Quantum fears reshape cybersecurity plans as Microsoft moves deadline to 2029
Quantum computing is no longer being treated as a distant cybersecurity problem, with Microsoft accelerating its plan to move critical products and services to post quantum cryptography by 2029.
The company says advances in quantum research have shifted the risk horizon, making it necessary for organisations to begin preparing now rather than waiting for a cryptographically relevant quantum computer to arrive. Microsoft Azure chief technology officer Mark Russinovich said the transition is a multi year engineering challenge that will affect systems, services, identity, infrastructure, data and supply chains.
The change brings Microsoft’s Quantum Safe Program into the company’s wider Secure Future Initiative, meaning quantum readiness will be measured and managed as part of its broader security strategy. Microsoft says the goal is to transition products and services to post quantum cryptography by 2029 while giving customers a clearer path to modernise their own environments.
At the centre of the concern is the possibility that future quantum computers could break parts of today’s public key cryptography. That technology currently underpins secure websites, email, digital signatures, software updates, identity systems and a wide range of online transactions.
The threat is not limited to future data. Security leaders are increasingly worried about “harvest now, decrypt later” attacks, where criminals or state backed groups steal encrypted information today and store it until more powerful systems can decode it. Microsoft says organisations with long lived sensitive data are already prioritising protections against that scenario.
Microsoft’s plan is not simply about swapping one encryption algorithm for another. The company says many organisations first need to understand where cryptography already exists across applications, networks, certificates, hardware, identity systems and legacy services. Without that inventory, security teams may struggle to know which systems need to change first.
The company has identified three major areas of work: upgrading network cryptography, building crypto agility for stored data and modernising trust chains. That includes adopting newer standards such as TLS 1.3, reducing legacy protocol use, making cryptographic settings easier to change and updating the systems used for certificate issuance, code signing, software updates and hardware backed key protection.
Crypto agility is likely to become a defining issue for enterprise security teams. Rather than hard coding encryption methods into systems that are expensive to redesign, organisations will need architectures that allow cryptographic algorithms to be updated with limited disruption. Microsoft argues that this flexibility will reduce the cost and risk of future transitions.
The wider standards landscape is also moving. In August 2024, the US National Institute of Standards and Technology released its first three final post quantum encryption standards and encouraged system administrators to begin transitioning as soon as possible. NIST said the standards are designed to protect electronic information from future quantum computer based attacks and are ready for immediate use.
NIST’s post quantum cryptography project says organisations should now begin identifying where quantum vulnerable algorithms are used and planning replacement or upgrade work. The agency has also indicated that quantum vulnerable algorithms will be deprecated and ultimately removed from its standards by 2035, with high risk systems expected to move earlier.
Major technology companies have already started testing or deploying elements of post quantum protection in products, including Apple, Google and Signal. The shift suggests that quantum readiness is moving out of research teams and into real deployment schedules across the technology sector.
Even so, Microsoft has not pointed to one single scientific breakthrough as the reason for pulling its timeline forward. Instead, the company describes the move as a precautionary response to steady progress in quantum research and the scale of work needed to prepare large digital environments.
For enterprises, the message is clear: waiting may create more risk than acting early. Security teams will need cryptographic inventories, clear ownership, phased roadmaps and modernised infrastructure long before quantum computers pose a practical threat to today’s encryption.
The quantum deadline may still be uncertain, but the cybersecurity planning window is already shrinking. For organisations that depend on long term data confidentiality, secure software delivery and trusted digital identity, quantum readiness is quickly becoming part of everyday risk management rather than a future research exercise.
