The G7’s PQC Warning for Enterprise Security

Key takeaways

• The G7 report confirms quantum threat timing is uncertain, but organizations must prepare now, with “harvest now, decrypt later” attacks already collecting encrypted data for future decryption.
• Enterprise PQC migrations require discovery, planning, implementation, and validation phases spanning 12-15 years total.
• NIST will deprecate quantum-vulnerable algorithms by 2030 and disallow them by 2035, creating compressed migration windows
• Certificate automation for 47-day compliance builds the same capabilities needed for PQC: discovery, policy enforcement, and deployment.
• Six migration categories need coordination: certificates, applications, network infrastructure, data protection, vendors, and governance.

On May 11, 2026, the G7 Quantum Technologies report published findings on quantum technologies and financial system implications.

The report confirms what enterprise security teams are discovering: migrating to post-quantum cryptography isn’t about swapping algorithms. It’s about building infrastructure that can discover, manage, and deploy cryptographic changes across tens of thousands of certificates.
The G7 explicitly calls out risks to cryptographic trust foundations, “harvest now, decrypt later” (HNDL) as an active threat, and operational readiness requirements across interconnected systems.

Why the G7’s perspective matters

The G7 central banks (representing Canada, France, Germany, Italy, Japan, the UK, and the US) published this report through their Quantum Technologies Working Group. When institutions managing trillions in assets and overseeing global financial infrastructure reach consensus on quantum risk, it moves the conversation from theoretical concern to operational priority.

Three key findings for enterprise security

The G7 report identifies three strategic realities that directly impact enterprise PQC planning. Each finding shapes the timeline and approach organizations must take:

Finding 1: Quantum threat is real, timeline is not

The G7 report states: “While the timing of a cryptographically relevant quantum computer remains uncertain, the potential impact of such a device is now well identified.”

This creates two requirements: proactive preparation starting now, and operational infrastructure that can respond quickly when timelines become clear. For organizations managing certificate lifecycles across thousands of endpoints, this means automated discovery, policy enforcement, and deployment capabilities.

Finding 2: Regulatory deadlines are aggressive

NIST’s transition timeline is as follows:

• Quantum-vulnerable algorithms deprecated by 2030
• Entirely disallowed by 2035

The window for migration is narrower than most organizations realize. Enterprise migrations typically require 3-8 years from planning to completion. Discovery alone can take 6-12 months for large enterprises. Organizations that haven’t begun inventory and assessment activities are already operating on compressed timelines.

Finding 3: “Harvest now, decrypt later” (HNDL) is happening right now

The report explicitly identifies “the risk of ‘harvest now, decrypt later’, whereby encrypted data collected today could be decrypted in the future” as a threat that “highlights the need to consider long-term data confidentiality.”

These are the government security agencies confirming active HNDL operations:

• UK National Cyber Security Centre
• U.S. Department of Homeland Security
• Australian Cyber Security Centre

A study published in MDPI’s Telecom journal (December 2025) analyzing HNDL temporal risks found that high-retention sectors such as healthcare and financial services face exposure windows extending decades under delayed PQC adoption. Organizations that implement hybrid cryptographic approaches reduce this risk horizon by over two-thirds.

Building your PQC readiness strategy

The G7 report provides institutional validation for treating PQC as an operational transformation rather than a technology procurement exercise. Here’s how to translate the report’s findings into actionable priorities.

