup provider, primary line-of-business platform) and ask the two questions in Step 3.
4. Add one line to your written information security policy acknowledging the PQC transition and naming FIPS 203, FIPS 204, FIPS 205 as the standards you will follow.
5. Set a calendar reminder for Q3 2027 to revisit this. The vendor landscape will look different by then and you will want to refresh the inventory.

That is the entire 2026 program for a normal SMB. It is small because the migration is largely happening above your level. The discipline is to know that it is happening, to know which of your data actually has long-tail exposure, and to be ready to answer the question when your enterprise clients eventually ask it.