Category	Key Actions	Outcomes
Certificate & Key Management	Deploy automated discovery Modernize PKI infrastructure Automate lifecycle workflows	Visibility into cryptographic assets; ability to rotate algorithms at scale
Application & Code	Inventory cryptographic dependencies Update libraries to support PQC algorithms Implement hybrid cryptography	Applications ready for quantum-safe encryption without breaking backward compatibility
Network Infrastructure	Assess VPN, load balancer, firewall, and PQC support Plan firmware updates Test hybrid TLS configurations	Network devices capable of quantum-safe protocols
Data Protection	Identify long-lived sensitive data Prioritize by HNDL exposure Migrate the highest-risk systems first	Reduced retroactive decryption risk for critical assets
Vendor & Supply Chain	Map vendor PQC roadmaps (HSMs, CAs, cloud providers) Establish readiness timelines Identify gaps	Understanding of external dependencies and migration blockers
Governance & Policy	Define approved quantum-safe algorithms Establish deprecation timelines Create a compliance framework	Consistent cryptographic standards are enforced enterprise-wide

Your PQC action plan

Immediate actions (90 days)

• Gain cryptographic visibility. Deploy smart discovery capabilities to inventory certificates, keys, and algorithms across your infrastructure. You can’t migrate what you can’t see.
• Assess your crypto-agility baseline. Evaluate how quickly your organization could respond if a cryptographic algorithm were compromised tomorrow. Can you identify affected certificates within hours? Days? Weeks?
• Prioritize high-value, long-lived data. Identify systems protecting sensitive information with multi-year or multi-decade confidentiality requirements. These face the greatest HNDL exposure.
• Map vendor dependencies. Document which hardware security modules, certificate authorities, load balancers, and application servers require PQC support. Engage vendors for roadmap commitments.

Strategic initiatives (6-12 months)

• Modernize PKI infrastructure. Legacy PKI architectures built around manual certificate issuance can’t support PQC migration timelines. Migrate to PKI-as-a-Service platforms that enable rapid algorithm changes.
• Implement hybrid cryptography. Begin deploying hybrid certificates combining classical and post-quantum algorithms. This provides quantum protection while maintaining backward compatibility.
• Automate certificate workflows. Build closed-loop automation for certificate discovery, enrollment, renewal, and deployment. Manual processes that work for 398-day certificates become impossible at 47-day validity.
• Establish crypto governance. Create enterprise-wide cryptographic policies defining approved algorithms, key strengths, and certificate validity periods. Enforce these policies programmatically.

Major banks have begun running hybrid TLS pilots at network edges as of 2026. These deployments test the PQC algorithm performance in production environments and build operational experience before mandate deadlines.

Financial services organizations are investing in flexibility today. Crypto-agility provides value regardless of whether CRQCs arrive in 2030 or 2035.

The four migration phases

Enterprise PQC migration follows a structured timeline. NIST published its quantum-safe standards in August 2024, but deployment requires careful coordination. Each phase builds on the previous one, with large organizations requiring 12-15 years to complete the full cycle.

Discovery phase (6-12 months)

Inventory all cryptographic assets across cloud, on-premises, and hybrid environments. Identify certificate authorities, key management systems, and encryption dependencies.

Map cryptographic algorithms to business applications and data flows. Document certificate validity periods, renewal processes, and ownership. For large enterprises with distributed infrastructure, discovery alone can take a year.

Planning phase (3-6 months)

Assess quantum vulnerability by algorithm type and key strength. Prioritize migration based on data sensitivity and retention requirements.

Evaluate vendor roadmaps for PQC support across critical infrastructure. Design hybrid cryptographic deployment strategies.

Implementation phase (12-36+ months)

Upgrade hardware security modules and cryptographic libraries. Modernize PKI infrastructure to support larger key sizes and signature formats.

Integrate post-quantum algorithms alongside classical cryptography (hybrid mode). Automate certificate lifecycle workflows across expanded infrastructure. The timeline stretches because changes must be tested and deployed gradually to avoid production disruptions.

Validation phase (6-12 months)

Test interoperability across applications, protocols, and network devices. Validate performance under increased computational and bandwidth requirements.

Confirm compliance with CNSA 2.0, NIST guidelines, and industry regulations.

The timeline reality

Organizations starting migration in 2026 face a compressed timeline. Discovery and planning extend through 2028, implementation runs through 2032, and validation continues until 2034. Federal Reserve research on HNDL risks confirms this creates a potential vulnerability window if quantum computers arrive earlier.

Phase	Timeline	Risk Exposure
Discovery & Planning	2026-2028	HNDL collection ongoing
Implementation	2029-2032	Partial protection begins
Validation	2033-2034	Vulnerability window if CRQC arrives early

Real-world migration blockers

Enterprise PQC migrations face challenges that extend timelines beyond technical complexity. Legacy systems running embedded cryptography can’t be easily updated without hardware replacement. Applications hardcoded with specific key sizes or algorithm assumptions require code rewrites and regression testing across thousands of endpoints.

Vendor dependencies create bottlenecks. Organizations can’t migrate faster than their certificate authorities, HSM manufacturers, and cloud providers release PQC-capable products. Even when vendors ship updates, procurement cycles, budget approvals, and change management processes add months to deployment schedules.

The coordination problem compounds these technical barriers. PKI teams, application developers, network engineers, and security operations need aligned timelines. A single uncoordinated change can break production systems serving millions of users. Organizations that treat PQC as a technology problem rather than an operational transformation consistently underestimate these human and process factors.

The 47-day certificate connection

The CA/Browser Forum’s 47-day certificate validity mandate and post-quantum cryptography readiness require fundamentally similar operational capabilities.

Both transitions demand:

• Automated discovery to maintain real-time certificate inventory across all environments
• Closed-loop automation enabling certificate renewal and deployment without manual intervention
• Protocol-based enrollment using ACME and other standardized interfaces
• Centralized governance enforcing cryptographic policy at scale
• Rapid deployment capabilities are pushing changes across the distributed infrastructure

Organizations investing in certificate lifecycle management automation to handle 47-day renewals are building the infrastructure required for PQC migration. The operational capability for frequent certificate rotation transfers directly to algorithm changes.

Capability	47-Day Certificate Mandate	Post-Quantum Migration
Automated Discovery	Track short-lived certificates	Inventory quantum-vulnerable algorithms
Lifecycle Automation	Handle 8x renewal frequency	Deploy hybrid certificates at scale
Policy Enforcement	Ensure validity compliance	Govern quantum-safe algorithm adoption
Integration Breadth	Connect to CAs, cloud, Kubernetes	Enable coordinated infrastructure migration

Certificate automation builds PQC readiness

AppViewX customers already managing tens of thousands of certificates with automated lifecycle workflows aren’t starting their PQC journey from zero.

They’re starting with operational visibility, automation, and control, the exact capabilities needed when migration windows arrive.

Organizations treating these as separate initiatives miss the strategic opportunity.
The same automation platform solving 47-day certificate challenges provides the foundation for quantum-safe migrations.

How AppViewX enables crypto-agility

The operational transformation required for PQC readiness aligns precisely with what modern certificate lifecycle management platforms provide.

Platform capabilities

• Smart Discovery. Automated scanning across cloud, on-premises, and hybrid environments maintains a real-time inventory of certificates, keys, and cryptographic dependencies.
• Closed-Loop Automation. End-to-end workflows handle certificate enrollment, approval, deployment, and renewal without manual intervention. Automation that scales to 47-day certificate validity also scales to PQC hybrid deployments.
• Policy-Based Governance. Centralized cryptographic policies define approved algorithms, key strengths, and certificate lifetimes. Enforcement happens programmatically across all environments.
• Broad Integration. Out-of-box connectors to major certificate authorities (including those with PQC roadmaps), cloud platforms, load balancers, web servers, and DevOps tools, including Kubernetes certificate management.
• Crypto Resilience Scoring. Real-time visibility into cryptographic posture across the enterprise. Identify quantum-vulnerable certificates, track migration progress, and demonstrate compliance.

Organizations using AppViewX for certificate automation are building the crypto-agility foundation required for every future cryptographic transition, including post-quantum migration.

Ready to assess your PQC readiness? AppViewX enables the automated discovery, lifecycle management, and policy governance your migration timeline demands.